From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from nm19-vm7.access.bullet.mail.bf1.yahoo.com (nm19-vm7.access.bullet.mail.bf1.yahoo.com [216.109.115.102]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 5DA0121F100 for ; Mon, 14 Apr 2014 12:51:46 -0700 (PDT) Received: from [66.196.81.158] by nm19.access.bullet.mail.bf1.yahoo.com with NNFMP; 14 Apr 2014 19:51:44 -0000 Received: from [98.139.221.157] by tm4.access.bullet.mail.bf1.yahoo.com with NNFMP; 14 Apr 2014 19:51:44 -0000 Received: from [127.0.0.1] by smtp117.sbc.mail.bf1.yahoo.com with NNFMP; 14 Apr 2014 19:51:44 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s1024; t=1397505104; bh=JQfNicVqCohAcKKEh65JS+W696ICRXjruY1mPP6xE9s=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:Reply-To:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding; b=QjZREp4HT6LIIq3FjhNtSyhtKCoAaYYO5K6g+MyLVUQHQY7U+tqCrwm40sJXDpHQO2AFRSEYiZwTNK4Rk4ntNL2SQynWaWWjWv+7l2Yt58ndkPIyo50zkQkCDPRf3pjQenKJX+n6i3QXpi1ahoH0yzaf2dvvQ4+LZKqTwK1ZDIw= X-Yahoo-Newman-Id: 43551.31966.bm@smtp117.sbc.mail.bf1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: M9J9bMEVM1mWGIOGJdlGuLIFRMnGStswbsKHPUCVLlGieDY kG1eQ5rZpl0xeUrGRzbftbz3ovhDdBJDh77jj8L7ezp9T92oQr0pO_ldATZy cK7y4Eqb4ROsJR__cIu5hpAZ7BoRYPRf8IulZjeshRztZiGerywgCL5KHNUv 9m29cHbGklFc4W7uCZnJtSBMjPcx8oIFLd2aIotPPehmNEtYalDcX2gK.WeZ O8NbERD3C1dT1B.qQMVcnyP2JJxX0T9vsj9sYqN1BqTLz5ewbl9s2pZyUEoo nceJ7p5sDdRcGmOIlxWf6HC68emiNumY.Pz2sryCqw75e9DFUKFt8pYcf.r5 z0fd.rgt.2mQOZis98Uf4UnWcZIw2Di.f8oG7lQt5lgie8vVHb9lv0c8lN_t ZJWVRsQVeKlFWErR7YFeGa13DZ2udeCD1YLuxYKlEziPchytEzuGQH6dPiYt 5tbiSIKrEQCbW2fPvloVloPg4Da9nG01cc43lsqVsBEEwfFQ_6iCKkM7X.QD BmMy7rNQo4tHDjECmFBh7AEfTqnEvg_aadAc- X-Yahoo-SMTP: sltvjZWswBCRD.ElTuB1l9j6s9wRYPpuyTNWOE5oEg-- X-Rocket-Received: from [10.111.100.146] (davec-b@74.213.188.46 with plain [98.139.221.125]) by smtp117.sbc.mail.bf1.yahoo.com with SMTP; 14 Apr 2014 19:51:44 +0000 UTC Message-ID: <534C3C4E.2000903@rogers.com> Date: Mon, 14 Apr 2014 15:51:42 -0400 From: David Collier-Brown User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: bloat@lists.bufferbloat.net References: In-Reply-To: X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [Bloat] [Cerowrt-devel] wired article about bleed and, bloat and underfunded critical infrastructure X-BeenThere: bloat@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list Reply-To: davecb@spamcop.net List-Id: General list for discussing Bufferbloat List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Apr 2014 19:51:47 -0000 From: Dave Taht wrote: >> in the 80's, we've >> known that security-based code should not be exposed to user code and vice >> versa. Yet the SSL libraries are linked in, in userspace, with the >> application code. > I note that I am glad that they are mostly dynamically linked in - > something that wasn't the case for some other crypto libs - because > finding applications > that linked statically would be even more difficult. > > Arguably, one shouldn't have security-critical code in an space addressable by the application program. In the specific case of a complicated encryption engine, I'd wish to have a fairly stupid system service to do the time-sensitive part, on the other side of a system call with limited options. A ring-crossing if I could, an ioctl if I must (;-)) Most of the rest I'd have in a daemon, with some syntactic sugar in a callable library, but with no privilege attached to the sugar. Application calls sugar, sugar calls ioctl, fast but stupid service sends data. On certain hardware, the fast-but-stupid stuff is a crypto accelerator the CPU board. I'd *strongly* want using that hardware to be privileged. This isn't sufficient, mind you: bugs will still happen. What I really want is a defence in depth to mitigate the effects of bad code, bad requirements and bad schedules. --dave [One smallish part might be a funded attack team, possibly named MI5 (not 6!)] -- David Collier-Brown, | Always do right. This will gratify System Programmer and Author | some people and astonish the rest davecb@spamcop.net | -- Mark Twain