Re: Debian Server Compromise -- A Fire Drill ??
>>>>> "Dave" == Dave <email@example.com> writes:
Dave> So how many daemons and kernel routines need both root access and
Dave> input from a user process?
Remember that *all* kernel routines are running in kernel-mode of the
processor, i.e., having even higher permission than a normal root process.
And most of the inputs taken by system calls are tainted with user inputs.
Even worse, the kernel is performance critical. Adding all of these, you'll
understand why it is so hard to make sure everything is correct. That's why
some people advocate micro-kernels, to reduce the "source of power" to a
very small code base that can be monitored in an easier way. But we are not
at that point yet, so the race between white-hat and black-hat hackers
*will* continue. In any case, even if we are in a micro-kernel like Hurd, a
bug in the core servers (e.g., the authentication server, the filesystem
server or the Unix API server) can easily give out arbitrary power to the
user, so it is important to make sure core servers are bug-free in any case.
The only question is "how many code are in the core servers".