Dailydave mailing list archives

Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor?


From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 01 Apr 2009 22:48:47 +0200

Brad Spengler wrote:

It is cool to be dismissive and aloof about "new" (9 year old) 
technologies.  Otherwise you're just the SELinux version of the "year of 
Linux on the desktop!" guy.  Regarding ineffectiveness (and specifically in
regards to "proofs" and words such as "can't" and complexity/usability 
trade-offs) I won't repeat myself, since everything that needed to be 
said or demonstrated was done 2 years ago:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html

<cut>

Let me also point to Rafal's SELinux exploit from 2003(!):

http://www.nsa.gov/research/selinux/list-archive/0306/4468.shtml

...as well as his recent exercise in SELinux default policy bypassing on
Xenified FC8:

http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

These were not kernel exploits, but rather something taking advantage of an
overcomplexity of the system.

Of course, the main argument against all those SELinux-like-academic-systems is
kernel exploits, as pageexec and Brad correctly pointed out. I see that people
can only argue about *how* to address that very problem (of kernel exploits),
not about whether it *is* a problem.

So, whether to use the "Security by Obscurity" approach (e.g. ASLR) or the "Security by
Isolation" approach, which requires isolation of drivers (think VT-d). I guess we
all know that "Security by Correctness" has not, and will not work for kernel
and driver code.

joanna.
