Subject: Re: transparent filtering and bridge(4)?
To: Bill Squier <groo@old-ones.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 03/08/2002 14:55:51
In message <20020308131915.A19126@yog-sothoth.old-ones.com>, Bill Squier writes:
>On Thu, Mar 07, 2002 at 12:26:48PM -0500, Thor Lancelot Simon wrote:
>> On Wed, Mar 06, 2002 at 11:17:20PM -0500, Steven M. Bellovin wrote:
>> >
>> > Even so, that's a lot of machine-dependent code in the kernel.  It 
>> > doesn't really strike me as the way to go.  As I said, we already 
>> > permit LKM; is there an incremental risk?
>> 
>> Well, one problem is that lots of firewall configurations effectively
>> *don't* permit LKMs, at least not without a manual, attended reboot to
>> get the LKMs loaded.
>> 
>> What about:
>> 
>> 1) Signed BPF->C->object code toolchain, which signs its output
>> 2) Kernel allows signed "BPF modules" to be loaded while running.
>> 
>> Now you are at the mercy of bugs in your BPF compiler, but otherwise just
>> as safe as you were before; the same situation you'd be in if you put the
>> BPF translator in the kernel.
>
>BPF is small and restricted enough that you might have a chance of proving
>safety properties of the compiled code.
>
Might be an interesting use for proof-carrying code.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
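The quoted point that BPF is small and restricted enough to check safety properties applies directly to classic BPF filters: the kernel's bpf_validate() makes a static pass over a program before accepting it. Below is an added illustration of that kind of check in Python (example code, not from this thread or from any BSD source; the opcode constants are the classic BPF encodings, and the sample programs are constructed):

```python
BPF_MAXINSNS = 512   # longest program the kernel accepts
BPF_MEMWORDS = 16    # size of the scratch store M[]
BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET = range(7)  # code & 0x07
BPF_MEM = 0x60       # addressing mode (code & 0xe0): scratch memory
BPF_DIV = 0x30       # ALU op (code & 0xf0): divide
BPF_JA = 0x00        # jump op (code & 0xf0): unconditional
BPF_X = 0x08         # source bit: operand is register X rather than constant k

def validate(prog):
    """prog is a list of (code, jt, jf, k) tuples, mirroring struct bpf_insn.
    Returns (True, 'ok') if it is safe to run in the kernel, else (False, reason)."""
    n = len(prog)
    if n == 0 or n > BPF_MAXINSNS:
        return False, "program length out of range"
    for i, (code, jt, jf, k) in enumerate(prog):
        cls = code & 0x07
        if cls in (BPF_LD, BPF_LDX):
            # loads from scratch memory must stay inside M[]
            if (code & 0xe0) == BPF_MEM and k >= BPF_MEMWORDS:
                return False, f"insn {i}: load from M[{k}] out of bounds"
        elif cls in (BPF_ST, BPF_STX):
            if k >= BPF_MEMWORDS:
                return False, f"insn {i}: store to M[{k}] out of bounds"
        elif cls == BPF_ALU:
            # a constant divisor of zero would fault inside the kernel
            if (code & 0xf0) == BPF_DIV and not (code & BPF_X) and k == 0:
                return False, f"insn {i}: division by constant zero"
        elif cls == BPF_JMP:
            # targets are offsets from i+1 and only go forward, so the
            # program is loop-free and every path terminates
            targets = [k] if (code & 0xf0) == BPF_JA else [jt, jf]
            for off in targets:
                if off < 0 or i + 1 + off >= n:
                    return False, f"insn {i}: jump target outside program"
    # falling off the end is undefined: the last instruction must be a RET
    if (prog[-1][0] & 0x07) != BPF_RET:
        return False, "program does not end in RET"
    return True, "ok"

# constructed sample: tcpdump-style "ether proto \ip" on an Ethernet link
IP_ONLY = [
    (0x28, 0, 0, 12),      # ldh [12]            ; EtherType field
    (0x15, 0, 1, 0x0800),  # jeq #0x800, +0, +1  ; IPv4?
    (0x06, 0, 0, 0xFFFF),  # ret #65535          ; accept whole packet
    (0x06, 0, 0, 0),       # ret #0              ; drop
]
# constructed sample: same filter but the false branch jumps past the end
BAD_JUMP = [(0x28, 0, 0, 12), (0x15, 0, 5, 0x0800), (0x06, 0, 0, 0xFFFF)]
```

Everything the checker relies on (forward-only jumps, bounded scratch memory, no constant zero divisor, a terminating RET) is a property of the instruction set itself, which is what makes a proof about compiled output plausible where it would not be for arbitrary LKM code.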