Re: Security patches
On Fri, 19 Dec 2003 20:18, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Fri, 19 Dec 2003, Russell Coker wrote:
> > In terms of LSM protection against this, if you use SE Linux then all
> > aspects of file access and module loading are controlled by the policy.
> > I am going to write a policy that implements something similar to BSD
> > secure levels so that you can put a server into a mode where all kmem and
> > module load access is disabled.  That should be all you need.
>
> I think there is a LSM "BSD secure levels" module around (that has nothing
> to do with SE Linux), which should be much easier an install for those who
> want to play with BSD secure levels in Linux.

It has been floating around.  AFAIK it was never released in a fully working 
form, and it definitely has not been included in the kernel.org kernel.

> Russell, do you know if there is any talk about changing the kernel itself
> so that it cannot write to its own exec pages?  That would kill the stealth
> capabilities of _all_ kernel-changing rootkits but ones that change the
> on-disk kernel image or initrd image itself...  (and having those on RO
> media is quite straightforward, anyway).

Smart-ass answer:  It's called the HURD.

Serious answer:  The kernel has to be able to manage all aspects of virtual 
memory, so protecting it from itself is impossible.  If we went to some sort 
of HAL scheme similar to NT then we could do some of this (but it doesn't 
seem to do NT much good).  If we went to a full micro-kernel then we could 
have only the micro-kernel itself being granted such access, but then it 
wouldn't be Linux any more.

SE Linux could be ported to the HURD.  Much (most?) of the early work that SE 
Linux is based on was done on micro-kernelled OSs.  I have no time to do the 
serious stuff (restricting which "ports" a process can use when communicating 
with other processes and the micro-kernel, or porting the security server to 
be a daemon/translator), but I can help with some of the testing and writing 
policy.

It should be possible to make SE HURD more secure than SE Linux.  I am sure 
that the NSA people would be interested in such a project.  I doubt that they 
would have any time to contribute to it, but I'm sure that they would give 
some good advice if asked.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page