Gentoo Archives: gentoo-security

From: Joshua Brindle <method@g.o>
To: pageexec@××××××××.hu
Cc: gentoo-hardened@l.g.o, gentoo-security@l.g.o, Niels Provos <provos@××××××××××.edu>
Subject: [gentoo-security] Re: [gentoo-hardened] Systrace resurrection
Date: Wed, 26 Apr 2006 15:06:53
Message-Id: 444F8A89.7090106@gentoo.org
pageexec@××××××××.hu wrote:
> On 26 Apr 2006 at 10:01, Joshua Brindle wrote:
>
>> This is no flamewar. The model is broken by my standards. It bypasses
>> built-in DAC and capabilities in the kernel making it the single attack
>> vector to gain all access on the system. Compare to grsecurity, rsbac,
>> selinux which do not bypass kernel access control or escalate privileges.
>>
>
> it'd help the discussion/review (which is what Andrea asked for) if
> you/others were more precise and cited specific attacks. generic
> hand-waving of 'this is broken' doesn't help it. this is not to say that
> i disagree with your opinion (fwiw, you and spender are on the same
> side for once ;-).
>
>
I don't agree that specific attack vectors are required to determine
whether a model is broken. The reasons I think the model is broken are
pretty clearly laid out in the URLs posted. There are also others for
this specific implementation. It is a dire problem to facilitate
non-security aware/minded users to add rules to the policy dynamically.
"If I don't push yes this won't work", these systems have been shown
time and time again to fail. And, like I already said, bypassing
in-kernel DAC and capability restrictions means that there is now a
single attack vector to gain all system privileges. This means systrace
actually *removes* a layer of security from the system, which is clearly
a bad idea.
>> http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
>> http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
>>
>
> it's funny that you mention these as i just came across them and was
> going to post a rebuttal to many of your claims. do you want them here
> on the list or on the blog (it will probably take a few days until i
> have enough free time though)?
>
On the blog is fine. Remember that those posts aren't targeting specific
implementations (e.g., grsec is not affected by all of the issues listed)
but rather the model in general.
--
gentoo-security@g.o mailing list
