nil.enroll(aetheric_username, quantum_class_id) (adric) wrote,
nil.enroll(aetheric_username, quantum_class_id)
adric

  • Location:
  • Mood:
  • Music:

Please read the spec and the discussion first, thanks. Was: Re: [OLPC Security] A mom's worries

Hi,

Please read the spec, the wiki discussion page, and the previous posts to this list before trying to discuss perceived flaws in the system that is being built. http://wiki.laptop.org/go/BitFrost , http://wiki.laptop.org/go/Talk:Bitfrost , and http://lists.laptop.org/pipermail/security/, respectively.

Discussion of weaknesses in standard Linux or UNIX systems are not necessarily applicable to the OLPC Bitfrost platform. Also, the spec is not fully implemented in the software, but the spec makes pretty clear what features are intended.

An example:

But any infected activity gets access to system resources in the same
way as the
"host" user. Last time I checked, rainbow/service.py didn't do
anything special
to try and really hunt-down any background processes created by an
activity,
so to say that the spam-bot (or any other unintended malware-type-thing)
dies when the activity gets cleaned up is horribly misleading.


Since, as you acknowledge earlier, each Activity is started in it's own UID, then it is trivial to make sure that all processes started by that user and all of their children die when the Activity is terminated, eg `slay 1003`. So, pointing out that 'weakness' is not particularly helpful, but submitting a patch that adds that command to activity tear-down might be.

Similarly, discussion of spamming is hopefully mitigated by the default network rate limiting and cpu usage limiting of the platform. If you see weakness in this plan that are not already discussed, please share. Or submit patches :)

Thanks,
Adric Net

Yes, again. *sigh*

Tags: bug
Subscribe

  • Scripting, iSight, madness, ruby

    So, I banged around in irb and Google working on this whole automate my Mac's built-in camera thing. I'm not averse to buying one of the neat-o cam…

  • Success?! (Yes, more Windows Scripting crap)

    PS C:\Users\Administrator> Get-WmiObject -namespace "root/WebAdministration" -query "select * from VirtualDirectory" | Select-Object…

  • WMI, IIS, CIM and other cursewords

    Finally, after hours of reading through mind-numbingly overcomplicated documentation about the incredible plural architectures for Windows system…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments