Security in Plan 9

Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, and Sean Quinlan

Summary (Greg Koenig - koenig@uiuc.edu):

This paper describes the security architecture of the Plan 9 operating system from Bell Labs. Plan 9 was designed from the beginning to be a distributed operating system. Machines in a Plan 9 group provide resources such as compute services, file services, and terminal services to one another. These resources are named and accessed like files in a hierarchical file system via an underlying protocol called 9P. Due to the inherent distributed nature of Plan 9, security is an important consideration in the system.

The main component of the Plan 9 security architecture is a per-user agent called "factotum". A user's factotum holds a copy of the user's keys and negotiates authentication protocols on behalf of the user with services throughout the network. Factotum is designed not to disclose a user's keys and to resist attempts at maliciously obtaining a user's keys. When a user process needs to negotiate an authentication protocol, it contacts its factotum and passes it the state of the authentication process currently taking place. The factotum encapsulates the details of the authentication protocol.

There are several advantages of having factotum encapsulate the details of the authentication protocols used within Plan 9. First, writing correct security-related code can be quite difficult. Encapsulating all security code within factotum allows the intricate details of this code to be audited more readily. Second, if a vulnerability is discovered in any of the Plan 9 authentication protocols, the vulnerability may be repaired by modifying only the factotum code and without altering or even re-linking any application software. Finally, new authentication protocols may be added to Plan 9 by augmenting the factotum codebase, and applications can trivially begin to make use of these new protocols.
A capability system managed by the kernel enables factotum to grant permission to a process to change its user id to impersonate another user. In contrast to the traditional UNIX model, a server process needs no special privileges to authenticate a user since the authentication is carried out by interacting with factotum. Once the authentication is successful and the Plan 9 kernel returns a capability to the server process, the capability can be used by the server process to impersonate the requesting user, also without requiring any special privileges. Thus, it seems likely that Plan 9 is much less vulnerable to an entire class of attacks that have plagued UNIX systems in recent years.

Voting:
* strong accept: 1
* accept: 5
* reject: 0
* strong reject: 0
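As an added illustration (not from the paper, and not Plan 9's own source), here is a small Python model of the capability flow the summary describes: after factotum completes an authentication, the kernel mints a single-use capability bound to the server's current identity, and the server redeems it to change user id without holding any special privilege. The `Kernel` class, the `user@user@nonce` string format and the HMAC bookkeeping are constructed assumptions for this model, not Plan 9's real kernel interface.

```python
import hashlib
import hmac
import secrets


class Kernel:
    """Model of the kernel capability service (constructed for this example;
    not Plan 9's actual implementation or device interface)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # kernel-private, never exported
        self._unused = set()                 # digests of capabilities not yet spent
        self.uid_of = {}                     # pid -> current user id

    def _digest(self, cap):
        return hmac.new(self._key, cap.encode(), hashlib.sha256).digest()

    def mint(self, server_pid, target_user):
        # Issued once factotum reports that the authentication protocol
        # succeeded. The capability is bound to the server's current identity
        # and can be redeemed exactly once.
        cap = f"{self.uid_of[server_pid]}@{target_user}@{secrets.token_hex(16)}"
        self._unused.add(self._digest(cap))
        return cap

    def use(self, pid, cap):
        # The server presents the capability to impersonate the authenticated
        # user. No setuid-style privilege is needed: the kernel only consults
        # the records it created itself.
        d = self._digest(cap)
        if d not in self._unused:
            return False                     # forged, replayed or never issued
        src, dst, _ = cap.split("@")
        if src != self.uid_of[pid]:
            return False                     # presented by the wrong identity
        self._unused.remove(d)               # consume it: single use
        self.uid_of[pid] = dst
        return True


def demo():
    k = Kernel()
    k.uid_of = {100: "srvuser", 200: "srvuser", 300: "other"}  # constructed pids
    cap = k.mint(100, "alice")           # factotum authenticated "alice" for pid 100
    r1 = k.use(300, cap)                 # wrong identity: refused
    r2 = k.use(100, cap)                 # server now runs as alice
    r3 = k.use(200, cap)                 # replay by a sibling: refused, already spent
    r4 = k.use(100, "srvuser@root@deadbeef")  # forged capability: refused
    return r1, r2, r3, r4, k.uid_of[100]
```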