Mailing List Archive

Andrea Barisani wrote:
> Hi folks!
>
> I'd like to announce that Systrace is back in the portage tree, it consists
> of two packages:
>
> sys-apps/systrace
>
>
No, remove it.
> the userspace application that now features a ptrace backend in case the
> kernel patch is not installed.
>
> sys-kernel/systrace-sources
>
> this is standard kernel with our base patchset + systrace patch.
>
> We are trying to get this in hardened-sources as well, as I said you don't
> need the kernel patch to try this out, granted that the ptrace backend is
> much slower and really useful only for testing/debugging purposes, in the
> long run the patch is the way to go.
>
>
Absolutely not.
> Testing/feedback is appreciated.
>
>

Systrace has a broken security model which allows, among other things,
privilege escalation. It is our (hardened) opinion that it is harmful to
security and the cause of hardened. I ask you to remove it. If you don't
we cannot and will not support it, and will discourage its use among our
users.
--
gentoo-security@gentoo.org mailing list

On Wed, Apr 26, 2006 at 09:38:02AM -0400, Joshua Brindle wrote:
> Andrea Barisani wrote:
> >Hi folks!
> >
> >I'd like to announce that Systrace is back in the portage tree, it consists
> >of two packages:
> >
> >sys-apps/systrace
> >
> >
> No, remove it.
> >the userspace application that now features a ptrace backend in case the
> >kernel patch is not installed.
> >
> >sys-kernel/systrace-sources
> >
> >this is standard kernel with our base patchset + systrace patch.
> >
> >We are trying to get this in hardened-sources as well, as I said you don't
> >need the kernel patch to try this out, granted that the ptrace backend is
> >much slower and really useful only for testing/debugging purposes, in the
> >long run the patch is the way to go.
> >
> >
> Absolutely not.
> >Testing/feedback is appreciated.
> >
> >
>
> Systrace has a broken security model which allows, among other things,
> privilege escalation. It is our (hardened) opinion that it is harmful to
> security and the cause of hardened. I ask you to remove it. If you don't
> we cannot and will not support it, and will discourage its use among our
> users.
> --
> gentoo-hardened@gentoo.org mailing list
>

*sigh*

I thought that this flamewar was dead. Ok, I kindly ask a hardened team
review of this since I strongly believe this is not an issue, systrace is
*not* a broken security model and yes it allows *controlled* privilege
escalation if you configure it that way for removing the setuid but on some
binaries.

If you have an argument to make please show me the technical details about it
and let's discuss it.

It's *not* part of hardened atm anyway and it won't be unless the hardened
team accepts it. It will remain in the portage tree as long as I support it
unless you show me a clear demonstration of your concerns.

BTW even with your concern the ptrace method (which can be entirely tested
userspace) is still useful for debugging/testing, hence the userspace package
has no reason for going away.

CC'ing systrace author btw (not subscribed to this list).

--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list

Andrea Barisani wrote:
> <snip>
>
> *sigh*
>
> I thought that this flamewar was dead. Ok, I kindly ask a hardened team
> review of this since I strongly believe this is not an issue, systrace is
> *not* a broken security model and yes it allows *controlled* privilege
> escalation if you configure it that way for removing the setuid but on some
> binaries.
>
This is no flamewar. The model is broken by my standards. It bypasses
built-in DAC and capabilities in the kernel making it the single attack
vector to gain all access on the system. Compare to grsecurity, rsbac,
selinux which do not bypass kernel access control or escalate privileges.

Further, the "lets ask the user if they want to allow this" is
inherently flawed. It is a discretionary model, the policy is in no way
analyzable. I suggest you read these articles:
http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/

> If you have an argument to make please show me the technical details about it
> and let's discuss it.
>
> It's *not* part of hardened atm anyway and it won't be unless the hardened
> team accepts it. It will remain in the portage tree as long as I support it
> unless you show me a clear demonstration of your concerns.
>
First it will never be accepted by hardened. Second, I believe that
security critical packages (particularly access control systems) should
go through hardened. Random developers *should not* be putting access
control mechanisms in the tree, users will have security expectations
that they cannot meet.
> BTW even with your concern the ptrace method (which can be entirely tested
> userspace) is still useful for debugging/testing, hence the userspace package
> has no reason for going away.
>
As long as its clearly marked as a debugging tool and not as a security
tool.
> CC'ing systrace author btw (not subscribed to this list)

