Dailydave mailing list archives

Re: Media Excitement!

From: robert () dyadsecurity com
Date: Sun, 24 Apr 2005 22:09:22 -0700

Cody Hatch(bytejump () gmail com)@Sun, Apr 24, 2005 at 01:31:45PM -0600:

It seems to me to be a better approach to use PaX, grsecurity, and
systrace to make the kernel and applications behave appropriately


These steps may or may not prove useful in decreasing the success of
certain attack vectors, but they do not represent the same goals of
projects like SE Linux.

Don't get me wrong - I see the benefits or RBAC - but I view
complexity as the law of averages working against you - the more
complex something gets, the more likely it is that mistakes will be
made.


I would argue that discretion in the hands of the novice is more
complicated than using a MAC/DTE machine for pre-agreed usage.  If you
wanted to, you could set up an SE Linux box for a secretary that could
use an Email program, Web Browser, Printer, and Word Processor.  If she
went to the wrong website that wanted to exploit her browser, it would
only be able to do things from the security context you allowed for her
browser.  It wouldn't have access to her sensitive documents, or her gpg
keys, or your internal network, etc.  She would be able to open those
dirty attachments from email and not get compromised with a DDoS zombie
client.  She would have these protections because what is and what is
not allowed is clearly defined in the policy, and the policy is
enforced.

Policy weaknesses can expose you to vulnerability, but that's because
computers do what you tell them to do, which isn't always what you want
them to do. That's why you leave discretion in the capable hands of
those qualified to make policies.

Also, RBAC actually makes systems easier to manage in a DTE environment. 
We're working on an SE Linux policy set that we'll eventually share back
that will show case the use of RBAC.  But that won't be out until
sometime after Black Hat.

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

RE: ISEAGE Competetion, (continued)
- - RE: ISEAGE Competetion Chris Eagle (Apr 22)
- RE: Media Excitement! Kohlenberg, Toby (Apr 21)
  - RE: Media Excitement! Anton A. Chuvakin (Apr 21)
  - Re: Media Excitement! robert (Apr 21)
    - Re: Media Excitement! Cody Hatch (Apr 21)
    - Re: Media Excitement! robert (Apr 21)
    - Re: Media Excitement! pageexec (Apr 22)
    - Re: Media Excitement! robert (Apr 22)
    - Re: Media Excitement! pageexec (Apr 22)
    - Re: Media Excitement! Cody Hatch (Apr 24)
    - Re: Media Excitement! robert (Apr 24)
    - Re: Media Excitement! Cody Hatch (Apr 25)
    - Re: Media Excitement! Jack (Apr 25)
    - Re: Media Excitement! Cody Hatch (Apr 26)
    - Re: Media Excitement! pageexec (Apr 26)
    - Re: Media Excitement! Jack (Apr 27)
    - Re: Media Excitement! pageexec (May 09)
    - Re: Media Excitement! robert (May 09)
    - Laptop Abuse halvar (Apr 25)
    - Re: Media Excitement! robert (Apr 24)
    - Re: Media Excitement! pageexec (Apr 26)

(Thread continues...)