Dailydave mailing list archives
SELinux, was Re: X11 -> Root? (Qubes square rooted)
From: travis+ml-dailydave () subspacefield org
Date: Wed, 1 Sep 2010 16:42:03 -0700
Okay, I'll feed him... ;-)

I'm the one who came forward a few years ago - not as saying SELinux is a silver bullet - but rather that it's not entirely worthless (as many curmudgeons would have you believe).

That you can defeat a kernel-level protection with a kernel-level exploit isn't news. Saltzer & Schroeder pointed out that a "supervisor program" must protect itself long ago. To reliably enforce a protection mechanism, you need a higher level of privilege than the (effective control of the) thing that's trying to defeat it. When stated that way, it's a bit of a yawner, right?

For those who the MAC debate, here's my recollection:

Anti: Writing a 700-line policy is impossible.

Pro: I've done it. It's no more difficult than writing a 700-line program. And sometimes, they come with the distro.

Anti: I can get kernel/priv/super/ring0 mode, so MAC is worthless.

Anti: Adding code to the kernel is not the right way to ensure security.

I didn't bother to respond until now, because I thought this was pretty obvious, but apparently this debate has been decisively resolved, so I have to ask:

Pro: Then why do any privilege checks in the kernel at all?

While I think I could learn a lot from you on kernel mode exploits (and prevention) and other topics, I think you're smart enough that you can come across that way without resorting to straw men and ridicule, though I thank you for not stooping to ad hominems (against me, anyway).

I think it also cuts the other way, that software can't reliably hide from a detection mechanism with the same privileges. IMHO, if you're on a level playing field, or if your adversary has more power/privilege than you, you've got to rely on stealth and surprise. Once you are detected and analyzed, it'll be possible to write a signature for detection. Prior to that, it's mostly anomaly detection, or heuristics, because Rice's theorem prevents you from actually "understanding" arbitrary code.

Application of this to VMMs is quite obvious, but that particular problem is even more complicated, due to timing attacks (trap and emulate takes longer than doing it), and basic facts about hardware (the amount of memory I have available is generally fixed).

Analogies to other forms of conflict are obvious and numerous.

NB: I don't actually use SELinux any more; I just think it gets an unfairly bad rap.

--
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john () subspacefield org to get blacklisted.