Great.
--
gentoo-security@gentoo.org mailing list

On Wed, Apr 26, 2006 at 10:01:54AM -0400, Joshua Brindle wrote:

> This is no flamewar. The model is broken by my standards. It bypasses
> built-in DAC and capabilities in the kernel making it the single attack
> vector to gain all access on the system. Compare to grsecurity, rsbac,
> selinux which do not bypass kernel access control or escalate privileges.
>
> Further, the "lets ask the user if they want to allow this" is
> inherently flawed. It is a discretionary model, the policy is in no way
> analyzable. I suggest you read these articles:
> http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
> http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
>

Thanks for the links.

It appears we have different standards. I don't find it "broken" at all while
I still see why it's not compatible with yours standards. I can see the
design issue maybe, but that's far from considering it "broken" or a security
issue imho.

This is just a matter of perspective. And anyway one thing are design issues,
one is a real security problem. As it is now sys-apps/systrace and/or
sys-kernel/systrace are not a security issue from a
vulnerability/exploitability POV. So I'm going to keep it there as a
standalone thing, regarding Hardened inclusion we'll discuss this (since I'd
like to hear other hardened team opinions) and if the team doesn't agree then
fine it won't be supported.

> First it will never be accepted by hardened. Second, I believe that
> security critical packages (particularly access control systems) should
> go through hardened. Random developers *should not* be putting access

I completely disagree with this, security critical packages should not go
through hardened by default and anyway there is no policy for that. This case
is an example of why the policy is broken. I want to provide the *choice* of
using/installing systrace, if this doesn't appeal your standards it doesn't necessarily
mean it should be removed from the tree (unless it's a security issue, which is clearly
not).

Btw we are not advertising/documenting this as the perfect security solution,
so let's not make a big fuss about a unstable ebuild. This *random* developer
(member of the Gentoo Security team) would just like to provide a choice to
our users.

Cheers

--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list

pageexec@freemail.hu wrote:
> On 26 Apr 2006 at 10:01, Joshua Brindle wrote:
>
>> This is no flamewar. The model is broken by my standards. It bypasses
>> built-in DAC and capabilities in the kernel making it the single attack
>> vector to gain all access on the system. Compare to grsecurity, rsbac,
>> selinux which do not bypass kernel access control or escalate privileges.
>>
>
> it'd help the discussion/review (which is what Andrea asked for) if
> you/others were more precise and cited specific attacks. generic hand-
> waving of 'this is broken' doesn't help it. this is not to say that
> i disagree with your opinion (fwiw, you and spender are on the same
> side for once ;-).
>
>
I don't agree that specific attack vectors are required to determine
whether a model is broken. The reasons I think the model is broken are
pretty clearly laid out in the url's posted. There are also others for
this specific implementation. It is a dire problem to facilitate
non-security aware/minded users to add rules to the policy dynamically.
"If I don't push yes this won't work", these systems have been shown
time and time again to fail. And, like I already said, bypassing
in-kernel DAC and capability restrictions means that there is now a
single attack vector to gain all system privileges. This means systrace
actually *removes* a layer of security from the system, which is clearly
a bad idea.
>> http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
>> http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
>>
>
> it's funny that you mention these as i just came across them and was
> going to post a rebuttal to many of your claims. do you want them here
> on the list or on the blog (it will probably take a few days until i
> have enough free time though)?
>
On the blog is fine. Remember that those posts aren't targeting specific
implementations (eg., grsec is not affected by all of the issues listed)
but rather the model in general.
--
gentoo-security@gentoo.org mailing list

On Wed, Apr 26, 2006 at 10:58:17AM -0400, Joshua Brindle wrote:
> pageexec@freemail.hu wrote:
> >
> >it'd help the discussion/review (which is what Andrea asked for) if
> >you/others were more precise and cited specific attacks. generic hand-
> >waving of 'this is broken' doesn't help it. this is not to say that
> >i disagree with your opinion (fwiw, you and spender are on the same
> >side for once ;-).
> >
> >

thanks :)

> I don't agree that specific attack vectors are required to determine
> whether a model is broken. The reasons I think the model is broken are
> pretty clearly laid out in the url's posted. There are also others for
> this specific implementation. It is a dire problem to facilitate
> non-security aware/minded users to add rules to the policy dynamically.

I re-read your blog entries and I still fail to see how's systrace affected
by this. So just assume that I'm Dumb (tm) and please show me a
implementation-specific example of this, also consider that systrace is *not*
a MAC and it doesn't want to be one, we are systracing processes explicitely
here.

> "If I don't push yes this won't work", these systems have been shown
> time and time again to fail. And, like I already said, bypassing
> in-kernel DAC and capability restrictions means that there is now a
> single attack vector to gain all system privileges. This means systrace
> actually *removes* a layer of security from the system, which is clearly
> a bad idea.

It can only if you don't know how to configure/use it, which is something
that applies to SELinux, grsecurity, RSBAC and every other system. Feel free
to prove me wrong here with examples ;).

> >>http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
> >>http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
> >>
> >
> On the blog is fine. Remember that those posts aren't targeting specific
> implementations (eg., grsec is not affected by all of the issues listed)
> but rather the model in general.

I'm curious, why's grsec not affecteced by this?

Cheers

--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list

Andrea Barisani wrote:
> I re-read your blog entries and I still fail to see how's systrace affected
> by this. So just assume that I'm Dumb (tm) and please show me a
> implementation-specific example of this, also consider that systrace is *not*
> a MAC and it doesn't want to be one, we are systracing processes explicitely
> here.
>
>
Well, systrace is path based so you can apply all those arguments
directly. I don't understand what you mean by systrace is not MAC, what
is it? It has a policy, it enforces access control. I guess choosing to
run the app under it directly makes it discretionary. It still has all
the issues that my blog such as ambiguous paths, problems in shared
directories, etc.
>> "If I don't push yes this won't work", these systems have been shown
>> time and time again to fail. And, like I already said, bypassing
>> in-kernel DAC and capability restrictions means that there is now a
>> single attack vector to gain all system privileges. This means systrace
>> actually *removes* a layer of security from the system, which is clearly
>> a bad idea.
>>
>
> It can only if you don't know how to configure/use it, which is something
> that applies to SELinux, grsecurity, RSBAC and every other system. Feel free
> to prove me wrong here with examples ;).
>
What you are doing in essence is making all binaries setuid by allowing
privilege escalation. Think about it, setuid tells the linux kernel to
change the uid when this app is run, so you "remove" the setuid bit and
let systrace escalate the capabilities by bypassing the kernel, this is
not different from just having the binary be setuid and then only
allowing whichever caps it needs and is more dangerous since there is a
single layer controlling capabilities for an attack vector.

Neither grsecurity nor SELinux allow any kind of bypass of standard
linux kernel permissions. They cannot lower the security level of the
system whereas systrace can by granting capabilities that processes
would not have had otherwise.

>>>> http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/
>>>> http://securityblog.org/brindle/2006/04/19/security-anti-pattern-path-based-access-control/
>>>>
>>>>
>> On the blog is fine. Remember that those posts aren't targeting specific
>> implementations (eg., grsec is not affected by all of the issues listed)
>> but rather the model in general.
>>
>
> I'm curious, why's grsec not affecteced by this?
>
grsec's access control is affected by many of them. Most grsec users
don't use the access control, however, they use the other protections
(the 80% attack vector thing..)
--
gentoo-security@gentoo.org mailing list

