A new kind of security needed

Lyndon Nerenberg lyndon at orthanc.ca
Fri Jul 18 20:41:59 UTC 2008 

On 2008-Jul-17, at 00:54 , Robert Watson wrote:

> FWIW, I have some work in progress on the capability front, but it's  
> a highly complex issue that will take years to work through  
> properly.  Unfortunately, the real issue isn't so much the OS  
> primitives as building up a non-trivial application base that uses  
> them.  Providing primitives to subdivie applications isn't easy, but  
> once you've done that you still have to rewrite lots of applications  
> to take advantage of it, and in a way that shows a lot more  
> application programmer discipline.  It's not clear to me that the  
> pressure is there to make feature-driven application development for  
> major desktop applications adopt techniques of this sort.

Realistically, this will never happen. It would require *every*one  
agreeing on a single consistent API, and that just won't happen with  
any sort of policy-based mechanism.

It's sad people don't pay more attention to Plan 9. Namespaces go a  
long way towards solving this problem in a manner that's completely  
transparent to the application, and trivial for the end-user to  
configure and use.

See:

http://plan9.bell-labs.com/sys/doc/names.html
http://plan9.bell-labs.com/magic/man2html/1/0intro
http://plan9.bell-labs.com/magic/man2html/4/namespace

In a nutshell, your view of the 'filesystem' is fully mutable. A  
simple 'rfork n' in the shell will instantiate a brand new instance of  
the namespace, which you can then fiddle to your heart's content. E.g.

   rfork n
   bind /usr/ftp /

creates a namespace where /usr/ftp (by convention the anonymous FTP  
directory) is now the "root" directory of the process' filesystem.  
Analogous system calls exist for programmatic use. And since there is  
no concept of (or need for) a 'superuser' these facilities are  
available to everyone.

This makes sandboxing trivial for any number of remotely accessible  
network services as well as to the interactive system user. Both files  
and directories can be bind targets, and the source of the bind can as  
easily be a program as a file or directory; the ability to create  
secure synthetic filesystems just naturally falls out of this paradigm.

And the applications are blissfully unaware that any of this even  
exists.

--lyndon

More information about the freebsd-security mailing list