From owner-freebsd-chat Fri Oct 17 21:32:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA26730 for chat-outgoing; Fri, 17 Oct 1997 21:32:36 -0700 (PDT) (envelope-from owner-freebsd-chat)
Received: from obie.softweyr.ml.org ([199.104.124.49]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA26724 for ; Fri, 17 Oct 1997 21:32:25 -0700 (PDT) (envelope-from wes@xmission.com)
Received: (from wes@localhost) by obie.softweyr.ml.org (8.7.5/8.6.12) id WAA14607; Fri, 17 Oct 1997 22:39:16 -0600 (MDT)
Date: Fri, 17 Oct 1997 22:39:16 -0600 (MDT)
Message-Id: <199710180439.WAA14607@obie.softweyr.ml.org>
From: Wes Peters
To: Terry Lambert
CC: chat@freebsd.org
Subject: Re: C2 Trusted FreeBSD?
In-Reply-To: <199710171817.LAA16458@usr06.primenet.com>
References: <199710171817.LAA16458@usr06.primenet.com>
Sender: owner-freebsd-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Terry Lambert writes:
> > >Or in other words - C2 or not, we are going to need a modified ffs that
> > >properly overwrites the freed (via unlink, truncate or other means)
> > >storage on disk anyways?
> >
> > Not my area of expertise exactly, but from what I gather, yes.  This would
> > eat tremendous amounts of precious I/O, unless I suppose it was done at
> > idle times, but that might defeat the purpose of it.
>
> This should be done on a block by block basis, and could be done
> in a stacking layer on top of a variable granularity block store.

Yes, and there are some strategies that could be adopted to minimize
the impact of this.  Disk blocks are not immediately freed, but rather
returned to a queue of blocks to be overwritten; once overwritten they
are marked as freed.  The overwrites could be interleaved with normal
disk I/O head stepping algorithms, and/or performed during idle I/O
times unless needed in the free store.

It would be advantageous to allow multiple overwrite strategies as
well, specifying no overwrite for low-security situations like my
workstation at home, behind an infrequently connected firewall; single
overwrite for situations where you're not completely paranoid about
your user base, and multiple-overwrite with varying patterns for
FreeBSD systems installed in ballistic missile submarines.  ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                        Softweyr LLC
http://www.xmission.com/~softweyr        softweyr@xmission.com
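
The deferred-overwrite queue and the three overwrite strategies described in the message above, as an added example in C that is not code from the post or from FreeBSD. It simulates the block store in memory; the names (`blk_release`, `scrub_idle`, `blk_alloc`), the sizes and the overwrite patterns are all assumptions.

```c
#include <stdint.h>
#include <string.h>

#define NBLK 8                          /* constructed sizes for the simulation */
#define BSZ  16

enum policy { NO_OVERWRITE, SINGLE_OVERWRITE, MULTI_OVERWRITE };
enum state  { FREE, IN_USE, DIRTY };    /* DIRTY: released, not yet overwritten */

static uint8_t disk[NBLK][BSZ];         /* in-memory stand-in for the block store */
static enum state st[NBLK];
static int dirtyq[NBLK], qhead, qlen;   /* FIFO of blocks awaiting overwrite */
static enum policy pol = SINGLE_OVERWRITE;

/* Overwrite one block; a real layer would issue each pass as a device write. */
static void scrub(int b) {
    static const uint8_t pat[] = { 0xFF, 0xAA, 0x55, 0x00 };  /* assumed patterns */
    size_t i = (pol == MULTI_OVERWRITE) ? 0 : sizeof pat - 1;
    for (; i < sizeof pat; i++)
        memset(disk[b], pat[i], BSZ);
    st[b] = FREE;                       /* only now does it rejoin the free store */
}

/* Release queues the block for overwrite unless the policy turns overwriting off. */
void blk_release(int b) {
    if (b < 0 || b >= NBLK || st[b] != IN_USE) return;  /* ignore bad/double release */
    if (pol == NO_OVERWRITE) { st[b] = FREE; return; }
    st[b] = DIRTY;
    dirtyq[(qhead + qlen++) % NBLK] = b;
}

/* Called at idle I/O time: overwrite up to `budget` queued blocks. */
int scrub_idle(int budget) {
    int n = 0;
    for (; qlen > 0 && n < budget; n++, qlen--) {
        scrub(dirtyq[qhead]);
        qhead = (qhead + 1) % NBLK;
    }
    return n;
}

/* Allocate a FREE block; if none, overwrite one queued block on demand. */
int blk_alloc(void) {
    for (int pass = 0; pass < 2; pass++) {
        for (int b = 0; b < NBLK; b++)
            if (st[b] == FREE) { st[b] = IN_USE; return b; }
        if (scrub_idle(1) == 0) break;
    }
    return -1;                          /* nothing free and nothing to scrub */
}
```

The property to check is that `blk_alloc` never returns a block still in the `DIRTY` state: when the free store is empty it pays the overwrite cost at allocation time instead of handing out old contents.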