[Savannah-hackers] [ 100653 ] What SSE should do

savannah-hackers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers] [ 100653 ] What SSE should do

From:	nobody
Subject:	[Savannah-hackers] [ 100653 ] What SSE should do
Date:	Tue, 26 Mar 2002 07:08:49 -0500

Support Request #100653, was updated on 2002-Mar-26 12:11
You can respond by visiting: 
http://savannah.gnu.org/support/?func=detailsupport&support_id=100653&group_id=11

Category: None
Status: Closed
Priority: 5
Summary: What SSE should do

By: yeupou
Date: 2002-Mar-26 13:08

Message:
Logged In: YES 
user_id=1896
Browser: Mozilla/5.0 Galeon/1.2.0 (X11 ; GNU / Linux 2.4.17 i686 ; fr_FR)

I'm sorry but I dont understand the connection between what
you are talking about and the savannah project.

This forum is only about the savannah project, not about
each project hosted by savannah.
Sorry.

Discuss about this to the proper mailing-list or forum.

----------------------------------------------------------------------

By: grrp
Date: 2002-Mar-26 12:11

Message:
Logged In: NO 
Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; AxtelNet2)

Hello,

I've read almost all the gnudotnet, and pnet websites. 
All that sounds great. I have ideas, and I'm not sure 
if they are suitable, so, think of it as a brain-
storm. I am not a security consultant, so, read rather 
sceptically, but may be... Well, to the point.

I think of the SSE as the main daemon that should be 
(almost) the same on servers and clients, so you can 
execute the same code into both boxes. As a secure 
space, it must restrict the potential damages to the 
system and user areas. The system can be "easily" 
protected, but the user areas are more exposed, 
because the programs sometimes should "touch" the user 
data, to handle it.

I have already a secure box embeeded into my insecure 
windows. This secure box is a macintosh emulator. It 
provides a hardware emulation (wow!), including:
- Memory space
- Disk space
- CPU cycles & architecture
- ROM and other stuff
- Network interface (it really does not provide this, 
but think of it as if it were)
- etc. (think here any virtual device you want)

You got it. This approach is simpler, maybe slow, 
memory-consuming and has the inherent problems of 
emulators. But effective, programs surely will never 
have access to my windows files, other than the 
assigned loopback-device file. We can think on how to 
merge advantages of an emulator and a daemon, on how 
to provide a mini-kernel-with-plugins to our secure 
box, and so on.

Ok, for now, forget the emulator idea, and go on with 
more important things about SSE. The implementation, 
must contain, from my point of view:

- Its own file-system for protecting the system and 
user data (only for data). This implementation must 
discard sysadmin intervention, because the vast 
majority of home users -rather home sysadmins- doesn't 
care about it. This may be a (variable-size) loopback 
device. It would be possible to let the user restrict 
or grant access to his files to a program. If the user 
had deny access to his files, the daemon should 
provide an empty loopback disk space to the app, so 
the app should still work, but without seeing any 
existing file, and still can write something. The user 
should be able to copy files from his main space to 
the new loopback space, in order to let him modify 
some files using (or testing) the app. That would be 
totally safe. Each user (including the system-assigned 
user) could have its own loopback device. That way, 
replication could use some kind of raid-arrays 
algorithm.

- A memory manager, that: create a unique space for 
each process. That should be limited by a safe maximum.

- SSE may run its own authentication engine. This way, 
accounts data (user name, password, etc.) should be in 
the system special space (memory and disk), totally 
unaccesible from a user program or any plugin. That 
way, it should be nearly impossible to miss a 
configuration. "Do not hire a cop for giving 
permissions, assign it yourself". Otherwise, how will 
authenticate the security plugin itself? This engine 
should forbid by default any inter-process 
comunication for client-processes having diffent 
access levels.

- Each never-executed program should automatically 
obtain a new user account, that contains the username, 
for logging purposes. You will figure out more closely 
what happened in that failed attack :)

- The network interfaces should be limitable by the 
daemon, and it should take some precautions about 
attacking. Any communication should be encrypted, 
avoiding network sniffings.

- All the underlying bytecode plugins should execute 
their processes passing all the system calls through 
the SSE daemon, allowing it to: 1) create 
disk/memory/process spaces on-demand, 2) autenticate 
actions, 3) limit resources, 4) log, 5) integrate 
configurations. An example of the configuration 
integration should be: The client code request a new 
object of class "fooclass", but it does not know at 
which machine it is hosted. The daemon knows that it 
is located in the "abc.foo.com", and it will pass the 
encrypted request to "abc.foo.com", providing the user 
autentication data. All that will be transparent to 
the application, but more interesting, will be 
transparent to the bytecode engines.

Special care should be taken with the last point. 
Without concentrating system calls in the SSE daemon, 
will cause that the bytecode engines have to do each 
check itself using libs, or to pass calls to the 
indicated plugin, in order to address disk/filesystem, 
memory, network, process and/or auth operations. Then, 
for what is the Security Environment? Other unwanted 
side effects if you don't keep together that things 
would be: 1) you couldn't be able to modify security 
issues easily, and 2) in case you do, you had not be 
able to distribute the SSE independently of the other 
gnudotnet components (something like this happens with 
gnome or kde: I can't install only the new core 
components, and stay running successfully the apps. I 
have to download all the daemons, libraries and apps 
together, because very often the components become 
incompatible between them).

Apps should be that: apps. VMs should be only bytecode 
interpreters, not other. And the security layer should 
control ALL security issues, centralized in one place.

My ideas sounds like a new operating system, but it 
isn't. I think of it only as a portable 
framework/server that will provide safety to a running 
and existing environment.



Well, sorry, very much if all that was boring, but I'm 
very interested in the project, and think I cannot 
write such an advanced code (yet :-)

Regards,



----------------------------------------------------------------------
You can respond by visiting: 
http://savannah.gnu.org/support/?func=detailsupport&support_id=100653&group_id=11

[Prev in Thread]

Current Thread

[Next in Thread]

[Savannah-hackers] [ 100653 ] What SSE should do, nobody, 2002/03/26
- [Savannah-hackers] [ 100653 ] What SSE should do, nobody <=

Prev by Date: [Savannah-hackers] Re: Removal of modules in CVS
Next by Date: [Savannah-hackers] Cron <address@hidden> sf_stat
Previous by thread: [Savannah-hackers] [ 100653 ] What SSE should do
Next by thread: [Savannah-hackers] savannah.gnu.org: submission of Alqua
Index(es):
- Date
- Thread