pageexec@freemail.hu wrote:
> On 26 Apr 2006 at 10:58, Joshua Brindle wrote:
>
>> I don't agree that specific attack vectors are required to determine
>> whether a model is broken.
>>
>
> specific examples of attack are needed for people with less specialized
> knowledge in security (i might say, sometimes even for the specialists)
> but with the ability to understand a demonstration. sometimes the attacks
> one thinks of as 'breaking the model' are actually the result of the
> misunderstanding of the model.
>
>
That is silly. The model is to essentially sandbox apps. The problem is
that the sandbox is leaky due to the abstractions being used (eg.,
paths). There is no way to determine that the policy you wrote is
actually being enforced, and again, escalating privileges and increasing
the potential for misuse.
>> The reasons I think the model is broken are pretty clearly laid out in
>> the url's posted.
>>
>
> there's not a *single* word about system calls in those posts. second,
> those 'pretty clear' reasons are anything but, i'll get to that on the
> blog itself though.
>
>
once again, model != implementation. I was talking about the model, and
these particular posts weren't targeting systrace at all, as far as I
knew this crap was off the radar.
>> There are also others for this specific implementation. It is a dire
>> problem to facilitate non-security aware/minded users to add rules to
>> the policy dynamically.
>>
>
> my feeling is that you're looking at the whole world with a rather limited
> view, everything that doesn't fit the selinux view (as that's what this is
>
no.
> all about, isn't it) must necessarily be wrong. maybe before you do that,
> you should ask the authors about their threat model, use cases, etc and
> then evaluate their solution. fwiw, selinux is just as broken as anything
> else out there, down to the fundamental design level, and it's even more
> dangerous than other systems (gives false sense of security) as pretty much
> everyone sells it as The Solution for security. nothing could be further
> from the truth, so let's not look down on others just because they don't
> fit your particular (mis)understanding of security.
>
>
That is absolutely false. If some person sells selinux as The Solution
that is one thing, I have never said and will never say that SELinux is
any kind of end all for security.

The false sense of security is also a lie. Unlike path based systems the
SELinux policy can be analyzed and precise (and non-ambiguous) access
vectors can be observed and removed if necessary. Further, you are
confusing the policy with the mechanism. The mechanism is not
fundamentally flawed at the design level (you didn't mention any design
flaws, and I don't know of any, speak up if there are)

The fact is on _ANY_ path based system you cannot tell if the policy you
wrote (and are running) is actually being enforced by the system because
of ambiguity of filenames. That is not the case with SELinux. Some group
of people blindly trusting the policy we give them is one thing but you
are attacking the very mechanism which is total bullshit.
>> "If I don't push yes this won't work", these systems have been shown
>> time and time again to fail.
>>
>
> any specific examples?
>
> and my quiz of the day: how's blindly turning audit2allow into a policy
> better than blindly clicking yes on a messagebox? it's not yet that's
>
And have I ever suggested this? This is not about what someone on
#selinux says, this isn't about what Red Hat says (even though they
don't advocate doing that blindly). The system can be abused, no shit.
Giving users the opportunity to abuse it easier is not a good thing.
> exactly what some suggest as a fix for selinux denials. look here for
> an example: http://www.linuxsecurity.com/content/view/120837/49/ and
>
I don't care what some random person says is the way to write policy.
That is NOT what we advocate and that is irrelavent to the discussion
(or we could start talking about how horrible learning mode is, your
choice..)
> you can google for more. i'm not saying that user interaction is a good
> or bad idea, but i am saying that this cannot be the reason for objecting
> against systrace as it applies to selinux as well.
>
>
Who cares? I can write 500 pages about blindly using learning mode to
write "least privilege" pages, that doesn't make it right or
representative of the developer community for that particular system.
Try again.
>> And, like I already said, bypassing in-kernel DAC and capability
>> restrictions means that there is now a single attack vector to gain
>> all system privileges. This means systrace actually *removes* a layer
>> of security from the system, which is clearly a bad idea.
>>
>
> maybe you should give examples here as well, so that the systrace people
> can elaborate.
>
>
umm, its pretty obvious, want a picture? here:

SELinux:
attacker --> kernel DAC/capability checks --> selinux access checks -->
capabilities granted.
systrace:
attacker --> systrace --> capabilities granted.

>>> it's funny that you mention these as i just came across them and was
>>> going to post a rebuttal to many of your claims. do you want them here
>>> on the list or on the blog (it will probably take a few days until i
>>> have enough free time though)?
>>>
>>>
>> On the blog is fine. Remember that those posts aren't targeting specific
>> implementations (eg., grsec is not affected by all of the issues listed)
>> but rather the model in general.
>>
>
> you have specifically mentioned apparmor and grsec, and not exactly with
> flattering words (not that i expected something else from you but still,
> what's with the link to the '6 dumbest ideas' rant by Ranum, which fwiw,
> has also been rebuked on the dailydave list?).
>
Sorry, apparmor isn't even in the same class as grsec in terms of the
security it provides, I probably shouldn't have coupled them like that :)

