FW: XP as a base for NetTop

FW: XP as a base for NetTop

[Frank Mayer]

Stephen Smalley wrote:
> Looks like Microsoft is indeed pushing an XP-based NetTop
> called Trusted Multi-Net/Typhon XP, e.g.:
> 
> http://www.computerweekly.com/Article123730.htm
>
http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8432d
5/Trusted%20Multi-Net%20for%20SSE%202003.ppt




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: FW: XP as a base for NetTop

[Chris Babcock]

> Stephen Smalley wrote:
>> Looks like Microsoft is indeed pushing an XP-based NetTop
>> called Trusted Multi-Net/Typhon XP, e.g.:
>>
>> http://www.computerweekly.com/Article123730.htm
>>
> http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8432d
> 5/Trusted%20Multi-Net%20for%20SSE%202003.ppt
>

Interesting.

The slides indicate that in their system threads are able to change what
context they run in.

It makes me wonder if they have some magic to prevent threads from
poluting shared data (unlikely), or if it is just a hack to avoid process
vs. thread design issues on windows.

-Chris

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: FW: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

"The goal is to build on National Security Agency (NSA) research using
 virtual machines to provide separation of security domains on one
 desktop.

 The effort uses VMware 3.02, which has already been evaluated by the
 NSA. There are also plans to add support for Microsoft's Virtual Machine
 Monitor. "



vmware, as you are no doubt aware, runs an entirely separate x86
virtual machine (for which they have licensed phoenix bios).

so it's completely compartmentalised and you do not need to add
in any security into the host OS other than banning it from
network access.

this is a _goooood_ thing: with the focus on speed and functionality
(e.g the screen driver redirection layer being removed from
nt 3.51 for the nt 4.0 release) NT has gone downhill to the
quality and security of windows 3.1 - but for worse, because
of the hundred fold increase in code to audit.


another hint is that they are focussing on network access so
presumably that means writing a special / modified VMware network
driver.


... anyway, what's this got to do with SE/Linux? :)

no.

you don't think they're seriously considering running SE/Linux
in those vmware sessions do you?



On Wed, May 26, 2004 at 04:49:00PM -0700, Chris Babcock wrote:
> > Stephen Smalley wrote:
> >> Looks like Microsoft is indeed pushing an XP-based NetTop
> >> called Trusted Multi-Net/Typhon XP, e.g.:
> >>
> >> http://www.computerweekly.com/Article123730.htm
> >>
> > http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8432d
> > 5/Trusted%20Multi-Net%20for%20SSE%202003.ppt
> >
> 
> Interesting.
> 
> The slides indicate that in their system threads are able to change what
> context they run in.
> 
> It makes me wonder if they have some magic to prevent threads from
> poluting shared data (unlikely), or if it is just a hack to avoid process
> vs. thread design issues on windows.
> 
> -Chris
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Dr. Eugene D. Myers]

On 5/27/04 04:07, "Luke Kenneth Casson Leighton" <lkcl@lkcl.net> wrote:

> 
> "The goal is to build on National Security Agency (NSA) research using
> virtual machines to provide separation of security domains on one
> desktop.
> 
> The effort uses VMware 3.02, which has already been evaluated by the
> NSA. There are also plans to add support for Microsoft's Virtual Machine
> Monitor. "
> 
> 
> 
> vmware, as you are no doubt aware, runs an entirely separate x86
> virtual machine (for which they have licensed phoenix bios).
> 
> so it's completely compartmentalised and you do not need to add
> in any security into the host OS other than banning it from
> network access.


Not true.  VMWare executes as an application and it uses the host OS for
access to files, devices, etc.  For example, VMWare's virtual disks are, in
reality, files and, therefore, a virtual machine's access to its virtual
disk, etc. is controlled by the operating system.

In NetTop, each virtual machine is assigned a specific type (for example,
vm1_d) and the files that contain the virtual disks are assigned a different
type (for example, vm1_t).  Each virtual machine type vmX_d (where X is an
arbitrary number) can only access files (virtual disks) of type vmX_t.

The restriction means that each virtual machine can only access only its
virtual disks.

In NetTop, the SELinux policy is written such that -->Only<-- only a VM can
access a virtual disk and only its associated virtual disk.  No other
process (including other VM's) has permission to access a VM's virtual disk.
This includes processes that execute with root permission.

