Subject: Re: transparent filtering and bridge(4)?
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Bill Squier <groo@old-ones.com>
List: tech-security
Date: 03/08/2002 13:19:15
On Thu, Mar 07, 2002 at 12:26:48PM -0500, Thor Lancelot Simon wrote:
> On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
> >
> > Even so, that's a lot of machine-dependent code in the kernel. It
> > doesn't really strike me as the way to go. As I said, we already
> > permit LKM; is there an incremental risk?
>
> Well, one problem is that lots of firewall configurations effectively
> *don't* permit LKMs, at least not without a manual, attended reboot to
> get the LKMs loaded.
>
> What about:
>
> 1) Signed BPF->C->object code toolchain, which signs its output
> 2) Kernel allows signed "BPF modules" to be loaded while running.
>
> Now you are at the mercy of bugs in your BPF compiler, but otherwise just
> as safe as you were before; the same situation you'd be in if you put the
> BPF translator in the kernel.
BPF is small and restricted enough that you might have a chance of proving
safety properties of the compiled code.
--
Bill Squier (groo@old-ones.com) http://www.netbsd.org
I know I don't deserve another chance, but this _is_ America,
and as an American, aren't I entitled to one? --Sideshow Bob.
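The kind of safety property the last sentence refers to is what a classic BPF validator establishes before a filter is installed: every jump is forward and lands inside the program, the last instruction is a return, scratch-memory indices stay inside M[0..15], and an immediate divisor is non-zero. Because all jumps are forward, termination follows structurally, without running the filter. The following is an added example written for this page, not code from the thread or from NetBSD's bpf(4); the instruction encoding (code/jt/jf/k) and the constants are the classic BPF ones, redefined locally so the file stands alone, and the sample programs are constructed for the demonstration. Note that it checks BPF bytecode, not the native object code a signed BPF->C->object toolchain would emit; for that, as the quoted reply says, you are trusting the compiler.

```c
/* Added example, not code from the original thread or from NetBSD:
 * a validator for classic BPF programs of the kind a kernel runs before
 * installing a filter.  The encoding (code/jt/jf/k) and the constants are
 * the classic BPF ones, redefined here so the file stands alone. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define BPF_MEMWORDS 16                 /* scratch memory M[0..15]        */
#define BPF_MAXINSNS 4096
#define BPF_CLASS(c) ((c) & 0x07)       /* LD LDX ST STX ALU JMP RET MISC */
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_ST   0x02
#define BPF_STX  0x03
#define BPF_ALU  0x04
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_MEM  0x60
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_DIV  0x30
#define BPF_MOD  0x90
#define BPF_JA   0x00
#define BPF_SRC(c) ((c) & 0x08)
#define BPF_K    0x00
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Returns 1 if the program can be run safely, 0 otherwise.  The checks are
 * purely structural: forward-only jumps inside the program plus a final RET
 * give termination; bounded M[] indices give memory safety; a zero immediate
 * divisor is rejected here, while packet loads (ABS/IND) and division by X
 * are left to the interpreter's runtime bounds checks, as in classic BPF. */
int bpf_validate_program(const struct bpf_insn *f, size_t len)
{
    if (len == 0 || len > BPF_MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        size_t remaining = len - 1 - i;    /* instructions after this one */

        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ALU:
            if ((BPF_OP(p->code) == BPF_DIV || BPF_OP(p->code) == BPF_MOD) &&
                BPF_SRC(p->code) == BPF_K && p->k == 0)
                return 0;
            break;
        case BPF_JMP:
            /* target is i + 1 + offset, so offset must be < remaining */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= remaining)
                    return 0;
            } else if (p->jt >= remaining || p->jf >= remaining) {
                return 0;
            }
            break;
        default:    /* RET and MISC carry no operands to check */
            break;
        }
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET;   /* cannot fall off the end */
}

/* Constructed sample programs (tcpdump-style mnemonics in the comments). */
static const struct bpf_insn accept_ip[] = {
    { 0x28, 0, 0, 12 },         /* ldh [12]              (ethertype)     */
    { 0x15, 0, 1, 0x0800 },     /* jeq #0x800, L1, L2                    */
    { 0x06, 0, 0, 0xffffffff }, /* L1: ret #-1           (accept)        */
    { 0x06, 0, 0, 0 },          /* L2: ret #0            (drop)          */
};
static const struct bpf_insn jump_past_end[] = {
    { 0x28, 0, 0, 12 },
    { 0x15, 0, 5, 0x0800 },     /* jf target lands outside the program   */
    { 0x06, 0, 0, 0xffffffff },
    { 0x06, 0, 0, 0 },
};
static const struct bpf_insn no_final_ret[] = {
    { 0x28, 0, 0, 12 },
    { 0x06, 0, 0, 0xffffffff },
    { 0x02, 0, 0, 3 },          /* st M[3] as the last instruction       */
};
static const struct bpf_insn bad_mem_index[] = {
    { 0x02, 0, 0, 16 },         /* st M[16]: one past BPF_MEMWORDS       */
    { 0x06, 0, 0, 0 },
};
static const struct bpf_insn div_by_zero[] = {
    { 0x34, 0, 0, 0 },          /* div #0                                */
    { 0x06, 0, 0, 0 },
};

int main(void)
{
    printf("accept_ip     %d\n", bpf_validate_program(accept_ip, ARRAY_LEN(accept_ip)));
    printf("jump_past_end %d\n", bpf_validate_program(jump_past_end, ARRAY_LEN(jump_past_end)));
    printf("no_final_ret  %d\n", bpf_validate_program(no_final_ret, ARRAY_LEN(no_final_ret)));
    printf("bad_mem_index %d\n", bpf_validate_program(bad_mem_index, ARRAY_LEN(bad_mem_index)));
    printf("div_by_zero   %d\n", bpf_validate_program(div_by_zero, ARRAY_LEN(div_by_zero)));
    return 0;
}
```

Only the first program passes; each of the others trips exactly one check. The point of keeping the checks per-instruction and jump-structural is that the argument for safety is a short, local one that can be reviewed by hand, which is what makes BPF a tractable target for this kind of proof in the first place.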