Re: [PATCH] settime hooks (1/1)

From: Michael Halcrow (mike@private)
Date: Mon Aug 09 2004 - 08:33:55 PDT


On Mon, Aug 09, 2004 at 12:04:53PM -0400, James Morris wrote:
> On Thu, 5 Aug 2004, Michael Halcrow wrote:
> > For final review before sending them off to LKML.  Please let me
> > know if anything looks amiss.  This is in support of the BSD
> > Secure Levels LSM that follows.
> 
> Is there a good paper describing the threat model for Secure Levels?

BSD Secure Levels is like the Rock of Gibraltar.  You do not question
it; it just is.  :-)

On a more serious note, there is no such paper that I know of.  I have
seen some discussion regarding it in various BSD documents scattered
around the web.  BSD Secure Levels seems to have formed largely via
the bazaar model - BSD admins and developers have converged on this
set of policies associated with levels as something that provides good
security in the event of root compromise.  My goal with this LSM has
been simply to replicate their work into a module that BSD admins are
already familiar with.  This module was also intended to demonstrate
sufficient coverage of LSM hooks in the kernel to implement this
model.

> Or can you explain why specifically decrementing the system time is
> something you would want to stop root from doing?

Keep in mind that BSD Secure Levels is designed to limit potential
damage that can be done after a root compromise.

Messing with the system time is one potential vector that an attacker
could use to obfuscate his activities.  If you cannot depend on the
timestamps on files and in logs, auditing and post-mortem analysis
become more difficult.

While I was in school, the system time stamped on the files in the
student directory was used to determine whether or not the student met
his deadline.  If an unscrupulous student performed a local root
exploit, he could conceivably set the system time back to falsify the
timestamps on the files.  Whether or not such an attack would be
successful can depend on more factors than just the local system time,
but BSD Secure Levels removes that variable.

These are just a couple of justifications I can think of off the top
of my head for disallowing a system time decrement by root.

Mike
.___________________________________________________________________.
                         Michael A. Halcrow                          
       Security Software Engineer, IBM Linux Technology Center       
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D  2371 2D3C FDDA 3EB6 601D

This archive was generated by hypermail 2.1.3 : Mon Aug 09 2004 - 09:42:50 PDT