steve@basser.oz (Stephen Russell) (03/06/87)
Here's a topic close to my current interests. What opinions are there regarding security in interprocess communication in message-passing systems? I'm not concerned with encryption of messages (a reasonably well understood area), but rather how protected the communication channels should be.

One approach is to provide no protection at all, as in the V kernel. Since process ids are small integers, any process can send to any other process. This means that any validation of the right of the sender to communicate with the receiver must be done by the receiver process. This seems to have the advantage of simplifying the kernel, and makes IPC faster, and protection is optional, depending on the paranoia of the receiver or the criticality of the operation requested. However, what are the disadvantages?

Many other systems rely on secure kernels, and establish more tightly controlled links between processes (a virtual circuit approach). The disadvantage seems to be the overhead of creating, using, and destroying such links. Also, can we really trust the kernels in a distributed system?

Amoeba's use of get and put ports prevents processes receiving messages not intended for them, but at the cost of specialised hardware. It does seem a good approach, though, for a campus-wide system, where students can hook any arbitrary machine to a wall socket, and hack away to their heart's content. Are there better (that is, cheaper) approaches?

The system I am currently developing protects process ids by adding a large (64 bit) random number to the normal pid. This `signature' makes it much more unlikely that you can send to a process without permission, in the same way as provided by the sparseness of Amoeba's port numbers. This adds some cost to all IPC functions, in that the signature must be validated. However, it removes the need to do validation by the receiving process. Of course, it doesn't protect against interlopers receiving any messages they like - this would require Amoeba style hardware protection (or does it?). Does this approach seem reasonable?

On a related issue, consider a process acting as an intermediary between a root owned process and some other server. How does the intermediary gain root privileges for its requests to the other server? That is, how does the server verify that the request from the intermediary is on behalf of a privileged process?

Looking forward to some discussion on this topic.