Re: Hook function suggestion

From: buddy (buddyat_private)
Date: Thu Apr 19 2001 - 04:42:49 PDT

  • Next message: Amon Ott: "Re: Direction of the mailing list/effort"

    Crispin Cowan wrote:
    
    > buddy wrote:
    >
    > > However, this does *not* offer complete protection. It might even
    > > introduce vulnerabilities, 'cause if I can hook into the kernel to prevent
    > > something from happening, my paranoid other half realizes that someone
    > > else could as well.
    > >
    > > I can set all the permissions I want, but if someone thrashes my DNS,
    > > I'm screwed. (So do we want to hook into signal() to catch segfaults?)
    > > If someone takes an axe to my webserver, I'm screwed. (So do we want
    > > to hook into the webcam driver so we can detect motions in the server room?)
    >
    > I think you're missing the concept.  You need root privileges to be able to load
    > modules.  Many of the security modules will actually disable further module
    > loading and unloading.  So once your machine is booted and running the security
    > module of your choice, the LSM interface does not present an additional threat,
    > regardless of what someone does to (say) your DNS server.
    
    I was trying to express my concern about where the discussion is going. I'm
    sorry if I wasn't clear enough.
    
    If we had carte blanche we could hook into *all* kernel objects and functions.
    But Linus has made it quite clear that LSM's impact on the kernel code proper has
    to be limited - and of course, that makes sense.
    
    If it turns out that these limits still allow for every conceivable and favourable
    hook we can think of, that's just perfect. I don't think this will happen though,
    so we'll have to make decisions about LSM's features and forget about the
    ones we don't need.
    
    <sarcasm>
    
    After all the plugs from people promoting their own solutions to a problem that
    has not even been defined, we now have a list of hook candidates, comprising
    "basic kernel service, filesystems, capabilities, network, IPC, and more."
    
    Brilliant, we cover everything.
    
    </sarcasm>
    
    Now, the only thing I'm trying to say here, is that nobody seems to care about the
    reason *why* you would want to hook into, say, sys_fork(). There has been no
    discussion about the actual threats and insecurities that we want to cover.
    
    If you don't think that that matters, think again.
    
    As an example, needing root privileges in order to (un)load modules doesn't make
    me feel any safer, but apparently I'm more paranoid than you are. ;-) I'm worried
    about all those people relying on their LKM notifying them of a root compromise,
    and being owned all the same.
    
    I'm not saying that LSM will add insecurity to the kernel. What I'm addressing is
    the problem that the police face: if you want to carry a gun to protect people,
    you'd better protect the gun too. Besides, the police's primary task is not to
    carry
    a gun, but to protect people.
    
    > Crispin
    >
    > P.S.  My thanks to Huagang for actually providing the spec of desired hooks for
    > LIDS.  That's what we really need to be discussing here.
    
    I'm certainly not trying to start a broad, general discussion about computer
    security.
    I can't wait either to get something done. But not just anything.
    So, while I appreciate Huagang's effort and input, I thought I'd take the
    opportunity to discuss the *really* difficult stuff related to security, and how
    that is connected to LSM.
    
    Cheers,
    Buddy
    
    > --
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc. http://wirex.com
    > Security Hardened Linux Distribution:       http://immunix.org
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 02:41:18 PDT