A new kind of security needed
Lyndon Nerenberg
lyndon at orthanc.ca
Fri Jul 18 20:41:59 UTC 2008
On 2008-Jul-17, at 00:54 , Robert Watson wrote:
> FWIW, I have some work in progress on the capability front, but it's
> a highly complex issue that will take years to work through
> properly. Unfortunately, the real issue isn't so much the OS
> primitives as building up a non-trivial application base that uses
> them. Providing primitives to subdivie applications isn't easy, but
> once you've done that you still have to rewrite lots of applications
> to take advantage of it, and in a way that shows a lot more
> application programmer discipline. It's not clear to me that the
> pressure is there to make feature-driven application development for
> major desktop applications adopt techniques of this sort.
Realistically, this will never happen. It would require *every*one
agreeing on a single consistent API, and that just won't happen with
any sort of policy-based mechanism.
It's sad people don't pay more attention to Plan 9. Namespaces go a
long way towards solving this problem in a manner that's completely
transparent to the application, and trivial for the end-user to
configure and use.
See:
http://plan9.bell-labs.com/sys/doc/names.html
http://plan9.bell-labs.com/magic/man2html/1/0intro
http://plan9.bell-labs.com/magic/man2html/4/namespace
In a nutshell, your view of the 'filesystem' is fully mutable. A
simple 'rfork n' in the shell will instantiate a brand new instance of
the namespace, which you can then fiddle to your heart's content. E.g.
rfork n
bind /usr/ftp /
creates a namespace where /usr/ftp (by convention the anonymous FTP
directory) is now the "root" directory of the process' filesystem.
Analogous system calls exist for programmatic use. And since there is
no concept of (or need for) a 'superuser' these facilities are
available to everyone.
This makes sandboxing trivial for any number of remotely accessible
network services as well as to the interactive system user. Both files
and directories can be bind targets, and the source of the bind can as
easily be a program as a file or directory; the ability to create
secure synthetic filesystems just naturally falls out of this paradigm.
And the applications are blissfully unaware that any of this even
exists.
--lyndon
More information about the freebsd-security
mailing list