[EROS-Arch] Error logging

Jonathan S. Shapiro shap@eros-os.org
Wed, 26 Sep 2001 10:07:50 -0400


> > This is not an absolute impediment, but it presents to the user a level of
> > both technical difficulty and practical risk that for many developers it
> > constitutes an acceptable disincentive to discovery.
>
> I'm all for pragmatism, but basing your security primitives on such
> ideas seems erroneous to me.

I understand what you are saying, but I think you are misunderstanding
something about the nature of security. Any security can be broken at a
cost. I am not proposing that the need to do disk forensics is a sufficient
barrier in all cases. Rather, I'm proposing that it is a sufficient
impediment for many applications, and that for most users it is much much
harder than bringing up the log viewer.

Whether this impediment is good enough is something the application designer
needs to decide. In some cases the answer will be "you can only run my app
on a machine where the disk is encrypted." For most general-purpose
applications, however, the developer is concerned only to avoid casual
disclosure. It's either that or they demand an encrypted disk.

At the next level up in security enforcement, disk-level forensics is an
interesting impediment threshold because now (given tamperproofing) we can
encrypt the disk to close the exposure.

shap