ljknews writes:

> Date: Mon, 20 Dec 2004 13:16:59 -0500
> From: ljknews
> Subject: [SC-L] Re: DJB's students release 44 poorly-worded, overblown advisories
>
> At 11:09 AM -0500 12/20/04, Paco Hope wrote:
>
>> I mean, if these things are "remote exploits," I could say "The entire
>> OpenBSD operating system is remotely exploitable: if I email you an OpenBSD
>> binary and you execute it, I 0wn you." Well, duh.
>
> That risk is mitigated when an operating system has mandatory access
> controls (MAC) arranged so that users are not permitted to execute
> programs which they create or import. That capability is not quite
> within the Biba Integrity Extensions to the Bell-LaPadula model, but
> it is close.
>
> On most important systems there is no need for the users to be able
> to provide executables which they then run. Executables are provided
> by the system manager.
> --
> Larry Kilgallen
This should be no surprise. The Bell and LaPadula model and the Biba model were explicitly designed to deal with precisely this kind of Trojan horse threat. They both presume the presence of arbitrarily malicious application code. Bell and LaPadula prevents the malicious code from leaking copies of secret information to people who are not properly authorized. Biba prevents a process that is handling data that requires high integrity from either executing untrusted code or from reading untrusted data that could facilitate a data-driven attack. Biba constrains such a process to only executing trusted code and reading trusted data. Of course, deciding which code and data should be trusted is a much harder problem! See this paper for some ideas on handling that harder problem:

Schellhorn, G., W. Reif, A. Schairer, P. Karger, V. Austel, and D. Toll. Verification of a Formal Security Model for Multiapplicative Smart Cards. In 6th European Symposium on Research in Computer Security (ESORICS 2000), 4-6 October 2000, Toulouse, France. Lecture Notes in Computer Science Vol. 1895. Springer-Verlag. pp. 17-36.

- Paul
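The Biba strict-integrity rules Paul summarizes above (no read-down, no write-up, with execute treated as a read), written out as a small reference monitor. This is an added illustration, not code from either post; the integrity levels, file names and labels are constructed for the example.

```python
"""Biba strict-integrity rules as a small reference monitor.

Added illustration for this thread, not code from the original posts.
Integrity levels, file names and labels are constructed for the example.
"""
from enum import IntEnum


class Integrity(IntEnum):
    """Higher value means more trusted. Imported content starts UNTRUSTED."""
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


# Constructed labels: each object carries the integrity of its provenance.
OBJECTS = {
    "/bin/ls": Integrity.SYSTEM,              # installed by the system manager
    "/etc/passwd": Integrity.SYSTEM,
    "~/notes.txt": Integrity.USER,            # written by the user's own process
    "~/Downloads/tool": Integrity.UNTRUSTED,  # e-mailed binary, Paco Hope's scenario
}


def biba_allows(op: str, subject: Integrity, obj: Integrity) -> bool:
    """Strict integrity policy.

    read/execute: simple integrity ("no read down"): a subject may only take
        input, whether data or code, from objects at least as trusted as itself.
    write: integrity *-property ("no write up"): a subject may not launder
        low-integrity data into a more trusted object.
    """
    if op in ("read", "execute"):
        return obj >= subject
    if op == "write":
        return obj <= subject
    raise ValueError(f"unknown operation: {op}")


def create_object(subject: Integrity, path: str) -> Integrity:
    """A newly created object is labelled at its creator's level, the highest
    label the *-property permits that subject to write to."""
    OBJECTS[path] = subject
    return OBJECTS[path]


def check(op: str, subject: Integrity, path: str) -> bool:
    """Mediate one request against the labelled object store."""
    return biba_allows(op, subject, OBJECTS[path])
```

Under these rules a USER-level process is refused execution of the imported, UNTRUSTED-labelled binary, but may still execute a file it created itself (labelled USER), which is why Kilgallen calls a policy forbidding execution of user-created programs "not quite" Biba.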
