"KRAMER,STEVEN (HP-USA,ex1)" wrote:

> Why is it that MAC and DAC both must return the same error messages?

As per my previous post, modules don't have to return the same error codes that DAC returns, but if a module returns anything different than what DAC would return, it is the module that creates the covert channel. This covert channel is created regardless of the MAC/DAC sequence, because the attacker can determine which layer denied the access, regardless of the order. Only by returning precisely the same error code is the covert channel closed.

The only covert channel that is affected by the MAC/DAC checking sequence is the timing covert channel. The attacker could potentially determine whether it was DAC or MAC that denied the request, depending on how long the access check takes to run. There are several major problems with trying to close this timing covert channel with LSM:

* Hard to fix: Linux is performance-tuned, so it leaks timing covert channel information all over the place. This makes it fairly difficult for LSM to mask timing covert channels, other than by using sys call interposition and throwing random delay into every system call. Ick.
* Low priority:
    o It is very hard to exploit: Linux is a noisy environment, so it is hard to infer the result based on timing.
    o The attacker doesn't gain that much: so the attacker knows whether it was DAC or MAC that denied the request. How much leverage does that buy? IMHO, not very much.

> I'm also curious as to why you don't think Linux is an appropriate
> system for which to eliminate covert channels.

I don't regard it as feasible to defeat covert channels in anything more complex than a smart card. Even there, it has proven fairly difficult to mitigate covert channels, e.g. the attack that discloses private keys based on the smartcard CPU's power consumption during exponentiation.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
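The error-code point in the message above, as an added example that is not part of the original post and is not LSM code: a small C model that composes a DAC check and a module (MAC) check in either order and tests whether the returned code alone identifies the denying layer. The names `access_check` and `layer_revealed` are hypothetical, and `EPERM` is a constructed choice for a module code that differs from the DAC code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum order { DAC_FIRST, MAC_FIRST };
enum layer { NONE, DAC, MAC };

struct result { int ret; enum layer denied_by; };

/* Run both checks in the given order; the first denial is what the caller gets. */
static struct result access_check(enum order ord, bool dac_ok, bool mac_ok,
                                  int dac_err, int mac_err)
{
    struct result dac = { dac_ok ? 0 : -dac_err, dac_ok ? NONE : DAC };
    struct result mac = { mac_ok ? 0 : -mac_err, mac_ok ? NONE : MAC };
    struct result first = (ord == DAC_FIRST) ? dac : mac;
    struct result second = (ord == DAC_FIRST) ? mac : dac;
    return first.ret ? first : second;
}

/* True if, over all four DAC/MAC outcomes, the return code alone tells the
 * caller which layer denied (no code is ever produced by both layers). */
static bool layer_revealed(enum order ord, int dac_err, int mac_err)
{
    struct result r[4];
    for (int i = 0; i < 4; i++)
        r[i] = access_check(ord, i & 1, i & 2, dac_err, mac_err);
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            if (r[i].ret && r[i].ret == r[j].ret &&
                r[i].denied_by != r[j].denied_by)
                return false;   /* same code from both layers: ambiguous */
    return true;
}

int main(void)
{
    const char *name[] = { "DAC first", "MAC first" };
    for (int ord = DAC_FIRST; ord <= MAC_FIRST; ord++) {
        printf("%s, module returns EPERM:  revealed=%d\n", name[ord],
               layer_revealed(ord, EACCES, EPERM));
        printf("%s, module returns EACCES: revealed=%d\n", name[ord],
               layer_revealed(ord, EACCES, EACCES));
    }
    return 0;
}
```

The model covers only the return code; the timing channel the message discusses is not represented.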
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 22:39:21 PDT