Dailydave mailing list archives

SELinux, was Re: X11 -> Root? (Qubes square rooted)


From: travis+ml-dailydave () subspacefield org
Date: Wed, 1 Sep 2010 16:42:03 -0700

Okay, I'll feed him... ;-)

I'm the one who came forward a few years ago - not as saying SELinux
is a silver bullet - but rather that it's not entirely worthless (as
many curmudgeons would have you believe).

That you can defeat a kernel-level protection with a kernel-level
exploit isn't news.  Saltzer & Schroeder pointed out that a
"supervisor program" must protect itself long ago.  To reliably
enforce a protection mechanism, you need a higher level of privilege
than the (effective control of the) thing that's trying to defeat it.
When stated that way, it's a bit of a yawner, right?

For those who missed the MAC debate, here's my recollection:

Anti: Writing a 700-line policy is impossible.
Pro: I've done it.  It's no more difficult than writing a 700-line program.
     And sometimes, they come with the distro.

Anti: I can get kernel/priv/super/ring0 mode, so MAC is worthless.
Anti: Adding code to the kernel is not the right way to ensure security.

I didn't bother to respond until now, because I thought this was
pretty obvious, but apparently this debate has been decisively
resolved, so I have to ask:

Pro: Then why do any privilege checks in the kernel at all?

While I think I could learn a lot from you on kernel mode exploits
(and prevention) and other topics, I think you're smart enough that
you can come across that way without resorting to straw men and
ridicule, though I thank you for not stooping to ad hominems (against
me, anyway).

I think it also cuts the other way, that software can't reliably hide
from a detection mechanism with the same privileges.

IMHO, if you're on a level playing field, or if your adversary has
more power/privilege than you, you've got to rely on stealth and
surprise.  Once you are detected and analyzed, it'll be possible to
write a signature for detection.  Prior to that, it's mostly anomaly
detection, or heuristics, because Rice's theorem prevents you from
actually "understanding" arbitrary code.

Application of this to VMMs is quite obvious, but that particular
problem is even more complicated, due to timing attacks (trap
and emulate takes longer than doing it), and basic facts about
hardware (the amount of memory I have available is generally
fixed).

Analogies to other forms of conflict are obvious and numerous.

NB: I don't actually use SELinux any more; I just think it gets
    an unfairly bad rap.
-- 
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john () subspacefield org to get blacklisted.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave