Security
Umbrella 0.7
This week the Umbrella team released version 0.7 of Umbrella, a "security mechanism" that implements Process-Based Access Control (PBAC) and authentication of signed binaries for Linux. Since Umbrella 0.7 is the first feature complete release, we thought now might be a good time to take a look at the project. Kristian Sørensen, one of the Umbrella Team members, was kind enough to respond to our questions about Umbrella.
While on the surface Umbrella sounds a bit like Security-Enhanced Linux or other such systems, Sørensen pointed out that Umbrella is designed for consumer devices rather than general-purpose servers or other systems, though it might be useful for "specific server environments".
Sørensen provided this explanation of Umbrella:
There are two categories of policies: File system restrictions (FSR) and Capability restrictions (CR). An FSR is simply a path (e.g. /etc/passwd), which restricts the process having this policy from accessing that file. If the restriction were "/etc" the entire directory is off limits, and thus a restriction on "/" denies access to the entire file system. The capability restrictions are non-file system restrictions, such as creation of sockets (IP networking, bluetooth etc.), sending signals, creation of new processes etc.
Umbrella has no need for a security administrator to manage the security policy of an entire system. Umbrella relies on the programmers to embed the security policy into programs. This is done in a very simple manner: by replacing fork() with rfork() and by embedding execute restrictions in the binary.
The security policy in the binaries (both rfork and execute restrictions) is protected by a digital signature: a signed SHA1 hash of the binary is placed in the ELF header, and checked at the time of execution. If the binary or its restrictions have been tampered with, the hash will not match and the binary is denied access to run. In order for the signed binaries to be authenticated in the first place, the public key of the vendor must be placed within the key ring of Umbrella.
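The FSR semantics described above (a restriction on a directory covers everything beneath it, "/" covers the whole file system) hide a check that is easy to get wrong: a plain string-prefix comparison both over-matches ("/etc" would also cover "/etcetera") and is bypassed by an unnormalised path such as "/var/../etc/passwd". The following is an added illustration written for this article, not Umbrella's code; Umbrella enforces its policy inside the kernel, where the path has already been resolved, whereas this user-space model canonicalises the string itself. The function names, the fail-closed handling of malformed paths and the naive variant shown for contrast are all this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Canonicalise an absolute path: collapse "//" and "/.", resolve "/..",
 * drop a trailing slash. Returns false for a relative path or when the
 * result does not fit in out. Symlinks are NOT resolved here; a real
 * enforcement point must operate on the resolved path (assumption of
 * this illustration, not a statement about Umbrella's implementation). */
static bool canon_path(const char *in, char *out, size_t outsz)
{
    if (in[0] != '/' || outsz < 2)
        return false;
    size_t len = 0;                     /* bytes of canonical output so far */
    out[len++] = '/';
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;          /* skip a run of slashes */
        if (!*p) break;
        const char *comp = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - comp);
        if (clen == 1 && comp[0] == '.')
            continue;                   /* "." is a no-op */
        if (clen == 2 && comp[0] == '.' && comp[1] == '.') {
            /* ".." pops the last component; stays at the root if already there */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;         /* drop the slash that preceded it */
            continue;
        }
        if (len > 1) {
            if (len + 1 >= outsz) return false;
            out[len++] = '/';
        }
        if (len + clen >= outsz) return false;
        memcpy(out + len, comp, clen);
        len += clen;
    }
    out[len] = '\0';
    return true;
}

/* True if canonical restriction r covers canonical path p: identical, or p
 * lies below directory r. Matching is per path component, so "/etc" covers
 * "/etc/passwd" but not "/etcetera"; "/" covers everything. */
static bool fsr_covers(const char *r, const char *p)
{
    size_t rl = strlen(r);
    if (rl == 1)                        /* r is "/" */
        return true;
    if (strncmp(r, p, rl) != 0)
        return false;
    return p[rl] == '\0' || p[rl] == '/';
}

/* Evaluate a process's FSR list against a requested path. Returns true when
 * access must be denied; relative or malformed paths are denied (fail closed). */
bool fsr_denies(const char *const *restrictions, size_t n, const char *path)
{
    char cp[4096], cr[4096];
    if (!canon_path(path, cp, sizeof cp))
        return true;
    for (size_t i = 0; i < n; i++) {
        if (!canon_path(restrictions[i], cr, sizeof cr))
            return true;                /* malformed policy entry: fail closed */
        if (fsr_covers(cr, cp))
            return true;
    }
    return false;
}

/* The naive first cut: a raw string prefix. Kept only to show the two
 * failure modes (over-match and ".." bypass) that the hardened check fixes. */
bool fsr_denies_naive(const char *const *restrictions, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(restrictions[i], path, strlen(restrictions[i])) == 0)
            return true;
    return false;
}

int main(void)
{
    const char *const policy[] = { "/etc", "/home" };
    const char *probe[] = { "/etc/passwd", "/etcetera/x", "/var/../etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s naive=%d hardened=%d\n", probe[i],
               fsr_denies_naive(policy, 2, probe[i]), fsr_denies(policy, 2, probe[i]));
    return 0;
}
```

The probes in main show the difference: the naive check wrongly denies "/etcetera/x" and wrongly allows "/var/../etc/passwd", while the component-aware check after canonicalisation gets both right.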
Umbrella requires a 2.6.9 kernel (or later) and includes a kernel patch, the Umbrella library and a user-space program. Binaries that will be restricted by Umbrella need to be signed using Bsign and GnuPG. Umbrella and DigSig are the only projects this author is aware of that check digital signatures of binaries. The policy for the application is stored in the binary itself.
Since Umbrella can be used to restrict binaries unless they are signed by an authority, we asked Sørensen if Umbrella was similar to so-called "trusted computing" efforts. Sørensen confirmed that Umbrella was "related to 'trusted computing'".
While it's desirable to prevent attacks on consumer electronics devices, we asked if Umbrella could also be used to prevent users from "hacking" devices to expand the capabilities of a device -- something that may not be desirable from the end-user's point of view. Sørensen acknowledged that a device could be designed so that it would be "very difficult" for a user to "tamper with the software of the device".
What about performance? Sørensen said that the team had just finished benchmarking Umbrella, and found that it had "between 2.5% and 4.5% overhead, depending on how the system is stressed. Thus, having Umbrella in the kernel is not noticeable".
According to Sørensen, the Umbrella project started as a master's project, but he plans to start a company called Linnovative in the fall, based on the Umbrella technology.
It should be interesting to see how Umbrella develops and whether this approach catches on. It is simpler than SELinux, but doesn't look suitable for use in general systems at this time -- which is a shame, as it would be nice to have a simpler system that's usable for general purpose server and desktop systems. However, Umbrella may be another tool that helps Linux gain acceptance in the embedded and consumer electronics market.
New vulnerabilities
ethereal: buffer overflow
Package(s): ethereal
CVE #(s): CAN-2005-0739
Created: April 28, 2005
Updated: May 4, 2005
Description: The IAPP dissector of Ethereal is vulnerable to a buffer overflow. A remote attacker may be able to create a special network packet in order to take advantage of the problem.
gzip: race condition and directory traversal
Package(s): gzip
CVE #(s): CAN-2005-0988 CAN-2005-1228
Created: May 4, 2005
Updated: July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
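The -N option makes gzip restore the original file name stored in the member header, so a header whose name field contains "../" components can steer the output outside the working directory. The code below is an added illustration for this entry, not gzip's own source: it parses the FNAME field of a constructed gzip header and shows the defensive rule of keeping only the final path component. The header bytes are constructed for the example (no compressed data follows, since the parser never reads past the header), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed gzip member header (RFC 1952 layout): ID1 ID2 CM FLG MTIME(4)
 * XFL OS, with only the FNAME flag (0x08) set, followed by the NUL-terminated
 * original name. Not a real capture; built for this illustration. */
static const uint8_t evil_member[] = {
    0x1f, 0x8b, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
    '.', '.', '/', '.', '.', '/', '.', '.', '/',
    'e', 't', 'c', '/', 'c', 'r', 'o', 'n', '.', 'd', '/',
    'e', 'v', 'i', 'l', 0x00
};

#define GZ_FHCRC    0x02
#define GZ_FEXTRA   0x04
#define GZ_FNAME    0x08
#define GZ_FCOMMENT 0x10

/* Extract the FNAME field. Returns 1 with the name copied into out, 0 when
 * the member carries no name, -1 for a malformed or truncated header. */
int gz_stored_name(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return -1;
    uint8_t flg = buf[3];
    size_t pos = 10;
    if (flg & GZ_FEXTRA) {              /* optional extra field precedes FNAME */
        if (pos + 2 > len) return -1;
        size_t xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (xlen > len - pos) return -1;
        pos += xlen;
    }
    if (!(flg & GZ_FNAME))
        return 0;
    size_t start = pos;
    while (pos < len && buf[pos] != 0) pos++;
    if (pos == len) return -1;          /* name never terminated */
    size_t nlen = pos - start;
    if (nlen + 1 > outsz) return -1;
    memcpy(out, buf + start, nlen);
    out[nlen] = '\0';
    return 1;
}

/* The stored name is attacker-controlled input, so it must not be used as an
 * output path verbatim. Keep only the final component and reject names that
 * are still unusable ("", ".", ".."). Returns 1 with the safe name in out,
 * 0 if nothing usable remains. */
int gz_safe_output_name(const char *stored, char *out, size_t outsz)
{
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    if (strlen(base) + 1 > outsz)
        return 0;
    strcpy(out, base);
    return 1;
}

int main(void)
{
    char name[256], safe[256];
    if (gz_stored_name(evil_member, sizeof evil_member, name, sizeof name) == 1) {
        printf("stored name : %s\n", name);
        if (gz_safe_output_name(name, safe, sizeof safe))
            printf("would write : %s (directory part discarded)\n", safe);
    }
    return 0;
}
```

The race condition in the same entry is the other classic pattern of this class: changing the mode of the output file by path name after it has been created, rather than on the open descriptor with fchmod(), leaves a window in which the path can be swapped for another file.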
Horde Framework: multiple XSS vulnerabilities
Package(s): horde
CVE #(s): (none listed)
Created: May 2, 2005
Updated: May 3, 2005
Description: Cross-site scripting vulnerabilities have been discovered in various modules of the Horde Framework.
ImageMagick: heap corruption
Package(s): ImageMagick
CVE #(s): CAN-2005-1275
Created: April 28, 2005
Updated: May 25, 2005
Description: ImageMagick 6.2.1 and earlier has a heap corruption problem in the pnm coder.
infozip: privilege escalation, directory-traversal
Package(s): infozip
CVE #(s): CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created: May 2, 2005
Updated: August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
libnet-ssleay-perl: weakened cryptographic operations
Package(s): libnet-ssleay-perl
CVE #(s): CAN-2005-0106
Created: May 3, 2005
Updated: January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
phpMyAdmin: insecure SQL script installation
Package(s): phpMyAdmin
CVE #(s): (none listed)
Created: May 2, 2005
Updated: May 3, 2005
Description: The phpMyAdmin installation process leaves the SQL install script with insecure permissions. A local attacker could exploit this vulnerability to obtain the initial phpMyAdmin password and from there obtain information about databases accessible by phpMyAdmin.
postgresql: database initialization errors
Package(s): postgresql
CVE #(s): CAN-2005-1409 CAN-2005-1410
Created: May 4, 2005
Updated: February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See this advisory for details and workarounds.
Pound: buffer overflow
Package(s): pound
CVE #(s): CVE-2005-1391
Created: May 2, 2005
Updated: January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request for an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
prozilla: format string vulnerabilities
Package(s): prozilla
CVE #(s): CAN-2005-0523
Created: May 4, 2005
Updated: May 4, 2005
Description: Several format string vulnerabilities have been found in prozilla; an exploit requires a malicious server.
smartlist: wrong input processing
Package(s): smartlist
CVE #(s): CAN-2005-0157
Created: May 3, 2005
Updated: May 3, 2005
Description: Jeroen van Wolffelaar noticed that the confirm add-on of SmartList, the list manager used on lists.debian.org, could be tricked into subscribing arbitrary addresses to the lists.
tcpdump: multiple DoS issues
Package(s): tcpdump
CVE #(s): CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created: May 2, 2005
Updated: April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280) tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279) The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)
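All three tcpdump issues are the same shape of bug: a dissector walks a packet by repeatedly reading a length field and advancing by it, and a zero (or otherwise too-small) length means the walk never advances. The code below is an added illustration of that pattern and its fix, written for this entry; it is not tcpdump's code and the record format (type byte, length byte counting the whole record, value) is invented for the example, as are the constructed packets and the function names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record streams for this illustration (not real IS-IS, RSVP or
 * GRE captures). Each record is type(1) length(1) value, where length counts
 * the whole record including its two header bytes. */
static const uint8_t good_pkt[]     = { 0x01, 0x04, 0xaa, 0xbb,  0x02, 0x03, 0xcc };
static const uint8_t zero_len_pkt[] = { 0x01, 0x04, 0xaa, 0xbb,  0x02, 0x00 };
static const uint8_t overlong_pkt[] = { 0x01, 0x09, 0xaa };

/* Hardened walk: every record must (a) have room for its header, (b) carry a
 * length that actually advances the cursor, and (c) fit in what remains.
 * Returns the number of records, or -1 if the data is malformed. */
int walk_records(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 2)              /* header does not fit */
            return -1;
        size_t rlen = buf[pos + 1];
        if (rlen < 2)                   /* zero/short length: no progress possible */
            return -1;
        if (rlen > len - pos)           /* record claims more bytes than exist */
            return -1;
        /* value occupies buf[pos + 2 .. pos + rlen - 1]; a dissector prints it here */
        pos += rlen;
        count++;
    }
    return count;
}

/* The vulnerable shape: trusts the length field outright. An iteration cap is
 * added only so the demo can report the hang (-2) instead of suffering it; the
 * real bug class has no such cap. Note it also walks silently past the end of
 * an over-long record instead of reporting an error. */
int walk_records_naive(const uint8_t *buf, size_t len, unsigned cap)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (cap-- == 0)
            return -2;                  /* would spin forever without the cap */
        size_t rlen = buf[pos + 1];     /* zero here means pos never changes */
        pos += rlen;
        count++;
    }
    return count;
}

int main(void)
{
    printf("good:     naive=%d hardened=%d\n",
           walk_records_naive(good_pkt, sizeof good_pkt, 100),
           walk_records(good_pkt, sizeof good_pkt));
    printf("zero len: naive=%d hardened=%d\n",
           walk_records_naive(zero_len_pkt, sizeof zero_len_pkt, 100),
           walk_records(zero_len_pkt, sizeof zero_len_pkt));
    printf("overlong: naive=%d hardened=%d\n",
           walk_records_naive(overlong_pkt, sizeof overlong_pkt, 100),
           walk_records(overlong_pkt, sizeof overlong_pkt));
    return 0;
}
```

The check that matters is the minimum-length test: rejecting any record whose length is smaller than its own header guarantees the cursor moves on every iteration, which is exactly the invariant the affected dissectors lacked.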
Page editor: Jonathan Corbet
Next page:
Kernel development>>