> as a reminder, you kicked off with the following:
>
>> An Anti-Pattern is a commonly reinvented bad solution to a problem. In
>> security there are lots of these, The Six Dumbest Ideas in Computer
>> Security outlines several that are fairly common but I’m going to go
>> into detail about one in particular that several semi-popular security
>> mechanisms adopt.
>>
umm, "rebuked".. if you want to call it that, claiming that "hacking is
cool" is hardly compelling. The ideas on that page are good pointers in
general for security systems, I never saw anything claiming the actual
points were inaccurate *shrug*
>
> if that's not an invitation for a flamewar, then i don't know what is.
> but then, you asked for it, we'll see how smart you(r) selinux folks are.
>
I have no desire to get into a flameware (or the energy/time).
Professionally grsec, apparmor, systrace are irrelavent, the people I
deal with need analyzable policies and labeled objects (you can make fun
of CC requirements all you want but it doesn't matter in the least bit).

Personally I'd like to help security in general. Fedora has SELinux
enabled by default and protects several daemons by default. This is
clearly a win for security, MAC in a general use OS is unheard of, we
are breaking new ground here.

Incase you forgot hardened *does* support grsec, RSBAC and SELinux.
grsec is in no way a second class citizen, when people come to the
channel with problems I try to help them, I don't tell them they are
stupid and need to switch to SELinux. I even suggest that people who
have very lightweight security needs use grsecurity. In practice (eg.,
normal systems, normal people, etc) grsec can be very effective. My blog
posts are about security philosophy (as i stated in the first post) and
best practices. As you, and I know security is 100% about tradeoffs.
Sometimes the more secure solution is not the best for the situation.

I'm not sure what "you asked for it, we'll see how smart you(r) selinux
folks are" is suppose to mean, is that a threat? Are you going to make
fun of us on blogs and mailing lists?


--
gentoo-security@gentoo.org mailing list

Niels Provos wrote:
> On 4/26/06, Joshua Brindle <method@gentoo.org> wrote:
>
>> Well, systrace is path based so you can apply all those arguments
>> directly. I don't understand what you mean by systrace is not MAC, what
>> is it? It has a policy, it enforces access control. I guess choosing to
>>
>
> Let's take this opportunity to avoid misunderstandings. I don't know
> very much about mandatory access control nor SELinux in particular.
> However, I certainly support the statement that Systrace is not a MAC
> system nor does it want to be one. It would be great if you could
> help improve my understanding of SELinux by explaining the SELinux
> policy that governs, for example, your IRC client.
>
That is fair. If noone involved considers systrace MAC then I'm less
inclined to care about its availability, I'm still very concerned about
privilege escalation and user interaction. I will not concede that this
sort of activity (particularly the privilege escalation) is very dangerous.

SELinux is mandatory so the policy would already be loaded into the
kernel. The irc client executable would be labeled (something like
irc_exec_t). The user shell process would have a label (user_t) and
user_t executing irc_exec_t would cause a transition into user_irc_t.
The user_irc_t would then only have access to the resources it needs,
network, its own files in your home and tmp. Derived domains like
user_irc_t are used to seperate user apps from one another (without the
assistance of DAC).

There are tons of resources about how selinux works policy-wise though.
What in particular do you want to know?
--
gentoo-security@gentoo.org mailing list

On Wed, Apr 26, 2006 at 02:54:15PM -0400, Joshua Brindle wrote:
> Niels Provos wrote:
>
> That is fair. If noone involved considers systrace MAC then I'm less
> inclined to care about its availability, I'm still very concerned about
> privilege escalation and user interaction. I will not concede that this
> sort of activity (particularly the privilege escalation) is very dangerous.
>

Even if it's only allowed to root and/or systraced processes ?

(let's remember that systrace is something that must be very selectively
enabled and that the privilege elevation thing is only available to root on
processes started with systrace)

--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list

On Wed, Apr 26, 2006 at 12:59:03PM -0400, Joshua Brindle wrote:
> Well, systrace is path based so you can apply all those arguments
> directly. I don't understand what you mean by systrace is not MAC, what
> is it? It has a policy, it enforces access control. I guess choosing to
> run the app under it directly makes it discretionary. It still has all
> the issues that my blog such as ambiguous paths, problems in shared
> directories, etc.

