> > Honestly, that is not much of an answer. There are going to be flaws
> > in any sufficiently complex system. This is just the fundamental
> > nature of things; the bigger a system is, the more possible states it
> > has, so the more possible error states there are.
>
> When you wrote that, were you also considering
>
> > A capabilities-based system can go a long way to solving this
> > problem.
>
> ?
>
> Are you assuming that your "capabilities" can be perfectly implemented,
> without any additional vulnerabilities being introduced by the
> complexities of that capabilities system? That seems a pretty dubious
> assumption, to me.
Actually, that is part of the beauty of the system. The part that
manages capabilities (i.e., makes sure that no process can acquire
additional capabilities and makes sure that no capability can do stuff
that it shouldn't do) can be made very small. It can be made much
smaller than the OpenBSD kernel itself, and so it can be exhaustively
verified. As long as that small (tiny) section of the whole system is
correct, then breaches in other parts of the system will be
contained. This is a very good thing.
The logic you are using is this: "Complexity introduces more room for
errors (security holes) and adding capabilities adds complexity, and
therefore adds more room for errors." This misses the idea behind a
capabilities system. Yes, if there are any bugs in the capabilities
subsystem, you are hosed, but by adding this small piece of auditable
code, it means that all your other stuff is damage-limited.
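To make the argument above concrete, here is an added toy model of the "small auditable piece" the reply describes. It is not code from the thread or from any real capability system; the names (CapabilityMonitor, grant, attenuate, invoke) and the simulated component are constructed for illustration. The monitor is the only code that maps opaque tokens to authority, and it enforces exactly the two properties the reply names: a holder can never widen its rights, and a capability cannot be used for an operation it does not carry. Everything outside the monitor can be as buggy as you like; the worst a subverted component can do is use the rights it was already handed.

```python
"""Toy capability reference monitor (constructed example, not a real OS design)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable


class CapabilityError(Exception):
    """Raised by the monitor whenever a request exceeds the holder's authority."""


@dataclass(frozen=True)
class Entry:
    resource: str
    rights: frozenset[str]


class CapabilityMonitor:
    """The small trusted piece: the only place tokens are mapped to authority."""

    def __init__(self) -> None:
        # token -> (resource, rights); tokens are the only thing components ever hold
        self._table: dict[str, Entry] = {}

    def grant(self, resource: str, rights: set[str]) -> str:
        """Mint authority from nothing. Reserved for the monitor's own setup phase."""
        token = secrets.token_hex(16)  # 128 random bits: not guessable by a component
        self._table[token] = Entry(resource, frozenset(rights))
        return token

    def attenuate(self, token: str, rights: set[str]) -> str:
        """Derive a weaker capability. The new rights must be a subset of the old ones."""
        entry = self._lookup(token)
        wanted = frozenset(rights)
        if not wanted <= entry.rights:
            raise CapabilityError("cannot derive rights the holder does not have")
        new_token = secrets.token_hex(16)
        self._table[new_token] = Entry(entry.resource, wanted)
        return new_token

    def invoke(self, token: str, op: str) -> str:
        """Perform an operation through a capability; denied unless the token carries it."""
        entry = self._lookup(token)
        if op not in entry.rights:
            raise CapabilityError(f"{op!r} not permitted by this capability")
        return f"{op} on {entry.resource}"

    def _lookup(self, token: str) -> Entry:
        try:
            return self._table[token]
        except KeyError:
            raise CapabilityError("unknown capability") from None


def run_compromised_component(monitor: CapabilityMonitor, token: str) -> dict[str, str]:
    """Simulate an untrusted component whose logic has been subverted.

    It holds one token and tries every way it can think of to exceed it. The
    result records, per attempt, whether the monitor allowed or denied it.
    """
    attempts: dict[str, Callable[[], object]] = {
        "read": lambda: monitor.invoke(token, "read"),          # within its rights
        "write": lambda: monitor.invoke(token, "write"),        # right it was not given
        "escalate": lambda: monitor.attenuate(token, {"read", "write"}),  # try to widen
        "forge": lambda: monitor.invoke(secrets.token_hex(16), "read"),   # guess a token
    }
    outcomes: dict[str, str] = {}
    for name, attempt in attempts.items():
        try:
            attempt()
            outcomes[name] = "allowed"
        except CapabilityError:
            outcomes[name] = "denied"
    return outcomes


def demo() -> dict[str, str]:
    """Set up a monitor, hand a component a read-only capability, and let it misbehave."""
    monitor = CapabilityMonitor()
    full = monitor.grant("/etc/example.conf", {"read", "write"})  # constructed resource
    read_only = monitor.attenuate(full, {"read"})                   # what the component gets
    return run_compromised_component(monitor, read_only)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The point of the exercise is the size of what has to be right: the three methods of CapabilityMonitor are the whole enforcement surface, and they can be read and checked in a few minutes, while run_compromised_component stands in for the arbitrarily large and arbitrarily buggy rest of the system. Forging is defeated by unguessable tokens rather than by trusting the caller, and escalation is defeated because derivation is only ever downward.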