Unix (In)Security

[Derek Andrew]

I have just returned from a security seminar.  The speaker made some 
comments about Unix and security.  It seems that the last two issues 
of Unix Review carried some comments from someone at Purdue.  Purdue
had been working on a secure kernel implementation of Unix.  A spokes-
person had stated that: using an ordinary guest account, a member of
their team could obtain superuser status within 5 minutes.  On their
secure system, it would take at least 40 minutes.  

This comment bothers me a little.  I would really like to speak with
someone at Purdue about this.  Would some kind soul that receives
Unix Review kindly send me the name of the person at Purdue that made
that statement?  Of course, I won't post the results of my conversation
if it is indeed true until we move to VMS :-).

Another comment made by the speaker was that there have been 5 attempts
at generating secure Unix kernels.  All attempts have not been successful
and 4 have been aborted.  If anyone knows about any of these attempts,
please send me the details.  I will post a summary.

So what kind of flaw exist in Unix?  I am not talking about things 
that can be done on other operating systems, like stealing backup
tapes, mounting Unix disks on systems which you know the root password,
running a program to simulate the login procedure or using micros
for an exhaustive search for the root password.

Are there any flaws which have no way to be plugged?

Maybe this is not the place to discuss such security issues, but as
the speaker said, "having no security on a system is better than
thinking that your system is secure".  

-- 
Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0
{ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek  306-966-4820  0900-1630 CST
	"I ain't afraid o' no bugs." - Bugbusters