security of drivers vs. net stacks

Bill Frantz frantz@netcom.com
Mon, 4 May 1998 10:48:57 -0800


At 11:07 AM -0800 5/3/98, Jonathan S. Shapiro wrote:
>Some thoughts on Bill's concerns about security:
>
>Given that EROS is source-required, many security concerns about
>drivers go away for two reasons:
>
>	1. A concerned user can examine the source
>	2. A central coordinator can vet the source
>	3. A digital signature or some such can be used to verify that
>	   the source (or the binary) has been vetted by a central
>	   coordinator.
>
>In the absence of some common mechanism to speak to I/O ports and DMA
>chips, and given the sheer number of boards in the PC world, I see no
>practical way to take responsibility for writing all possible drivers
>centrally.  The most I think we can do is vet them for security.
>
>We *might* get away with a carefully thought out kernel-driver API
>plus a verifiable intermediate code a la exokernel.  I have some ideas
>along these lines, and I'd be very interested to work with someone on
>a paper along these lines *after* my thesis is done.  Such a solution,
>I should add, ought to result in an OS-independent API, so it should
>be applicable beyond EROS.  It is not clear how one avoids a driver that
>takes advantage of a hardware bug that is not known to you, however.
>
>At worst, we are talking about "bottom half" drivers only, and the
>complexity of these is small enough that they should be fairly
>amenable to admission by code review.

With security issues, the best you can do is all you can do.  I remember
discussing microcoded I/O controllers with the NCSC people, and they
essentially hid their heads and said they didn't want to think about that.
Being able to vet the source is a much better answer.

BTW, isn't one or another of these I/O device interfaces based on a Forth-like
language somewhere in the cards or the "hardware" of the PC?


-------------------------------------------------------------------------
Bill Frantz       | If hate must be my prison  | Periwinkle -- Consulting
(408)356-8506     | lock, then love must be    | 16345 Englewood Ave.
frantz@netcom.com | the key.     - Phil Ochs   | Los Gatos, CA 95032, USA
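The third item in the quoted list (a digital signature attesting that a central coordinator has vetted a driver's source) is the one piece of the discussion that reduces to a concrete mechanism. The following is an added illustration written for this archive page, not code from EROS or from either correspondent: a coordinator hashes the exact source it reviewed and signs that hash with an Ed25519 key; a user about to build or load the driver recomputes the hash over the source actually in hand and checks the signature against the coordinator's public key. Every name here (`VetRecord`, `Vet`, `VerifyVetted`, `NewCoordinatorKeys`) and the driver source text are constructed for the example; the review itself, as the thread says, remains a human activity that this code only binds to a key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// VetRecord is what the coordinator publishes for a driver it has reviewed:
// the hash of the exact source bytes that were vetted, and the coordinator's
// signature over that hash. (Hypothetical record format, assumed here.)
type VetRecord struct {
	SourceHash [32]byte
	Signature  []byte
}

// NewCoordinatorKeys generates a fresh Ed25519 key pair for the coordinator.
// In practice the private key would be long-lived and kept offline; the public
// key is what users distribute with the OS.
func NewCoordinatorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Vet is the coordinator's step after a human code review: bind the reviewed
// bytes to the coordinator's key by signing their SHA-256 digest.
func Vet(coordinatorKey ed25519.PrivateKey, source []byte) VetRecord {
	h := sha256.Sum256(source)
	return VetRecord{SourceHash: h, Signature: ed25519.Sign(coordinatorKey, h[:])}
}

// VerifyVetted is the user's step before building or loading the driver.
// It recomputes the digest of the source actually in hand, so any byte changed
// after the review fails, and then checks the coordinator's signature, so a
// record produced by anyone else fails too.
func VerifyVetted(coordinatorPub ed25519.PublicKey, source []byte, rec VetRecord) bool {
	h := sha256.Sum256(source)
	if h != rec.SourceHash {
		return false // source in hand is not the source that was vetted
	}
	return ed25519.Verify(coordinatorPub, h[:], rec.Signature)
}

func main() {
	pub, priv := NewCoordinatorKeys()

	// Constructed stand-in for a reviewed driver source file.
	source := []byte("/* constructed driver source */ int probe(void) { return 0; }")
	rec := Vet(priv, source)
	fmt.Println("vetted source verifies:        ", VerifyVetted(pub, source, rec))

	// Same record, but the source was edited after the review.
	tampered := append(append([]byte{}, source...), []byte("\n/* added after review */")...)
	fmt.Println("modified source verifies:      ", VerifyVetted(pub, tampered, rec))

	// A record signed by some other key is not the coordinator's attestation.
	_, otherPriv := NewCoordinatorKeys()
	fmt.Println("record from other signer ok:   ", VerifyVetted(pub, source, Vet(otherPriv, source)))
}
```

The check is deliberately over the hash of the bytes rather than over a version string or filename, since the thread's concern is exactly that a user cannot trust a driver's own claims about itself; the same record could cover a binary instead of the source by hashing the binary, which is the "(or the binary)" option in the quoted message.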