NetBSD's veriexec port

Bill Hacker wbh at conducive.org
Tue Oct 13 20:19:19 PDT 2009


Matthew Dillon wrote:
    I'm only luke-warm on the concept.  I would much rather see improvements
    in the virtual kernel technology w/ regards to ease of use, features,
    and performance.  I think we risk serious fragmentation of the security
    space by implementing all these weird little security features that 
    we are more likely to trip over then anything else.

    One thing that would be very cool would be a system call that locks out
    all new file descriptor-creating system calls (like open, socket, etc),
    and also locks out namespace functions like remove(), chmod(), and
    functions like fork() and exec*().  The idea being that you would be
    able to start a vkernel and the vkernel would make this system call
    after setting up its virtual network and disk, but before starting the
    init process.
'vkernsecurelevel' perhaps?

    Another cool feature would be a similar system call which does a 
    soft-chroot (I just made up that name)...  Modifying filesystem
    calls would only be allowed within the soft-chroot, but the real
    root of the filesystem would still be whatever it was before.  The
    idea here is that you might have an application which you'd rather
    not trust but which performs important functions on your behalf, and
    you want an easy way to run it without giving it the ability to mess
    around with your entire account.

'anklebracelet'

;-)

						-Matt

There's plenty of prior art for the first.

The second? - is that akin to applying (v)kernel-class restrictions at a 
userspace level? Restricting access to API's?  Snifing calls for safety?

Or?  (spawning an ephemeral vkernel on-the-fly?)

Bill





More information about the Kernel mailing list