From: travis+ml-dailydave at subspacefield.org
Date: Wed Sep 01 2010 - 18:42:03 CDT
Okay, I'll feed him... ;-)
I'm the one who came forward a few years ago - not as saying SELinux
is a silver bullet - but rather that it's not entirely worthless (as
many curmudgeons would have you believe).
That you can defeat a kernel-level protection with a kernel-level
exploit isn't news. Saltzer & Schroeder pointed out that a
"supervisor program" must protect itself long ago. To reliably
enforce a protection mechanism, you need a higher level of privilege
than the (effective control of the) thing that's trying to defeat it.
When stated that way, it's a bit of a yawner, right?
For those who missed the MAC debate, here's my recollection:
Anti: Writing a 700-line policy is impossible.
Pro: I've done it. It's no more difficult than writing a 700-line program.
And sometimes, they come with the distro.
Anti: I can get kernel/priv/super/ring0 mode, so MAC is worthless.
Anti: Adding code to the kernel is not the right way to ensure security.
I didn't bother to respond until now, because I thought this was
pretty obvious, but apparently this debate has been decisively
resolved, so I have to ask:
Pro: Then why do any privilege checks in the kernel at all?
While I think I could learn a lot from you on kernel mode exploits
(and prevention) and other topics, I think you're smart enough that
you can come across that way without resorting to straw men and
ridicule, though I thank you for not stooping to ad hominems (against
me, anyway).
I think it also cuts the other way, that software can't reliably hide
from a detection mechanism with the same privileges.
IMHO, if you're on a level playing field, or if your adversary has
more power/privilege than you, you've got to rely on stealth and
surprise. Once you are detected and analyzed, it'll be possible to
write a signature for detection. Prior to that, it's mostly anomaly
detection, or heuristics, because Rice's theorem prevents you from
actually "understanding" arbitrary code.
Application of this to VMMs is quite obvious, but that particular
problem is even more complicated, due to timing attacks (trap
and emulate takes longer than doing it), and basic facts about
hardware (the amount of memory I have available is generally
fixed).
Analogies to other forms of conflict are obvious and numerous.
NB: I don't actually use SELinux any more; I just think it gets
an unfairly bad rap.
--
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john at subspacefield.org to get blacklisted.