Dailydave mailing list archives

Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor?


From: Travis <travis+ml-dailydave () subspacefield org>
Date: Mon, 30 Mar 2009 16:55:03 -0500

On Sat, Mar 28, 2009 at 08:48:36AM +0200, pageexec () freemail hu wrote:
> do 'exploitable kernel bugs' count?

Searching the NVD/CVE shows 5 vulns.  There were some implementation
bugs, apparently, that allowed bypassing some of the MAC controls, and
in one case, forcing a NULL pointer dereference in kernel mode.  The
highest severity is 6.5 (medium), and that bug allows for bypassing
some MAC controls on a certain platform, but appears to be no worse
than not running MAC at all.  The other four are rated low.  Are there
more?  Possibly, I don't know.

Sure, it's bad to introduce a vulnerability.  Introducing a kernel
vulnerability is especially bad.  They definitely count.  Hopefully,
as the code matures, we'll see fewer of them.  Yes, it's embarrassing
for a security enhancement to actually introduce vulnerabilities.

Let's address the (implied) argument here; this is kernel code, in C,
designed to limit the scope of damage if someone seizes control of a
program's execution context.  The argument is that if there are any
vulnerabilities introduced by the implementation, it is inherently
flawed and must be rejected.

Does an exploitable implementation bug invalidate the entire
idea/design/system?  I'm not convinced that's true.  If it were, the
same argument would apply against, say, OpenSSH.

Even on an implementation level, I think the real question for a
security subsystem is whether the net result is going to be an
improvement in security or not.  I think this is the core of the
disagreements here.  It's easy to count the vulnerabilities found in
the implementation (it's also relatively easy to fix the code, once
they are disclosed).  But it's harder to quantify the benefit of
_containing_ an intruder who manages to pop a vulnerable service.

IMHO, this is what I think is really meant by "defense-in-depth"; not
band-aids deployed in middleboxes with crossed fingers to hopefully
protect crappy code, but a real layer of access control that can
really limit an adversary after an intrusion.  I'm still not convinced
the idea is a bad one, even if the implementation isn't perfect.
-- 
Obama Nation | My emails do not have attachments; it's a digital signature
that your mail program doesn't understand. | http://www.subsubpacefield.org/~travis/ 
If you are a spammer, please email john () subspacefield org to get blacklisted.
