[Cryptography] Are dynamic libs compatible with security? was: Apple and OpenSSL

Bear bear at sonic.net
Sun Apr 20 12:53:44 EDT 2014


On Sun, 2014-04-20 at 11:45 -0400, Bill Cox wrote:


> The right way to do applications is much like this, where we also run
> each application in its own security jail.

Agreed, and possibly in an even more radical form than you were 
considering.  I'm more and more sold on the idea that ABIs are a 
bad idea.  This is kind of a radical notion, and would not be as 
performant, but hardware is faster now and, especially for the 
desktop, we still have security needs our current methodology 
doesn't address and underutilized hardware capabilities we can 
devote to them.  This wouldn't work for compute-bound or I/O bound 
servers, but on the desktop the current hardware represents an 
embarrassment of riches for doing things better than we have.

Consider as an alternative a system in which pretty much everything 
is a discrete application with no shared address space, and if 
something needs a service provided by other code it needs to ask 
for it via the sockets layer - which is locked down hard and possibly 
encrypted, does its own bounds checking, etc.  Depending on the 
service and the timeframe, that request is either a request to a 
running daemon that handles it just like it handles any other 
request, or a request to the kernel to start an instance of a 
process just to serve the current program's needs.

Procedure calls are just too unchecked and mapping things into 
the same address space where machine code can read data you 
wanted private is not something we have to do.  So why are we 
doing it?

> In addition, to save on space, identical binaries should only exist on
> disk once.  This can be done trivially with hard links.  

It can also be done trivially with separate processes.  But let's 
face it; an entry level machine these days has a terabyte drive, 
and development boxes are a dozen terabytes.  Saving space is no 
longer as important as design simplicity, because design simplicity 
has gotten cheaper with current hardware.  And the most complex 
machines - where security issues hurt the most - are desktops, 
which have underutilized hardware capabilities.  

Bear
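The architecture Bear sketches (every service a separate process, reachable only through a locked-down socket that does its own bounds checking, never a procedure call into a shared address space), as an added C example that is not code from the thread or from any system it discusses. The 16-bit length-prefixed request frame, the one-byte status reply and the Linux SOCK_SEQPACKET socket pair are assumptions of the example.

```c
/* Added example, not code from the thread: a service in its own process, reached only
 * via a socket, bounds-checking each request itself. Frame format and SOCK_SEQPACKET assumed. */
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#define MAX_PAYLOAD 64               /* hard limit the service enforces */
struct svc { int fd; pid_t pid; };   /* client-side handle to the service process */

/* Validate one frame (16-bit big-endian length + payload) from received bytes only; copy out, return length or -1. */
int parse_frame(const uint8_t *buf, size_t avail, uint8_t *out, size_t outcap) {
    if (avail < 2) return -1;                      /* header incomplete */
    size_t n = ((size_t)buf[0] << 8) | buf[1];
    if (n > MAX_PAYLOAD || n > outcap) return -1;  /* claimed length too large */
    if (avail - 2 != n) return -1;                 /* truncated or trailing bytes */
    memcpy(out, buf + 2, n);
    return (int)n;
}

/* Service loop (child process): one status byte per request, 0 = accepted,
 * 1 = rejected. Exits when the client closes its end of the socket. */
static void serve(int fd) {
    uint8_t buf[2 + MAX_PAYLOAD], payload[MAX_PAYLOAD]; ssize_t got;
    while ((got = read(fd, buf, sizeof buf)) > 0) {
        uint8_t status = parse_frame(buf, (size_t)got, payload, sizeof payload) < 0;
        if (write(fd, &status, 1) < 0) break;
    }
    _exit(0);
}

/* Fork the service into its own process, joined to the client only by the socket pair. */
int start_service(struct svc *s) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0 || (s->pid = fork()) < 0) return -1;
    if (s->pid == 0) { close(sv[0]); serve(sv[1]); }   /* child never returns */
    close(sv[1]); s->fd = sv[0];
    return 0;
}

/* Client: frame and send a request, return the service's verdict (0 accepted,
 * 1 rejected, -1 on I/O failure). Sizing is judged by the service, not here. */
int request(const struct svc *s, const uint8_t *payload, size_t n) {
    uint8_t frame[2 + 2 * MAX_PAYLOAD], status;
    if (n > 2 * MAX_PAYLOAD) return -1;            /* only what fits our own frame */
    frame[0] = (uint8_t)(n >> 8); frame[1] = (uint8_t)n;
    memcpy(frame + 2, payload, n);
    if (write(s->fd, frame, 2 + n) < 0 || read(s->fd, &status, 1) != 1) return -1;
    return status;
}
void stop_service(struct svc *s) { close(s->fd); waitpid(s->pid, NULL, 0); }
```

A request that lies about its length, or is larger than the service's buffer, is refused at the socket boundary by code the caller cannot reach into; a crash or compromise of the service leaves the client's memory untouched.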