On Tue, 31 Aug 2004, Linas Vepstas wrote:
Every now and then, I look at SELinux, and I get scared away by its
complexity. This complexity makes it very hard to audit, and assure
oneself that it's actually providing any real security, as opposed to
the illusion of security. ...
Tough questions. Good questions!
Still, I do believe MAC has value in contrast to DAC.
But the opposing "flying buttress" to this is that it all
boils down to binary ... somewhere. And is THAT part isolated?
Compare this to less complex security provided by e.g. the Linux
VServer project. VServer is intended to allow an ISP to pretend they
have a rack of 100 CPUs all running Linux, when in fact they have just
one. The fact that it provides security is a side-effect; but it's
far simpler, far easier to audit, and allows me to sleep at night.
Ahhh... virtual machines. (And I don't mean Java.)
I'm thinking VMware and (esp) z/VM (IBM style mainframe).
Been using both for years, VMware since 1.0 beta and mainframe since ...
well ... I was pretty young at the time. But not for security per se,
they have other interesting features. Linas' mention of VServer
and its side-effect security reminds me of something I read
in the annals of VM history:
(Stephen, Howard, and the rest and friends at the NSA
please take no offense. I found this terribly entertaining.)
Even from its earliest days, VM (CP) isolated each user, so:
"On another occasion we almost had an in-house protest.
Among the early users of CP-67/CMS were both the National
Security Agency and the CIA; the fact that the DAT hardware
isolated each user in his own address space was viewed as a
powerful system security feature. One time in 1970, I
think, the CIA sent two of their people to Cambridge to talk
about something that Ed Hendricks had developed or was
working on. In the atmosphere of the time, none of the
technical people at CSC, especially Ed, wanted to talk to
them at all! Ed stormed around the halls muttering "damned
spooks!" for half an hour or more before Craig Johnson and
Norm Rasmussen were able to coerce him into the meeting.
Even more amazing is that they were spooks; there was a man
and a woman, both of slightly below-average height, average
build, average everything! You could stand and talk
directly to them or study them for five minutes or more, but
if you turned around there was nothing to remember and
nothing to describe; they were effectively invisible."
Thanks to Lynn Wheeler for helping me dig this up.