From owner-freebsd-net@FreeBSD.ORG Fri Aug 9 19:20:25 2013 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id F039CCFA for ; Fri, 9 Aug 2013 19:20:25 +0000 (UTC) (envelope-from smb@cs.columbia.edu) Received: from tarap.cc.columbia.edu (tarap.cc.columbia.edu [128.59.29.7]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B10BA2C1A for ; Fri, 9 Aug 2013 19:20:25 +0000 (UTC) Received: from [10.9.0.138] (fireball.cs.columbia.edu [128.59.13.10]) (user=smb2132 mech=PLAIN bits=0) by tarap.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id r79ImYql025193 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 9 Aug 2013 14:48:35 -0400 (EDT) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) Subject: Re: BPF_MISC+BPF_COP and BPF_COPX From: Steven Bellovin In-Reply-To: <5203535D.2040508@netbsd.org> Date: Fri, 9 Aug 2013 14:48:34 -0400 Content-Transfer-Encoding: 7bit Message-Id: <38CDC9BB-09C7-4241-8746-163BD15B80EC@cs.columbia.edu> References: <20130804191310.2FFBB14A152@mail.netbsd.org> <5202693C.50608@netbsd.org> <20130807175548.1528014A21F@mail.netbsd.org> <5203535D.2040508@netbsd.org> To: darrenr@NetBSD.org X-Mailer: Apple Mail (2.1508) X-No-Spam-Score: Local X-Scanned-By: MIMEDefang 2.68 on 128.59.29.7 Cc: tech-net@NetBSD.org, Mindaugas Rasiukevicius , guy@alum.mit.edu, freebsd-net@freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Aug 2013 19:20:26 -0000 On Aug 8, 2013, at 4:14 AM, Darren Reed wrote: > > No. It's not about calling a function, it is about proving the BPF > program is correct and secure. > > BPF today is essentially assembly language operations that are all > easily tested and verified. There's a one-word summary: *assurance*. With the current design, it's easy to *know* what can happen. With a Turing-complete extension, it isn't. Assurance is often what separates actually secure systems from ones that are merely claimed to be secure. --Steve Bellovin, https://www.cs.columbia.edu/~smb