From owner-freebsd-security Tue Oct 14 08:50:14 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA25546 for security-outgoing; Tue, 14 Oct 1997 08:50:14 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from obie.softweyr.ml.org ([199.104.124.49]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA25541 for ; Tue, 14 Oct 1997 08:50:10 -0700 (PDT) (envelope-from wes@xmission.com) Received: (from wes@localhost) by obie.softweyr.ml.org (8.7.5/8.6.12) id JAA10419; Tue, 14 Oct 1997 09:56:38 -0600 (MDT) Date: Tue, 14 Oct 1997 09:56:38 -0600 (MDT) Message-Id: <199710141556.JAA10419@obie.softweyr.ml.org> From: Wes Peters To: Christopher Petrilli CC: security@freebsd.org Subject: Re: C2 Trusted FreeBSD? In-Reply-To: <199710132110.RAA29578@dworkin.amber.org> References: <199710132110.RAA29578@dworkin.amber.org> Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Christopher Petrilli writes: > It is not "mandatory," however the following paragraph exerpted from the > TCSEC does make it clear that the exisintg group mechanism is NOT > acceptable: > > "The access controls shall be capable of including or excluding > access > to the granulairty of a single user." > > This exclusion part is what makes it very difficult. You must be capable > of giving access to everyone BUT a specific user. While theoretically I > guess you could do it by managing billions of sepereate groups, I think > it would fail none the less because of practical enforcement concerns. Nope. The Sun C2 security system used only group controls. This is the U.S. government, there are *no* concerns about practical enforcement. In their view, if any mechanism is provided, their slaves can be beaten into writing procedures that will correctly use the supplied mechanism, clumsy as it may be. > THat having been said, there is one other requirement that would need to > be addressed: > > * Object Reuse (2.2.1.2) > > THis is defined as follows: > > "All authorizations to the information contained iwthin a storage object > shall be revoked prior to initial assignment, allocation or reallocation > to a subject from the TCB's pool of unused storage objects. No > information, including encrypted representations of information, produced > by a prior subject's actions is to be available to any subject that > obtains access to an object that has been released back to the system." > > Basically, we need to purge all memor when it is allocated, or > deallocated. Has to be deallocated, unless you want to maintain ownership credentials of the deallocated pools. The act of returning a block of memory to the "free" pool changes its ownership. There is an existing standard for reclaiming memory in C2 systems. If I remember correctly, you have to overwrite each bit with successive 1 and 0 for 100 cycles. This is pretty cpu intensive, but can be done pretty easily by modify sbrk and friends. I guess in the post 2.2 world, it would be munmap that gets mangled, right? > Other than that, it's mostly documentation, and audit. I would really > prefer to do an ACL extension to the file system, as I think it's useful > as it is :-) Agreed. A simple but useful ACL system, like the one in HP-UX, is a very nice system administration tool. It also makes for amusing jokes, where you can put an ACL on a user's file so he can read it but not write it. ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.xmission.com/~softweyr softweyr@xmission.com