[Info-vax] Why not reimplement SEVMS into x86 OpenVMS?
Arne Vajhøj
arne at vajhoej.dk
Fri Nov 18 18:51:20 EST 2022
On 11/17/2022 8:12 AM, Simon Clubley wrote:
> On 2022-11-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 11/16/2022 9:47 AM, Michael C wrote:
>>> Offer it free ...
>>>
>>> Would be fast to port ...
>>>
>>> Wouldn't that boost security until other features can be added?
>>
>> If mandatory access control is seen as important for security by
>> customers and potential customers then it would make sense.
>>
>> But I am skeptical.
>>
>> The common threats today are just so much different than the
>> common threats 30 years ago.
>>
>
> One major use is for helping to keep attackers contained after a
> compromise occurs.
>
> A good example is SELinux which applies this mindset to (by default)
> server processes running on a Linux system.
>
> This approach is still _very_ useful, regardless of how the initial
> compromise occurred, and whether it was some new or old technique used
> to carry out the initial compromise.
But what is the specific scenario?
Vulnerability 1 allows an attacker to change DAC protection
on something that the attacker can then utilize via vulnerability 2,
but MAC would prevent that?
I could happen, but I don't see it as a common scenario.
SELinux is certainly useful and relevant, but it does much
more than SEVMS MAC.
Arne
More information about the Info-vax
mailing list