[45] in WWW Security List Archive
Re: GSS API (as a DLL)...
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Aug 17 01:51:48 1994
To: Bernhard.Schneck@physik.tu-muenchen.de
Cc: www-security@ns1.rutgers.edu, John Ludeman <johnl@microsoft.com>
Date: Tue, 16 Aug 1994 22:06:20 EDT
From: Marc Horowitz <marc@MIT.EDU>

>> I apologize for this tangential issue, but somebody has expressed
>> concern that a Dynamic Link Library type mechanism for the GSS APIs (or
>> DLLs in general) are not suitable because there is not wide support on
>> many Unix systems. This is the first time I have heard this concern
>> and I wanted to make sure we're not going down a road of woe and despair.

As someone else has pointed out, both shared libraries and run-time
dynamic loading are possible under most unix implementations. As a
general rule, the more modern the unix, the easier things are.

Another way to interpret your statement is that GSS API does not have
wide support. This is probably true right now, but I think this will
change in the future. And I think I can say with absolute certainty
that there will be no existing base of support for any system which is
written expressly for the Web.

>> Also, I'd like to see a very thorough security analysis of DLLs
>> under Unix of people who know what they are doing before I'd trust
>> them for security related stuff.

I've thought about this issue a little bit. The main problem is
trojan-type attacks, but unix (and every other OS I know) is
susceptible to this sort of attack in a myriad of ways, and will
remain so without hardware support. I plan on thinking about it a bit
more, because I've got some programs which could really benefit from
sharing the kerberos libraries.

Marc