
Re: [MiNT] Security again



> > > And in what way do you decide if such a program has the right permissions?
> > 
> > Have a special flag, like the ones for memory mentioned, only allow it
> > for programs run as 'root' (well, IIRC that doesn't help much if you use an
> > AES, but...), or only allow it for 'AUTO-folder' programs.
> > Or any combination thereof.
> 
> Everybody can then set his own flags.

Note that I mentioned two other ways as well, but anyway:
- anyone can become root on his own machine
- whatever program you want can be put in the AUTO-folder before MiNT
- you can build your own kernel
- you can press the reset button   ;-)

> > > And it doesn't solve the problem itself. It only works around some
> > > side effects.
> > 
> > I don't think I follow you there.
> 
> Such a program can override every system function. You lose any security
> and system control.
> 
> How do you know what the program does?

The same way you know what Freedom, NVDI, WiNX, CKBD, etc do.
That is, you don't. But this is the system we already have.

I know certain people would want MiNT to be like Linux, but then you would
lose a very large portion of the programs we have for this machine.

> > My point was that you can't prevent current applications from using their
> > own vectors (or they will stop working), so the applications can get into
> > supervisor mode. End of story.
> 
> This is in general a problem that every application can get Super(). Bad
> concept.

Yes, but it is a concept we have and can do very little about without
breaking thousands of programs. I'm not happy about that myself, and I
would have run Linux instead on my Atari if I'd considered it fast enough.

> > I don't see how you can defend the current mechanism with absolutely _no_
> > control. Nothing can possibly be a more severe threat to stability than
> > completely unchecked vector bending, which is going on now.
> 
> You only see it from the point that you will control TRAP chaining. But

Well, that is the main benefit, but...

> there are also lot of other aspects and point of views.

...it wouldn't make things any worse for those.
Sure it isn't good to begin with, but most of us are aware of that.

> With control I don't mean the TRAP chaining control. I mean control over
> the system and the systemcalls.

Which this wouldn't change in any way if you only allow it for 'AUTO-folder'
programs.

> > If you could only name one thing that you would lose, it would be easier
> > to understand your reasoning.
> 
> system control, stability, system call control and so on.

See above, below and in most of my other letters about this.
I'm __not__ advocating this for application use!!

> > Perhaps you haven't read what I've written here?
> 
> Do you think so?

I don't know. It certainly sounds that way.
You've consistently managed to avoid every single sentence where I've mentioned
that I see that as a replacement for the unchecked vector bending that takes
place _before MiNT runs_.
That is after all where most such things happen. Especially when it comes to
hooking into actual system call vectors.

> > TraPatch wasn't that, it was a TSR that implemented some functionality by
> > itself. It certainly had nothing to do with MiNT (although I guess it could be
> > used together with it).
> 
> That's why I said you can look into the Trapatch src module that was
> integrated in MiNT in one beta version (1.15.3).

Thanks, but I'm not interested in that implementation since it has no bearing
on what I'm talking about.

> > Since MiNT isn't running when those programs are started, it doesn't have
> > any kind of control over what they do.
> 
> Yes, you don't need this control. Such control improves nothing.

I agree that it doesn't improve system security/stability much. It does a
little since MiNT could potentially unlink something by itself, in some cases,
rather than letting the system crash due to a vector pointing into the blue.

> > > Your idea is to (explicitly) give up that control.
> > 
> > I'm not giving up _any_ control.
> 
> Sorry, you explicitly give up any system control if applications can
> override system calls.

It seems I was right in assuming that you don't read what I write.
I've _never_ claimed that this was something applications should use.
It's _very_ simple for MiNT to prevent that from happening. Just make
the function unusable as soon as the last 'AUTO-folder' program has loaded.

-- 
  Chalmers University   | Why are these |  e-mail:   rand@cd.chalmers.se
     of Technology      |  .signatures  |            johan@rand.thn.htu.se
                        | so hard to do |  WWW/ftp:  rand.thn.htu.se
   Gothenburg, Sweden   |     well?     |            (MGIFv5, QLem, BAD MOOD)
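The mechanism argued for in the message above (a kernel-mediated TRAP chain that is open only while 'AUTO-folder' programs load, is sealed afterwards, and lets the kernel unlink a crashed program's hooks instead of leaving a vector pointing "into the blue") modelled as an added example in C. This is illustration code written for this page, not MiNT or TraPatch source; the vector count, the hook table size, the owner ids and the "argument filter" shape of a hook are constructed simplifications.

```c
#include <stdbool.h>
#include <stdio.h>

#define NVEC    8   /* constructed: a small table of TRAP vectors */
#define MAXHOOK 4   /* constructed: hooks allowed per vector */

typedef long (*trap_fn)(long arg);
struct hook { int owner; trap_fn fn; };

static struct hook chain[NVEC][MAXHOOK];
static int  nhooks[NVEC];
static bool chaining_open = true;  /* true while AUTO-folder programs load */

/* The kernel's own handler for every vector in this simplified model. */
static long base_handler(long arg) { return arg * 2; }

/* Called once after the last AUTO-folder program has run: from here on the
   install function is unusable, which is the lockdown the message proposes. */
void seal_trap_chaining(void) { chaining_open = false; }

/* Install a hook on behalf of 'owner' (an id the kernel assigned the program).
   Returns 0 on success, -1 once sealed or if the vector/table is invalid/full.
   Hooks are recorded by the kernel; nobody writes raw vector addresses. */
int trap_hook_install(int vec, int owner, trap_fn fn) {
    if (!chaining_open || vec < 0 || vec >= NVEC || nhooks[vec] >= MAXHOOK || !fn)
        return -1;
    chain[vec][nhooks[vec]++] = (struct hook){ owner, fn };
    return 0;
}

/* Remove every hook belonging to 'owner' (e.g. after it crashed) so the chain
   stays consistent. Returns the number of hooks removed. */
int trap_hook_unlink_owner(int owner) {
    int removed = 0;
    for (int v = 0; v < NVEC; v++) {
        int keep = 0;
        for (int i = 0; i < nhooks[v]; i++) {
            if (chain[v][i].owner == owner) removed++;
            else chain[v][keep++] = chain[v][i];
        }
        nhooks[v] = keep;
    }
    return removed;
}

/* Dispatch: hooks run in install order, each may transform the argument, then
   the kernel handler runs. Returns -1 for an invalid vector. */
long trap_dispatch(int vec, long arg) {
    if (vec < 0 || vec >= NVEC) return -1;
    for (int i = 0; i < nhooks[vec]; i++) arg = chain[vec][i].fn(arg);
    return base_handler(arg);
}

/* Constructed sample hooks standing in for two AUTO-folder programs. */
long hook_add_one(long a)   { return a + 1; }
long hook_times_ten(long a) { return a * 10; }
```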