Regarding the security of the keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 21, 2015 at 9:46 PM, Salz, Rich <rsalz at akamai.com> wrote:

>
> > Actually that isn't quite right.  A properly configured and
> tuned RBAC policy, when combined with PaX, can very effectively limit all
> userspace activity (including root access!).
>
> How do you know that the module is installed and actually doing things?
> How do you know what kernel is actually booted?
>

Of course you're right.  One might also consider attack vectors from an
unsecured BMC or the IME - they probably have undetectable DMA access to
the host, after all.  But that isn't the point ... steps can and should be
taken to lock down the host operating system.


>
> > It helps if you can also use a hardware security module to protect your
> key material.
>
> How do you know that the operations that YOU request are actually the ones
> being performed?  How do you know that the operating system isn't making
> additional requests of its own?
>
> You have to trust root.  No two ways about it.
>

The first question has no bearing on the second statement.  With or without
grsecurity/selinux, you have no way to guarantee that the kernel is
operating the way you expect it to at any given time.  I suppose it boils
down to the threat model.  However, limiting root's power is a good idea,
and grsecurity provides an excellent framework in which to do so.  Caveat
emptor.


>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150721/113ff07a/attachment.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux