Re: Possible project


From: Jesse Pollard <pollard@dns1.navo.hpc.mil>
Subject: Re: Possible project
Date: Fri, 2 Jun 2000 13:09:26 -0500 (CDT)



"John Everitt" <je@firetrench.net>
> Hi,
> 
> I have begun a secure Linux project and I am in the process of rounding up
> people for comments, suggestions and help.
> 
> The rough objectives are outlined at:
> http://www.firetrench.net/users/barebones
> 
> I would appreciate this being forwarded to anyone you think relevant and I
> would advise them to read the existing feedback on the page to avoid
> repetition.  It's too early to give a concrete set of objectives but the
> more debate the better.  I am sure there are many things that need comment.

If you are going to secure the system then you must also support the
nonexecutable stack (and data) space. This combined with capability lists
should prevent the loading of a complex function into buffer overflow attacks
and have them work.

Nonexecutable stack does break some compatibility.

What you appear to be generating is a very limited function system for a
small list of applications - single web server (no user logins), DNS server,
routers, and maybe firewalls. No compilers. No debuggers. No editors.

Anything else calls for nearly the entire range of capabilities. Control
at this level would be better served by a combination of IPSec, MLS (RSBAC),
user identification, and careful definition of the trusted utilities. This is
more flexible and resilient to failures. Yes, it is harder to administer; but
it is far more capable and useful.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.
