From owner-freebsd-net@FreeBSD.ORG  Fri Aug  9 19:20:25 2013
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id F039CCFA
 for <freebsd-net@freebsd.org>; Fri,  9 Aug 2013 19:20:25 +0000 (UTC)
 (envelope-from smb@cs.columbia.edu)
Received: from tarap.cc.columbia.edu (tarap.cc.columbia.edu [128.59.29.7])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id B10BA2C1A
 for <freebsd-net@freebsd.org>; Fri,  9 Aug 2013 19:20:25 +0000 (UTC)
Received: from [10.9.0.138] (fireball.cs.columbia.edu [128.59.13.10])
 (user=smb2132 mech=PLAIN bits=0)
 by tarap.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id r79ImYql025193
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT);
 Fri, 9 Aug 2013 14:48:35 -0400 (EDT)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: BPF_MISC+BPF_COP and BPF_COPX
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <5203535D.2040508@netbsd.org>
Date: Fri, 9 Aug 2013 14:48:34 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <38CDC9BB-09C7-4241-8746-163BD15B80EC@cs.columbia.edu>
References: <20130804191310.2FFBB14A152@mail.netbsd.org>
 <5202693C.50608@netbsd.org> <20130807175548.1528014A21F@mail.netbsd.org>
 <5203535D.2040508@netbsd.org>
To: darrenr@NetBSD.org
X-Mailer: Apple Mail (2.1508)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.7
Cc: tech-net@NetBSD.org, Mindaugas Rasiukevicius <rmind@NetBSD.org>,
 guy@alum.mit.edu, freebsd-net@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 19:20:26 -0000


On Aug 8, 2013, at 4:14 AM, Darren Reed <darrenr@NetBSD.org> wrote:
> 
> No. It's not about calling a function, it is about proving the BPF
> program is correct and secure.
> 
> BPF today is essentially assembly language operations that are all
> easily tested and verified.


There's a one-word summary: *assurance*.  With the current design,
it's easy to *know* what can happen.  With a Turing-complete extension,
it isn't.

Assurance is often what separates actually secure systems from ones that
are merely claimed to be secure.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb