ctl-alt-del/secure attention sequence

Robert Watson robert at cyrus.watson.org
Wed Apr 12 14:16:43 GMT 2000


Bengt,

I hope you will not object that I have CC'd this response to the
TrustedBSD discussion mailing list.

On Sun, 9 Apr 2000, Bengt Richter wrote:

> FreeBSD does not seem to have addressed the
> issue of how to ensure that you are talking
> to trusted software when you log in.
> 
> Is that on your agenda?
> 
> The default response to ctl-alt-del (which is
> the secure attention sequence for NT) after I
> installed FreeBSD 3.3-RELEASE (GENERIC) was
> to call shutdown_nice(), causing a reboot --
> irrespective of whether anyone was even logged in.
> You have to recompile to get rid of that line
> in the console drivers.
> 
> To reboot or shutdown from a shell by command requires
> root. Not too consistent ;-/
> 
> Bring remote access and virtual terminal switching
> and X and fb into the picture and it gets more
> complicated, but I think a consistent approach is
> possible with some architectural tweaking, so I wondered
> what's in the mill.

The trusted computer system evaluation criteria do not mandate the trusted
path feature until its B2 evaluation level.  That said, I agree that it is
a useful functionality.  At least on the console, sans X, you can imagine
a number of ways to guarantee that the trusted path is maintained -- one
is through use of Biba integrity policy, in which the console has a high
integrity level preventing the execution of low integrity code.
Similarly, you can imagine a trusted escape key of some sort causing the
console driver to solicit keying material.  This is not an area we have
currently given much attention, but as it clearly has benefit, I see it as a
potential target.

Using Ctrl-Alt-Delete as the escape key was an interesting choice in
Windows NT, as traditionally Ctrl-Alt-Delete has been used for the
software reboot, as it is configured by the BIOS on the PC platform.  In
Windows 95 and 98, the keypress brings up a task manager and shutdown
menu, which is also a more management-oriented function.  Personally, I
would not have overloaded that functionality, but can see arguments for
doing so.

In the standard PC environment, there is a decent argument that access to
the physical console of the machine already provides the ability to power
the machine off, and that mapping Ctrl-Alt-Delete to a safe shutdown
provides unprivileged console users the ability to shut down the machine
safely given the physical need to.  In its most frequent deployment, I
see this as an advantage.  This is certainly something that could be
revisited, but my temptation would be to use an alternative key press to
invoke a trusted path.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
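The Biba approach sketched in the reply above (a console session running at a high integrity level, so that it cannot execute low-integrity code while low-integrity processes cannot tamper with the genuine login program) is small enough to model directly. The following is an added illustration, not code from this thread or from TrustedBSD or FreeBSD; the integrity scale, the subject names, the file paths and the labels attached to them are all assumptions chosen for the example.

```python
"""Toy model of the Biba strict integrity policy used to keep a console
trusted path.  Constructed example; not TrustedBSD or FreeBSD code.  The
subject names, object paths and integrity levels are assumptions."""
from dataclasses import dataclass

# Integrity levels, ordered from least to most trusted (assumed scale).
LOW, USER, HIGH = 0, 1, 2
LEVEL_NAMES = {LOW: "low", USER: "user", HIGH: "high"}


@dataclass(frozen=True)
class Subject:
    """An active entity: a process or a login session on the console."""
    name: str
    integrity: int


@dataclass(frozen=True)
class Obj:
    """A passive entity: a file, here always an executable."""
    path: str
    integrity: int


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple integrity property ("no read down"): a subject may only read
    objects at least as trusted as itself, so high-integrity code is never
    fed low-integrity input."""
    return obj.integrity >= subject.integrity


def can_write(subject: Subject, obj: Obj) -> bool:
    """Integrity *-property ("no write up"): a subject may only modify
    objects no more trusted than itself, so a low-integrity process cannot
    tamper with high-integrity binaries."""
    return obj.integrity <= subject.integrity


def can_execute(subject: Subject, obj: Obj) -> bool:
    """Executing a binary is treated as reading it: a console session at
    high integrity is refused any binary labelled below its own level."""
    return can_read(subject, obj)


def describe(subject: Subject, verb: str, obj: Obj, allowed: bool) -> str:
    """Audit-style line for each decision, handy when working out why a
    trusted-path request was refused."""
    return (f"{subject.name}({LEVEL_NAMES[subject.integrity]}) {verb} "
            f"{obj.path}({LEVEL_NAMES[obj.integrity]}): "
            f"{'allowed' if allowed else 'DENIED'}")


def trusted_path_scenario() -> dict:
    """Walk through the console trusted-path situation from the message:
    the console runs at high integrity, the genuine login program is
    labelled high, and an untrusted process has left a low-integrity
    binary of the same name elsewhere.  Returns each access decision."""
    console = Subject("console", HIGH)           # assumed: console is high
    untrusted = Subject("untrusted-shell", LOW)  # assumed: unprivileged user
    real_login = Obj("/usr/bin/login", HIGH)     # assumed labels
    stray_login = Obj("/tmp/login", LOW)

    checks = [
        # The console may run the genuine, high-integrity login program.
        ("console runs real login", console, "execute", real_login,
         can_execute(console, real_login)),
        # ... but never a binary the untrusted user could have created.
        ("console runs stray login", console, "execute", stray_login,
         can_execute(console, stray_login)),
        # The untrusted user cannot replace the genuine login program.
        ("untrusted overwrites real login", untrusted, "write", real_login,
         can_write(untrusted, real_login)),
        # The untrusted user may still write its own low-integrity files.
        ("untrusted writes own file", untrusted, "write", stray_login,
         can_write(untrusted, stray_login)),
    ]
    for _, subj, verb, obj, allowed in checks:
        print(describe(subj, verb, obj, allowed))
    return {label: allowed for label, _, _, _, allowed in checks}


if __name__ == "__main__":
    trusted_path_scenario()
```

The two properties do the work together: "no read down" stops the high-integrity console from ever executing something an untrusted user wrote, and "no write up" stops that user from replacing the genuine program, so whatever the console runs after the trusted escape key is pressed is by construction at the console's own integrity level.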
