[gentoo-security] Re: [gentoo-hardened] Systrace resurrection - gentoo-security

From:	Joshua Brindle <method@g.o>
To:	pageexec@××××××××.hu
Cc:	gentoo-security@l.g.o, Niels Provos <provos@××××××××××.edu>
Subject:	[gentoo-security] Re: [gentoo-hardened] Systrace resurrection
Date:	Wed, 26 Apr 2006 17:46:44
Message-Id:	`444FB010.6070706@gentoo.org`

1

pageexec@××××××××.hu wrote:

2

> On 26 Apr 2006 at 10:58, Joshua Brindle wrote:

3

>

4

>> I don't agree that specific attack vectors are required to determine

5

>> whether a model is broken.

6

>>

7

>

8

> specific examples of attack are needed for people with less specialized

9

> knowledge in security (i might say, sometimes even for the specialists)

10

> but with the ability to understand a demonstration. sometimes the attacks

11

> one thinks of as 'breaking the model' are actually the result of the

12

> misunderstanding of the model.

13

>

14

>

15

That is silly. The model is to essentially sandbox apps. The problem is 

16

that the sandbox is leaky due to the abstractions being used (eg., 

17

paths). There is no way to determine that the policy you wrote is 

18

actually being enforced, and again, escalating privileges and increasing 

19

the potential for misuse.

20

>> The reasons I think the model is broken are pretty clearly laid out in

21

>> the url's posted.

22

>>

23

>

24

> there's not a *single* word about system calls in those posts. second,

25

> those 'pretty clear' reasons are anything but, i'll get to that on the

26

> blog itself though.

27

>

28

>

29

once again, model != implementation. I was talking about the model, and 

30

these particular posts weren't targeting systrace at all, as far as I 

31

knew this crap was off the radar.

32

>> There are also others for this specific implementation. It is a dire

33

>> problem to facilitate non-security aware/minded users to add rules to

34

>> the policy dynamically.

35

>>

36

>

37

> my feeling is that you're looking at the whole world with a rather limited

38

> view, everything that doesn't fit the selinux view (as that's what this is

39

>

40

no.

41

> all about, isn't it) must necessarily be wrong. maybe before you do that,

42

> you should ask the authors about their threat model, use cases, etc and

43

> then evaluate their solution. fwiw, selinux is just as broken as anything

44

> else out there, down to the fundamental design level, and it's even more

45

> dangerous than other systems (gives false sense of security) as pretty much

46

> everyone sells it as The Solution for security. nothing could be further

47

> from the truth, so let's not look down on others just because they don't

48

> fit your particular (mis)understanding of security.

49

>

50

>

51

That is absolutely false. If some person sells selinux as The Solution 

52

that is one thing, I have never said and will never say that SELinux is 

53

any kind of end all for security.

54

55

The false sense of security is also a lie. Unlike path based systems the 

56

SELinux policy can be analyzed and precise (and non-ambiguous) access 

57

vectors can be observed and removed if necessary. Further, you are 

58

confusing the policy with the mechanism. The mechanism is not 

59

fundamentally flawed at the design level (you didn't mention any design 

60

flaws, and I don't know of any, speak up if there are)

61

62

The fact is on _ANY_ path based system you cannot tell if the policy you 

63

wrote (and are running) is actually being enforced by the system because 

64

of ambiguity of filenames. That is not the case with SELinux. Some group 

65

of people blindly trusting the policy we give them is one thing but you 

66

are attacking the very mechanism which is total bullshit.

67

>> "If I don't push yes this won't work", these systems have been shown

68

>> time and time again to fail.

69

>>

70

>

71

> any specific examples?

72

>

73

> and my quiz of the day: how's blindly turning audit2allow into a policy

74

> better than blindly clicking yes on a messagebox? it's not yet that's

75

>

76

And have I ever suggested this? This is not about what someone on 

77

#selinux says, this isn't about what Red Hat says (even though they 

78

don't advocate doing that blindly). The system can be abused, no shit. 

79

Giving users the opportunity to abuse it easier is not a good thing.

