Walsh: Introducing the SELinux Sandbox
Posted May 28, 2009 22:31 UTC (Thu) by nix (subscriber, #2304)
In reply to: Walsh: Introducing the SELinux Sandbox by hozelda
Parent article: Walsh: Introducing the SELinux Sandbox
In fact, mentioning VMWare is redundant since we already know we can't trust closed source companies or their binary-only products.

More generally, the claim (whether stated or implied is not relevant: this is the claim as everyone understands it) that security systems make is that modulo bugs they provide some level of security. Of course, unless the system is utterly trivial, there are always bugs: but that doesn't mean the system is useless. It just means that it cannot keep out a sufficiently determined attacker.

Brad and PaXTeam assert (although they will doubtless deny this as part of the charmless dance of evasion they both employ whenever their reasoning is faulty) that this renders all such security systems worthless. But this is nonsense. The lock on my front door will not keep out an attacker who is determined enough to wade through plant growth and break my kitchen window. This is easy to detect --- but my house security systems also won't keep out an attacker who cuts through the glass of the patio door, which can be done nearly silently with enough care. The thing is that most attackers simply aren't going to do that: it's difficult and annoying and they're more likely to simply skip the house and go on to the next one, unless this is a targeted attack. The only way to keep out targeted attacks from such people is to go and live on a military base: but that merely opens me to attacks from much more powerful actors, who in time of war are likely to attack the military base and take me out as collateral damage, without even meaning to, but who wouldn't bother attacking a single anonymous house in the suburbs.

If you are under targeted attack by a sufficiently determined and ingenious attacker --- the sort of person Brad appears to be considering, who is willing to search for new remote and local vulnerabilities, write exploits for them, and target specific sites with them --- then you're in serious trouble and the best thing to do is simply get off the net until they go away (this is hardly optimal, but improving it is really up to law enforcement or network infrastructure: there's nothing individuals can sanely do). In the case where the attacker finds an exploit for a new vulnerability and launches mass attacks with it, we are somewhat protected by techniques such as ASLR, which can make many classes of exploit more *likely* to fail: mass attackers are likely to give up and go on to the next host before then. This is exactly the same sort of 'defense in depth' with non-100%-perfect but make-cracks-harder systems that Brad has been disparaging. (The strange thing is that a lot of the defences in grsecurity are of this type, so Brad obviously knows this. I'd be stunned if he didn't, 'cos it's security 101 stuff.)

All this is true no matter what security system you are discussing. All security systems for commodity OSes are really there to keep out mass attacks and attacks by the non-ingenious. Thankfully, nearly all attacks are of these classes.