[EROS-Arch] Error logging

Bill Frantz frantz@pwpconsult.com
Mon, 24 Sep 2001 14:13:26 -0700


At 2:24 PM -0700 9/23/01, Jonathan S. Shapiro wrote:
>First, there are at least two parties who need to consent for an error log
>entry to be disclosed: the developer of the program and the party in control
>of the program instance. The second is typically the user, but might (e.g.)
>be a system administrator. In some environments a third party, the security
>officer, may also need to consent.

While I can see that the Apache developers, and the web site administrator
need to consent, I don't see a technical way for me as a visitor to that
web site to have a say in log disclosure.


>Since the two-party consent rule can only be implemented with trusted code,
>I propose that the EROS logging facility be implemented as part of the TCB.
>The general idea is that there is a single system-wide log manager, and that
>it is trusted in the same sense that the space bank is trusted. A developer
>can send a message to the log in confidence that it will not be improperly
>disclosed. A user can later obtain this message only if the developer agrees.

This is only true on machines where the user is not able to sweet-talk the
system administrator.  How, in general, the developer is to assure that his
program is installed on only such systems is well beyond technical
enforcement.


>Doing this requires per-component log tagging. The only party in an
>effective position to do this is the constructor of the component, which is
>why I propose that the log agent key be supplied by the constructor. Note
>that the constructor is also in a position to determine who received initial
>access to each newly constructed component (by examining the resume key).

An even more important reason for per-component log tagging is to prevent
spoofing of log entries.


>I have not yet worked out in this proposal the matter of storage allocation
>in the log and who should pay for it. At the moment I am contemplating a
>bounded, circular log.

It seems likely with this kind of design that the system's administrator
should pay for the storage.


>However, the main question is: is a unified logger a reasonable part of a
>secure system design?

Many sites work quite hard to build logging facilities that intruders can't
erase.  They use the log entries to analyse attacks and build defenses.
This kind of tamper resistant logging seems to be an essential part of a
secure system.


>1. Disclose the death notice of a failed application (name and register set).

A stack trace is most useful at this level of disclosure.  I do remember
hearing stories of people examining OS failures on the CIA's machines.  It
was done over the telephone in the form, "What is at location 0x7c9988?"
... after that location has been declassified ... "0x41101008".  You might
need similar release for stack traces.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | My heart goes out to   | Periwinkle -- Consulting
(408)356-8506         | those directly affected| 16345 Englewood Ave.
frantz@pwpconsult.com | by the 9/11/01 attack. | Los Gatos, CA 95032, USA
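The per-component log tagging and tamper-resistant logging discussed in the thread above, as an added example that is neither part of the thread nor EROS code: a small Python sketch of a trusted log manager (hypothetical names; the key check and hash chain are my own construction) that rejects entries whose tag the caller cannot prove with the constructor-issued log agent key, keeps a bounded circular log, and lets a verifier detect altered, removed or truncated entries.

```python
import hashlib
import hmac
import secrets

GENESIS = hashlib.sha256(b"eros-log-genesis").digest()  # constructed start value


def entry_hash(prev, component, msg):
    """Chain hash: each entry commits to its predecessor, its tag and its text."""
    return hashlib.sha256(prev + component.encode() + b"\0" + msg.encode()).digest()


class LogManager:
    """Hypothetical trusted log manager: hands out per-component log agent keys
    (the constructor's role in the proposal) and keeps a bounded, hash-chained log."""

    def __init__(self, capacity=4):
        self.capacity = capacity  # bounded circular log: oldest entries are dropped
        self.entries = []         # dicts with seq, component, msg, prev, hash
        self.keys = {}            # component name -> log agent key
        self.head = GENESIS       # trusted copy of the latest chain hash
        self.seq = 0

    def issue_key(self, component):
        key = secrets.token_bytes(32)
        self.keys[component] = key
        return key

    def append(self, component, key, msg):
        """Append a tagged entry; return False if the caller cannot prove the tag."""
        if not hmac.compare_digest(self.keys.get(component, b""), key):
            return False  # spoofed tag: caller lacks that component's key
        h = entry_hash(self.head, component, msg)
        self.entries.append({"seq": self.seq, "component": component,
                             "msg": msg, "prev": self.head, "hash": h})
        self.head, self.seq = h, self.seq + 1
        if len(self.entries) > self.capacity:
            self.entries.pop(0)
        return True


def verify_log(entries, trusted_head):
    """True if the retained entries form an unbroken chain ending at trusted_head."""
    if not entries:
        return trusted_head == GENESIS
    for i, e in enumerate(entries):
        if entry_hash(e["prev"], e["component"], e["msg"]) != e["hash"]:
            return False  # an entry's text or tag was altered
        if i and e["prev"] != entries[i - 1]["hash"]:
            return False  # an entry was removed from the middle
    return entries[-1]["hash"] == trusted_head  # catches tail truncation
```

The trusted head must live somewhere an intruder who can rewrite the log cannot reach (here, inside the log manager), otherwise erasure is undetectable.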