Re: LIDS 2.2.0rc1 for kernel 2.6.6 is out

From: Huagang Xie (xie@private)
Date: Mon Jun 14 2004 - 11:26:08 PDT


    Thanks for Crispin pointing out those interesting papers.
    
    Since I am not a user of selinux, sorry, I do not have the answer for
    the advantages/disadvantages of LIDS vs Selinux, but I just googled
    it and found one interesting paper at
    
    http://www.giac.org/practical/Rick_Larabee_GSEC.doc
    
    And a new member of LIDS team, purna, is working on some interesting stuff
    in the version of kernel 2.4, such as TPE, 
    
    http://www.lids.org/document/LIDS-TPE-feature.txt
    
    and LIDS TDE: Sandboxing an application
    
    http://forum.lids.org/viewtopic.php?t=14
    
    
    Thanks,
    Huagang
    
    On Sun, Jun 13, 2004 at 11:20:13AM -0700, Crispin Cowan wrote:
    > Michael Dean wrote:
    > 
    > >could you explain to me, simply, the advantages of lids over selinux?  
    > >Thanks
    > 
    > For a substantial treatment on the relative merits of a broad selection 
    > of intrusion prevention technologies, including several LSM packages 
    > (SELinux, DTE, and SubDomain) consider this book chapter:
    > 
    >    "Survivability: Synergizing Security and Reliability". Crispin
    >    Cowan. Book chapter in "Advances in Computers", Marvin V. Zelkowitz
    >    editing, Academic Press, 2004.  Buy "Advances in Computers" 60 here
    >    <http://www.elsevier.com/wps/find/bookdescription.cws_home/702750/description>.
    >    Chapter here PDF <http://immunix.com/%7Ecrispin/survivability.pdf>.
    > 
    > Unfortunately, the chapter does not specifically address LIDS. LIDS 
    > borrows some design elements from SubDomain (modeling access control on 
    > relating programs to accesses instead of users) but inverts it: 
    > SubDomain specifies the files a program can access, while (IIRC) LIDS 
    > specifies the programs that may access a file.
    > 
    > I don't know where the notion of listing the files that a program may 
    > access came from. It has antecedents in Janus (Goldberg, Wagner, Thomas, 
    > and Brewer, USENIX Security 1996) and TRON (Berman, Bourassa, and 
    > Selberg, USENIX 1995).
    > 
    > The latter concept of listing the programs that may access a file was 
    > originally introduced in the PACLs (Program Access Control Lists) paper 
    > in 1990:
    > 
    > @inproceedings{
    >    pacl90,
    >    author = "D.R. Wichers and D.M. Cook and R.A. Olsson and J.
    >        Crossley and P. Kerchen and K. Levitt and R. Lo",
    >    title = "{PACL's: An Access Control List Approach to Anti-viral
    >        Security}",
    >    booktitle = "Proceedings of the 13th National Computer Security 
    > Conference",
    >    address = "Washington, DC",
    >    pages = "340--349",
    >    month = "October 1-4",
    >    year = 1990
    > }
    > 
    > Which of these concepts is "better" depends on what you are trying to 
    > assure.
    > 
    > Crispin
    > 
    > -- 
    > Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
    > CTO, Immunix          http://immunix.com
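The two policy shapes Crispin contrasts above (SubDomain-style "which files may this program touch" versus PACL/LIDS-style "which programs may touch this file") can be compared side by side with a small policy evaluator. The following is an added example for this archive page, not code from the LIDS, SubDomain or PACL projects; the policy dictionaries are constructed samples, and treating an unlisted program or file as "no opinion, fall back to ordinary DAC" (returned as `None`) is a simplifying assumption rather than how either real system behaves.

```python
"""Toy comparison of program-centric vs file-centric access control.

Program-centric (SubDomain-style): the policy is keyed by program and lists
the files each confined program may use.  File-centric (PACL/LIDS-style):
the policy is keyed by file and lists the programs allowed to touch it.
Both answer the same question, "may program P open path F for mode M?",
but they differ in what happens for programs or files nobody wrote a rule for.
"""
from fnmatch import fnmatchcase

# Constructed sample policy, program-centric: program -> {path pattern: modes}.
PROGRAM_POLICY = {
    "/usr/sbin/httpd": {"/var/www/*": "r", "/var/log/httpd/*": "w"},
    "/usr/bin/passwd": {"/etc/shadow": "rw", "/etc/passwd": "r"},
}

# Constructed sample policy, file-centric: path pattern -> {program: modes}.
FILE_POLICY = {
    "/etc/shadow": {"/usr/bin/passwd": "rw"},
    "/var/www/*": {"/usr/sbin/httpd": "r"},
    "/var/log/httpd/*": {"/usr/sbin/httpd": "w"},
}


def _modes_allow(granted, requested):
    """True if every requested mode letter (e.g. "rw") is in the granted set."""
    return all(m in granted for m in requested)


def check_program_centric(policy, program, path, mode):
    """A profiled program may only touch files its profile lists.

    Returns True/False for a profiled program.  A program with no profile
    gets None: this toy model leaves it to ordinary DAC (assumption).
    """
    profile = policy.get(program)
    if profile is None:
        return None
    for pattern, granted in profile.items():
        if fnmatchcase(path, pattern):
            return _modes_allow(granted, mode)
    return False  # profiled program, file not in its profile


def check_file_centric(policy, program, path, mode):
    """A protected file may only be touched by the programs listed for it.

    Returns True/False for a protected file.  A file no rule covers gets
    None: again, left to ordinary DAC in this toy model (assumption).
    """
    for pattern, programs in policy.items():
        if fnmatchcase(path, pattern):
            return _modes_allow(programs.get(program, ""), mode)
    return None


def invert(program_policy):
    """Rewrite a program-centric policy as the equivalent file-centric one.

    For every (program, file, modes) triple the two forms agree, which is
    why the thread describes LIDS as SubDomain's model "inverted".
    """
    out = {}
    for program, profile in program_policy.items():
        for pattern, granted in profile.items():
            out.setdefault(pattern, {})[program] = granted
    return out


def compare(program, path, mode):
    """Return (program-centric verdict, file-centric verdict) for one request."""
    return (check_program_centric(PROGRAM_POLICY, program, path, mode),
            check_file_centric(FILE_POLICY, program, path, mode))


if __name__ == "__main__":
    # Same verdict when both a profile and a file rule exist ...
    print(compare("/usr/sbin/httpd", "/var/www/index.html", "r"))  # (True, True)
    print(compare("/usr/sbin/httpd", "/etc/shadow", "r"))          # (False, False)
    # ... but they diverge on what nobody wrote a rule for:
    # an unprofiled program reading a protected file,
    print(compare("/bin/cat", "/etc/shadow", "r"))                  # (None, False)
    # and a profiled program writing an unprotected file.
    print(compare("/usr/sbin/httpd", "/tmp/scratch", "w"))          # (False, None)
```

The last two calls in the demo are the practical form of Crispin's closing remark: the program-centric policy follows a program wherever it goes (httpd cannot write `/tmp/scratch` even though no rule protects that file), while the file-centric policy guards a file against whatever reaches it (`/bin/cat` is refused `/etc/shadow` even though nobody wrote a profile for `cat`). Which gap you care about decides which model you want.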
    
    This archive was generated by hypermail 2b30 : Mon Jun 14 2004 - 11:28:59 PDT