Dailydave mailing list archives
Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor?
From: Travis <travis+ml-dailydave () subspacefield org>
Date: Mon, 30 Mar 2009 16:55:03 -0500
On Sat, Mar 28, 2009 at 08:48:36AM +0200, pageexec () freemail hu wrote:
> do 'exploitable kernel bugs' count?
Searching the NVD/CVE shows 5 vulns. There were some implementation bugs, apparently, that allowed bypassing some of the MAC controls, and in one case, forcing a NULL pointer dereference in kernel mode. The highest severity is 6.5 (medium), and that bug allows for bypassing some MAC controls on a certain platform, but appears to be no worse than not running MAC at all. The other four are rated low. Are there more? Possibly, I don't know.

Sure, it's bad to introduce a vulnerability. Introducing a kernel vulnerability is especially bad. They definitely count. Hopefully, as the code matures, we'll see fewer of them.

Yes, it's embarrassing for a security enhancement to actually introduce vulnerabilities. Let's address the (implied) argument here; this is kernel code, in C, designed to limit the scope of damage if someone seizes control of a program's execution context. The argument is that if there are any vulnerabilities introduced by the implementation, it is inherently flawed and must be rejected. Does an exploitable implementation bug invalidate the entire idea/design/system? I'm not convinced that's true. If it were, the same argument would apply against, say, OpenSSH.

Even on an implementation level, I think the real question for a security subsystem is whether the net result is going to be an improvement in security or not. I think this is the core of the disagreements here. It's easy to count the vulnerabilities found in the implementation (it's also relatively easy to fix the code, once they are disclosed). But it's harder to quantify the benefit of _containing_ an intruder who manages to pop a vulnerable service. IMHO, this is what I think is really meant by "defense-in-depth"; not band-aids deployed in middleboxes with crossed fingers to hopefully protect crappy code, but a real layer of access control that can really limit an adversary after an intrusion.

I'm still not convinced the idea is a bad one, even if the implementation isn't perfect.
-- Obama Nation | My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subsubpacefield.org/~travis/ If you are a spammer, please email john () subspacefield org to get blacklisted.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave