1 |
pageexec@××××××××.hu wrote: |
2 |
> On 26 Apr 2006 at 10:58, Joshua Brindle wrote: |
3 |
> |
4 |
>> I don't agree that specific attack vectors are required to determine |
5 |
>> whether a model is broken. |
6 |
>> |
7 |
> |
8 |
> specific examples of attack are needed for people with less specialized |
9 |
> knowledge in security (i might say, sometimes even for the specialists) |
10 |
> but with the ability to understand a demonstration. sometimes the attacks |
11 |
> one thinks of as 'breaking the model' are actually the result of the |
12 |
> misunderstanding of the model. |
13 |
> |
14 |
> |
15 |
That is silly. The model is to essentially sandbox apps. The problem is |
16 |
that the sandbox is leaky due to the abstractions being used (eg., |
17 |
paths). There is no way to determine that the policy you wrote is |
18 |
actually being enforced, and again, escalating privileges and increasing |
19 |
the potential for misuse. |
20 |
>> The reasons I think the model is broken are pretty clearly laid out in |
21 |
>> the url's posted. |
22 |
>> |
23 |
> |
24 |
> there's not a *single* word about system calls in those posts. second, |
25 |
> those 'pretty clear' reasons are anything but, i'll get to that on the |
26 |
> blog itself though. |
27 |
> |
28 |
> |
29 |
once again, model != implementation. I was talking about the model, and |
30 |
these particular posts weren't targeting systrace at all, as far as I |
31 |
knew this crap was off the radar. |
32 |
>> There are also others for this specific implementation. It is a dire |
33 |
>> problem to facilitate non-security aware/minded users to add rules to |
34 |
>> the policy dynamically. |
35 |
>> |
36 |
> |
37 |
> my feeling is that you're looking at the whole world with a rather limited |
38 |
> view, everything that doesn't fit the selinux view (as that's what this is |
39 |
> |
40 |
no. |
41 |
> all about, isn't it) must necessarily be wrong. maybe before you do that, |
42 |
> you should ask the authors about their threat model, use cases, etc and |
43 |
> then evaluate their solution. fwiw, selinux is just as broken as anything |
44 |
> else out there, down to the fundamental design level, and it's even more |
45 |
> dangerous than other systems (gives false sense of security) as pretty much |
46 |
> everyone sells it as The Solution for security. nothing could be further |
47 |
> from the truth, so let's not look down on others just because they don't |
48 |
> fit your particular (mis)understanding of security. |
49 |
> |
50 |
> |
51 |
That is absolutely false. If some person sells selinux as The Solution |
52 |
that is one thing, I have never said and will never say that SELinux is |
53 |
any kind of end all for security. |
54 |
|
55 |
The false sense of security is also a lie. Unlike path based systems the |
56 |
SELinux policy can be analyzed and precise (and non-ambiguous) access |
57 |
vectors can be observed and removed if necessary. Further, you are |
58 |
confusing the policy with the mechanism. The mechanism is not |
59 |
fundamentally flawed at the design level (you didn't mention any design |
60 |
flaws, and I don't know of any, speak up if there are) |
61 |
|
62 |
The fact is on _ANY_ path based system you cannot tell if the policy you |
63 |
wrote (and are running) is actually being enforced by the system because |
64 |
of ambiguity of filenames. That is not the case with SELinux. Some group |
65 |
of people blindly trusting the policy we give them is one thing but you |
66 |
are attacking the very mechanism which is total bullshit. |
67 |
>> "If I don't push yes this won't work", these systems have been shown |
68 |
>> time and time again to fail. |
69 |
>> |
70 |
> |
71 |
> any specific examples? |
72 |
> |
73 |
> and my quiz of the day: how's blindly turning audit2allow into a policy |
74 |
> better than blindly clicking yes on a messagebox? it's not yet that's |
75 |
> |
76 |
And have I ever suggested this? This is not about what someone on |
77 |
#selinux says, this isn't about what Red Hat says (even though they |
78 |
don't advocate doing that blindly). The system can be abused, no shit. |
79 |
Giving users the opportunity to abuse it easier is not a good thing. |
80 |
> exactly what some suggest as a fix for selinux denials. look here for |
81 |
> an example: http://www.linuxsecurity.com/content/view/120837/49/ and |
82 |
> |
83 |
I don't care what some random person says is the way to write policy. |
84 |
That is NOT what we advocate and that is irrelavent to the discussion |
85 |
(or we could start talking about how horrible learning mode is, your |
86 |
choice..) |
87 |
> you can google for more. i'm not saying that user interaction is a good |
88 |
> or bad idea, but i am saying that this cannot be the reason for objecting |
89 |
> against systrace as it applies to selinux as well. |
90 |
> |
91 |
> |
92 |
Who cares? I can write 500 pages about blindly using learning mode to |
93 |
write "least privilege" pages, that doesn't make it right or |
94 |
representative of the developer community for that particular system. |
95 |
Try again. |
96 |
>> And, like I already said, bypassing in-kernel DAC and capability |
97 |
>> restrictions means that there is now a single attack vector to gain |
98 |
>> all system privileges. This means systrace actually *removes* a layer |
99 |
>> of security from the system, which is clearly a bad idea. |
100 |
>> |
101 |
> |
102 |
> maybe you should give examples here as well, so that the systrace people |
103 |
> can elaborate. |
104 |
> |
105 |
> |
106 |
umm, its pretty obvious, want a picture? here: |
107 |
|
108 |
SELinux: |
109 |
attacker --> kernel DAC/capability checks --> selinux access checks --> |
110 |
capabilities granted. |
111 |
systrace: |
112 |
attacker --> systrace --> capabilities granted. |
113 |
|
114 |
>>> it's funny that you mention these as i just came across them and was |
115 |
>>> going to post a rebuttal to many of your claims. do you want them here |
116 |
>>> on the list or on the blog (it will probably take a few days until i |
117 |
>>> have enough free time though)? |
118 |
>>> |
119 |
>>> |
120 |
>> On the blog is fine. Remember that those posts aren't targeting specific |
121 |
>> implementations (eg., grsec is not affected by all of the issues listed) |
122 |
>> but rather the model in general. |
123 |
>> |
124 |
> |
125 |
> you have specifically mentioned apparmor and grsec, and not exactly with |
126 |
> flattering words (not that i expected something else from you but still, |
127 |
> what's with the link to the '6 dumbest ideas' rant by Ranum, which fwiw, |
128 |
> has also been rebuked on the dailydave list?). |
129 |
> |
130 |
Sorry, apparmor isn't even in the same class as grsec in terms of the |
131 |
security it provides, I probably shouldn't have coupled them like that :) |
132 |
|
133 |
> as a reminder, you kicked off with the following: |
134 |
> |
135 |
>> An Anti-Pattern is a commonly reinvented bad solution to a problem. In |
136 |
>> security there are lots of these, The Six Dumbest Ideas in Computer |
137 |
>> Security outlines several that are fairly common but I’m going to go |
138 |
>> into detail about one in particular that several semi-popular security |
139 |
>> mechanisms adopt. |
140 |
>> |
141 |
umm, "rebuked".. if you want to call it that, claiming that "hacking is |
142 |
cool" is hardly compelling. The ideas on that page are good pointers in |
143 |
general for security systems, I never saw anything claiming the actual |
144 |
points were inaccurate *shrug* |
145 |
> |
146 |
> if that's not an invitation for a flamewar, then i don't know what is. |
147 |
> but then, you asked for it, we'll see how smart you(r) selinux folks are. |
148 |
> |
149 |
I have no desire to get into a flameware (or the energy/time). |
150 |
Professionally grsec, apparmor, systrace are irrelavent, the people I |
151 |
deal with need analyzable policies and labeled objects (you can make fun |
152 |
of CC requirements all you want but it doesn't matter in the least bit). |
153 |
|
154 |
Personally I'd like to help security in general. Fedora has SELinux |
155 |
enabled by default and protects several daemons by default. This is |
156 |
clearly a win for security, MAC in a general use OS is unheard of, we |
157 |
are breaking new ground here. |
158 |
|
159 |
Incase you forgot hardened *does* support grsec, RSBAC and SELinux. |
160 |
grsec is in no way a second class citizen, when people come to the |
161 |
channel with problems I try to help them, I don't tell them they are |
162 |
stupid and need to switch to SELinux. I even suggest that people who |
163 |
have very lightweight security needs use grsecurity. In practice (eg., |
164 |
normal systems, normal people, etc) grsec can be very effective. My blog |
165 |
posts are about security philosophy (as i stated in the first post) and |
166 |
best practices. As you, and I know security is 100% about tradeoffs. |
167 |
Sometimes the more secure solution is not the best for the situation. |
168 |
|
169 |
I'm not sure what "you asked for it, we'll see how smart you(r) selinux |
170 |
folks are" is suppose to mean, is that a threat? Are you going to make |
171 |
fun of us on blogs and mailing lists? |
172 |
|
173 |
|
174 |
-- |
175 |
gentoo-security@g.o mailing list |