Did you bother checking how systrace checks/applies the path? (the tone isn't
accusatory here, I didn't do it yet myself, but still we can't flame it without
knowing its implementation, this is not as easy to evaluate as you try to put
it design-wise). Admitedly you don't know much about systrace implementation,
would you kindly check into it and see how it *really* works before judging it?
Not saying that this should make you change your mind but it would probably be
best and it would allow a much more constructive feedback.

Neils, any comments about this?

> What you are doing in essence is making all binaries setuid by allowing
> privilege escalation. Think about it, setuid tells the linux kernel to

"all binaries" ? I never said that I'd apply this to all binaries, systrace
is discretionary so to speak...

> change the uid when this app is run, so you "remove" the setuid bit and
> let systrace escalate the capabilities by bypassing the kernel, this is
> not different from just having the binary be setuid and then only
> allowing whichever caps it needs and is more dangerous since there is a
> single layer controlling capabilities for an attack vector.
>

systrace "becomes" a kernel feature, systrace "bypassing" the kernel makes no
sense to me, but I guess this is a semantic issue...

This is just moving the all-permissive setuid concept (which I might say can be
arguably a kinda broken/insecure thing) to a syscall acl framework.

> Neither grsecurity nor SELinux allow any kind of bypass of standard
> linux kernel permissions. They cannot lower the security level of the
> system whereas systrace can by granting capabilities that processes
> would not have had otherwise.
>

Systrace can lower the security level of the system if *you* configure it to
do so as *root* (which could do that anyway), this is just shifting the sec
model from 'setuid lets the process run as root but we "jail" it with MAC' to
"we remove setuid and we selectively allow kernel_side what it can do".

Unless you are really dumb in defining policies I can't see how this could be
heavily mis-used / compromised.

Neils, Method: all feedback is welcome.

Cheers

--
Andrea Barisani <lcars@gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
PGP-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
--
gentoo-security@gentoo.org mailing list

