httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peter J. Cranstone" <cransto...@comcast.net>
Subject RE: pgp trust for https?
Date Wed, 09 Nov 2005 20:29:28 GMT
Follow up. For those of you who are interested in reading more about how
Itanium supports a secure platform you can read all about it at the US
patent office number: US 2002/0194389 A1

Here's a snip from the abstract..

The combined-hardware-and-software secure-platform interface employs a
hardware platform that provides at least four privilege levels,
non-privileged instructions, non-privileged registers, privileged
instructions, privileged registers, and firmware interfaces. The
combined-hardware-and-software secure-platform interface conceals all
privileged instructions,
privileged registers, and firmware interfaces and privileged registers from
direct access by operating systems and custom control programs, providing to
the operating systems and custom control programs the non-privileged
instructions and non-privileged registers provided by the hardware platform
as well as a set of callable software services. The callable services
provide a set of secure-platform management services for operational control
of hardware resources that neither exposes privileged instructions,
privileged registers, nor firmware interfaces of the hardware nor simulates
privileged instructions and privileged registers. The callable services also
provide a set of security-management services that employ internally
generated secret data, each compartmentalized security-management service
managing internal secret data without exposing the internal secret data to
computational entities other than the security-management service itself.

To solve the security problems you (us, whatever) will have to use a
combination hardware and software architecture. Can't be done in software
alone and it all has to start with Root Trust. If you don't have that then
you have something "else".

Cheers.

Peter
cranstone1@comcast.net  

-----Original Message-----
From: Peter J. Cranstone [mailto:cranstone1@comcast.net] 
Sent: Wednesday, November 09, 2005 1:12 PM
To: dev@httpd.apache.org
Subject: RE: pgp trust for https?

No problem - Itanium has the architecture you need. You can isolate all the
physical memory into compartments controlled by a protection key. Each
compartment has the ability to individually control read, write and execute
privileges.  

Peter
cranstone1@comcast.net 

-----Original Message-----
From: Paul A Houle [mailto:ph18@cornell.edu] 
Sent: Wednesday, November 09, 2005 1:07 PM
To: dev@httpd.apache.org
Subject: Re: pgp trust for https?

Peter J. Cranstone wrote:

>Currently Windows, Linux and Unix only use two levels of privilege - Ring 3
>and Ring 0. Everybody and there uncle's code want to run at Ring 0. Another
>really bad idea, as once I introduce a network/video/keyboard/whatever
>driver at that level I can execute malicious code. From there I can control
>the machine.
>
>  
>
    You'd need a new hardware architecture for ring 1 drivers to be 
worth it.  The trouble is that drivers can initiate DMA operations 
against physical memory.  Unless you devise some system where the OS can 
veto DMA operations,  protection in the CPU is worthless.


Mime
View raw message