[E-Lang] defense in depth
Fri, 26 Jan 2001 13:09:13 +0000
"Jonathan S. Shapiro" wrote:

> David Wagner wrote:
> > I have to admit: Now I'm curious. Which features of Apache are
> > inherently insecure? Can you give any examples?
> The entire notion of CGI scripts as currently formatted. On request from
> the system administrator, Apache will gleefully punt responsibility for
> security to some other program whose environment is not under the
> control of Apache.

Woah! The environment _is_ under the control of Apache - the issue is
that the current definition of "environment" is not appropriate to the
task at hand. :-)

> Also, module configuration is designed such that the introduction of one
> module can alter the environment perceived by a subsequent module, and
> the current interface specification practice does not allow the
> administrator to fully understand the resulting dependencies.

I suspect you are going to find Apache 2.0 very scary, then! OTOH, maybe
not - it may be fairly simple to decompose modules into processes and
core system interfaces into capabilities. Hmmmm ... well, I'm not going
there until EROS can at least _run_ an Apache!

I have to say that an Apache designed for a capability system would
probably be a very different beast from the Apache we have today. But
there are things capabilities can do as a bolt-on that are still vastly
superior to what we can do today without making huge changes to Apache,
CGI confinement being the easiest example to explain and think about.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff