SELinux Mailing List
RE: dynamic context transitions - a seteuid parallel
From: Frank Mayer <mayerf_at_tresys.com>
Date: Tue, 2 Nov 2004 07:49:12 -0500
To be fair, privilege bracketing came about primarily as a compromise of how to meet the B2 requirements. The ideal was something like ring brackets from the Multics hardware, or even the simplified execution privilege levels from the x86 architecture.

I'm sure that one of the first places the privilege bracketing argument was used was the B2 Trusted XENIX project, where we stretched greatly the B2 requirements of least privilege and separation of security relevant code, and successfully used the concept of privilege bracketing as an evaluation strategy. So I'll admit my culpability in weakening the B2 requirements, but that does not mean privilege bracketing is a good idea just because we used it in the past as a means to expedite evaluations.

Rings and x86 privilege levels are truly separate, distinct security domains. Privilege bracketing is not (all software in the process will typically have complete control over what privileges it desires to use). Unfortunately, like Trusted XENIX (and any Unix), the only really distinct execution domains we have are processes, which have a much greater overhead cost for switching than rings. So if we were honest, the real reason we want to change security content is for performance reasons, not security assurance reasons.

Frank

Received on Tue 2 Nov 2004 - 07:49:25 EST
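Added example, not part of the message above or of any SELinux code: a C probe for the seteuid case named in the thread subject, contrasting a bracketed drop (saved uid still 0, so any code in the process can switch back) with a permanent drop made in a separate process. The uid 65534 and the names probe and can_regain_root are assumptions of this example; it must be started as root to give a result.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534 /* assumption: an unprivileged uid such as "nobody" */

/* Returns 1 if code in this process can get euid 0 back after the drop,
 * 0 if it cannot, -1 if the drop itself failed.
 * permanent == 0: seteuid() bracket; the saved set-user-ID stays 0.
 * permanent == 1: setuid() as root; real, effective and saved uid all change.
 * (A real daemon would also drop its gid and supplementary groups first.) */
static int can_regain_root(int permanent)
{
    int rc = permanent ? setuid(UNPRIV_UID) : seteuid(UNPRIV_UID);
    if (rc != 0)
        return -1;
    /* This call stands in for any library or injected code in the process. */
    return seteuid(0) == 0 && geteuid() == 0;
}

/* Runs the check in a child so the caller's own credentials are untouched.
 * Returns 1 or 0 as above, or -1 if not started as root or on any error. */
int probe(int permanent)
{
    if (geteuid() != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int r = can_regain_root(permanent);
        _exit(r < 0 ? 2 : r);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("bracketed drop, root regained: %d\n", probe(0));
    printf("permanent drop, root regained: %d\n", probe(1));
    return 0;
}
```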
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |