2000-03-27-14:32:41 Paul D. Robertson:
> > If I wanted to build a secure server, I'd have more confidence
> > in a well-seasoned open source OS running suitably-chosen
> > components, like e.g. openssh, postfix or qmail, dnscache, and
> > so forth.
>
> So what about an open-source OS with sort-of-B1ish security built
> in?

The best of all possible worlds!

> http://www.rsbac.de/

Thanks for the ptr; I'll check that out.

> Or are you of the opinion that real ACLs, MAC, role-based access,
> etc. aren't useful to restrict compromise to the subset of
> suitably-chosen components which may still have bugs, or the list
> of not-as-suitably-chosen as you would have liked people?

Not at all. Such bits (mjr coined a lovely phrase "orange book fairy
dust blown onto an operating system") are a great idea, I've been
looking forward to using them for many applications for some time.
Basically, I think of their use in terms of sandboxing. The first
thing I'll do when I can get 'em is wrap every web browser, every
MUA, every other complex multi-media-handling gizmo that deals with
untrusted input, so when they blow the shrapnel can't take out the
entire system.

The other thing I'll be doing immediately is trying to come up with
ways to express intended security models for software subsystem
interactions, so I can tell it to the security features of the OS,
so they can keep an eye out and make sure nothing slips up.

One of my favourite examples is PCASSO, where the architectural
design of the system was cast in such terms that the communication
assumptions could be enforced by the OS and trusted database
implementation. That sort o' stuff is _cool_.

Has nothing to do with certification, though, and that's where I was
grousing.

-Bennett
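The two ideas in the message above (wrapping untrusted-input handlers in a sandbox so a compromise stays contained, and expressing the intended interaction model in a form the OS can enforce) are, in B1-style systems, a combination of labelled mandatory access control and type-enforcement domains. The following toy reference monitor is an added illustration, not code from the thread, from RSBAC or from any real operating system; every domain, type, level and file name in it is constructed for the example. It evaluates both a type-enforcement rule table (default deny) and the two classic MLS properties (no read up, no write down) on every access, and records each denial with its reason so a watcher can spot a sandboxed application straying outside its intended model.

```python
"""Toy reference monitor: MLS labels plus type-enforcement domains.

Added illustration for the thread above, not code from the original
message, from RSBAC or from any real OS. Domain, type and level names
are constructed for the example.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels (B1-style labels); higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    domain: str   # type-enforcement domain, e.g. "browser_t" (constructed name)
    label: Label


@dataclass(frozen=True)
class Obj:
    name: str
    type_: str    # type-enforcement type, e.g. "browser_cache_t" (constructed name)
    label: Label


@dataclass
class Policy:
    # (domain, type) -> set of permitted operations; anything absent is denied.
    allow: dict = field(default_factory=dict)
    # Denials are recorded so a monitor can watch for a sandboxed app misbehaving.
    audit: list = field(default_factory=list)

    def permit(self, domain: str, type_: str, *perms: str) -> None:
        self.allow.setdefault((domain, type_), set()).update(perms)

    def check(self, subj: Subject, obj: Obj, perm: str) -> bool:
        reasons = []
        # Type enforcement: the domain must be explicitly allowed this op on this type.
        if perm not in self.allow.get((subj.domain, obj.type_), set()):
            reasons.append("te")
        # MLS simple-security property: no read up.
        if perm == "read" and not subj.label.dominates(obj.label):
            reasons.append("mls-read-up")
        # MLS *-property: no write down.
        if perm == "write" and not obj.label.dominates(subj.label):
            reasons.append("mls-write-down")
        if reasons:
            self.audit.append((subj.name, obj.name, perm, ",".join(reasons)))
            return False
        return True


def build_policy() -> Policy:
    """Intended model: each untrusted-input handler touches only its own data."""
    p = Policy()
    p.permit("browser_t", "browser_cache_t", "read", "write")
    p.permit("browser_t", "home_t", "read")
    p.permit("mua_t", "mail_spool_t", "read", "write")
    p.permit("mua_t", "home_t", "read")
    p.permit("sysadm_t", "system_conf_t", "read", "write")
    return p


def demo() -> dict:
    """Constructed subjects and objects; returns each access decision by name."""
    p = build_policy()
    browser = Subject("web-browser", "browser_t", Label("internal"))
    mua = Subject("mail-reader", "mua_t", Label("secret"))
    cache = Obj("~/.cache", "browser_cache_t", Label("internal"))
    shadow = Obj("/etc/shadow", "system_conf_t", Label("secret"))
    plans = Obj("~/plans.txt", "home_t", Label("secret"))
    spool = Obj("/var/mail/user", "mail_spool_t", Label("secret"))
    decisions = {
        "browser_read_cache": p.check(browser, cache, "read"),
        "browser_write_cache": p.check(browser, cache, "write"),
        "browser_read_shadow": p.check(browser, shadow, "read"),
        "browser_read_plans": p.check(browser, plans, "read"),
        "mua_read_plans": p.check(mua, plans, "read"),
        "mua_write_cache": p.check(mua, cache, "write"),
        "mua_write_spool": p.check(mua, spool, "write"),
    }
    return {"decisions": decisions, "audit": p.audit}


if __name__ == "__main__":
    for k, v in demo()["decisions"].items():
        print(f"{k}: {'allow' if v else 'deny'}")
```

The point worth noticing is that the two mechanisms deny different things: the browser is refused `/etc/shadow` by the type-enforcement table (no rule at all) and by the label lattice (internal may not read secret), while it is refused the user's secret document by the lattice alone, since the rule table does let it read home files. Evaluating both checks and logging every reason, rather than stopping at the first denial, is what makes the audit trail useful when a sandboxed component has been compromised and starts probing.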