[Cryptography] how reliably do audits spot backdoors?

Theodore Ts'o tytso at mit.edu
Sun Dec 29 13:19:29 EST 2013


On Sun, Dec 29, 2013 at 08:42:25AM -0500, Phillip Hallam-Baker wrote:
> So even though I have 4Gb of RAM on my 7 year old machine, I am having to
> consider upgrading because Chrome will grab 2Gb all by itself.
> 
> Oh they do things like ensure that they never take more than 50% of the
> memory on the machine but that strategy does not work when you have three
> programs running.
> 
> This should not be a problem on an O/S with fine grained security. But it
> is because the security mechanisms don't actually control what I want them
> to control. I want to give memory quotas to particular applications. I want
> to limit access to data in ways that ACLs don't support.

It is possible to use Linux containers (via the memory cgroup) to
control how much memory is used by a particular task.  Some of the
newer Linux distributions will be shipping user-friendly access to
this technology (which has been in use for a while to control memory
usage in Google's production servers and at most web hosting services
which use containers to efficiently run many virtual machines on a
single host).

That being said, Chrome is using that memory to cache graphics and to
prefetch web pages and other web assets.  And you will really notice
if you try to constrain Chrome to use less than 2GB of memory,
especially if you like to keep a large number of tabs open.

Personally, I don't see that as a security problem, at least not on a
single user workstation, but rather as a system
administration/management problem.  It certainly can be seen as a security
problem, but the problem is that this would require a fundamental
change in how we specify ACL's.  It's not enough to name a userid for
the ACL, but the combination of a userid and some application (i.e.,
chrome), for example.  And instead of the traditional read, write,
execute, etc. permissions, we would now need to add resource
constraints for memory, disk, CPU, network quotas, etc.

Worse yet, ACL's are a usability nightmare.  Users have consistently
been shown to be unable to properly manage a simple set of Unix
permissions, never mind ACL's --- and adding resource management as
being within the scope of ACL's would increase their complexity by at
least tenfold.

So I'm not convinced that ACL's are the right tool of choice for
managing file access, let alone the resource management problem.  It's
great to have low-level controls for people who really know what they
are doing, but we need something simpler for civilians to use.

- Ted
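As an added example (not part of Ted's post or the thread), the memory-cgroup control mentioned above, written against the cgroup v2 interface that current distributions mount at /sys/fs/cgroup. The function names, the `browser` group name and the 2G/1536M values are my own choices; the `CGROUP_ROOT` variable is there so the functions can be exercised against an ordinary directory without root.

```shell
#!/bin/sh
# Added example, not from the original post. Confines one application to a
# memory cgroup (cgroup v2 interface). Real use needs root and a cgroup v2
# mount; CGROUP_ROOT can point at any directory for a dry run.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# mem_cgroup_create NAME MAX [HIGH]
# memory.max is the hard ceiling (the OOM killer acts inside the group);
# memory.high throttles the group before that point, so set it a bit lower.
mem_cgroup_create() {
    name=$1; max=$2; high=${3:-$2}
    dir="$CGROUP_ROOT/$name"
    mkdir -p "$dir" || return 1
    echo "$high" > "$dir/memory.high" || return 1
    echo "$max" > "$dir/memory.max" || return 1
}

# mem_cgroup_attach NAME PID
# Moves an already running process into the group; its future children
# inherit the group. On a real cgroupfs each write moves exactly one PID.
mem_cgroup_attach() {
    echo "$2" > "$CGROUP_ROOT/$1/cgroup.procs"
}

# mem_cgroup_run NAME CMD [ARGS...]
# Starts CMD inside the group: a child shell moves itself into the group
# and then execs the command, so the limit applies from the first page.
mem_cgroup_run() {
    name=$1; shift
    sh -c 'echo $$ > "$0" && exec "$@"' "$CGROUP_ROOT/$name/cgroup.procs" "$@"
}

# mem_cgroup_limit NAME -- prints the configured hard limit
mem_cgroup_limit() {
    cat "$CGROUP_ROOT/$1/memory.max"
}

# mem_cgroup_oom_kills NAME -- how often the limit led to an OOM kill,
# read from memory.events; a rising count means the quota is too tight
# for the workload (e.g. a browser with many tabs open).
mem_cgroup_oom_kills() {
    awk '$1 == "oom_kill" { print $2 }' "$CGROUP_ROOT/$1/memory.events"
}

# Typical use as root (command name is an assumption):
#   mem_cgroup_create browser 2G 1536M && mem_cgroup_run browser google-chrome
```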
