
Re: getting started with SELinux



Hi!

On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <dukeofnukem@gmx.net> wrote:
>> A little OT, but http://www.adamantix.org 's distro provides everything
>> and more SELinux has to offer while IMHO being a little easier to handle.
> Adamantix is not Debian. The people subscribed to this list are here for 
> Debian security not other OS security.

Adamantix is still Debian, only more secure. One of the enhancements is the use
of SSP: Stack Smashing Protector (also known as ProPolice). It is a patch for
GCC which adds protection against a number of stack overflows. OpenBSD uses it
too, Theo de Raadt even says that it is as good as normal GCC. In Adamantix we
still use GCC 2.95, which has some issues with some C++ code. Other than that,
it works fine. Even the Adamantix kernel has been compiled with SSP.

SSP protects the base pointer and the return address on the stack by placing
a so called canary before these two addresses. When an overflow overwrites the
canary, this will be detected by SSP before the function returns. Thus the
program is terminated before the exploit code is called.

The overhead introduced by SSP is relatively low, because it tries to do some
optimisations. It only adds checking code to functions which it considers
dangerous. The optimisation algorithm is not perfect, and therefore it can
skip functions that need protection. But it is possible to let SSP generate
code for every function, at a higher performance cost of course.

Another useful feature is that SSP reorganises local variables. Arrays are
placed closer to the canary value on the stack. And pointer variables are moved
away (they could be damaged too by overflows that do not overwrite the canary
value). It is therefore more effective than similar solutions that do not
reorder local variables.

SSP is certainly not perfect, it can only stop a limited number of exploits.
But it is not wise to depend on only one security mechanism. Therefore it will
be more effective when used together with a kernel patch like PaX and a
mandatory access control system like RSBAC, like in Adamantix.

Last time I looked, the GCC 3.3 package in Debian already had the patch
included. It is just not enabled by default. Remove one #, rebuild the package
and you can use the stack protector enabled GCC compiler.

You have to watch out though, an SSP compiled object file will require several
symbols that are normally provided when you compile everything with SSP. This
can cause problems when SSP is used to compile a library, but not the main
executable. There are other things to watch out for, like GRUB and the Linux
kernel do not link without adding a few lines of code. Trivial to fix, but
still something to watch out for. Other than that, it has been working fine. I
have not yet seen SSP related problems for packages that compiled successfully,
other than missing symbols when mixing Debian Woody packages with Adamantix
packages.

All in all I can certainly recommend it.

>> Don't want to discourage anybody from SELinux, especially not with
>> kernel 2.6 reaching production status, just my 2c ;-)
> I doubt that there's any risk of that.

It looks like SELinux is an interesting concept, but it is lacking some
important functionality. This is mostly because the LSM concept on which it is
based has a number of problems. See also:

http://www.rsbac.org/lsm.htm
http://www.grsecurity.net/lsm.php

Fortunately, RSBAC is not limited by the limitations of LSM. People who have
used SELinux before using RSBAC told me that RSBAC is easier to use than
SELinux.

Greetings,
Peter Busser
-- 
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
http://www.adamantix.org/
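As an added example (this is not code from the message above, from Adamantix, or from the ProPolice/SSP patch itself), the following C program models the two points Peter makes about SSP: the canary sitting between the locals and the saved return address is checked before the function returns, and moving pointer variables below the arrays means an overflow that is too short to reach the canary can no longer corrupt a pointer silently. The frame is simulated as a plain byte array with constructed sizes, a constructed canary value and constructed pointer/return-address values; a real stack-protector build does this as a compile-time GCC transformation on the actual frame, so offsets and sizes here are illustrative only. The copy is deliberately unbounded, as with strcpy(), but is clamped at the end of the modelled frame so the simulation itself stays in bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame, lowest address first, as a plain byte array.
 * All sizes are constructed for this example and match no real ABI. */
#define BUF_SZ    16
#define PTR_SZ     8
#define CANARY_SZ  4
#define RET_SZ     8
#define FRAME_SZ  (BUF_SZ + PTR_SZ + CANARY_SZ + RET_SZ)

enum layout {
    PTR_ABOVE_BUF,  /* no reordering: buf, then ptr, then canary, then return address */
    PTR_BELOW_BUF   /* SSP-style: ptr moved below buf, so buf sits next to the canary */
};

struct outcome {
    int canary_intact;     /* 1 if the canary still holds its value after the copy */
    int pointer_clobbered; /* 1 if the local pointer slot was overwritten */
    int retaddr_clobbered; /* 1 if the saved return address slot was overwritten */
};

static const uint32_t CANARY   = 0xff0a0000u;            /* constructed canary value */
static const uint64_t ORIG_PTR = 0x00007f0000001000ull;  /* constructed pointer value */
static const uint64_t ORIG_RET = 0x0000000000401234ull;  /* constructed return address */

/* Copy `len` attacker-controlled bytes into the buffer with no bounds check,
 * as strcpy() would, then perform the epilogue check SSP inserts before `ret`. */
struct outcome simulate_overflow(enum layout lay, const uint8_t *input, size_t len)
{
    uint8_t frame[FRAME_SZ];
    size_t buf_off, ptr_off;
    const size_t canary_off = BUF_SZ + PTR_SZ;
    const size_t ret_off    = canary_off + CANARY_SZ;
    struct outcome out;

    if (lay == PTR_ABOVE_BUF) { buf_off = 0;      ptr_off = BUF_SZ; }
    else                      { ptr_off = 0;      buf_off = PTR_SZ; }

    memset(frame, 0, sizeof frame);
    memcpy(frame + ptr_off,    &ORIG_PTR, PTR_SZ);
    memcpy(frame + canary_off, &CANARY,   CANARY_SZ);
    memcpy(frame + ret_off,    &ORIG_RET, RET_SZ);

    if (len > FRAME_SZ - buf_off)          /* keep the simulation itself in bounds */
        len = FRAME_SZ - buf_off;
    memcpy(frame + buf_off, input, len);   /* the unchecked copy */

    /* What the SSP epilogue checks before the function returns: */
    out.canary_intact     = memcmp(frame + canary_off, &CANARY,   CANARY_SZ) == 0;
    out.pointer_clobbered = memcmp(frame + ptr_off,    &ORIG_PTR, PTR_SZ)    != 0;
    out.retaddr_clobbered = memcmp(frame + ret_off,    &ORIG_RET, RET_SZ)    != 0;
    return out;
}

/* Convenience wrapper: overflow with `len` bytes of 'A'. */
struct outcome run_case(enum layout lay, size_t len)
{
    uint8_t input[FRAME_SZ];
    memset(input, 'A', sizeof input);
    if (len > sizeof input) len = sizeof input;
    return simulate_overflow(lay, input, len);
}

int main(void)
{
    static const size_t lens[] = { 15, 20, 28, 36 };
    static const char *names[] = { "no reorder", "SSP reorder" };
    for (int l = 0; l < 2; l++)
        for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
            struct outcome o = run_case((enum layout)l, lens[i]);
            printf("%-12s len=%2zu canary=%s ptr=%s ret=%s -> %s\n", names[l], lens[i],
                   o.canary_intact     ? "ok     " : "smashed",
                   o.pointer_clobbered ? "clobbered" : "ok       ",
                   o.retaddr_clobbered ? "clobbered" : "ok       ",
                   o.canary_intact ? "function returns normally"
                                   : "SSP aborts before return");
        }
    return 0;
}
```

The interesting row is a 20-byte write into the 16-byte buffer: without reordering it overwrites the pointer and leaves the canary untouched, so the function returns as if nothing happened; with the pointer moved below the buffer the same write hits the canary instead and the process is terminated in the epilogue. A write long enough to reach the saved return address always passes through the canary first in both layouts, which is the case SSP is primarily designed to catch.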