80

> exactly what some suggest as a fix for selinux denials. look here for

81

> an example: http://www.linuxsecurity.com/content/view/120837/49/ and

82

>

83

I don't care what some random person says is the way to write policy. 

84

That is NOT what we advocate and that is irrelavent to the discussion 

85

(or we could start talking about how horrible learning mode is, your 

86

choice..)

87

> you can google for more. i'm not saying that user interaction is a good

88

> or bad idea, but i am saying that this cannot be the reason for objecting

89

> against systrace as it applies to selinux as well.

90

>

91

>

92

Who cares? I can write 500 pages about blindly using learning mode to 

93

write "least privilege" pages, that doesn't make it right or 

94

representative of the developer community for that particular system. 

95

Try again.

96

>> And, like I already said, bypassing in-kernel DAC and capability

97

>> restrictions means that there is now a single attack vector to gain

98

>> all system privileges. This means systrace  actually *removes* a layer

99

>> of security from the system, which is clearly a bad idea.

100

>>

101

>

102

> maybe you should give examples here as well, so that the systrace people

103

> can elaborate.

104

>

105

>

106

umm, its pretty obvious, want a picture? here:

107

108

SELinux:

109

attacker --> kernel DAC/capability checks --> selinux access checks --> 

110

capabilities granted.

111

systrace:

112

attacker --> systrace --> capabilities granted.

113

114

>>> it's funny that you mention these as i just came across them and was

115

>>> going to post a rebuttal to many of your claims. do you want them here

116

>>> on the list or on the blog (it will probably take a few days until i

117

>>> have enough free time though)?

118

>>>

119

>>>

120

>> On the blog is fine. Remember that those posts aren't targeting specific

121

>> implementations (eg., grsec is not affected by all of the issues listed)

122

>> but rather the model in general.

123

>>

124

>

125

> you have specifically mentioned apparmor and grsec, and not exactly with

126

> flattering words (not that i expected something else from you but still,

127

> what's with the link to the '6 dumbest ideas' rant by Ranum, which fwiw,

128

> has also been rebuked on the dailydave list?).

129

>

130

Sorry, apparmor isn't even in the same class as grsec in terms of the 

131

security it provides, I probably shouldn't have coupled them like that :)

132

133

> as a reminder, you kicked off with the following:

134

>

135

>> An Anti-Pattern is a commonly reinvented bad solution to a problem. In

136

>> security there are lots of these, The Six Dumbest Ideas in Computer

137

>> Security outlines several that are fairly common but I’m going to go

138

>> into detail about one in particular that several semi-popular security

139

>> mechanisms adopt.

140

>>

141

umm, "rebuked".. if you want to call it that, claiming that "hacking is 

142

cool" is hardly compelling. The ideas on that page are good pointers in 

143

general for security systems, I never saw anything claiming the actual 

144

points were inaccurate *shrug*

145

>

146

> if that's not an invitation for a flamewar, then i don't know what is.

147

> but then, you asked for it, we'll see how smart you(r) selinux folks are.

148

>

149

I have no desire to get into a flameware (or the energy/time). 

150

Professionally grsec, apparmor, systrace are irrelavent, the people I 

151

deal with need analyzable policies and labeled objects (you can make fun 

152

of CC requirements all you want but it doesn't matter in the least bit).

153

154

Personally I'd like to help security in general. Fedora has SELinux 

155

enabled by default and protects several daemons by default. This is 

156

clearly a win for security, MAC in a general use OS is unheard of, we 

157

are breaking new ground here.

158

159

Incase you forgot hardened *does* support grsec, RSBAC and SELinux. 

160

grsec is in no way a second class citizen, when people come to the 

161

channel with problems I try to help them, I don't tell them they are 

162

stupid and need to switch to SELinux. I even suggest that people who 

163

have very lightweight security needs use grsecurity. In practice (eg., 

164

normal systems, normal people, etc) grsec can be very effective. My blog 

165

posts are about security philosophy (as i stated in the first post) and 

166

best practices. As you, and I know security is 100% about tradeoffs. 

