Dailydave mailing list archives
Re: Media Excitement!
From: robert () dyadsecurity com
Date: Tue, 26 Apr 2005 22:35:51 -0700
byte_jump(bytejump () gmail com)@Tue, Apr 26, 2005 at 10:34:38PM -0600:
> A kernel patch is "bolt-on" and SELinux is a kernel patch, just as PaX is.
It has been integrated into the main branch for a little while now.
> You believe kernel-level bugs will "come about"? I believe there have been upwards of 20 security patches to the 2.6 kernel just this year.
I meant in addition to what we have already seen. And not all of the kernel bugs have attack vectors that are going to be available from the context that a subject is running in.
> I intend on digging a bit deeper with SELinux, but I have serious concerns with the scalability of it. When I'm hearing that I'll need to take _years_ to understand SELinux, there's too much complexity.
It's not fair to simply say SE Linux is more complex than other alternatives. They do different things. The amount of time elapsed to get comfortable will vary.
> When I hear that I need to change everything that I've learned about security in order to understand it, that's not a good sign.
There's a lot that is taught in security that differs greatly from the traditional formal security world. Go sit for the CISSP, CEH, Security+, SANS tests some time. If you have had a lot of education from those places, you'll have to relearn a lot of what you thought you knew to understand what is trying to be accomplished by projects like SE Linux.
> It's also not a good sign that policy analysis tools exist to tell me when I have what they say is an accurate policy. Why aren't the policies human-readable? How much do you trust those policy analysis tools? I'm pretty paranoid...
The policies are human readable. What we haven't gone into yet is that the policies can also control domain transitions, relabeling, type relationships, information flow, etc. Since the number of possible variations can be very high, these policy analysis tools help you simulate all of the different paths to make sure you're implementing what you intended to implement.
> Everything I'm hearing says "complex" and "error-prone" from an administrative standpoint.
Change complex to configurable. I suppose it's just semantics.

Also, as I (unfortunately - sorry about that) started this silly thread, let me finish it by saying that my intent was not to get everyone using SE Linux/TSOL. It was to express the thought that a lot of money and time from people a lot smarter than me has been spent figuring out ways to securely use computers. They were nice enough to document their findings and publish them for us all (in places like http://www.radium.ncsc.mil/tpep/library/rainbow/, http://www.commoncriteriaportal.org/, etc). I believe their findings to be accurate. Yet I still see us floundering around as we ignore most things they've already proven to be true. This is unfortunate, and the source of a lot of really silly products made by people who don't really understand the problems they're trying to solve. I think most people here would agree that what we're currently doing isn't really working. My hope is that we can learn from the work that has gone on before us and continue to make valid, meaningful improvements. Time will tell if I am right or I am just a radical (and ultimately useless) idealist. Either way, we're going to demonstrate how to break a lot of these security mechanisms this summer. Should be loads of fun.

Anyhow .. enough. Let's talk about something else :). "A priest, a rabbi, and a nun walk into a bar...."

Robert

--
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
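As an added example, not from the thread and not SELinux project code, here is a miniature of what the policy analysis tools mentioned above do: it parses a constructed set of type-enforcement allow rules, turns read-like and write-like permissions into an information-flow graph, and searches for a transitive flow between two types that no single rule grants. The type names and the policy are hypothetical; only the rule syntax follows real SELinux policy.

```python
import re
from collections import deque

# Constructed sample of allow rules (hypothetical types; the syntax matches
# real SELinux type-enforcement policy, the policy itself is made up).
SAMPLE_POLICY = """
allow httpd_t httpd_config_t:file { read getattr };
allow httpd_t httpd_log_t:file { append create };
allow logrotate_t httpd_log_t:file { read unlink };
allow logrotate_t mail_spool_t:file { write };
allow mta_t mail_spool_t:file { read };
allow mta_t user_home_t:file { write };
"""

# Perms that carry content out of an object (read-like) or into it (write-like);
# getattr/unlink move no content, so they create no flow edge.
READ_PERMS = {"read", "execute"}
WRITE_PERMS = {"write", "append", "create"}
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def parse_rules(text):
    """Return (source_type, target_type, class, perms) for each allow rule."""
    return [(s, t, c, set(p.split())) for s, t, c, p in RULE_RE.findall(text)]

def flow_graph(rules):
    """Directed graph over types: edge a -> b means data can move from a to b.
    A read-like perm gives target -> source; a write-like perm gives source -> target."""
    edges = {}
    for src, tgt, _cls, perms in rules:
        if perms & READ_PERMS:
            edges.setdefault(tgt, set()).add(src)
        if perms & WRITE_PERMS:
            edges.setdefault(src, set()).add(tgt)
    return edges

def flow_path(edges, start, goal):
    """Breadth-first search; returns the shortest flow path, or None if no flow exists."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None
```

Running `flow_path(flow_graph(parse_rules(SAMPLE_POLICY)), "httpd_config_t", "user_home_t")` returns a six-hop path even though no rule mentions httpd_t and user_home_t together, which is exactly the kind of unintended path a human reading the rules one at a time tends to miss.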