Subject: re: Non executable mappings and compatibility options bugs
To: matthew green <mrg@eterna.com.au>
From: Curt Sampson <cjs@cynic.net>
List: tech-kern
Date: 06/23/2004 08:13:10
On Tue, 22 Jun 2004, matthew green wrote:

>    Some people might prefer to have the emulation break, rather than the
>    security break. I would generally prefer that, since it's obvious
>    breakage, rather than subtle breakage.
>
> then they should turn the emulation off.

The question is, how do they know to turn emulation off? In the case
where a program doesn't run, you are *forced* to make a conscious
decision to work in a less safe mode. In the other case, you must know
in advance what actions you must take to run in a more secure, rather
than less secure, mode. (In this case, watch your boot messages.)

I'd like to say that I think asking someone to check boot messages is
a pretty bad way of informing the user, especially on the i386 port,
where they tend to scroll off pretty quickly. A moment's inattention can
easily cause that message to be missed. And, as a read through of any
few issues of the RISKS digest will show, we should expect that, humans
being humans, they *will* have moments of inattention, and design our
system to deal with that.

> i think you've missed my point. currently, we have a regression -
> programs that used to run fine no longer run.

The programs run just fine if you reconfigure your kernel specifically
to ask for these programs to run. So I wouldn't call this a regression
in terms of functionality; it's just a change in what we offer in the
default configuration. We've done this before; one example is when we
changed the default configuration to have all daemons, including ssh,
turned off.

> since when has it been acceptable to break significant functionality
> in the name of security?

If you mean, "since when has it been acceptable to make the user
reconfigure his software in order to get functionality he had by default
in a previous version?" well, even Microsoft is doing that now. I
started using a new install of Windows the other day (don't ask me which
one--it's just a host I rdesktop to once in a while) and discovered,
for example, that I can no longer by default view PDF files in Internet
Explorer. It stops me and says they're not insecure. I have also heard
many calls for forcing MS Outlook users to explicitly ask for HTML
rendering, previews, and various other features that older versions do
by default.

> also, maybe it's "obvious breakage" for those who are familiar with it
> - it wasn't for the N people who had this issue before it became well
> known, nor will it be for users.

Oh, the breakage was always obvious; it was the reason for it that was
not. But I would say that at this point we can get it in CHANGES, get it
in the FAQ, mention it in comments in the kernel config, and so-on, and
a web search will turn it up pretty quickly.

> we ship GENERIC will all working emulations enabled - our default
> install shouldn't break that should it?

I'm not sure.

> i agree with thor that config and/or the kernel should warn about
> this but surely everyone can agree that the default should be for
> "programs to continue to work"?

When the default is that "exploits should continue to work"?

Anyway, perhaps another solution is to have two GENERIC kernels:
SECURE_GENERIC and INSECURE_GENERIC. If we ask the user to choose one
at install time, he'll at least have a pretty good idea of what he's in
for.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
    Don't you know, in this new Dark Age, we're all light.  --XTC