167

Sometimes the more secure solution is not the best for the situation.

168

169

I'm not sure what "you asked for it, we'll see how smart you(r) selinux 

170

folks are" is suppose to mean, is that a threat? Are you going to make 

171

fun of us on blogs and mailing lists?

172

173

174

--

175

gentoo-security@g.o mailing list

1	pageexec@××××××××.hu wrote:
2	> On 26 Apr 2006 at 10:58, Joshua Brindle wrote:
3	>
4	>> I don't agree that specific attack vectors are required to determine
5	>> whether a model is broken.
6	>>
7	>
8	> specific examples of attack are needed for people with less specialized
9	> knowledge in security (i might say, sometimes even for the specialists)
10	> but with the ability to understand a demonstration. sometimes the attacks
11	> one thinks of as 'breaking the model' are actually the result of the
12	> misunderstanding of the model.
13	>
14	>
15	That is silly. The model is to essentially sandbox apps. The problem is
16	that the sandbox is leaky due to the abstractions being used (eg.,
17	paths). There is no way to determine that the policy you wrote is
18	actually being enforced, and again, escalating privileges and increasing
19	the potential for misuse.
20	>> The reasons I think the model is broken are pretty clearly laid out in
21	>> the url's posted.
22	>>
23	>
24	> there's not a single word about system calls in those posts. second,
25	> those 'pretty clear' reasons are anything but, i'll get to that on the
26	> blog itself though.
27	>
28	>
29	once again, model != implementation. I was talking about the model, and
30	these particular posts weren't targeting systrace at all, as far as I
31	knew this crap was off the radar.
32	>> There are also others for this specific implementation. It is a dire
33	>> problem to facilitate non-security aware/minded users to add rules to
34	>> the policy dynamically.
35	>>
36	>
37	> my feeling is that you're looking at the whole world with a rather limited
38	> view, everything that doesn't fit the selinux view (as that's what this is
39	>
40	no.
41	> all about, isn't it) must necessarily be wrong. maybe before you do that,
42	> you should ask the authors about their threat model, use cases, etc and
43	> then evaluate their solution. fwiw, selinux is just as broken as anything
44	> else out there, down to the fundamental design level, and it's even more
45	> dangerous than other systems (gives false sense of security) as pretty much
46	> everyone sells it as The Solution for security. nothing could be further
47	> from the truth, so let's not look down on others just because they don't
48	> fit your particular (mis)understanding of security.
49	>
50	>
51	That is absolutely false. If some person sells selinux as The Solution
52	that is one thing, I have never said and will never say that SELinux is
53	any kind of end all for security.
54
55	The false sense of security is also a lie. Unlike path based systems the
56	SELinux policy can be analyzed and precise (and non-ambiguous) access
57	vectors can be observed and removed if necessary. Further, you are
58	confusing the policy with the mechanism. The mechanism is not
59	fundamentally flawed at the design level (you didn't mention any design
60	flaws, and I don't know of any, speak up if there are)
61
62	The fact is on _ANY_ path based system you cannot tell if the policy you
63	wrote (and are running) is actually being enforced by the system because
64	of ambiguity of filenames. That is not the case with SELinux. Some group
65	of people blindly trusting the policy we give them is one thing but you
66	are attacking the very mechanism which is total bullshit.
67	>> "If I don't push yes this won't work", these systems have been shown
68	>> time and time again to fail.
69	>>
70	>
71	> any specific examples?
72	>
73	> and my quiz of the day: how's blindly turning audit2allow into a policy
74	> better than blindly clicking yes on a messagebox? it's not yet that's
75	>
76	And have I ever suggested this? This is not about what someone on
77	#selinux says, this isn't about what Red Hat says (even though they
78	don't advocate doing that blindly). The system can be abused, no shit.
79	Giving users the opportunity to abuse it easier is not a good thing.
80	> exactly what some suggest as a fix for selinux denials. look here for
81	> an example: http://www.linuxsecurity.com/content/view/120837/49/ and
82	>
83	I don't care what some random person says is the way to write policy.
