Dailydave mailing list archives
Re: Media Excitement!
From: Cody Hatch <bytejump () gmail com>
Date: Sun, 24 Apr 2005 13:31:45 -0600
I completely agree with pageexec here. RBAC is good - no doubt - but the difficulty of implementing a proper and secure policy seems almost insurmountable. Foolproof doesn't exist because fools have proven far too clever in the past. It seems to me to be a better approach to use PaX, grsecurity, and systrace to make the kernel and applications behave appropriately rather than build a monolithic set of policies that govern the permissions (roles) of users and processes. Don't get me wrong - I see the benefits of RBAC - but I view complexity as the law of averages working against you - the more complex something gets, the more likely it is that mistakes will be made.

Regards,
Cody

On 4/22/05, pageexec () freemail hu <pageexec () freemail hu> wrote:
> On 22 Apr 2005 at 10:09, robert () dyadsecurity com wrote:
>
> > The goal here wasn't to say "This one is more secure than that one". It's to say "We have this level of sensitivity and require these particular security mechanisms, and need this assurance level as to the effectiveness of the security mechanisms". Basically, choose the right technology for your environment.
>
> i understood this much ;-), the real question is, which of the solutions in the mentioned URL gives *appropriate assurance* against exploitation (remember the original question about alternatives to patching)? based on my experience and instinct, none of them does (EAL 4 is little more than a joke), but i'd like to be *proven* wrong.
>
> > > side question, which one of those didn't have security patches since their evaluation?
> >
> > I believe every product listed has had patches since their evaluation. As I pointed out though in an earlier post, the containment of the compromise, or rather the inherent ability to limit intrusion should be designed into the TCB, not bolted on afterwards.
>
> does any of the mentioned products at that URL contain a compromise (thinking of kernel bugs)? or to be more precise, does any real-life policy (since any deployed MAC system implements one) exclude the compromise of the TCB? if not (which would match my experience), then what's the real point (of getting certified at EAL<7)?
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave