pageexec@××××××××.hu wrote:
> On 26 Apr 2006 at 10:01, Joshua Brindle wrote:
>
>> This is no flamewar. The model is broken by my standards. It bypasses
>> built-in DAC and capabilities in the kernel making it the single attack
>> vector to gain all access on the system. Compare to grsecurity, rsbac,
>> selinux which do not bypass kernel access control or escalate privileges.
>>
>
> it'd help the discussion/review (which is what Andrea asked for) if
> you/others were more precise and cited specific attacks. generic
> hand-waving of 'this is broken' doesn't help it. this is not to say that
> i disagree with your opinion (fwiw, you and spender are on the same
> side for once ;-).
>
>

I don't agree that specific attack vectors are required to determine
whether a model is broken. The reasons I think the model is broken are
pretty clearly laid out in the URLs posted. There are also others for
this specific implementation. It is a dire problem to facilitate
non-security aware/minded users to add rules to the policy dynamically.
"If I don't push yes, this won't work": these systems have been shown
time and time again to fail. And, like I already said, bypassing
in-kernel DAC and capability restrictions means that there is now a
single attack vector to gain all system privileges. This means systrace
actually *removes* a layer of security from the system, which is clearly
a bad idea.

>> http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
>> http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
>>
>
> it's funny that you mention these as i just came across them and was
> going to post a rebuttal to many of your claims. do you want them here
> on the list or on the blog (it will probably take a few days until i
> have enough free time though)?
>

On the blog is fine. Remember that those posts aren't targeting specific
implementations (e.g., grsec is not affected by all of the issues listed)
but rather the model in general.

--
gentoo-security@g.o mailing list