Unix security additions

Greg A. Woods woods at eci386.uucp
Fri Mar 22 12:41:24 AEST 1991


In article <PCG.91Mar17174428 at aberdb.test.aber.ac.uk> pcg at test.aber.ac.uk (Piercarlo Antonio Grandi) writes:
pcg> On 14 Mar 91 23:09:44 GMT, woods at eci386.uucp (Greg A. Woods) said:
pcg> woods> In article <39950 at cup.portal.com> PLS at cup.portal.com (Paul L
pcg> woods> Schauble) writes:
[....]
pcg> I would disagree with both statements; Unix was not designed for a
pcg> secure environment or for security, but some security mechanisms were
pcg> built in anyhow, probably as a result of the author's exposure to
pcg> Multics.
[....]
pcg> woods> Excuse me, but IMHO, when UNIX was first developed, *more*
pcg> woods> attention was put into careful consideration of security issues
pcg> woods> than with almost any other system of its time (except maybe for
pcg> woods> MULTICS).
pcg> 
pcg> This is a fairly counterfactual statement. There were systems
pcg> (capability based systems for example) designed for much greater
pcg> security at the time than Unix could possibly have, and Multics and
pcg> these other systems are simply in entirely another league from Unix.

Perhaps you haven't read Ritchie's paper about UNIX Security recently?
[ Neither have I actually :-) ]

Just because the first tape out of the Labs didn't implement a great
deal of security doesn't mean that careful forethought didn't go into
designing the security mechanisms of UNIX.

pcg> woods> A significant patent was even granted to one of the inventors for
pcg> woods> a very innovative systems security technique.
pcg> 
pcg> If you really believe what you have written (significant, very
pcg> innovative, systems security), I have this nice patent on moving cursors
pcg> on a screen using XOR that I can let you have for a song :-( :-( :-(.

I'm not advocating patents BTW. In fact, I think this particular
patent (the setuid patent) has been placed into the public domain by
AT&T, which IMHO was a very good gesture, though their recent behavior
w.r.t. X-11 leaves me with many reservations about their good intentions.

pcg> Unix is a terribly insecure system, if by security we mean something
pcg> substantial, like the military think about it. If we mean security as in
pcg> not letting hackers have free rein in an office environment, then with
pcg> effort and care, once *can* achieve some effective very basic security,
pcg> thanks to the thoughtful provision of minimal security primitives.

Yes, I mean security in terms of how it might be effectively applied
for a system in a business environment.  UNIX provides for this much
security *easily*, though not often "out-of-the-box".

Although the "military" definition of security has its merits, it is
not entirely relevant to the average MIS department.  In fact, I would
argue that very few MIS departments have anywhere near enough
discipline to implement anything like what the "Orange book" defines
for the higher levels of security.

"Orange book" security (of any significance) *requires* far more than
just software.  Strict implementation of policy, both inside the TCB
and outside (i.e. by the personnel) is necessary to have a secure
*system*.  Some of the highest levels even imply you require armed
guards on the machine room!

As you said, much of the more extensive security that MIS types might
need can be implemented at the applications level (eg. database
security by field/record).  If done intelligently, this can even be
integrated into standard UNIX security, such that a true TCB exists.
IMHO, this is where object-level security belongs in the first place!

I have in the past argued that UNIX can be made C2 secure *without*
kernel changes, i.e *easily*.  Of course that argument hinges on one's
interpretation of the "Orange book".  I admit that since I do not have
a background emphasising military security, my interpretation is
probably quite "loose".  In addition though, I'll even go so far as to
say the "Orange book" is out of date.

Yes, higher levels of security do require some of the features you
mentioned (such as removing the concept of a "superuser").  However, I
have a hard time believing such systems are still UNIX.  I believe
POSIX 1003.1 has still a dependence upon uid-0, though POSIX
1003.2-draft has carefully avoided such dependence.

I stand by my original statement that there has been more obscurity
and myth about security thrown at UNIX than there have been
significant enhancements (such as SecureWare's C2-targeted stuff that
SCO is pushing, or AT&T's SysV/MLS, or Gould's port); and that
eliminating this layer of myth and using the existing features in UNIX
in an organised way will be the most significant thing "we" can do for
UNIX security, even when networks are involved.

Remember, the level of a TCB [Trusted Computing Base] (as defined by
the "Orange book") can be measured by evaluating the following
criteria:  Availability, Confidentiality, Accountability, Integrity,
and Trustworthiness.  What many people think of when they are talking
about "security", and what the "Orange book" spends the most amount of
time on, are confidentiality and accountability.  The other criteria
are often ignored.  Traditional UNIX provides a reasonable level in
all of these criteria, when managed carefully.  Enhancing only the two
criterea I previously mentioned does not, in my books, result in a
higher level TCB.
-- 
							Greg A. Woods
woods@{eci386,gate,robohack,ontmoh,tmsoft}.UUCP		ECI and UniForum Canada
+1-416-443-1734 [h]  +1-416-595-5425 [w]  VE3TCP	Toronto, Ontario CANADA
Political speech and writing are largely the defense of the indefensible-ORWELL



More information about the Comp.unix.internals mailing list