Re: Debian Server Compromise -- A Fire Drill ??

To: debian-user@lists.debian.org
Subject: Re: Debian Server Compromise -- A Fire Drill ??
From: Isaac To <kkto@csis.hku.hk>
Date: Fri, 05 Dec 2003 09:55:17 +0800
Message-id: <[🔎] 7ihe0ggha2.fsf@enark.csis.hku.hk>
In-reply-to: <[🔎] 5.2.1.1.0.20031204102930.02b8c948@mail.gain.com> (dmq@gci-net.com's message of "Thu, 04 Dec 2003 10:32:32 -0700")
References: <[🔎] 5.2.1.1.0.20031204102930.02b8c948@mail.gain.com>

>>>>> "Dave" == Dave  <dmq@gci-net.com> writes:

    Dave> So how many daemons and kernel routines need both root access and
    Dave> input from a user process?

Remember that *all* kernel routines are running in kernel-mode of the
processor, i.e., having even higher permission than a normal root process.
And most of the inputs taken by system calls are tainted with user inputs.
Even worse, the kernel is performance critical.  Adding all of these, you'll
understand why it is so hard to make sure everything is correct.  That's why
some people advocate micro-kernels, to reduce the "source of power" to a
very small code base that can be monitored in an easier way.  But we are not
at that point yet, so the race between white-hat and black-hat hackers
*will* continue.  In any case, even if we are in a micro-kernel like Hurd, a
bug in the core servers (e.g., the authentication server, the filesystem
server or the Unix API server) can easily give out arbitrary power to the
user, so it is important to make sure core servers are bug-free in any case.
The only question is "how many code are in the core servers".

Regards,
Isaac.

Reply to:

References:
- Re: Debian Server Compromise -- A Fire Drill ??
  - From: Dave <dmq@gci-net.com>

Prev by Date: apt question
Next by Date: Re: Removal of packages from woody/main
Previous by thread: Re: Debian Server Compromise -- A Fire Drill ??
Next by thread: Re: Debian Server Compromise -- A Fire Drill ??
Index(es):
- Date
- Thread