[E-Lang] defense in depth

Ben Laurie ben@algroup.co.uk
Fri, 26 Jan 2001 13:09:13 +0000


"Jonathan S. Shapiro" wrote:
> 
> David Wagner wrote:
> 
> > I have to admit: Now I'm curious.  Which features of Apache are
> > inherently insecure?  Can you give any examples?
> 
> The entire notion of CGI scripts as currently formatted. On request from
> the system administrator, Apache will gleefully punt responsibility for
> security to some other program whose environment is not under the
> control of Apache.

Woah! The environment _is_ under the control of Apache - the issue is
that the current definition of "environment" is not appropriate to the
task at hand. :-)
> Also, module configuration is designed such that the introduction of one
> module can alter the environment perceived by a subsequent module, and
> the current interface specification practice does not allow the
> administrator to fully understand the resulting dependencies.

I suspect you are going to find Apache 2.0 very scary, then! OTOH, maybe
not - it may be fairly simple to decompose modules into processes and
core system interfaces into capabilities. Hmmmm ... well, I'm not going
there until EROS can at least _run_ an Apache!

I have to say that an Apache designed for a capability system would
probably be a very different beast from the Apache we have today. But
there are things capabilities can do as a bolt-on that are still vastly
superior to what we can do today without making huge changes to Apache.
CGI confinement being the easiest example to explain and think about.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff