Comodo ?

Isn't Tripwire primarily based on a daemon exiting on any file write activity on certain files? The checksums are just an additional measure.

Reply to
Sebastian Gottschalk

Yes. And: I was provoking a little bit ;-)

But why should one want a weak IDS if one can have a strong one?

Yours, VB.

Reply to
Volker Birk

Oh yes, you can. It just needs more time. Just read the buffer in RAM while other processes are reading the data. No extra disk access necessary, only a very small amount of CPU cycles, which usually can be easily hidden.

Yours, VB.

Reply to
Volker Birk

Indeed, it's pretty hard to circumvent making suspicions, because you don't know exactly what is recorded. What about disk buffer access in RAM? This is where you'd fail.

Beside that, as always, the IDS should run as a privileged service, so it could not be harmed if just a restricted user account is compromised.

Reply to
Sebastian Gottschalk

Really, most of the malware I can see is terribly incompetent itself. If I'd hack malware, I'd never hack anything else than a root kit.

If so. And how likely is that with a typical Windoze box?

If there would be capability based systems only, it would be very hard to implement malware at all.

If so.

Yours, VB.

Reply to
Volker Birk

RAmen. But, for the sake of subversion, only a pretty unobtrusive usermode rootkit. ;-)

With a sane administration present: very likely. I conclude this being a reasonable requirement.

Windows is capability-based. So is any security-enhanced Linux with POSIX capabilities. Actually Windows is quite a bit better, because it distinguishes between globally and locally enable-able privileges (thus granted privileges can be disabled by default without granting them to everyone).

Reply to
Sebastian Gottschalk

No.

No. At least: not completely.

Yours, VB.

Reply to
Volker Birk

Then I wonder why every process has a read-only token with bits representing certain privileges (actually one entry for every relevant principal), supports inheritance and allows dropping privileges (as well as increasing, when the relevant privilege is held).

In both systems the problem is the lack of diversity in privileges.

Reply to
Sebastian Gottschalk

I'm assuming that you don't know the concept of capability based systems very well. You can easily detect which systems are not capability based:

- if there are ACLs, then this is not a capability based system

- if persistence is not orthogonal, then it's not a CBS

No.

I meant Linux, because the concept of security attributes of file descriptors (the UNIX concept) is much like a capability based system.

man fork

The POSIX capabilities are not.

Yours, VB.

Reply to
Volker Birk

My understanding is that the checksum checking is what tripwire is about.

-j

Reply to
Jeffrey Goldberg

The ACLs are merely a management issue. The effective privilege set is determined only once for every role, and only recalculated on privilege change.

Regarding privileges and owners, it's fully orthogonal. Any usage of privilege is determined by what token a process is carrying around, and the possession of such a token is sufficient.

I was referring to the process capabilities only, which are clearly a capability-based security system.

Maybe you've been confused by my claims: None of these systems are fully capability-based, especially not for general object access. But they're fully on a process level, and regarding named pipes and generally any named objects they're a mixture.

Reply to
Sebastian Gottschalk

Yes, of course. And they're just the opposite of a capability based system.

Sorry, it's not. There are ACLs for files and directories, aren't there?

Sebastian, please have a look at a capabilities based system like EROS (or one of its successors) first, before talking about this topic again.

You just don't understand.

Yours, VB.

Reply to
Volker Birk

The ACLs are merely served to construct the actual capabilities, which are then used without any back-reference to the constituting ACLs.

As I already told you, it's only capability-based for processes with respect to privileges.

Certain types of objects (handles to certain objects) are processed using a mixture of ACLs and capabilities, e.g. once the ACLs are determined, the possession of a handle is enough. Same as in Unix - once you hold a file handle, you can write to the file even if it was already unlinked, got its ACLs changed or whatsoever, as you hold a handle for writing data to a certain location.

Reply to
Sebastian Gottschalk
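The Unix file-descriptor behaviour described in the post above (a held descriptor keeps working after the name is unlinked and the mode bits are stripped, and a child inherits it across fork), as an added example that is not from any participant in this thread; the file name and written bytes are constructed for the demonstration.

```python
import os
import tempfile


def write_after_unlink_and_chmod(data: bytes = b"still writable\n") -> dict:
    """Open a file for writing, then strip its permission bits and unlink it.
    The descriptor (the 'capability') still authorises writes and is inherited
    by a forked child; the name and mode bits are only consulted at open() time.
    """
    tmpdir = tempfile.mkdtemp()                  # constructed scratch location
    path = os.path.join(tmpdir, "log.txt")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.chmod(path, 0o000)                    # change the "ACL": nobody may open it
        os.unlink(path)                          # remove the name entirely
        name_gone = not os.path.exists(path)

        written = os.write(fd, data)             # still succeeds: the fd is the authority

        # A child inherits the descriptor (see fork(2)) and can keep writing;
        # both share one open file description, so the child's bytes follow ours.
        pid = os.fork()
        if pid == 0:
            os.write(fd, b"child\n")
            os._exit(0)
        os.waitpid(pid, 0)

        st = os.fstat(fd)                        # inode stays alive while a descriptor holds it

        # A fresh process without the descriptor has no way back in: the name is gone.
        reopen_failed = False
        try:
            os.close(os.open(path, os.O_WRONLY))
        except FileNotFoundError:
            reopen_failed = True

        return {
            "name_gone": name_gone,
            "written": written,
            "size": st.st_size,
            "nlink": st.st_nlink,
            "reopen_failed": reopen_failed,
        }
    finally:
        os.close(fd)                             # last reference released: inode is freed now
        os.rmdir(tmpdir)
```

This is why an integrity checker that only inspects names and permission bits misses an already-open descriptor; monitoring must account for live handles as well.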

I have the feeling that you've missed the point where you should have stopped arguing.

Yours, VB.

Reply to
Volker Birk

Maybe you should distinguish between how the access matrix is constructed, viewed and evaluated. Yes, it is constructed by ACLs and typically ordered in that way, but it's evaluated as capabilities, by processing the access matrix orthogonally into a capability bit set, which is then evaluated against an access mask in SeCheckSinglePrivilege.

Reply to
Sebastian Gottschalk
