Roland C. Dowdeswell
elric at imrryr.org
Fri Jun 4 01:35:00 EDT 2004
On 1086305059 seconds since the Beginning of the UNIX epoch
Bob Ippolito wrote:
>Sounds like a lot of work for a little real benefit. Let's imagine for
>a second that I'm running an email server that I would like to be
>highly secure. By some hook or crook, an attacker gets uid 0 on my
>highly secure machine. They decide it would be funny to wipe out all
>of my mail spools and start sending spam. Everything I wanted that
>machine to do is now ruined, and I need to wipe the disk and restore
>from tape or start over. What's really left to protect if userspace is
>hosed? I'm not sure if I should care whether or not they can talk on
>the PCI bus.
It depends whether you need real security or not. Wiping out your
mail spools and sending spam is not exactly the most exciting attack
that people might think of. First off, it is immediately obvious
that it is going on. Attacks can be substantially more insidious.
If people can access your PCI bus, then they have the complete run
of the machine. You might not want to actually trust that machine
again for a number of purposes, e.g. they might fiddle with the
firmware on an ethernet card that can PXE-boot to ensure that no
matter what you do they continue to have access to the machine.
Or just play with the BIOS. In a very security sensitive context,
you have just completely lost the hardware, or at least have to do
a lot of work to ensure that all of the firmware that's lying around
has not been modified.
Also, consider audit trails. Even in a moderately security sensitive
context, you might want to make certain guarantees about being able
to discover information about what they did, what time they came
in, etc. You can do this by making the log files append-only (as
well as sending them to another machine, but of course that one
has to be more secure than this one.) And so on.
In short, setting up a bit of a TCB is hard work. It isn't possible
without secure levels or a logical equivalent---at least something
that limits root's access to various things, especially the hardware.
There are situations where it makes sense. Perhaps it does not
make sense for you, but for some people it does. If anything, it
does not go far enough rather than being an appendix.
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the talk