pageexec@freemail.hu wrote:
> On 26 Apr 2006 at 13:38, Joshua Brindle wrote:
>
>> That is silly. The model is to essentially sandbox apps. The problem is
>> that the sandbox is leaky due to the abstractions being used (eg.,
>> paths). There is no way to determine that the policy you wrote is
>> actually being enforced, and again, escalating privileges and increasing
>> the potential for misuse.
>>
>
> is there any particular reason you're avoiding answering my (Andrea's,
> for that matter) requests for specific attack examples?
>
> it's my observation that you as well as many other selinux advocates
> often try to stay at some superficial theoretical level of 'attacks'
> as if that meant anything in the real world. it means nothing, so
> please try get down from that 'high horse' and answer the questions.
>
I do not believe that specifying a specific vulnerability is required
for a model to be broken. I also do not actively try to break systems
(penetrate and patch methodology) to decide if they are broken, any
theoretical problem with the model is exploitable in the worst case
scenario, that is enough. There is nothing 'high horse' about it, do you
think people that build skyscrapers have to see the natural disasters
that will destroy the buildings first hand? No, they have models for
everything, the sky scraper itself, the possible 'attacks', etc.
> <snip>
>> That is absolutely false. If some person sells selinux as The Solution
>> that is one thing, I have never said and will never say that SELinux is
>> any kind of end all for security.
>>
>
> what is it that you say about selinux then? clearly, you must have an
> opinion about its place in the world of security solutions. i.e., is
> there (according to you) a situation where say apparmor or grsecurity
> provide better security (you get to define what security means in that
> situation) than selinux? i'm all ears ;-). you realize that if you
> cannot provide such a situation then you'll have effectively confirmed
> my statement.
>
>
what best suits your needs depends on your security needs. I've always
said this in hardened. I have no need to create imaginary situations,
I've suggested to many people in #gentoo-hardened that grsecurity might
meet their needs better than other solutions.
> <snip>
>
> you suggested that systrace should be rejected (among others) because
> it allows the user to (re)define the policy based on feedback from the
> access control mechanism. all i pointed out was that the same applies
> to selinux as well (and it does happen in real life too) yet you're
> not suggesting its removal. you can't have it both ways.
>
>
There is a huge difference between a policy loaded into the kernel that
is mandatory at all times (and can be modified when necessary) and a
policy that is in userspace, is entirely dynamic, and pops up with a
dialog when a new access attempt happens. Clearly the policy has to
change to the environment, however in general MAC policies should not be
changing at run time. Since the systrace author has said that systrace
is not and does not want to be MAC this might be a non-issue. Just as
long as anyone using systrace knows they aren't using a mandatory access
control system.
>> umm, its pretty obvious, want a picture? here:
>>
>> SELinux:
>> attacker --> kernel DAC/capability checks --> selinux access checks -->
>> capabilities granted.
>> systrace:
>> attacker --> systrace --> capabilities granted.
>>
>
> and? this is not an attack vector, this just describes how things
> work at some conceptual level. an attack is where you demonstrate
> how you exploit the above mechanism to gain privileges that weren't
> otherwise granted to you by the systrace policy. note that i'm not
> saying that such an attack doesn't exist, it's just that you have
> yet to demonstrate one.
>
>
Eh? that _is_ an attack vector. you are asking for a PoC exploit which
is not something I'm interested in that sort of thing at all. Again, you
do not need a reproducible exploit to have a broken model.
>>> <snip>
>>>
>> Sorry, apparmor isn't even in the same class as grsec in terms of the
>> security it provides, I probably shouldn't have coupled them like that :)
>>
>
> oh the tears of joy... can't believe you actually said that.
> more seriously, more on the blog.
>
>
I'm not sure why you can't believe I said that. grsec has several
advantages over apparmor, the primary one probably being that it can
actually do access control on the entire system rather that an
app-by-app basis (which apparmor explicitly limit themselves to)..
apparmor decided to build simplicity into their model instead of making
their model extensive and simplifying the policy writing/generation.
grsecurity has similar deficiencies, such as IPC. The reason is that
grsecurity specifically targets system/app integrity and not information
flow. The claim from the grsec author will be that IPC isn't a real
attack vector, and in practice it might not be for more systems but
there are many systems that are very sensitive to information flow and
need IPC protection. grsecurity wouldn't be sufficient for those
systems, it may be for others.
>> umm, "rebuked".. if you want to call it that, claiming that "hacking is
>> cool" is hardly compelling. The ideas on that page are good pointers in
>> general for security systems, I never saw anything claiming the actual
>> points were inaccurate *shrug*
>>
>
> start here: http://marc.theaimsgroup.com/?l=dailydave&m=112638071303189&w=2
>
> and please tell me you're not running with a+x.
>
>
The answer to that email is simple. You don't need an access control
matrix of a million elements if you have equivalence classes (something
widely used in SELinux), see
http://securityblog.org/brindle/2006/03/23/the-myth-of-least-privilege-or-why-we-love-equivalence-classes/
the a+x in $PATH argument is a strawman, anything you run is under your
privilege level (whether that's the DAC uid or the MAC domain (or
however it is implemented))
> <snip>
> actually, the folks who wrote CC are very clever in my opinion, they
> have clearly understood what information security is all about and it's
> not their fault that many 'experts' of our time sell their concepts to
> completely wrong markets.
>
>
Glad to hear it...
>> Personally I'd like to help security in general. Fedora has SELinux
>> enabled by default and protects several daemons by default. This is
>> clearly a win for security, MAC in a general use OS is unheard of, we
>> are breaking new ground here.
>>
>
> i was saving this for the blog, but since you've brought it up...
>
> you've just proved how dangerous spreading false sense of security
> is. the targeted policy you're talking about does not give any real
> security and coming from a self-described expert on selinux, it's
> really disheartening to see as you should know better than that.
>
>
Once again, you are confusing policy and mechanism. Just because the
targeted policy doesn't restrict everything on the system doesn't say
anything at all about the mechanism. Second, the targeted policy never
claims to protect everyone from everything, quite the opposite, the name
"targeted" pretty clearly states that certain things are restricted.
Now, the difference between the selinux targeted and other systems is
that with the targeted you can actually analyze the policy and ensure
that the targeted domains can't affect the integrity of the rest of the
system, which is impossible with path based systems.

