
Style and form

Posted Oct 24, 2005 0:29 UTC (Mon) by njhurst (guest, #6022)
In reply to: Style and form by mmarq
Parent article: Ballmer: Microsoft to go after Linux strongholds (ZDNet)

I think it is a dangerous plan to re-implement everything from scratch on the premise that the new design will be more robust or secure. Security comes as much from years of harsh real-world testing as it does from special models. We can probably achieve all that is suggested here by putting the same amount of work into fixing up the existing kernel interfaces and designing tools for detecting bad code patterns.

Auditing also helps, and every time we build from scratch we lose all the previous auditing work. I say this having spent considerable time working on a security-from-the-ground-up system using capabilities (the real ones, not the fake capes that Linux has). Time heals many security holes.

I think the general consensus is that we like your posts, but they are a struggle to read. If you wish, I am happy to read your posts before you post and correct the language. (Nevertheless, one word)

I don't think that we have a serious problem with groupthink here; several times people have corrected popular pro-Linux myths and brought us back to reality. If anything, I think LWN is one of the least biased Linux-related sources around. Things like NewsForge are just full of drivel, Slashdot suffers from groupthink to a larger extent, and most commercial rags are too heavily dependent on advertising dollars to stay NPOV.


Style and form

Posted Oct 24, 2005 17:28 UTC (Mon) by mmarq (guest, #2332)

"I think it is a dangerous plan to re-implement everything from scratch on the premise that the new design will be more robust or secure"

I believe the "Grand Beauty" of putting an exokernel beneath the present Linux kernel is doing it without having to re-invent the wheel. It could go even to a Single Address Space design with the Linux synchronization mechanisms, locks, semaphores, because the address space is mandatorily handled by a dynamic library in an exokernel design... as in XOK/ExOS (could be XOK/Linux)
http://www.disy.cse.unsw.edu.au/papers/disy/Deller_Heiser... (Mungi)
http://pdos.csail.mit.edu/exo/exo-internals/internals.html (XOK/ExOS)

Full *POSIX* support can be achieved in this type of design, as in Meshix and Angel http://citeseer.ist.psu.edu/cache/papers/cs/294/ftp:zSzzS..., and the Unix file systems don't have to go away.

"Security comes as much from years of harsh real-world testing as it does from special models."

No. I believe it's simply proved, so simply that it hurts, that the present model is inherently *INSECURE*, no matter what. http://www.skyhunter.com/marcs/capabilityIntro/index.html

"We can probably achieve all that is suggested here by putting the same amount of work into fixing up the existing kernel interfaces and designing tools for detecting bad code patterns."

Not likely. Building good interfaces and detecting bad code patterns also has to be applied, but to a lesser extent and without "crazy hacks", to an exokernel/Linux design with capabilities, or better, to an exokernel/Linux with the actual Unix file access list protection design on top of capabilities, be it a SASOS or not.

That is, an exokernel/Linux design could be full POSIX, have the Unix file access list protection style available, and yet the ensemble behave like a monolithic Single Address Space Kernel... only much, much more secure, to the point a *virus and cracker proof* LABEL can arguably be applied.

"Auditing also helps, and every time we build from scratch we lose all the previous auditing work."

I believe auditing would also be necessary, and even more so because in an exokernel design you could have, as an example, the Apache server having its own virtual memory and file system directly on top of the exokernel (achieving perhaps more than 1 order of magnitude more performance), and so everything from the OS and every application and service has to be audited to *guarantee* safety. Much previous work, and the disasters that followed, *could* be an example of where and why stating that a system that is *inherently INSECURE* is secure is a bad policy.

Sincerely, thanks for the offer, but one of the beauties of posting is learning how to write properly and not getting lazy.

I also believe group thinking could be much more enhanced than today, by people losing the fear of posting more radical ideas.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds