Subject: Re: transparent filtering and bridge(4)?
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Bill Squier <groo@old-ones.com>
List: tech-security
Date: 03/08/2002 13:19:15
On Thu, Mar 07, 2002 at 12:26:48PM -0500, Thor Lancelot Simon wrote:
> On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
> >
> > Even so, that's a lot of machine-dependent code in the kernel.  It 
> > doesn't really strike me as the way to go.  As I said, we already 
> > permit LKM; is there an incremental risk?
> 
> Well, one problem is that lots of firewall configurations effectively
> *don't* permit LKMs, at least not without a manual, attended reboot to
> get the LKMs loaded.
> 
> What about:
> 
> 1) Signed BPF->C->object code toolchain, which signs its output
> 2) Kernel allows signed "BPF modules" to be loaded while running.
> 
> Now you are at the mercy of bugs in your BPF compiler, but otherwise just
> as safe as you were before; the same situation you'd be in if you put the
> BPF translator in the kernel.

BPF is small and restricted enough that you might have a chance of proving
safety properties of the compiled code.

-- 
Bill Squier (groo@old-ones.com)                          http://www.netbsd.org

        I know I don't deserve another chance, but this _is_ America,
        and as an American, aren't I entitled to one?  --Sideshow Bob.
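The safety argument in the reply above rests on classic BPF being a tiny language with forward-only jumps and a fixed scratch-memory size, so a loader can check a filter mechanically before running it. The following is an added example, not code from the thread or from NetBSD: a validator in the spirit of the kernel's own pre-load checks, written against the classic BPF instruction encoding (class, mode, op and source bits). It verifies that every jump target lies inside the program, that scratch-memory indexes stay below the 16-word limit, that no instruction divides by a constant zero, and that the program ends in a return. Because jump offsets are unsigned and relative to the next instruction, passing these checks also bounds execution to at most one visit per instruction, which is the termination property. The sample programs are constructed for this example.

```python
"""Static safety checks for classic BPF programs (added example)."""
from dataclasses import dataclass

# Instruction classes (low three bits of the opcode), classic BPF encoding.
BPF_LD, BPF_LDX, BPF_ST, BPF_STX = 0x00, 0x01, 0x02, 0x03
BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = 0x04, 0x05, 0x06, 0x07
# Load modes, ALU/jump sub-ops, operand source and size bits.
BPF_ABS, BPF_MEM = 0x20, 0x60
BPF_DIV, BPF_JA, BPF_JEQ = 0x30, 0x00, 0x10
BPF_K, BPF_X, BPF_H = 0x00, 0x08, 0x08
BPF_MEMWORDS = 16  # scratch memory words available to a filter


def bpf_class(code): return code & 0x07
def bpf_mode(code): return code & 0xE0
def bpf_op(code): return code & 0xF0
def bpf_src(code): return code & 0x08


@dataclass(frozen=True)
class Insn:
    """One classic BPF instruction: 16-bit opcode, two 8-bit jump offsets, 32-bit k."""
    code: int
    jt: int = 0
    jf: int = 0
    k: int = 0


def validate(prog):
    """Return (True, 'ok') if prog is safe to run, else (False, reason).

    Safety here means: every jump stays inside the program and moves forward,
    scratch memory accesses are in bounds, no constant division by zero, and
    control always reaches a RET.  Forward-only jumps give termination for free:
    the program counter strictly increases, so at most len(prog) steps execute.
    """
    n = len(prog)
    if n == 0:
        return False, "empty program"
    for i, ins in enumerate(prog):
        # Field-width checks the struct layout would normally enforce.
        if not (0 <= ins.jt <= 0xFF and 0 <= ins.jf <= 0xFF and 0 <= ins.k <= 0xFFFFFFFF):
            return False, f"insn {i}: operand does not fit its field"
        cls = bpf_class(ins.code)
        if cls in (BPF_LD, BPF_LDX):
            if bpf_mode(ins.code) == BPF_MEM and ins.k >= BPF_MEMWORDS:
                return False, f"insn {i}: scratch load index {ins.k} out of range"
        elif cls in (BPF_ST, BPF_STX):
            if ins.k >= BPF_MEMWORDS:
                return False, f"insn {i}: scratch store index {ins.k} out of range"
        elif cls == BPF_ALU:
            if bpf_op(ins.code) == BPF_DIV and bpf_src(ins.code) == BPF_K and ins.k == 0:
                return False, f"insn {i}: division by constant zero"
        elif cls == BPF_JMP:
            # Offsets are unsigned and relative to i+1, so they can only go forward;
            # the only thing left to check is that they do not run off the end.
            if bpf_op(ins.code) == BPF_JA:
                if i + 1 + ins.k >= n:
                    return False, f"insn {i}: unconditional jump past end of program"
            elif i + 1 + ins.jt >= n or i + 1 + ins.jf >= n:
                return False, f"insn {i}: conditional jump past end of program"
        # BPF_RET and BPF_MISC need no operand checks.
    if bpf_class(prog[-1].code) != BPF_RET:
        return False, "program does not end in RET"
    return True, "ok"


# Constructed sample: accept IPv4 frames (ethertype at offset 12 == 0x0800).
ACCEPT_IPV4 = [
    Insn(BPF_LD | BPF_H | BPF_ABS, k=12),                   # A = halfword at pkt[12]
    Insn(BPF_JMP | BPF_JEQ | BPF_K, jt=0, jf=1, k=0x0800),  # if A == 0x0800 fall through
    Insn(BPF_RET | BPF_K, k=0xFFFF),                         # accept whole packet
    Insn(BPF_RET | BPF_K, k=0),                              # reject
]
# Constructed unsafe samples, one per rejected property.
BAD_JUMP = [Insn(BPF_JMP | BPF_JA, k=5), Insn(BPF_RET | BPF_K, k=0)]
NO_RET = [Insn(BPF_LD | BPF_H | BPF_ABS, k=12)]
BAD_MEM = [Insn(BPF_ST, k=BPF_MEMWORDS), Insn(BPF_RET | BPF_K, k=0)]
DIV_ZERO = [Insn(BPF_ALU | BPF_DIV | BPF_K, k=0), Insn(BPF_RET | BPF_K, k=0)]

if __name__ == "__main__":
    for name, p in [("accept_ipv4", ACCEPT_IPV4), ("bad_jump", BAD_JUMP),
                    ("no_ret", NO_RET), ("bad_mem", BAD_MEM), ("div_zero", DIV_ZERO)]:
        print(name, validate(p))
```

The checks are deliberately syntactic: they need no knowledge of packet contents, which is what makes them cheap enough to run at load time and simple enough to reason about. A compiled (BPF-to-C) module loses this property unless the compiler is trusted to preserve it, which is exactly the residual risk the thread identifies.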