This is a significant point.  In systems, where data separation is
important, being able to show that data cannot flow (in this case from one
VM to another, which can happen if a VM gains access to another VM's virtual
disk) is an important property of a mandatory policy.  In the NetTop policy,
the VMware virtual machines are isolated from the rest of the system and
data flows into and out of a virtual machine, only if the policy allows it.

> 
> this is a _goooood_ thing: with the focus on speed and functionality
> (e.g the screen driver redirection layer being removed from
> nt 3.51 for the nt 4.0 release) NT has gone downhill to the
> quality and security of windows 3.1 - but for worse, because
> of the hundred fold increase in code to audit.
> 
> 
> another hint is that they are focussing on network access so
> presumably that means writing a special / modified VMware network
> driver.
> 
> 
> ... anyway, what's this got to do with SE/Linux? :)
> 
> no.
> 
> you don't think they're seriously considering running SE/Linux
> in those vmware sessions do you?
> 
> 
> 
> On Wed, May 26, 2004 at 04:49:00PM -0700, Chris Babcock wrote:
>>> Stephen Smalley wrote:
>>>> Looks like Microsoft is indeed pushing an XP-based NetTop
>>>> called Trusted Multi-Net/Typhon XP, e.g.:
>>>> 
>>>> http://www.computerweekly.com/Article123730.htm
>>>> 
>>> http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8
>>> 432d
>>> 5/Trusted%20Multi-Net%20for%20SSE%202003.ppt
>>> 
>> 
>> Interesting.
>> 
>> The slides indicate that in their system threads are able to change what
>> context they run in.
>> 
>> It makes me wonder if they have some magic to prevent threads from
>> poluting shared data (unlikely), or if it is just a hack to avoid process
>> vs. thread design issues on windows.
>> 
>> -Chris
>> 
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Dr. Eugene D. Myers]

On 5/27/04 04:07, "Luke Kenneth Casson Leighton" <lkcl@lkcl.net> wrote:

> 
> "The goal is to build on National Security Agency (NSA) research using
> virtual machines to provide separation of security domains on one
> desktop.
> 
> The effort uses VMware 3.02, which has already been evaluated by the
> NSA. There are also plans to add support for Microsoft's Virtual Machine
> Monitor. "
> 
> 
> 
> vmware, as you are no doubt aware, runs an entirely separate x86
> virtual machine (for which they have licensed phoenix bios).
> 
> so it's completely compartmentalised and you do not need to add
> in any security into the host OS other than banning it from
> network access.
> 
> this is a _goooood_ thing: with the focus on speed and functionality
> (e.g the screen driver redirection layer being removed from
> nt 3.51 for the nt 4.0 release) NT has gone downhill to the
> quality and security of windows 3.1 - but for worse, because
> of the hundred fold increase in code to audit.
> 


Not true.  VMWare executes as an application and it uses the host OS for
access to files, devices, etc.  For example, VMWare's virtual disks are, in
reality, files and, therefore, a virtual machine's access to its virtual
disk, etc. is controlled by the operating system.

In NetTop, each virtual machine is assigned a specific type (for example,
vm1_d) and the files that contain the virtual disks are assigned a different
type (for example, vm1_t).  Each virtual machine type vmX_d (where X is an
arbitrary number) can only access files (virtual disks) of type vmX_t.

The restriction means that each virtual machine can only access only its
virtual disks.

In NetTop, the SELinux policy is written such that -->Only<-- only a VM can
access a virtual disk and only its associated virtual disk.  No other
process (including other VM's) have permission to access a VM's virtual
disk.  This includes processes that execute with root permission.

This is a significant point.  In systems, where data separation is
important, being able to show that data cannot flow (in this case from one
VM to another, which can happen if a VM gains access to another VM's virtual
disk) is an important property of a mandatory policy.  In the NetTop policy,
the VMware virtual machines are isolated from the rest of the system and
data flows into and out of a virtual machine, only if the policy allows it.

