jmjonesat_private wrote:

> Well designed applications will do their own "checking" then try
> to do the thing. If the thing returns with "EPERM", then *let it*.
> A well designed module COULD implement a little AI and count these
> illegal attempts, making a decision thereupon, OR, it could be provided
> with a "signature" file of sorts that states what the designer intended
> his program to access.

This is (roughly) what Anil's research is about. He characterizes certain activities as "suspicious", and then imposes an exponentially growing delay on the application each time it does something "suspicious".

> A well designed LSM could implement a policy
> that allows application layer programs to register their "normal"
> behaviour with the LSM... resulting only in WHOOPSIE in the event that
> the application suddenly does something unexpected.

This is (roughly) what SubDomain does. The difference is that the permitted behavior (per program) is specified in a conf file, rather than being registered by the program. If you let the program register its intended behavior, then the attacker can hack the program and get it to register some interesting new things to do just before doing them.

So yes, these are good suggestions for things that LSM modules should be doing.

> My worry at this point, is "trust". I think there MUST be some way
> to verify that the security module loaded is correct.

This is outside the scope of the LSM project. The basic model is that it takes root authority to load a module. It also (only!) takes root authority to overwrite /boot/vmlinuz and then force a reboot. Therefore any module authentication mechanism that we build that is not coupled with a high integrity boot sequence (where everything from the BIOS on up authenticates the next level) is useless.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 18:38:31 PDT
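
The two mechanisms discussed in the message above, modeled in user space as an added example (not code from the post, from SubDomain, or from the LSM project): a per-program profile that only the administrator defines, and a delay that doubles with each denied access. The profile syntax, the function names, the 10 ms base delay and the sample paths are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample profile, hypothetical "program path-prefix mode" syntax
 * (not SubDomain's real format). It is const and there is no call that lets
 * a task add entries, so a hijacked program cannot widen its own policy. */
static const char *PROFILE[] = {
    "/usr/sbin/httpd /var/www/ r",
    "/usr/sbin/httpd /var/log/httpd/ w",
};

struct task_state { const char *prog; unsigned violations; };

/* 0 if the profile permits the access, -EPERM otherwise.
 * Assumes path is already canonical (no "..", no symlinks). */
int profile_check(const char *prog, const char *path, char mode)
{
    for (size_t i = 0; i < sizeof PROFILE / sizeof *PROFILE; i++) {
        char p[64], prefix[64], m;
        if (sscanf(PROFILE[i], "%63s %63s %c", p, prefix, &m) != 3)
            continue;                      /* skip malformed rule */
        if (strcmp(p, prog) == 0 && m == mode &&
            strncmp(path, prefix, strlen(prefix)) == 0)
            return 0;
    }
    return -EPERM;                         /* default deny */
}

/* Exponentially growing penalty: 10 ms, 20 ms, 40 ms, ... capped. */
unsigned penalty_ms(unsigned violations)
{
    if (violations == 0)
        return 0;
    unsigned shift = violations - 1 > 16 ? 16 : violations - 1;
    return 10u << shift;
}

/* Mediate one access: deny with -EPERM, count it, report the task's delay. */
int mediate(struct task_state *t, const char *path, char mode, unsigned *delay_ms)
{
    int rc = profile_check(t->prog, path, mode);
    if (rc != 0)
        t->violations++;
    *delay_ms = penalty_ms(t->violations);
    return rc;
}
```
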