[Cryptography] Can crypto implement OS/FS protections ?
Phillip Hallam-Baker
phill at hallambaker.com
Thu Nov 24 10:49:31 EST 2022
On Wed, Nov 23, 2022 at 2:06 PM Michael Kjörling <9bf3a7ef93bb at ewoof.net>
wrote:
> On 22 Nov 2022 14:56 +0000, from hbaker1 at pipeline.com (Henry Baker):
> > Consider Unix/Linux read/write/execute/owner/group protections.
> >
> > Wouldn't 'execute' be analogous to today's 'trusted boot' chains ?
> >
> > Presumably 'owner' would be connected to a public key for the owner.
> >
> > Are there crypto versions of 'group' ?
>
> A group is just a named set consisting of some (non-negative but
> possibly zero) number of specified users. So if the concept of owner
> (a user) maps to a single public key, then the concept of group would
> likewise map to a set of public keys any one of which is sufficient to
> authorize the action in question.
>
> As long as we ignore performance, that makes it easy: if you already
> have some function authorized_for(action, identity) where action
> represents some action to be taken, identity is a user's public key or
> other identity-bearing token, and the return value somehow indicates
> whether the action is allowed or not; then all you need is a way to
> iterate over a set of values of identity until that function either
> returns "allowed" or you run out of identities to try (the latter
> resulting in an ultimate result of disallowed).
>
> For proper protection you would of course want that to be an atomic
> part of, for example, the I/O code path, not a separate test, but I'm
> simplifying here to illustrate the possible solution given the set of
> building blocks.
>
I have spent quite a bit of time thinking about how to do this in the
cloud. Inside the CPU... well that is another question and the answer is
likely to be 'yes you can meet the technical requirement but not in a
fashion that is actually useful'.
First off, file system protections today are based on 1970s technology and
limited to static access control. If you want good security, you want
dynamic access control and accountability (which is what the Mesh
provides). So no, Chealsea Manning cannot download 90,000 diplomatic cables
because the management system cuts her off at 2,000 (or so) and she is
deterred from attempting to exceed her authority by the knowledge that
every access is logged.
So as far as confidentiality is concerned, I can't see the value. Anyone
who is so deeply into security to care is going to want dynamic access
control.
But let's get back to the attack model, what are we really talking about
here? Prevent SPECTRE or ROWHAMMER type attacks? How about code injection?
I think we can probably do much better with narrower controls. We can
separate ECDH operations onto a separate CPU just for that, poof! SPECTRE
type attacks are gone. And many chips already have that (latent) capability
because they have integrated TPMs.
For ROWHAMMER, some sort of integrity control is more likely to be
effective, no?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20221124/af16b54a/attachment.htm>
More information about the cryptography
mailing list