> 
> another hint is that they are focussing on network access so
> presumably that means writing a special / modified VMware network
> driver.
> 
> 
> ... anyway, what's this got to do with SE/Linux? :)
> 
> no.
> 
> you don't think they're seriously considering running SE/Linux
> in those vmware sessions do you?
> 
> 
> 
> On Wed, May 26, 2004 at 04:49:00PM -0700, Chris Babcock wrote:
>>> Stephen Smalley wrote:
>>>> Looks like Microsoft is indeed pushing an XP-based NetTop
>>>> called Trusted Multi-Net/Typhon XP, e.g.:
>>>> 
>>>> http://www.computerweekly.com/Article123730.htm
>>>> 
>>> http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8
>>> 432d
>>> 5/Trusted%20Multi-Net%20for%20SSE%202003.ppt
>>> 
>> 
>> Interesting.
>> 
>> The slides indicate that in their system threads are able to change what
>> context they run in.
>> 
>> It makes me wonder if they have some magic to prevent threads from
>> poluting shared data (unlikely), or if it is just a hack to avoid process
>> vs. thread design issues on windows.
>> 
>> -Chris
>> 
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Joshua Brindle]

> In NetTop, each virtual machine is assigned a specific type (for example,
> vm1_d) and the files that contain the virtual disks are assigned a different
> type (for example, vm1_t).  Each virtual machine type vmX_d (where X is an
> arbitrary number) can only access files (virtual disks) of type vmX_t.
> 
> The restriction means that each virtual machine can only access only its
> virtual disks.

on the slide entitled seperation it says that ACL's are used to protect 
the disk files so that rogue apps in a vm can't affect other vm's, 
additionally each vm's disk file is encrypted so that only the 'level' 
user can access it.

Obviously both of these things can be done with (SE)Linux but it appears 
  they thought about this already.

Joshua

> 
> In NetTop, the SELinux policy is written such that -->Only<-- only a VM can
> access a virtual disk and only its associated virtual disk.  No other
> process (including other VM's) have permission to access a VM's virtual
> disk.  This includes processes that execute with root permission.
> 
> This is a significant point.  In systems, where data separation is
> important, being able to show that data cannot flow (in this case from one
> VM to another, which can happen if a VM gains access to another VM's virtual
> disk) is an important property of a mandatory policy.  In the NetTop policy,
> the VMware virtual machines are isolated from the rest of the system and
> data flows into and out of a virtual machine, only if the policy allows it.
> 
> 
>>another hint is that they are focussing on network access so
>>presumably that means writing a special / modified VMware network
>>driver.
>>
>>
>>... anyway, what's this got to do with SE/Linux? :)
>>
>>no.
>>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

On Thu, May 27, 2004 at 06:52:33PM -0500, Joshua Brindle wrote:
> >In NetTop, each virtual machine is assigned a specific type (for example,
> >vm1_d) and the files that contain the virtual disks are assigned a 
> >different
> >type (for example, vm1_t).  Each virtual machine type vmX_d (where X is an
> >arbitrary number) can only access files (virtual disks) of type vmX_t.
> >
> >The restriction means that each virtual machine can only access only its
> >virtual disks.
> 
> on the slide entitled seperation it says that ACL's are used to protect 
> the disk files so that rogue apps in a vm can't affect other vm's, 
> additionally each vm's disk file is encrypted so that only the 'level' 
> user can access it.
 
  ha, you had me there for a minute: i seriously thought you were
  saying that microsoft recommended installing linux to baby-sit
  their flagship OS.

> Obviously both of these things can be done with (SE)Linux but it appears 
>  they thought about this already.

 it would seem to me that SE/Linux would be a better choice of OS
 to achieve this goal.

 1) linux code can be audited without dependence on a single vendor
    for their cooperation (or otherwise)

 2) at the choice of the user [, developer or admin] the code and
    applications can be cut away to an absolute minimum at runtime:
	a linux "thin client" to run VMware
 
 3) additional vetting of the behaviour of each vm session can be done
    including network access.

	it would be a bit painful to do such vetting without any cooperation
	from the VMware sessions, but definitely doable...

	... but it might be possible to... write a program that runs
	"other" programs and communicates with the host OS, and that
	program asks the SE/Linux system to perform domain transitions.

    [without such a program, it'd be necessary to run one VMware
	 session per application - or per "purpose".]


 just a thought.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[kris carlier]

Luke,

> > Obviously both of these things can be done with (SE)Linux but it appears
> >  they thought about this already.
>
>  it would seem to me that SE/Linux would be a better choice of OS
>  to achieve this goal.
>

something similar has been under development already for some time: SINA
http://www.bsi.bund.de/fachthem/sina/download/downloads.htm (in German)

One of the things on the planning is something similar as NetTop, first
read about it about 1 year ago. The company making this is Secunet (.de).

kr=


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Stephen Smalley]

On Thu, 2004-05-27 at 19:52, Joshua Brindle wrote:
> on the slide entitled seperation it says that ACL's are used to protect 
> the disk files so that rogue apps in a vm can't affect other vm's, 
> additionally each vm's disk file is encrypted so that only the 'level' 
> user can access it.
> 
> Obviously both of these things can be done with (SE)Linux but it appears 
>   they thought about this already.

ACLs are a poor substitute for MAC, e.g. see
http://marc.theaimsgroup.com/?l=selinux&m=104508693312829&w=2

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

On Tue, Jun 01, 2004 at 01:39:44PM -0400, Stephen Smalley wrote:

> On Thu, 2004-05-27 at 19:52, Joshua Brindle wrote:
> > on the slide entitled seperation it says that ACL's are used to protect 
> > the disk files so that rogue apps in a vm can't affect other vm's, 
> > additionally each vm's disk file is encrypted so that only the 'level' 
> > user can access it.
> > 
> > Obviously both of these things can be done with (SE)Linux but it appears 
> >   they thought about this already.
> 
> ACLs are a poor substitute for MAC, e.g. see
> http://marc.theaimsgroup.com/?l=selinux&m=104508693312829&w=2
 

 NT Security Descriptors (which contain ACLs) were pinched pretty
 much wholesale from VME / VMS, and they are a lot more comprehensive
 than what is described at that reference.

 NT security descriptors contain four ACLS:

 - a system mandatory acl
 - a system discretionary acl
 - a [user?] mandatory acl
 - a [user?] discretionary acl

 bizarrely all of those are optional and the usual default behaviour
 of an empty SD is "allow everything" which is about the only
 stupidity of the NT security model.

 NT ACLs themselves contain ACEs (access control entries) which
 themselves contain a SID (security identifier) and an oh i forget
 what call it a.. a... access permission set.

 SIDs are up to 6 32-bit words in length and consist of a domain
 prefix (long) and a suffix (only one, the last one, of the 32-bit
 words).

 access permissions are 32-bit - 16 of those bits are "generic"
 and consist of things like generic read, generic write, generic
 execute, then delete, access, etc. pretty much like capabilities,
 and then there are 16-bits which are designated for "service-specific"
 things.

 so a service can create up to 16 separate "capabilities".


 the only thing about the use of NT security descriptors is that they
 are implemented pretty much exclusively in USER SPACE.

 usually in those lovely DCE/RPC applications.

 there is very little in the way of kernel-level support for NT
 security descriptors, and what there is is self-contained and
 uses the same API as the user-space applications e.g. the NT
 SMB file server is all in kernel-space *gibber*.

 
 so, what _most_ people think of in "ACLs" is user and group and
 other read-write-execute lists, whereas in NT it's a lot more
 comprehensive and pervasive.

 and, due to the default of "allow everything if there's no SD"
 it's a pretty moot issue, silly people.

 as a developer, you make one mistake (add a new function and
 forget to correct support the user-space SDs) and NT's toast.

 l.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Richard Sharpe]

On Tue, 1 Jun 2004, Luke Kenneth Casson Leighton wrote:

>  NT security descriptors contain four ACLS:
>
>  - a system mandatory acl
>  - a system discretionary acl
>  - a [user?] mandatory acl
>  - a [user?] discretionary acl

This does not appear to be correct. From rpc_secdesc.h in source/include

typedef struct security_descriptor_info
{
        uint16 revision; /* 0x0001 */
        uint16 type;     /* SEC_DESC_xxxx flags */

        uint32 off_owner_sid; /* offset to owner sid */
        uint32 off_grp_sid  ; /* offset to group sid */
        uint32 off_sacl     ; /* offset to system list of permissions */
        uint32 off_dacl     ; /* offset to list of permissions */

        SEC_ACL *dacl; /* user ACL */
        SEC_ACL *sacl; /* system ACL */
        DOM_SID *owner_sid;
        DOM_SID *grp_sid;

} SEC_DESC;

