By Jake Edge
August 6, 2008
The Simplified Mandatory Access Control
Kernel (Smack) is a Linux access control mechanism akin to SELinux. As
its name would imply, it is a much less complex scheme that requires far
fewer resources than SELinux, which may make it more palatable to
developers of embedded systems. Smack developer Casey Schaufler gave a
talk at the recent Ottawa Linux Symposium (OLS) outlining how it could be used
for embedded devices.
Smack has the distinction of being the second user of the
Linux Security Module (LSM) kernel interface to be merged into the
mainline. This finally put to rest the idea that the LSM might some day be
removed from the kernel,
requiring all security solutions to be implemented
in terms of SELinux. But Smack comes at Mandatory Access Control
(MAC)—which is at the heart of both SELinux and Smack—from a
different perspective. Schaufler believes that MAC rules should be
explicitly specified rather than implicit in a set of policies a la SELinux.
In order to get everyone up to speed, Schaufler gave an overview of MAC and
Smack. The main thing to remember about MAC is that it is not user
controlled. The system makes all decisions about access and the attributes
of files that govern access. The standard UNIX model, by way of comparison,
is a Discretionary Access Control (DAC) system, where users can change the
security attributes of objects under their control.
Smack relies on labels for subjects, which are active entities, and objects,
which are passive. An access is an operation performed by a subject,
generally a task/process, on an object, typically a file. To decide whether
the access succeeds, Smack compares the subject and object labels: if they
match, access is granted; if they differ, the explicitly loaded access rules
are consulted. If a rule for that subject/object pair grants the requested
access, it is allowed; otherwise it is denied.
There are three system labels defined, along with built-in rules governing
their behavior, but all other rules must be explicitly added by the
administrator. Labels are simply strings of up to 23 characters. A rule names
a subject label, an object label, and the access modes it grants (some
combination of read, write, execute, and append). After mounting the smackfs
filesystem at /smack, rules can be written to /smack/load, which stores
them in the kernel for immediate use.
It is important to note that objects inherit the label of the subject that
creates them. That means that the label on an executable is only relevant
for deciding whether the subject process is allowed to execute it; the
process that results has the label of the subject that executed it, not
the label of the executable file. The same goes for files: a newly created
file gets the label of the process that created it. This is very different
from the SELinux label inheritance rules.
There is more to it, of course, but not a lot more, which is what
makes it attractive to some.
Interested readers are directed to our article, Schaufler's
OLS paper [PDF], or the Smack home
page for more detailed looks at Smack.
Schaufler outlined specific reasons that a simplified system, like Smack,
would be attractive in the embedded world. Many embedded devices are
single-purpose and geared towards one user. Because cost is often a major
factor, the device only needs to implement the exact set of functions that
it is meant to provide. As Schaufler puts it: "feature
completeness is uninteresting".
Cost often plays a role in the amount of system resources provided,
particularly RAM and flash, as well. A solution that uses less memory fits
well with the embedded mindset. There have been some efforts to pare down
SELinux and its enormous policy file for the embedded world (including a paper
at OLS [PDF], and a presentation at the Embedded Linux Conference that we covered briefly), but it is
still rather large. It is also a great deal more complex than Smack, which
was a major thrust of Schaufler's presentation.
One problematic area for putting SELinux on embedded devices is that most
flash filesystems do not have support for extended attributes (xattrs).
Both Smack
and SELinux use xattrs to store labels for files, but Smack can provide a
default label for an entire filesystem to avoid requiring xattr support.
Also, system files automatically default to the "_" (called floor) label so,
in many cases, labels on individual files may not be required.
In his talk, Schaufler gave several examples of specific sets of
applications and how they could be easily cordoned off from each other
while still working together. The model he used was of a mobile phone with
multiple applications. The phone's system data would have the default
floor label which means they can be read—but not written—by a
process with any label.
One of Schaufler's examples was of two different applications that
each retrieved content from the network to display to a user. Each
retrieved headlines from different services, one from CNN, the other from
ESPN. At times the content might overlap, in which case the phone vendor
wanted each to be able to read the other's data, potentially displaying a
sports story as part of the regular news or vice versa. This is easily
handled by two Smack rules:
ESPN CNN r
CNN ESPN r
Assuming that the CNN application runs with the CNN label and the ESPN
process with the ESPN label, each can read and write its own private data
(because the labels match). Because of the two rules above, each can also
read the other's private data. If at some point the phone vendor decided
that the two applications should no longer share data, those rules simply
need to be removed; no filesystem relabeling or anything else is required.
Another example that Schaufler gave was of a video process and an audio
process that cooperated in sharing system resources by sending messages to
each other. They had no need to share data, just to send UDP messages. In
Smack, a process can send a UDP packet if it has write access to the label
of the other process. So the following Smack rules could be used:
Video Audio w
Audio Video w
One might expect that giving write permission would allow Video, for
example, to write to data with the Audio label. It does not, because UNIX
file semantics require read access in order to write file data (the inode
of the file must be read), and these rules grant write only. So under this
set of rules each process can send UDP packets to, and receive them from,
the other, but neither can access any data labeled for the other.
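The access decision described earlier (matching labels grant; otherwise the loaded rules decide), the two news-application rules and the audio/video messaging rules, as one added example in Python. This is illustrative code written for this page, not Smack's kernel implementation: the class, method and result names are invented, the rule text is constructed from the two examples in the talk, and the file-open check follows the article's explanation that writing a file also requires read access. It goes slightly beyond the article by including the kernel's fixed handling of the "^" (hat) and "*" (star) system labels alongside the "_" (floor) label the article mentions.

```python
"""Toy model of Smack's access decision (added illustration, not kernel code).

Follows the order the article describes (same label: grant; else consult the
loaded rules) plus, beyond the article, the kernel's fixed handling of the
system labels "_" (floor), "^" (hat) and "*" (star).
"""

FLOOR = "_"   # object any subject may read or execute
HAT = "^"     # subject that may read or execute any object
STAR = "*"    # object anyone may access; as a subject it may access nothing
MODES = frozenset("rwxa")   # read, write, execute, append
MAX_LABEL = 23              # label length limit quoted in the article


class SmackModel:
    def __init__(self):
        self.rules = {}   # (subject, object) -> set of granted modes

    def load(self, text):
        """Load 'subject object modes' rules; a repeated pair replaces the old rule."""
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed rule: {raw!r}")
            subject, obj, modes = parts
            if any(not 0 < len(label) <= MAX_LABEL for label in (subject, obj)):
                raise ValueError(f"bad label length in {raw!r}")
            if not set(modes) <= MODES:
                raise ValueError(f"unknown access mode in {modes!r}")
            self.rules[(subject, obj)] = set(modes)

    def unload(self, subject, obj):
        """Drop the rule for one pair; nothing on disk needs relabeling."""
        self.rules.pop((subject, obj), None)

    def allowed(self, subject, obj, modes):
        """True if every mode in `modes` is permitted for subject on obj."""
        want = set(modes)
        if not want or not want <= MODES:
            raise ValueError(f"bad access request {modes!r}")
        if subject == STAR:                  # a star subject can access nothing
            return False
        if obj == STAR or subject == obj:    # star object, or matching labels
            return True
        if want <= {"r", "x"} and (obj == FLOOR or subject == HAT):
            return True                      # anyone reads the floor; the hat reads all
        return want <= self.rules.get((subject, obj), set())   # explicit rule

    def can_open_file(self, subject, file_label, for_write=False):
        """Opening for write needs read access as well, as the article notes."""
        return self.allowed(subject, file_label, "rw" if for_write else "r")

    def can_send_udp(self, sender, receiver):
        """A UDP packet needs write access to the receiving process's label."""
        return self.allowed(sender, receiver, "w")


# Constructed policy: both of the talk's examples loaded together.
PHONE_RULES = """
# the news applications may read each other's data
ESPN  CNN   r
CNN   ESPN  r
# the media processes may only message each other
Video Audio w
Audio Video w
"""


def phone_example():
    """Evaluate the accesses discussed in the article; returns name -> granted."""
    m = SmackModel()
    m.load(PHONE_RULES)
    r = {
        "cnn_own_data_rw": m.allowed("CNN", "CNN", "rw"),
        "cnn_reads_espn_data": m.can_open_file("CNN", "ESPN"),
        "cnn_writes_espn_data": m.can_open_file("CNN", "ESPN", for_write=True),
        "video_udp_to_audio": m.can_send_udp("Video", "Audio"),
        "audio_udp_to_video": m.can_send_udp("Audio", "Video"),
        "video_reads_audio_data": m.can_open_file("Video", "Audio"),
        "video_writes_audio_data": m.can_open_file("Video", "Audio", for_write=True),
        "cnn_udp_to_espn": m.can_send_udp("CNN", "ESPN"),
        "cnn_reads_system_data": m.can_open_file("CNN", FLOOR),
        "cnn_writes_system_data": m.can_open_file("CNN", FLOOR, for_write=True),
    }
    # Vendor later forbids sharing between the news applications:
    # removing the two rules is the whole change.
    m.unload("ESPN", "CNN")
    m.unload("CNN", "ESPN")
    r["espn_reads_cnn_after_unload"] = m.can_open_file("ESPN", "CNN")
    return r


if __name__ == "__main__":
    for name, granted in phone_example().items():
        print(f"{name:30} {'granted' if granted else 'denied'}")
```

Running the module prints each access as granted or denied; the unload step at the end is the vendor's policy change from the first example, with no relabeling involved. The check that writing a file needs both "r" and "w" is what keeps the Video/Audio rules confined to messaging.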
Schaufler had some other examples in his presentation (slides
[PDF]), that were geared more towards exploring Smack capabilities than
specifically at embedded applications. He concluded by directly comparing
Smack and SELinux in terms of complexity. Clearly Smack is vastly simpler;
whether it has enough capabilities to provide the protection that embedded
developers require remains to be seen. On the other hand, whether SELinux
can be made to work reasonably in embedded environments is also an outstanding
question. It will be interesting to watch.
Comments (1 posted)
Brief items
For your amusement: Information Week reports from a USENIX talk about compromised phishing kits. "In January, Netcraft security researcher Paul Mutton identified a phishing tool kit distributed by a group of Moroccan cybercriminals that had been compromised with a back door. Unbeknownst to its users, the phishing kit sent copies of stolen information to its creators. Now it turns out that more than 40% of the live phishing kits found online (61 out of 150) have back doors designed to steal from the information thieves using them." The moral is clear: one should always stick with open-source malware.
Comments (9 posted)
New vulnerabilities
drupal: session fixation
Package(s): drupal
CVE #(s): (none)
Created: August 1, 2008
Updated: August 6, 2008
Description: From this Drupal advisory: When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access.
Comments (none posted)
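The session fixation path described in the Drupal advisory above, as an added example in Python. This is not Drupal code: the session store, the login function, the hook mechanism and the attacker's planted session id are assumptions made for illustration. It contrasts the vulnerable ordering (the session is regenerated only after the login hooks have run, so a hook that ends the request skips the regeneration) with regenerating the session before any hook runs.

```python
"""Session fixation in a toy cookie-session layer (added illustration, not
Drupal code). Names, the hook mechanism and the planted id are assumptions."""
import secrets


class RequestTerminated(Exception):
    """Raised by a hook that ends the request early (a redirect, say)."""


class SessionStore:
    """The client presents a session id; the server keeps the data for it."""

    def __init__(self):
        self.sessions = {}   # session id -> session data

    def attach(self, sid):
        """Accept whatever id the client presents, creating it if unknown."""
        return self.sessions.setdefault(sid, {"user": None})

    def regenerate(self, old_sid):
        """Move the data to a fresh unguessable id; the old id stops working."""
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login(store, sid, user, hooks=(), regenerate_first=False):
    """Log `user` in on session `sid`; return the id the client should keep.

    regenerate_first=False mirrors the ordering the advisory describes: the
    login hooks run before the session is regenerated, so a hook that ends
    the request leaves the user authenticated under the client-chosen id.
    """
    data = store.attach(sid)
    data["user"] = user
    if regenerate_first:
        sid = store.regenerate(sid)
    try:
        for hook in hooks:
            hook(user)
    except RequestTerminated:
        return sid            # request ended early; no further processing
    if not regenerate_first:
        sid = store.regenerate(sid)
    return sid


def terminating_hook(user):
    """Stand-in for a contributed module that ends the request during login."""
    raise RequestTerminated()


def fixation_attack(hooks, regenerate_first):
    """Attacker plants a known id, the victim logs in, the attacker replays it.

    Returns the user the planted id resolves to afterwards (None: attack failed).
    """
    store = SessionStore()
    planted = "sid-chosen-by-attacker"   # constructed; e.g. delivered in a crafted link
    store.attach(planted)
    # The victim's browser arrives carrying the planted id and logs in.
    victim_sid = login(store, planted, "victim", hooks, regenerate_first)
    assert store.whoami(victim_sid) == "victim"   # victim is logged in either way
    return store.whoami(planted)


if __name__ == "__main__":
    print("no hook, regenerate after:  ", fixation_attack((), False))
    print("terminating hook, after:    ", fixation_attack((terminating_hook,), False))
    print("terminating hook, before:   ", fixation_attack((terminating_hook,), True))
```

Only the middle case yields the victim's identity to the attacker's id; regenerating before the hooks run closes it regardless of what a hook does afterwards.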
filezilla: unsecured data transfers
Package(s): filezilla
CVE #(s): (none)
Created: August 1, 2008
Updated: August 6, 2008
Description: From the FileZilla homepage: FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are handled on SSL/TLS secured data transfers.
Comments (none posted)
httrack: buffer overflow
Package(s): httrack
CVE #(s): CVE-2008-3429
Created: August 1, 2008
Updated: September 12, 2008
Description: From the Debian advisory: Joan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing execution of arbitrary code when passed excessively long URLs.
Comments (none posted)
java-1.5.0-ibm: buffer overflow
Package(s): java-1.5.0-ibm
CVE #(s): CVE-2008-3108
Created: July 31, 2008
Updated: November 18, 2009
Description: IBM Java has a buffer overflow vulnerability. From the CVE database entry: Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain privileges via unspecified vectors related to font processing.
Comments (none posted)
libxslt: heap buffer overflow
Package(s): libxslt
CVE #(s): CVE-2008-2935
Created: July 31, 2008
Updated: October 27, 2008
Description: From the Red Hat alert: A heap buffer overflow flaw was discovered in the RC4 libxslt library extension. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute arbitrary code with the privileges of the application using the libxslt library to perform XSL transformations on untrusted XSL style sheets.
Comments (none posted)
nfs-utils: access restriction problem
Package(s): nfs-utils
CVE #(s): CVE-2008-1376
Created: July 31, 2008
Updated: May 21, 2009
Description: nfs-utils has an access restriction problem. From the Red Hat alert: A flaw was found in the nfs-utils package build. The nfs-utils package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not.
Comments (none posted)
opensc: unauthorized PIN change
Package(s): opensc
CVE #(s): CVE-2008-2235, CVE-2008-3972
Created: August 4, 2008
Updated: June 1, 2009
Description: From the Debian advisory: Chaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN.
With this bug anyone can change a user PIN without having the PIN or PUK or the superuser's PIN or PUK. However it can not be used to figure out the PIN. If the PIN on your card is still the same you always had, there's a reasonable chance that this vulnerability has not been exploited.
This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised with OpenSC. Users of other smart cards and USB crypto tokens, or cards that have been initialised with some software other than OpenSC, are not affected.
Comments (none posted)
pan: execution of arbitrary code
Package(s): pan
CVE #(s): CVE-2008-2363
Created: August 1, 2008
Updated: October 8, 2009
Description: From the Gentoo advisory: Pavel Polischouk reported a boundary error in the PartsBatch class when processing .nzb files. A remote attacker could entice a user to open a specially crafted .nzb file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Comments (none posted)
pdns-recursor: weak random number generator
Package(s): pdns-recursor
CVE #(s): CVE-2008-3217
Created: July 31, 2008
Updated: August 21, 2008
Description: The PowerDNS Recursor, a non-authoritative (recursing) DNS server, used a weak random number generator to choose the source ports of its outgoing queries. Predictable source ports make it much easier for a remote attacker to forge responses and poison the resolver's cache.
Comments (none posted)
phpMyAdmin: cross-site framing vulnerability
Package(s): phpMyAdmin
CVE #(s): (none)
Created: July 31, 2008
Updated: August 6, 2008
Description: phpMyAdmin has a cross-site framing vulnerability, described here: "It was permitted to display phpMyAdmin's frames inside another page, opening phishing or fooling possibilities; now, a parameter AllowThirdPartyFraming must be set to true in config.inc.php to allow this behavior. Also, XSS was possible for someone who could overwrite config/config.inc.php during the time this file is present in this directory."
Comments (none posted)
pidgin: memory leak
Package(s): pidgin gaim
CVE #(s): CVE-2008-2956
Created: August 6, 2008
Updated: August 6, 2008
Description: Pidgin 2.0.0 ("and possibly other versions") contains a memory leak which is exploitable for a denial of service attack.
Comments (none posted)
python: multiple vulnerabilities
Package(s): python
CVE #(s): CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144
Created: August 1, 2008
Updated: November 1, 2010
Description: From the Gentoo advisory: Multiple vulnerabilities in Python may allow for the execution of arbitrary code. A remote attacker could exploit these vulnerabilities in Python applications or daemons that pass user-controlled input to vulnerable functions. Exploitation might lead to the execution of arbitrary code or a Denial of Service. Vulnerabilities within the hashlib might lead to weakened cryptographic protection of data integrity or authenticity.
Comments (none posted)
RealPlayer: buffer overflow
Package(s): RealPlayer
CVE #(s): CVE-2007-5400
Created: July 31, 2008
Updated: June 9, 2009
Description: RealPlayer is susceptible to a buffer overflow. From the national vulnerability database entry: Heap-based buffer overflow in the Shockwave Flash (SWF) frame handling in RealNetworks RealPlayer 10.5 Build 6.0.12.1483 might allow remote attackers to execute arbitrary code via a crafted SWF file.
Comments (none posted)
trac: multiple vulnerabilities
Package(s): trac
CVE #(s): CVE-2008-2951, CVE-2008-3328
Created: July 31, 2008
Updated: August 6, 2008
Description: The trac integrated software management system has two vulnerabilities. From the Fedora alert:
CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.
CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Comments (none posted)
vlc: multiple vulnerabilities
Package(s): vlc
CVE #(s): CVE-2008-2147, CVE-2008-2430
Created: August 1, 2008
Updated: June 18, 2009
Description: From the Gentoo advisory: Remi Denis-Courmont reported that VLC loads plugins from the current working directory in an unsafe manner (CVE-2008-2147). Alin Rad Pop (Secunia Research) reported an integer overflow error in the Open() function in the file modules/demux/wav.c (CVE-2008-2430).
Comments (none posted)
Page editor: Jake Edge