
Re: Is this mail list dead?



Pedro Rosa wrote:

> Enforcing such
> things like C2 into the kernel from start, can give a huge cost in
> performance and may hinder other security schemes.

What makes you think that meeting the C2 (CAPP in CCese)
requirements is going to have a "huge cost" in performance?
What makes you think it will hinder other security schemes?
I've been building C2 and B1 systems since the 80's and
although I've seen bad implementations have performance
impact, I've also seen good ones that do not.

> C2 is one and only
> one of the possible security schemes one may consider for his tasks.

True.

> And, by itself, C2 is quite costly to be implemented (time, performance,
> stability and money are the factors).

The kernel bit (security audit trail) is not so bad.
What are your stability issues?

> Frankly, I would apply C2 only and
> exclusively in a very few cases.

C2 provides basic system functionality. UserIDs, Discretionary
Access Control (e.g. mode bits) are things U2X users don't
even think about.

> A C2 implementation should be something like how we see LIDS, FreeSWAN
> and other systems now - a patch. And give sysadmins/users the right to
> choose what they need.  Don't think that such thing becomes only
> valuable once Linus implements it as a main kernel feature.

In Irix audit is a module you can choose at installation time.
On Linux, we expect to make it available as a loadable module.
Or, if you prefer, you can compile any trace of it out.

Any pervasive kernel facility, and audit will be, no
question about that, that you try to maintain on the side
gets broken every time someone changes anything. I have years
of experience on this, and can show you the scars.

> I do prefer
> its relative "marginalisation" as this will force people to concentrate
> their efforts in the specificities of the task. It is preferable to
> fight incompatibilities rather than security breaches. When a security
> tool becomes too broad for use and development, it will have a bigger
> chance to be attacked, broken or bugged.  Setting C2 at the level of the
> main kernel development will surely give ground to such danger.

I do not find this argument at all compelling.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/