[EROS-Arch] Error logging
Joerg Bornschein
joerg@zilium.de
Wed, 26 Sep 2001 01:06:14 +0200
On Tue, Sep 25, 2001 at 01:46:53PM -0400, Jonathan S. Shapiro wrote:
> > OK, I see what you are saying - but since the TCB is in the hands of
> > (one of) the user(s), all the inner workings are surely already
> > available to the user(s), are they not?
>
> This is not an absolute impediment, but it presents to the user a level of
> both technical difficulty and practical risk that for many developers it
> constitutes an acceptable disincentive to discovery.
I see....
I don't think developers will trust a log system not to reveal data.
People are smart; if there's something interesting in these
log messages, somebody will come along and present a TCB with a
tampered logging component...
So in fact a developer must trust the system administrator to play nice.
He must even trust the person who installs the component.
To me it seems there are three entities involved:
- security officer (TCB administrator)
- person installing the software
  (person building constructors and populating the
  constituents node(s))
- user
If you say: "the developer must agree to reveal a log message" this
seems to be equivalent to "the security officer gets all log messages
and decides which to pass on".
joerg