Also, where have I ever said that I'm an expert on security or selinux?
I do not appreciate blatant attempts to misinform or discredit people,
don't do that.
> it is a bandage for the utter usability mess that selinux is and
> 'everyone' had complained about. practical example, what does
> restricting nscd by a policy help (and i'm generously ignoring the
> possibility of exploiting a kernel bug in a two stage attack) when
> an exploit can just go for an unconfined application (plenty of them
> left)? so yeah, a clear win and breaking new ground there... no.
>
On recent targeted systems most, if not all, network daemons are
confined. Its pretty obvious that an "unconfined" application is... wait
for it... not confined! wow, I'm very glad that you can use a
dictionary. I don't think anyone expects unconfined applications to be
... well.. confined. If they do they've been grossly misinformed, I take
no credit for anything here..
>> Incase you forgot hardened *does* support grsec, RSBAC and SELinux.
>> grsec is in no way a second class citizen, when people come to the
>> channel with problems I try to help them, I don't tell them they are
>> stupid and need to switch to SELinux.
>>
>
> i think you misunderstood me. i don't care what opinion you hold about
> grsec or apparmor or whatever as much as i care about not spreading
> false sense of security. you drew a clear and obvious line between
> selinux and the rest of the world ("grsec/apparmor implement one of the
> dumbest ideas in security", that's what you stated effectively), and
> that's simply not right so you will have to defend your opinion or eat
> those words, your choice.
>
>
I think you misunderstanding. I claim that path based access control is
flawed for all the reasons I've listed (which you haven't refuted) at an
ideal and philosophical level. There are a number of practical and
technical issues with this as well (see the LSM list over the last week
or so...) But I haven't talked about those at all, I'm not sure where
you are coming from here.
>> I even suggest that people who have very lightweight security needs
>> use grsecurity. In practice (eg., normal systems, normal people, etc)
>> grsec can be very effsective.
>>
>
> although i wasn't talking about grsec per se, but now you made me curious.
> what the heck is 'lightweight security'? and how come that a system
> implementing one of the dumbest ideas in security can be effective?
> effective at what? being dumb? or perhaps, providing 'security'? what
> would that 'security' mean then and why cannot selinux provide it?
>
>
Once again, security is about your requirements and possible tradeoffs.
>> I'm not sure what "you asked for it, we'll see how smart you(r) selinux
>> folks are" is suppose to mean, is that a threat? Are you going to make
>> fun of us on blogs and mailing lists?
>>
>
> you already pulled that feat off, so i'm left with the task of putting
> the pieces of the puzzle together for all to see.
>
Ok, have fun with that. I'm going to be gone after today until next week
so don't misconstrue my lack of reply as assent.
--
gentoo-security@gentoo.org mailing list

Joshua Brindle wrote:
> pageexec@freemail.hu wrote:
>> is there any particular reason you're avoiding answering my (Andrea's,
>> for that matter) requests for specific attack examples?
>> it's my observation that you as well as many other selinux advocates
>> often try to stay at some superficial theoretical level of 'attacks'
>> as if that meant anything in the real world. it means nothing, so
>> please try get down from that 'high horse' and answer the questions.

Forgive my telling a short, true story here. Back in 1989, Steve Bellovin
wrote a paper called "Security Problems in the TCP/IP Protocol Suite." It
detailed a theoretical attack based on sequence number guessing. In 1994,
Kevin Mitnik used sequence guessing attacks against Tsutomu Shimomura's
network, in an attack that seemed pretty new... an act that ultimately led
to Mitnik's capture and imprisonment. In '89, Bellovin's paper didn't get
a lot of long-term attention because it seemed to be talking about some
wild, theoretical problem that nobody would ever be able to actually exploit.

So, what's the point of this story? You really shouldn't need a specific
attack example to think about the security implications of software.
Instead, you need to have a good theoretical base from which to make
decisions, and balance those decisions with practical knowledge and
understanding because all security decisions are ultimately based on an
assessment of what the risks are and a decision to mitigate or accept the
remaining risk.

This isn't coming from a high horse. This discussion appears to be a
question of competing priorities (functionality versus assurance) in trying
to ensure that a product continues to meet an extremely high standard for
quality.

-Bill
--
William Yang
wyang@gcfn.net
--
gentoo-security@gentoo.org mailing list