* separate kernel modules
@ 2001-07-30 12:42 king killer
  2001-07-30 22:28 ` Martin Stricker
  0 siblings, 1 reply; 6+ messages in thread
From: king killer @ 2001-07-30 12:42 UTC (permalink / raw)
  To: SELinux

Hello,
I'm new here, so I'm sorry if I say something someone else has already proposed.
1 (or 2) days ago I read a text on how to infiltrate a Linux system through modules, and here comes my idea.
The kernel modules themselves shall be separated.
For example, a sound driver does not need to be able to access any other I/O ports than the ones needed to use sound.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: separate kernel modules
@ 2001-07-31  3:18 Jonathan Day
  0 siblings, 0 replies; 6+ messages in thread
From: Jonathan Day @ 2001-07-31  3:18 UTC (permalink / raw)
  To: selinux, shugal

HURD (as is) uses the Mach microkernel, which (frankly) is the pits.

The L4 microkernel (which you can see in L4Linux) is a better design, but still not brilliant. There's still a 14% slow-down for some functions.

About the most extreme design is MIT's Exokernel. This takes everything that a microkernel leaves in, and places it in user space. For security, the Exokernel design looks extremely promising, although MIT seems to have abandoned it.

Another kernel design that looks interesting is EROS, which is designed to be secure from the outset.

IMHO, though, separation is not the answer. Secure boundaries would be much better, as modules have considerable power. If the scope of a module is confined and pre-determined, you should be able to mathematically prove the security.

To be honest, I think that it's about time that somebody DID audit the entirety of the Linux core. Not just run some pre-compiler, such as the Stanford Validator, but formally prove each of the core functions correct.

I'm limiting this to the core, as the boundaries of Linux are expanding just too fast to make it viable to start auditing it.

(The FOLK project, that I maintain, is now almost the same size as the Linux kernel it's supposed to patch! And it doesn't even begin to scratch the surface of what patches exist for Linux.)

Further, if you prove the core (including the module-handling code), then you've proved everything you need to. Any rogue module CANNOT impact any other part of the kernel, simply because that would violate the pre/post conditions of the module-handler.





^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: separate kernel modules
@ 2001-07-31  8:59 king killer
  2001-07-31 10:47 ` Dale Amon
  0 siblings, 1 reply; 6+ messages in thread
From: king killer @ 2001-07-31  8:59 UTC (permalink / raw)
  To: selinux

First,
I know the Hurd.
Second,
L4 is a great design.
Third,
if you really read the Exokernel manual you will see that it
is much more than a microkernel, since it handles network messages, HD blocks etc.
Fourth,
to separate kernel modules, another instance (a first-level kernel) would be needed that would handle resource registration for kernel modules, which would then run in ring 1. The problem is that if you want to securely separate them, you have to put them into multiple segments. Then a call from one module to another would include a call to the first-level kernel. For all this, stub routines could be made which would be mapped into every module segment, and the module calls would point to the stub routine, which would do the right call to the 1st-lv-kernel. There would be no need to change the modules greatly, but the Linux kernel would have to be completely modularized.


^ permalink raw reply	[flat|nested] 6+ messages in thread
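
Added example, not part of any message in this thread: a user-space C model of the mediation the thread proposes, where a first-level kernel records which I/O port ranges each module registered (the sound-driver case from the first message) and is the only path for calls between modules (the stub routine from the last message). Every name (`flk_*`, `MOD_*`) and the port numbers are hypothetical, and the hardware side (ring 1, separate segments) is not modelled.

```c
/* User-space model of the mediation logic only; every name here is hypothetical. */
#include <stdio.h>
#define MAX_GRANTS 8
#define MAX_MODS   4
enum { MOD_SOUND, MOD_DISK, MOD_FS };
struct grant { int mod; unsigned lo, hi; };         /* I/O port range owned by one module */
typedef int (*entry_fn)(int arg);
static struct grant grants[MAX_GRANTS];
static int n_grants;
static entry_fn entries[MAX_MODS];                  /* one exported entry point per module */
static unsigned char may_call[MAX_MODS][MAX_MODS];  /* caller -> callee policy */

/* Resource registration: refuse invalid ranges and ranges another module already holds. */
int flk_register_ports(int mod, unsigned lo, unsigned hi) {
    if (mod < 0 || mod >= MAX_MODS || lo > hi || n_grants == MAX_GRANTS) return -1;
    for (int i = 0; i < n_grants; i++)
        if (lo <= grants[i].hi && grants[i].lo <= hi) return -1;
    grants[n_grants++] = (struct grant){ mod, lo, hi };
    return 0;
}

/* Checked before any port access performed on behalf of a module. */
int flk_port_allowed(int mod, unsigned port) {
    for (int i = 0; i < n_grants; i++)
        if (grants[i].mod == mod && port >= grants[i].lo && port <= grants[i].hi) return 1;
    return 0;
}

/* What the stub mapped into each module would invoke: the only inter-module call path. */
int flk_call(int caller, int callee, int arg) {
    if (caller < 0 || caller >= MAX_MODS || callee < 0 || callee >= MAX_MODS) return -1;
    if (!may_call[caller][callee] || !entries[callee]) return -1;
    return entries[callee](arg);
}

/* Disk module entry point; 0x1F0 is a constructed sample port inside its own grant. */
static int disk_read(int block) { return flk_port_allowed(MOD_DISK, 0x1F0) ? block * 2 : -1; }

void flk_demo_setup(void) {
    flk_register_ports(MOD_SOUND, 0x220, 0x22F);    /* constructed sample ranges */
    flk_register_ports(MOD_DISK, 0x1F0, 0x1F7);
    entries[MOD_DISK] = disk_read;
    may_call[MOD_FS][MOD_DISK] = 1;                 /* filesystem may call disk; sound may not */
}

int main(void) {
    flk_demo_setup();
    printf("sound on 0x1F0: %d, fs->disk: %d, sound->disk: %d\n", flk_port_allowed(MOD_SOUND, 0x1F0),
           flk_call(MOD_FS, MOD_DISK, 21), flk_call(MOD_SOUND, MOD_DISK, 21));
}
```
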
