security of drivers vs. net stacks

Jonathan S. Shapiro jsshapiro@earthlink.net
Sun, 3 May 1998 15:07:03 -0400


Some thoughts on Bill's concerns about security:

Given that EROS is source-required, many security concerns about
drivers go away for two reasons:

	1. A concerned user can examine the source
	2. A central coordinator can vet the source
	3. A digital signature or some such can be used to verify that 
	   the source (or the binary) has been vetted by a central
	   coordinator.

In the absence of some common mechanism to speak to I/O ports and DMA
chips, and given the sheer number of boards in the PC world, I see no
practical way to take responsibility for writing all possible drivers
centrally.  The most I think we can do is vet them for security.

We *might* get away with a carefully thought out kernel-driver API
plus a verifiable intermediate code a la exokernel.  I have some ideas
along these lines, and I'd be very interested to work with someone on
a paper along these lines *after* my thesis is done.  Such a solution,
I should add, ought to result in an OS-independent API, so it should be
applicable beyond EROS.  It is not clear how one avoids a driver that
takes advantage of a hardware bug that is not known to you, however.

At worst, we are talking about "bottom half" drivers only, and the
complexity of these is small enough that they should be fairly
amenable to admission by code review.


shap