84	That is NOT what we advocate and that is irrelavent to the discussion
85	(or we could start talking about how horrible learning mode is, your
86	choice..)
87	> you can google for more. i'm not saying that user interaction is a good
88	> or bad idea, but i am saying that this cannot be the reason for objecting
89	> against systrace as it applies to selinux as well.
90	>
91	>
92	Who cares? I can write 500 pages about blindly using learning mode to
93	write "least privilege" pages, that doesn't make it right or
94	representative of the developer community for that particular system.
95	Try again.
96	>> And, like I already said, bypassing in-kernel DAC and capability
97	>> restrictions means that there is now a single attack vector to gain
98	>> all system privileges. This means systrace actually removes a layer
99	>> of security from the system, which is clearly a bad idea.
100	>>
101	>
102	> maybe you should give examples here as well, so that the systrace people
103	> can elaborate.
104	>
105	>
106	umm, its pretty obvious, want a picture? here:
107
108	SELinux:
109	attacker --> kernel DAC/capability checks --> selinux access checks -->
110	capabilities granted.
111	systrace:
112	attacker --> systrace --> capabilities granted.
113
114	>>> it's funny that you mention these as i just came across them and was
115	>>> going to post a rebuttal to many of your claims. do you want them here
116	>>> on the list or on the blog (it will probably take a few days until i
117	>>> have enough free time though)?
118	>>>
119	>>>
120	>> On the blog is fine. Remember that those posts aren't targeting specific
121	>> implementations (eg., grsec is not affected by all of the issues listed)
122	>> but rather the model in general.
123	>>
124	>
125	> you have specifically mentioned apparmor and grsec, and not exactly with
126	> flattering words (not that i expected something else from you but still,
127	> what's with the link to the '6 dumbest ideas' rant by Ranum, which fwiw,
128	> has also been rebuked on the dailydave list?).
129	>
130	Sorry, apparmor isn't even in the same class as grsec in terms of the
131	security it provides, I probably shouldn't have coupled them like that :)
132
133	> as a reminder, you kicked off with the following:
134	>
135	>> An Anti-Pattern is a commonly reinvented bad solution to a problem. In
136	>> security there are lots of these, The Six Dumbest Ideas in Computer
137	>> Security outlines several that are fairly common but I’m going to go
138	>> into detail about one in particular that several semi-popular security
139	>> mechanisms adopt.
140	>>
141	umm, "rebuked".. if you want to call it that, claiming that "hacking is
142	cool" is hardly compelling. The ideas on that page are good pointers in
143	general for security systems, I never saw anything claiming the actual
144	points were inaccurate shrug
145	>
146	> if that's not an invitation for a flamewar, then i don't know what is.
147	> but then, you asked for it, we'll see how smart you(r) selinux folks are.
148	>
149	I have no desire to get into a flameware (or the energy/time).
150	Professionally grsec, apparmor, systrace are irrelavent, the people I
151	deal with need analyzable policies and labeled objects (you can make fun
152	of CC requirements all you want but it doesn't matter in the least bit).
153
154	Personally I'd like to help security in general. Fedora has SELinux
155	enabled by default and protects several daemons by default. This is
156	clearly a win for security, MAC in a general use OS is unheard of, we
157	are breaking new ground here.
158
159	Incase you forgot hardened does support grsec, RSBAC and SELinux.
160	grsec is in no way a second class citizen, when people come to the
161	channel with problems I try to help them, I don't tell them they are
162	stupid and need to switch to SELinux. I even suggest that people who
163	have very lightweight security needs use grsecurity. In practice (eg.,
164	normal systems, normal people, etc) grsec can be very effective. My blog
165	posts are about security philosophy (as i stated in the first post) and
166	best practices. As you, and I know security is 100% about tradeoffs.
167	Sometimes the more secure solution is not the best for the situation.
168
169	I'm not sure what "you asked for it, we'll see how smart you(r) selinux
170	folks are" is suppose to mean, is that a threat? Are you going to make
171	fun of us on blogs and mailing lists?
172
173
174	--
175	gentoo-security@g.o mailing list

Gentoo Archives: gentoo-security