1 |
> It would be a good strategy IMHO to recruit graduates to work on security |
2 |
> stuff. It's a really fascinating topic to immerse in the depth of the |
3 |
> toolchain and its security features - for a passionate graduate. Of course |
4 |
> it requires a supervisor... |
5 |
|
6 |
Any PhD supervisors in computer science academia on the list? I dropped out of |
7 |
my PhD due to illness and haven't gone back, so I can't supervise any PhD |
8 |
students in this area, unfortunately. |
9 |
|
10 |
> I think grsec would need some kind of configuration mechanism similar to |
11 |
> SELinux. It could be either implemented on a per-ebuild basis or as a base |
12 |
> policy. |
13 |
|
14 |
I like the idea of the SELinux per-application policies. I've never used them |
15 |
or SELinux, though, so I don't know how effective or simple they are to use |
16 |
IRL. Anyone else care to comment on this? |
17 |
|
18 |
> That could be further extended with additional features according |
19 |
> to the particular box. Using m4 would be a good candidate to generate the |
20 |
> redundant per user stuff. |
21 |
|
22 |
Oh yes, this is the most tedious part of the grsec configuration. A good UI |
23 |
tool of some kind would help gloss over this. (If we're still talking |
24 |
hypothetical features here.) |
25 |
|
26 |
> I think many of us could contribute to the |
27 |
> policy. The hardest task would be to agree on the differences regarding |
28 |
> the security requirements. But that could be made configurable also. |
29 |
> Configuration intelligence could investigate the contents of the conf |
30 |
> directory to tailor the policy to the specific settings... |
31 |
|
32 |
Hmm... configuration-wise, I'm envisioning a directory tree under /etc/grsec |
33 |
with per-user and per-application branches (because detailed grsec policy |
34 |
files get very big very quickly), so that differences or changes in |
35 |
requirements can be managed easily via comparing differences between flat |
36 |
files. |
37 |
|
38 |
You could then provide different sample configurations at install time based |
39 |
on different common security requirements, and make it easy for either manual |
40 |
or (G)UI configuration of the grsec security system. |
41 |
|
42 |
Applying policies post-install then becomes a matter of inserting new |
43 |
configuration files under the appropriate per-application and per-user |
44 |
directories. Conflicts with existing files are then managed by the system |
45 |
administrator running etc-update. |
46 |
|
47 |
> I have to regularly revise my policy to keep the box running. I've also |
48 |
> ended up loosening the security in order to make the system usable. |
49 |
|
50 |
As much maligned as Vista's UAC system is, I feel there's one positive thing |
51 |
about it - it's handy to have a mechanism to notify the user about potential |
52 |
security violations or issues in real time, to avoid usability problems like |
53 |
this from preventing basic system function. It's best if it can be done in a |
54 |
way that notifications can be hidden, filtered, and managed by the |
55 |
user/administrator in an adaptive way that avoids the 'just click allow' |
56 |
mentality, which is where I feel the Vista UAC gets it wrong. (And ends up |
57 |
causing just as many security problems as it's supposed to solve.) |
58 |
|
59 |
How about a user-configurable UI (something that could be run on a bare TTY, |
60 |
like, say, tty11, or on any other command line, for that matter) for the |
61 |
management system - secured from physical intrusion by sudo-style logins for |
62 |
each management decision, if desired - with applicable X/Gnome/KDE/your |
63 |
favourite WM clients for real-time notifications and configuration? |
64 |
|
65 |
(Someone please tell me if I'm reinventing the wheel here, and SELinux has had |
66 |
this for years.) |
67 |
|
68 |
> I think it depends on the type of denial. If it's a textrel, that's not so |
69 |
> serious. However if it's a stack-smashing: I don't want to have a single |
70 |
> piece of those code on my system... |
71 |
|
72 |
Agreed. So expanding on your ideas, with a hypothetical adaptive access |
73 |
control management system, textrels could automatically be filtered out |
74 |
without notification. (Although if it's a GUI application with textrels, and |
75 |
a suitably integrated window manager is running, I'd like to see a tiny icon |
76 |
like Konqueror's Javascript bug icon appear to shame the program author into |
77 |
tidying up their code.) |
78 |
|
79 |
Stack smashing attacks should continue to automatically trigger an immediate |
80 |
termination of the process and a core dump like they do now - but could also |
81 |
do additional things like quarantine the parent executable so that it can't |
82 |
be easily run again by the user. (Like what good anti-malware software does |
83 |
on Windows.) |
84 |
|
85 |
Evasive procedures would have to be controlled and managed centrally by an |
86 |
administrator, of course, as the whole system could be compromised if the |
87 |
wrong decision is made by a user. But everything else could end up in a file |
88 |
stored for each user - say in ~/.grsec - which would be referenced by any |
89 |
(G)UI access control management clients. |
90 |
|
91 |
Sound reasonable? |
92 |
|
93 |
Okay, enough daydreaming for me now :) |
94 |
|
95 |
Regards, |
96 |
|
97 |
Geoff Kassel. |
98 |
|
99 |
On Wed, 13 Feb 2008, atoth@××××××××××.hu wrote: |
100 |
> On Sze, Február 13, 2008 06:07, Geoff Kassel wrote: |
101 |
> > No problems. My background in QA is primarily regression testing and code |
102 |
> > quality reviews (although it's been ages since I've done any of this with |
103 |
> > C) - my formal methods background is formal specification, model |
104 |
> > checking, theorem proving, and formal derivation of code from formal |
105 |
> > specification. (Yes, I'm a recovering academic :) |
106 |
> |
107 |
> It would be a good strategy IMHO to recruit graduates to work on security |
108 |
> stuff. It's a really fascinating topic to immerse in the depth of the |
109 |
> toolchain and its security features - for a passionate graduate. Of course |
110 |
> it requires a supervisor... |
111 |
> |
112 |
> > While I'm dreaming I'd also like to do something about making GRSEC |
113 |
> > easier to |
114 |
> > set up (an upstream issue, I know) as it has so much promise, and the |
115 |
> |
116 |
> I think grsec would need some kind of configuration mechanism similar to |
117 |
> SELinux. It could be either implemented on a per-ebuild basis or as a base |
118 |
> policy. That could be further extended with additional features according |
119 |
> to the particular box. Using m4 would be a good candidate to generate the |
120 |
> redundant per user stuff. I think many of us could contribute to the |
121 |
> policy. The hardest task would be to agree on the differences regarding |
122 |
> the security requirements. But that could be made configurable also. |
123 |
> Configuration intelligence could investigate the contents of the conf |
124 |
> directory to tailor the policy to the specific settings... |
125 |
> |
126 |
> > basic |
127 |
> > configuration isn't nearly as paranoid as I'd like it to be :) and it's |
128 |
> > very |
129 |
> > difficult and time-consuming to make it so. I gave up doing so, and I |
130 |
> > like to |
131 |
> > think I'm not a complete n00b. PaX, PIE and SSP are practically |
132 |
> > fire-and-forget in comparison. |
133 |
> |
134 |
> I have to regularly revise my policy to keep the box running. I've also |
135 |
> ended up loosening the security in order to make the system usable. |
136 |
> |
137 |
> > Speaking of PaX, another great, impossible thing would be to have a |
138 |
> > kernel-level feature for handling PaX violations in a less violent manner |
139 |
> > (core dumps are violent, in my mind) - perhaps suspension of the process |
140 |
> > in |
141 |
> > question until investigated, with the possibility of resumption or |
142 |
> > termination by someone with sufficient security permissions. (Perhaps I'm |
143 |
> > just unaware of an already existing feature.) Again, an upstream issue. |
144 |
> |
145 |
> I think it depends on the type of denial. If it's a textrel, that's not so |
146 |
> serious. However if it's a stack-smashing: I don't want to have a single |
147 |
> piece of those code on my system... |
148 |
> |
149 |
> Regards, |
150 |
> Dw. |
151 |
> -- |
152 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
153 |
> 06-30-5962-962 Attila Toth MD, Radiologist in Training, +36-20-825-8057, |
154 |
> +36-30-5962-962 |
155 |
-- |
156 |
gentoo-hardened@l.g.o mailing list |