l4-hurd

Re: Challenge: Find potential use cases for non-trivial confinement


From: Bas Wijnen
Subject: Re: Challenge: Find potential use cases for non-trivial confinement
Date: Tue, 2 May 2006 01:32:08 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Mon, May 01, 2006 at 05:14:41PM -0600, Christopher Nelson wrote:
> > No, it isn't, and yes, it may need to be replaced.  IMO this 
> > should only be possible when the OS isn't running, but 
> > mounted on a different system.
> > Theoretically it can be done while it is running as well, of course.
> 
> Do not take this offensively, but don't you think it's a little silly to
> require a person to mount the storage on another system before
> upgrading?

As I said, it is possible to do it while running.  But this is about the TCB:
that's the part that Jonathan is hoping to verify formally for correctness, if
I understood things correctly.  This is a very limited piece of code, which is
extremely well debugged.  It is unlikely that it needs fixing or upgrading
after a period of stabilizing.  No features are added to this part.  The few
bugs that may initially be in it will be fixed.  Upgrades to it are extremely
rare.  And extremely dangerous.  This is exactly the reason I want to demand a
reboot: when rebooting, it cannot be prevented anyway, and people will notice
a reboot, so it's harder to sneak things in.  Also, I think it's a good idea
if there really aren't any capabilities in the system for this task.  If they
don't exist, they cannot be caught by malicious parties.

> Or do you mean that the upgrader would simply be the new
> version of the OS, perhaps running off of a CD?

Possibly, but I was thinking of a special upgrade program, which knows how to
modify a snapshot image.  Running off of a CD is likely, to avoid the need of
a special partition for it.

> Still, patching an OS shouldn't require a reboot.  Not even MS requires
> a reboot for most patches anymore.

This isn't just the OS.  This is the TCB.  That is only the central part,
which is extremely sensitive.  If something goes wrong there, the whole system
is compromised.  This is not something that should be risked for a triviality
such as convenience, IMO.

Any other part of the OS (and that's almost everything) can indeed be upgraded
without a reboot.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html


