BSD tty security, part 4: What You Can Look Forward To

[Dan Bernstein]

In article <19271 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
> I do know that AT&T has managed to solve the problems with access
> revocation since their new MLS product is either been evaluated at B2

While this is a good indicator of security, it cannot be considered
entirely accurate---apparently the ratings are based on tests rather
than specifications, and one of the NCSC reviewers told me that he
hadn't heard of the tty security problems (hence couldn't test them).

> As for "how reliable they are", in the case of the former, the NCSC
> has blessed it,

See above.

> I know that the IBM, Apple, Sun,
> and SCO UNIX (as well as IBM's old Trusted XENIX) products all provide
> assurances that what you are talking is really what you think you are
> talking to, and that no one else has access to it.

I don't have firsthand experience with the UNIX products from IBM and
Apple, but Sun has never successfully closed the tty security holes.
Comments from others indicate that A/UX is just as insecure. I've only
been talking about BSD-derived systems so I don't want to discuss SCO in
detail, but I'm told that it may have similar problems with /dev/tty.

---Dan