This is the mail archive of the systemtap@sources.redhat.com mailing list for the systemtap project.



Re: safety paper redux


Hi -


On Wed, Apr 06, 2005 at 05:30:22PM -0700, Chen, Brad wrote:
> > > [compile with -O0, hope this exposes control constructs]
> > [and this trick will help elsewhere?]
> [...]
> If we assume relatively vanilla compilation, the hardest problem is
> confirming constraints on external data references.  Others are
> relatively straightforward.

Then again, how can we assume vanilla compilation, if we're
contemplating untrustworthy shared .ko's?


> >> [how to] make a user more comfortable he/she was protected from
> >> division by zero bugs? Asking them to read a bunch of src or asm will
> >> leave many users unsatisfied.
> >
> >But in the interpreter case, aren't they asking them to trust it
> >blindly, or else read *its* source?

> Not exactly. They trust that the community could read the source
> and that gives them some degree of confidence, even if they don't
> read it themselves. They also trust that interpreters aren't made
> to execute privileged instructions, in the same way that shoes
> aren't made to explode. [...]

None of that is qualitatively different from reading the translator's
source.  Or even better, they can read translator's output, where all
the checks would be spelled out in black and white.


> >> The raison d'etre would be to allow for late binding of the safety 
> >> policy. Checkability is a secondary benefit.
> >
> >This is an interesting idea, but any sort of "lateness" seems to occur
> >temporally only if users store/distribute/reuse compiled probe .ko's.
>
> I had been assuming that store/reuse/etc was a requirement. 
> It would certainly simplify a few things if it were not, but
> then everyone would have to have the compiler installed...

There is sharing, as in moving .ko's between two of your own computers
(one with, one without a compiler).  Then there is sharing, as in
downloading a .ko from the web.  The safety and especially security
concerns couldn't be more different.


> The late bind of security would also be useful if you wanted
> to expand the policy for a script but not enable all of guru
> mode. [...]

But if we're not talking about shared untrusted .ko's, then why would
we want to enforce this at load/static-check time, rather than
earlier, during translation?  If, within a single session, the
translator is emitting politically-incorrect function calls which the
hypothetical static-checker is offended by, then this is a bug in the
tools.


- FChE
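The point above about reading the translator's output, "where all the checks would be spelled out in black and white", is easier to judge with a concrete picture of what such output looks like. The following is an added illustration, not SystemTap's own generated code and not part of this thread: a hand-written C sketch of a probe handler for a hypothetical script `probe foo { buckets[$size / $count]++ }`, in the style of translated output where every potentially unsafe operation (here division and array indexing) is guarded by an explicit, inspectable check that records an error and exits the handler instead of faulting. The names `probe_ctx`, `checked_div`, `checked_index` and `probe_run` are assumptions chosen for this example.

```c
/* Added example, not SystemTap translator output: a probe handler written
 * the way a safety-checking translator might emit it, so that an auditor
 * can read the checks directly instead of trusting an interpreter.
 * All identifiers here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-invocation context: a failed check sets last_error and the handler
 * bails out; NULL means the handler ran to completion. */
struct probe_ctx {
    const char *last_error;
};

/* Emitted check for '/': refuse division by zero and the one signed
 * overflow case (INT64_MIN / -1) rather than letting the CPU trap. */
static int checked_div(struct probe_ctx *c, int64_t a, int64_t b, int64_t *out)
{
    if (b == 0) {
        c->last_error = "division by zero";
        return -1;
    }
    if (a == INT64_MIN && b == -1) {
        c->last_error = "division overflow";
        return -1;
    }
    *out = a / b;
    return 0;
}

/* Emitted check for 'array[idx]': index must lie in [0, len). */
static int checked_index(struct probe_ctx *c, int64_t idx, size_t len)
{
    if (idx < 0 || (uint64_t)idx >= len) {
        c->last_error = "array index out of range";
        return -1;
    }
    return 0;
}

#define N_BUCKETS 8
static int64_t buckets[N_BUCKETS];   /* script-global array 'buckets' */
static struct probe_ctx g_ctx;       /* constructed stand-in for a per-CPU context */

/* Handler body for the hypothetical script:
 *   probe foo { buckets[$size / $count]++ }
 * Every operation that could fault is preceded by its check; on failure
 * control goes straight to 'out' and nothing else in the body executes. */
static void probe_handler(struct probe_ctx *c, int64_t size, int64_t count)
{
    int64_t q;
    c->last_error = NULL;

    if (checked_div(c, size, count, &q) != 0)
        goto out;
    if (checked_index(c, q, N_BUCKETS) != 0)
        goto out;
    buckets[q]++;
out:
    return;
}

/* Run the handler once; returns "ok" or the recorded error string. */
const char *probe_run(int64_t size, int64_t count)
{
    probe_handler(&g_ctx, size, count);
    return g_ctx.last_error ? g_ctx.last_error : "ok";
}

/* Read back a bucket (for checking the handler's effect). */
int64_t probe_bucket(size_t i)
{
    return i < N_BUCKETS ? buckets[i] : -1;
}

int main(void)
{
    /* Constructed sample inputs: one good, one zero divisor, one out of range. */
    printf("%s\n", probe_run(40, 10));   /* ok: buckets[4]++ */
    printf("%s\n", probe_run(40, 0));    /* division by zero */
    printf("%s\n", probe_run(100, 1));   /* array index out of range */
    return 0;
}
```

The thing to notice is that the safety argument does not depend on the translator being trusted: a reviewer who is handed only this C (or the assembly compiled from it at a low optimization level) can verify by inspection that no division or array access is reachable without its guard. That is the sense in which the checks are "spelled out in black and white", as opposed to being buried in an interpreter's dispatch loop.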


