Re: SELinux metadata protection

From: Crispin Cowan (crispin@private)
Date: Wed Jan 04 2006 - 16:55:51 PST


Serge E. Hallyn wrote:
> Hmm, a question on behavior.
>
> Let's say hallyn_t is allowed to write /var (var_t), but not to do
> getattr on /var/secret_process_is_running (secret_t).  If hallyn_t
> does ls /var/secret_process_is_running, he gets -ENOENT, but what
> should he get if he does 'touch /var/secret_process_is_running'?
> -EPERM obviously leaks information...
>   
If you create a file whose existence is supposed to be secret, and you
put it in a public directory, then you have made a mistake, because the
file's existence is always detectable.

Suppose we create a file in /var/nothingtoseehere. The adversary can
create any file they want, *except* for /var/nothingtoseehere, which
will return some kind of error message (doesn't matter which error).
From this, the attacker can infer the existence of the file, and its name.

The secret file is casting a shadow in a public place. This is just like
a stealth aircraft; sure, radar can't see it, and it is black against
the black night sky, but it still blocks out the stars as it passes in
front of them. Ultimately, you must hide your secrets inside a
sufficiently large and/or opaque container, and the container will end
up being visible.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
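The "shadow" argument above in working form, as an added example that is not part of this thread: a small Python audit that walks a secret file's ancestor directories using plain DAC mode bits (SELinux labels are not modelled) and reports whether the name is hidden by an opaque container, listable, or probeable through create attempts. The temporary directory layout it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

# DAC bits on a directory that let principals other than the owner act in it
# (group and world). SELinux labels are not modelled; this is the DAC view only.
OTHER_SEARCH = stat.S_IXGRP | stat.S_IXOTH  # resolve names below the directory
OTHER_READ = stat.S_IRGRP | stat.S_IROTH    # list the names directly
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH   # probe a name by trying to create it


def shadow_exposure(secret_path, trusted_root="/"):
    """Classify how other users can learn the *name* of secret_path.
    'container' is the first ancestor (up to trusted_root, assumed reachable)
    that others cannot search; it hides every name below it. Otherwise
    'listable' means others can read the parent and 'probeable' means they
    can create in it, so creating the secret name fails while any other name
    succeeds, whatever errno comes back: the 'shadow' in the post."""
    parent = os.path.dirname(os.path.abspath(secret_path))
    trusted_root = os.path.abspath(trusted_root)
    result = {"container": None, "listable": False, "probeable": False}
    ancestor = parent
    while ancestor != trusted_root:
        if not os.stat(ancestor).st_mode & OTHER_SEARCH:
            result["container"] = ancestor
            return result
        head = os.path.dirname(ancestor)
        if head == ancestor:  # reached "/" without meeting trusted_root
            break
        ancestor = head
    mode = os.stat(parent).st_mode
    result["listable"] = bool(mode & OTHER_READ)
    result["probeable"] = bool(mode & OTHER_WRITE)
    return result


def demo():
    """Constructed layout: the same secret name placed in a world-writable
    directory (like /var in the thread) and in an owner-only directory."""
    base = tempfile.mkdtemp()
    layout = {"public": 0o1777, "private": 0o700}
    results = {}
    for name, mode in layout.items():
        directory = os.path.join(base, name)
        os.mkdir(directory)
        os.chmod(directory, mode)  # explicit chmod so the umask cannot interfere
        secret = os.path.join(directory, "nothingtoseehere")
        open(secret, "w").close()
        results[name] = shadow_exposure(secret, trusted_root=base)
    return results
```

Running `demo()` reports the secret under the world-writable directory as both listable and probeable, and the one under the 0o700 directory as hidden by that directory as its container.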



This archive was generated by hypermail 2.1.3 : Wed Jan 04 2006 - 16:56:56 PST