Re: setuid vs. EROS constructor
From: Jonathan S. Shapiro
Subject: Re: setuid vs. EROS constructor
Date: Mon, 24 Oct 2005 22:29:21 -0400

On Mon, 2005-10-24 at 23:25 +0200, Bas Wijnen wrote:
> On Mon, Oct 24, 2005 at 04:00:05PM -0400, Jonathan S. Shapiro wrote:
> > The predictor needs access to the file system to make its prediction,
> > and this is *precisely* the access that we must not give it! Even
> > disclosing the *names* of my files to the hostile code must not occur.
>
> This is where confinement comes in. Since constructors can guarantee this, we
> can know that the predictor cannot communicate with anyone, in particular with
> the program it predicts for. We give it read only access to the whole file
> system, and simply ignore everything it does except the prediction.

It doesn't work. Even if the file system is read-only, the files
themselves are not. Remember that in a persistent system many entities
named in the directory space are actually processes. The kernel has no
way to enforce the read-only restriction for IPCs to those processes,
because it does not know what they do.

shap
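
Added example, not part of the original message and not EROS or Hurd code: a toy Python model of the objection in the reply above, where a read-only directory view still hands out names that are bound to processes. All names (`DataFile`, `ServiceProcess`, `ReadOnlyDirectory`, `predictor`) are hypothetical, and the model assumes the read-only restriction is enforced only on the directory interface.

```python
# Toy model, constructed for illustration only.
class DataFile:
    """Passive object: a read-only restriction on it is meaningful."""
    def __init__(self, data):
        self._data = data
    def read(self):
        return self._data

class ServiceProcess:
    """Active entity bound to a name; it decides what an IPC does."""
    def __init__(self):
        self.log = []
    def ipc(self, msg):
        self.log.append(msg)  # state change the kernel cannot classify as a write
        return "ok"

class Directory:
    def __init__(self):
        self._entries = {}
    def bind(self, name, obj):
        self._entries[name] = obj
    def lookup(self, name):
        return self._entries[name]
    def names(self):
        return sorted(self._entries)

class ReadOnlyDirectory:
    """Read-only view: no bind(), but lookup() returns whatever is named."""
    def __init__(self, directory):
        self._d = directory
    def lookup(self, name):
        return self._d.lookup(name)
    def names(self):
        return self._d.names()

def predictor(fs):
    """Stand-in for the confined predictor; it holds only the read-only view."""
    listing = fs.names()
    for name in listing:
        target = fs.lookup(name)
        if hasattr(target, "ipc"):         # a process, not a passive file
            target.ipc(",".join(listing))  # an ordinary IPC, not a directory write
    return "prediction"

def run_demo():
    root = Directory()
    root.bind("notes.txt", DataFile(b"private"))  # constructed sample entries
    svc = ServiceProcess()
    root.bind("printer", svc)
    before = root.names()
    result = predictor(ReadOnlyDirectory(root))
    return result, before == root.names(), svc.log
```

`run_demo()` shows the directory namespace unchanged while the process bound to `printer` now holds the file names, which any other holder of that process can observe.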