Re: Proxy and Stateful together ??

[Crispin Cowan <crispin () wirex com>]

Bennett Todd wrote:

> Given the difficulty finding really first-rack top quality secure
> application-layer proxies, I think SELinux is coming to be an
> exceedingly attractive platform for building these gizmos, since it
> offers some helpful tools for sandboxing less-perfectly-trusted
> daemons. I'd also be tempted to mix in some of the canary stuff from
> Immunix (StackGuard and all that).
Immunix was designed to build these kinds of secure appliances. Our 
SubDomain feature does the same kind of sandboxing that SELinux does, 
but the sandboxing abstraction is much simpler:

   * SELinux: general purpose framework for mandatory access control
     (MAC) including features such as role-based access control (RBAC).
   * SubDomain: appliance-oriented MAC that lets you specify the file
     access that should be granted to each program.

SubDomain's simplicity makes it faster and easier to profile 
applications. This allowed us to very quickly profile a bunch of highly 
vulnerable and undocumented applications and CGI scripts in the 2002 
Defcon Capture-the-Flag game http://news.com.com/2100-1001-948404.html

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"

Attachment: _bin
Description: