| 1 |
> It would be a good strategy IMHO to recruit graduates to work on security |
| 2 |
> stuff. It's a really fascinating topic to immerse in the depth of the |
| 3 |
> toolchain and its security features - for a passionate graduate. Of course |
| 4 |
> it requires a supervisor... |
| 5 |
|
| 6 |
Any PhD supervisors in computer science academia on the list? I dropped out of |
| 7 |
my PhD due to illness and haven't gone back, so I can't supervise any PhD |
| 8 |
students in this area, unfortunately. |
| 9 |
|
| 10 |
> I think grsec would need some kind of configuration mechanism similar to |
| 11 |
> SELinux. It could be either implemented on a per-ebuild basis or as a base |
| 12 |
> policy. |
| 13 |
|
| 14 |
I like the idea of the SELinux per-application policies. I've never used them |
| 15 |
or SELinux, though, so I don't know how effective or simple they are to use |
| 16 |
IRL. Anyone else care to comment on this? |
| 17 |
|
| 18 |
> That could be further extended with additional features according |
| 19 |
> to the particular box. Using m4 would be a good candidate to generate the |
| 20 |
> redundant per user stuff. |
| 21 |
|
| 22 |
Oh yes, this is the most tedious part of the grsec configuration. A good UI |
| 23 |
tool of some kind would help gloss over this. (If we're still talking |
| 24 |
hypothetical features here.) |
| 25 |
|
| 26 |
> I think many of us could contribute to the |
| 27 |
> policy. The hardest task would be to agree on the differences regarding |
| 28 |
> the security requirements. But that could be made configurable also. |
| 29 |
> Configuration intelligence could investigate the contents of the conf |
| 30 |
> directory to tailor the policy to the specific settings... |
| 31 |
|
| 32 |
Hmm... configuration-wise, I'm envisioning a directory tree under /etc/grsec |
| 33 |
with per-user and per-application branches (because detailed grsec policy |
| 34 |
files get very big very quickly), so that differences or changes in |
| 35 |
requirements can be managed easily via comparing differences between flat |
| 36 |
files. |
| 37 |
|
| 38 |
You could then provide different sample configurations at install time based |
| 39 |
on different common security requirements, and make it easy for either manual |
| 40 |
or (G)UI configuration of the grsec security system. |
| 41 |
|
| 42 |
Applying policies post-install then becomes a matter of inserting new |
| 43 |
configuration files under the appropriate per-application and per-user |
| 44 |
directories. Conflicts with existing files are then managed by the system |
| 45 |
administrator running etc-update. |
| 46 |
|
| 47 |
> I have to regularly revise my policy to keep the box running. I've also |
| 48 |
> ended up loosening the security in order to make the system usable. |
| 49 |
|
| 50 |
As much maligned as Vista's UAC system is, I feel there's one positive thing |
| 51 |
about it - it's handy to have a mechanism to notify the user about potential |
| 52 |
security violations or issues in real time, to avoid usability problems like |
| 53 |
this from preventing basic system function. It's best if it can be done in a |
| 54 |
way that notifications can be hidden, filtered, and managed by the |
| 55 |
user/administrator in an adaptive way that avoids the 'just click allow' |
| 56 |
mentality, which is where I feel the Vista UAC gets it wrong. (And ends up |
| 57 |
causing just as many security problems as it's supposed to solve.) |
| 58 |
|
| 59 |
How about a user-configurable UI (something that could be run on a bare TTY, |
| 60 |
like, say, tty11, or on any other command line, for that matter) for the |
| 61 |
management system - secured from physical intrusion by sudo-style logins for |
| 62 |
each management decision, if desired - with applicable X/Gnome/KDE/your |
| 63 |
favourite WM clients for real-time notifications and configuration? |
| 64 |
|
| 65 |
(Someone please tell me if I'm reinventing the wheel here, and SELinux has had |
| 66 |
this for years.) |
| 67 |
|
| 68 |
> I think it depends on the type of denial. If it's a textrel, that's not so |
| 69 |
> serious. However if it's a stack-smashing: I don't want to have a single |
| 70 |
> piece of those code on my system... |
| 71 |
|
| 72 |
Agreed. So expanding on your ideas, with a hypothetical adaptive access |
| 73 |
control management system, textrels could automatically be filtered out |
| 74 |
without notification. (Although if it's a GUI application with textrels, and |
| 75 |
a suitably integrated window manager is running, I'd like to see a tiny icon |
| 76 |
like Konqueror's Javascript bug icon appear to shame the program author into |
| 77 |
tidying up their code.) |
| 78 |
|
| 79 |
Stack smashing attacks should continue to automatically trigger an immediate |
| 80 |
termination of the process and a core dump like they do now - but could also |
| 81 |
do additional things like quarantine the parent executable so that it can't |
| 82 |
be easily run again by the user. (Like what good anti-malware software does |
| 83 |
on Windows.) |
| 84 |
|
| 85 |
Evasive procedures would have to be controlled and managed centrally by an |
| 86 |
administrator, of course, as the whole system could be compromised if the |
| 87 |
wrong decision is made by a user. But everything else could end up in a file |
| 88 |
stored for each user - say in ~/.grsec - which would be referenced by any |
| 89 |
(G)UI access control management clients. |
| 90 |
|
| 91 |
Sound reasonable? |
| 92 |
|
| 93 |
Okay, enough daydreaming for me now :) |
| 94 |
|
| 95 |
Regards, |
| 96 |
|
| 97 |
Geoff Kassel. |
| 98 |
|
| 99 |
On Wed, 13 Feb 2008, atoth@××××××××××.hu wrote: |
| 100 |
> On Sze, Február 13, 2008 06:07, Geoff Kassel wrote: |
| 101 |
> > No problems. My background in QA is primarily regression testing and code |
| 102 |
> > quality reviews (although it's been ages since I've done any of this with |
| 103 |
> > C) - my formal methods background is formal specification, model |
| 104 |
> > checking, theorem proving, and formal derivation of code from formal |
| 105 |
> > specification. (Yes, I'm a recovering academic :) |
| 106 |
> |
| 107 |
> It would be a good strategy IMHO to recruit graduates to work on security |
| 108 |
> stuff. It's a really fascinating topic to immerse in the depth of the |
| 109 |
> toolchain and its security features - for a passionate graduate. Of course |
| 110 |
> it requires a supervisor... |
| 111 |
> |
| 112 |
> > While I'm dreaming I'd also like to do something about making GRSEC |
| 113 |
> > easier to |
| 114 |
> > set up (an upstream issue, I know) as it has so much promise, and the |
| 115 |
> |
| 116 |
> I think grsec would need some kind of configuration mechanism similar to |
| 117 |
> SELinux. It could be either implemented on a per-ebuild basis or as a base |
| 118 |
> policy. That could be further extended with additional features according |
| 119 |
> to the particular box. Using m4 would be a good candidate to generate the |
| 120 |
> redundant per user stuff. I think many of us could contribute to the |
| 121 |
> policy. The hardest task would be to agree on the differences regarding |
| 122 |
> the security requirements. But that could be made configurable also. |
| 123 |
> Configuration intelligence could investigate the contents of the conf |
| 124 |
> directory to tailor the policy to the specific settings... |
| 125 |
> |
| 126 |
> > basic |
| 127 |
> > configuration isn't nearly as paranoid as I'd like it to be :) and it's |
| 128 |
> > very |
| 129 |
> > difficult and time-consuming to make it so. I gave up doing so, and I |
| 130 |
> > like to |
| 131 |
> > think I'm not a complete n00b. PaX, PIE and SSP are practically |
| 132 |
> > fire-and-forget in comparison. |
| 133 |
> |
| 134 |
> I have to regularly revise my policy to keep the box running. I've also |
| 135 |
> ended up loosening the security in order to make the system usable. |
| 136 |
> |
| 137 |
> > Speaking of PaX, another great, impossible thing would be to have a |
| 138 |
> > kernel-level feature for handling PaX violations in a less violent manner |
| 139 |
> > (core dumps are violent, in my mind) - perhaps suspension of the process |
| 140 |
> > in |
| 141 |
> > question until investigated, with the possibility of resumption or |
| 142 |
> > termination by someone with sufficient security permissions. (Perhaps I'm |
| 143 |
> > just unaware of an already existing feature.) Again, an upstream issue. |
| 144 |
> |
| 145 |
> I think it depends on the type of denial. If it's a textrel, that's not so |
| 146 |
> serious. However if it's a stack-smashing: I don't want to have a single |
| 147 |
> piece of those code on my system... |
| 148 |
> |
| 149 |
> Regards, |
| 150 |
> Dw. |
| 151 |
> -- |
| 152 |
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, |
| 153 |
> 06-30-5962-962 Attila Toth MD, Radiologist in Training, +36-20-825-8057, |
| 154 |
> +36-30-5962-962 |
| 155 |
-- |
| 156 |
gentoo-hardened@l.g.o mailing list |
Archives