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

On Tue, Jun 01, 2004 at 11:27:11PM -0700, Richard Sharpe wrote:
> On Tue, 1 Jun 2004, Luke Kenneth Casson Leighton wrote:
> 
> >  NT security descriptors contain four ACLS:
> >
> >  - a system mandatory acl
> >  - a system discretionary acl
> >  - a [user?] mandatory acl
> >  - a [user?] discretionary acl
> 
> This does not appear to be correct. From rpc_secdesc.h in source/include
> 
> typedef struct security_descriptor_info
> {
>         uint16 revision; /* 0x0001 */
>         uint16 type;     /* SEC_DESC_xxxx flags */
> 
>         uint32 off_owner_sid; /* offset to owner sid */
>         uint32 off_grp_sid  ; /* offset to group sid */
>         uint32 off_sacl     ; /* offset to system list of permissions */
>         uint32 off_dacl     ; /* offset to list of permissions */
> 
>         SEC_ACL *dacl; /* user ACL */
>         SEC_ACL *sacl; /* system ACL */
>         DOM_SID *owner_sid;
>         DOM_SID *grp_sid;
> 
> } SEC_DESC;

 hey, i wrote that - five years ago! :)

 thanks for the reminder, and the correction, richard.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

On Thu, May 27, 2004 at 01:43:44PM -0400, Dr. Eugene D. Myers wrote:

> In NetTop, each virtual machine is assigned a specific type (for example,
> vm1_d) and the files that contain the virtual disks are assigned a different
> type (for example, vm1_t).  Each virtual machine type vmX_d (where X is an
> arbitrary number) can only access files (virtual disks) of type vmX_t.
> 
> The restriction means that each virtual machine can only access only its
> virtual disks.
> 
> In NetTop, the SELinux policy is written such that -->Only<-- only a VM can
> access a virtual disk and only its associated virtual disk.  No other
> process (including other VM's) have permission to access a VM's virtual
> disk.  This includes processes that execute with root permission.
> 

 ... so, just because i'm curious, what am i missing.  
 
 i joked that there _is_ a link between linux and this
 secure windows XP: are you saying that that is in fact true?

 that microsoft is recommending that their operating system
 run as an application under a hosted secure OS (SE/Linux)???

 [that sounds like a slashdot "laugh it's funny" story to me]

 or, is it that the SElinux policies are available under windows
 xp (native OS) and that the version of vmware for windows XP
 is in fact being used to run more (secure) windows xp sessions?

 or, other?

 sincerely,

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: FW: XP as a base for NetTop

[Stephen Smalley]

Just FYI, there was a recent episode of the Screen Savers on TechTV
where NetTop and the role of SELinux was explained.  It will likely air
again later this week; you might try seaching for NSA tour on the TechTV
web site.

As Gene explained, SELinux serves as the host OS in NetTop and its
mandatory access controls play an important role in reinforcing the
separation of the VMs.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: FW: XP as a base for NetTop

[Luke Kenneth Casson Leighton]

On Wed, May 26, 2004 at 04:49:00PM -0700, Chris Babcock wrote:
> > Stephen Smalley wrote:
> >> Looks like Microsoft is indeed pushing an XP-based NetTop
> >> called Trusted Multi-Net/Typhon XP, e.g.:
> >>
> >> http://www.computerweekly.com/Article123730.htm
> >>
> > http://download.microsoft.com/download/4/f/8/4f89f896-f020-46d1-adc0-08a18c8432d
> > 5/Trusted%20Multi-Net%20for%20SSE%202003.ppt
> >
> 
> Interesting.
> 
> The slides indicate that in their system threads are able to change what
> context they run in.
> 
> It makes me wonder if they have some magic to prevent threads from
> poluting shared data (unlikely), or if it is just a hack to avoid process
> vs. thread design issues on windows.

NT's security model uses DCE/RPC applications to compartmentalise
pretty much everything.

the creation of new processes therefore takes a stunningly long time
(relatively speaking) due to having to go in and out of another
application in order to vet the user's access rights.

the advantage is that process creation can in theory be vetted
and controlled by a remote and centralised NT "primary domain
controller", with the obvious implications:

1) you always have to have a connection to \\yourpdc\PIPE\NETLOGON

2) process creation could be severely delayed if that connection is
   disrupted.

consequently, to avoid any significant delays, threading is highly
recommended in NT "services".

i presume that it is possible to cache security contexts and then
make a rapid switch to them?

makes me wonder why they didn't do the same sort of thing for processes.

oh well.

l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.