Xref: utzoo comp.unix.internals:2402 comp.unix.admin:1370
Newsgroups: comp.unix.internals,comp.unix.admin
Path: utzoo!telly!eci386!woods
From: woods@eci386.uucp (Greg A. Woods)
Subject: Re: Unix security additions
Message-ID: <1991Mar22.024124.3238@eci386.uucp>
Reply-To: woods@eci386.UUCP (Greg A. Woods)
Organization: Elegant Communications Inc.
References: <39950@cup.portal.com> <1991Mar14.230944.9184@eci386.uucp>
Date: Fri, 22 Mar 1991 02:41:24 GMT

In article pcg@test.aber.ac.uk (Piercarlo Antonio Grandi) writes:

pcg> On 14 Mar 91 23:09:44 GMT, woods@eci386.uucp (Greg A. Woods) said:
pcg>
pcg> woods> In article <39950@cup.portal.com> PLS@cup.portal.com (Paul L
pcg> woods> Schauble) writes:

[....]

pcg> I would disagree with both statements; Unix was not designed for a
pcg> secure environment or for security, but some security mechanisms were
pcg> built in anyhow, probably as a result of the author's exposure to
pcg> Multics.

[....]

pcg> woods> Excuse me, but IMHO, when UNIX was first developed, *more*
pcg> woods> attention was put into careful consideration of security issues
pcg> woods> than with almost any other system of its time (except maybe for
pcg> woods> MULTICS).
pcg>
pcg> This is a fairly counterfactual statement. There were systems
pcg> (capability based systems for example) designed for much greater
pcg> security at the time than Unix could possibly have, and Multics and
pcg> these other systems are simply in entirely another league from Unix.

Perhaps you haven't read Ritchie's paper about UNIX Security recently?
[ Neither have I actually :-) ]  Just because the first tape out of the
Labs didn't implement a great deal of security doesn't mean that careful
forethought didn't go into designing the security mechanisms of UNIX.

pcg> woods> A significant patent was even granted to one of the inventors for
pcg> woods> a very innovative systems security technique.
pcg>
pcg> If you really believe what you have written (significant, very
pcg> innovative, systems security), I have this nice patent on moving cursors
pcg> on a screen using XOR that I can let you have for a song :-( :-( :-(.

I'm not advocating patents BTW.  In fact, I think this particular patent
(the setuid patent) has been placed into the public domain by AT&T, which
IMHO was a very good gesture, though their recent behavior w.r.t. X-11
leaves me with many reservations about their good intentions.

pcg> Unix is a terribly insecure system, if by security we mean something
pcg> substantial, like the military think about it. If we mean security as in
pcg> not letting hackers have free rein in an office environment, then with
pcg> effort and care, one *can* achieve some effective very basic security,
pcg> thanks to the thoughtful provision of minimal security primitives.

Yes, I mean security in terms of how it might be effectively applied for
a system in a business environment.  UNIX provides for this much security
*easily*, though not often "out-of-the-box".

Although the "military" definition of security has its merits, it is not
entirely relevant to the average MIS department.  In fact, I would argue
that very few MIS departments have anywhere near enough discipline to
implement anything like what the "Orange book" defines for the higher
levels of security.  "Orange book" security (of any significance)
*requires* far more than just software.  Strict implementation of policy,
both inside the TCB and outside (i.e. by the personnel) is necessary to
have a secure *system*.  Some of the highest levels even imply you require
armed guards on the machine room!

As you said, much of the more extensive security that MIS types might need
can be implemented at the applications level (e.g. database security by
field/record).  If done intelligently, this can even be integrated into
standard UNIX security, such that a true TCB exists.
IMHO, this is where object-level security belongs in the first place!

I have in the past argued that UNIX can be made C2 secure *without* kernel
changes, i.e. *easily*.  Of course that argument hinges on one's
interpretation of the "Orange book".  I admit that since I do not have a
background emphasising military security, my interpretation is probably
quite "loose".  In addition though, I'll even go so far as to say the
"Orange book" is out of date.

Yes, higher levels of security do require some of the features you
mentioned (such as removing the concept of a "superuser").  However, I
have a hard time believing such systems are still UNIX.  I believe POSIX
1003.1 still has a dependence upon uid-0, though POSIX 1003.2-draft has
carefully avoided such dependence.

I stand by my original statement that there has been more obscurity and
myth about security thrown at UNIX than there have been significant
enhancements (such as SecureWare's C2-targeted stuff that SCO is pushing,
or AT&T's SysV/MLS, or Gould's port); and that eliminating this layer of
myth and using the existing features in UNIX in an organised way will be
the most significant thing "we" can do for UNIX security, even when
networks are involved.

Remember, the level of a TCB [Trusted Computing Base] (as defined by the
"Orange book") can be measured by evaluating the following criteria:
Availability, Confidentiality, Accountability, Integrity, and
Trustworthiness.  What many people think of when they are talking about
"security", and what the "Orange book" spends the most amount of time on,
are confidentiality and accountability.  The other criteria are often
ignored.  Traditional UNIX provides a reasonable level in all of these
criteria, when managed carefully.  Enhancing only the two criteria I
previously mentioned does not, in my books, result in a higher level TCB.
-- 
						Greg A. Woods

woods@{eci386,gate,robohack,ontmoh,tmsoft}.UUCP		ECI and UniForum Canada
+1-416-443-1734 [h]  +1-416-595-5425 [w]  VE3TCP	Toronto, Ontario CANADA
Political speech and writing are largely the defense of the indefensible-ORWELL