
That's not the only meaning of that statement

Posted Feb 1, 2006 2:34 UTC (Wed) by Ross (subscriber, #4065)
In reply to: VERY interesting - but security implications to others?!? by elanthis
Parent article: Van Jacobson's network channels

I sure hope that no application which I run as a normal user is able to reboot the system into another operating system in order to use raw sockets and low port numbers.

If it could, that's what I'd call a gaping security hole.



protocol validity checks

Posted Feb 1, 2006 3:57 UTC (Wed) by xoddam (subscriber, #2322)

I can imagine an internal 'firewall' inspecting the header of each packet traversing a channel from userspace to ensure the app has sufficient privilege to send it. A pipeline stage with negligible performance impact -- it wouldn't thrash the cache, and if it's in the kernel it would involve no extra context switches.

protocol validity checks

Posted Feb 1, 2006 6:38 UTC (Wed) by cventers (subscriber, #31465)

Yeah, since you're writing into mapped memory, the kernel can check it
out in place. And since there's no copy, it's going to be hanging out in
the cache when the check has to take place.

protocol validity checks

Posted Feb 3, 2006 4:15 UTC (Fri) by zblaxell (subscriber, #26385)

...kernel can check it out in place... while the user, maybe on another CPU, switches a few bits just after the kernel check but before the network card picks up the data.

Sneaky indeed!

Posted Feb 3, 2006 5:48 UTC (Fri) by xoddam (subscriber, #2322)

Ok, freely mapped memory doesn't cut it then. I wonder what the
performance impact of changing packet buffers' page permissions would be,
relative to copying (and relative to keeping the TCP implementation in
kernel space)?
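
The race zblaxell describes above (check the header in the shared mapping, then let the NIC read that same mapping) and the copying alternative xoddam weighs against it are both easy to show in a few lines. The following is an added example, not code from the article or from Van Jacobson's channel implementation: a toy "packet" slot shared with userspace, a policy check that unprivileged senders may not use source ports below 1024, and a constructed attacker hook that stands in for a second CPU scribbling on the slot between the check and the moment the card reads it. The hook is used so that the window is hit deterministically; in a real system it is simply a timing window. The vulnerable path validates in place; the hardened path snapshots the header into kernel-private memory first, which is exactly the copy the channel design wants to avoid.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy packet slot, as if it lived in a channel mapped into
 * userspace. Only src_port matters for this example. */
struct pkt {
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  payload[32];
};

/* Policy under discussion: an unprivileged app may not emit packets
 * from a privileged (< 1024) source port. */
static int port_allowed(uint16_t port)
{
    return port >= 1024;
}

/* Hypothetical hook standing in for whatever the app does between the
 * kernel's check and the NIC's read of the buffer (another CPU writing
 * into the shared mapping). Used so the race fires deterministically. */
typedef void (*race_window_fn)(struct pkt *shared);

/* Vulnerable path: validate the header in the shared mapping, then let
 * the NIC read that same mapping. Returns the src_port that actually
 * "went on the wire", or -1 if the check rejected the packet. */
static int send_check_in_place(struct pkt *shared, race_window_fn window)
{
    if (!port_allowed(shared->src_port))
        return -1;                  /* check: passes on the honest header */
    if (window)
        window(shared);             /* attacker flips bits after the check */
    return shared->src_port;        /* use: NIC reads whatever is there now */
}

/* Hardened path: copy the header into memory the app cannot touch,
 * validate the copy, and hand the copy to the NIC. The attacker can
 * still scribble on the shared slot, but nobody reads it any more. */
static int send_check_snapshot(struct pkt *shared, race_window_fn window)
{
    struct pkt priv;
    memcpy(&priv, shared, sizeof priv);   /* copy happens before the check */
    if (!port_allowed(priv.src_port))
        return -1;
    if (window)
        window(shared);                   /* too late: the kernel owns priv */
    return priv.src_port;
}

/* Constructed attacker: rewrite the source port to a privileged one. */
static void flip_to_privileged(struct pkt *shared)
{
    shared->src_port = 80;
}

/* Constructed honest packet: unprivileged source port, HTTP destination. */
static void init_honest(struct pkt *p)
{
    memset(p, 0, sizeof *p);
    p->src_port = 40000;
    p->dst_port = 80;
}

int main(void)
{
    struct pkt slot;

    init_honest(&slot);
    printf("in-place check, wire src_port = %d\n",
           send_check_in_place(&slot, flip_to_privileged));   /* 80: check bypassed */

    init_honest(&slot);
    printf("snapshot check, wire src_port = %d\n",
           send_check_snapshot(&slot, flip_to_privileged));   /* 40000: check holds */
    return 0;
}
```

The snapshot version is the "copying" option from xoddam's question; the other option raised in the thread, flipping the page's permissions so the app loses write access before the check and regains it after the card is done, closes the same window without a copy but at the cost of a TLB shootdown per buffer, which is the trade-off being asked about.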

That's not the only meaning of that statement

Posted Feb 1, 2006 12:15 UTC (Wed) by smitty_one_each (subscriber, #28989)

I think parent's point was about a living user doing a cold boot with a live CD, and then committing mischief, not about an existing application you're running somehow warm booting and doing that.
Clearly, unprotected ON/OFF switches and promiscuous BIOS boot settings can be a gaping security hole.

That's not the only meaning of that statement

Posted Feb 1, 2006 13:54 UTC (Wed) by Ross (subscriber, #4065)

Yes, and my point is that what is equivalent with physical security is not the totality of the problem. Of course if someone has physical access to your network they can send any packets they like on it. But unprivileged processes running on your server don't have physical access, yet in the same scenario they would have the same level of access.

That's not the only meaning of that statement

Posted Feb 2, 2006 4:05 UTC (Thu) by elanthis (subscriber, #6227)

And my point remains... what is that unprivileged process going to do that you couldn't do by plugging in a laptop or some other device onto the network?

If you are implicitly trusting every packet sent by some 'trusted' host (which, if it were truly trusted, would never be running any malicious code anyhow), or trusting anything running on port 1024 down, you're not running a very secure network at all.

There is no security at the IP level at all. If you want trust and security, you have to put it all in higher layers.

That's not the only meaning of that statement

Posted Feb 2, 2006 5:28 UTC (Thu) by Ross (subscriber, #4065)

If your only point is that security shouldn't depend on the network not being compromised, I agree. However, malicious users with unfettered physical access are not at all equivalent to malicious processes running under unprivileged ids, and anything which makes them equivalent is decreasing security. Does it matter for well designed programs? No. But unfortunately tons of commonly used software is not well designed. If you can't trust IPs, port numbers, etc., many things break down. If you can't trust a program a user downloaded you should worry, but your network is not automatically compromised unless there is something which can be exploited on the system.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds