Security
OLS: Smack for embedded devices
The Simplified Mandatory Access Control Kernel (Smack) is a Linux access control mechanism akin to SELinux. As its name would imply, it is a much less complex scheme that requires far fewer resources than SELinux, which may make it more palatable to developers of embedded systems. Smack developer Casey Schaufler gave a talk at the recent Ottawa Linux Symposium (OLS) outlining how it could be used for embedded devices.
Smack has the distinction of being the second user of the Linux Security Module (LSM) kernel interface to be merged into the mainline. This finally put to rest the idea that the LSM might some day be removed from the kernel, requiring all security solutions to be implemented in terms of SELinux. But Smack comes at Mandatory Access Control (MAC)—which is at the heart of both SELinux and Smack—from a different perspective. Schaufler believes that MAC rules should be explicitly specified rather than implicit in a set of policies a la SELinux.
In order to get everyone up to speed, Schaufler gave an overview of MAC and Smack. The main thing to remember about MAC is that it is not user controlled. The system makes all decisions about access and the attributes of files that govern access. The standard UNIX model, by way of comparison, is a Discretionary Access Control (DAC) system, where users can change the security attributes of objects under their control.
Smack relies on labels for subjects, which are active entities, and objects, which are passive. An access is then an operation performed by a subject, generally a task/process, on an object, which is typically a file. To determine whether the access succeeds or fails, Smack compares the subject and object labels: if they match, access is granted; if they do not match, the explicit access rules are consulted. If one of those rules matches the attempted access, it is granted; otherwise it is denied.
There are three system labels defined, along with access rules governing their behavior, but all other rules must be explicitly added by the administrator. Labels are simply strings up to 23 characters long. Rules then specify a subject label, an object label, and a desired access (read, write, execute, append). After mounting a smackfs filesystem at /smack, rules can be written to /smack/load, which stores them in the kernel for immediate use.
It is important to note that objects inherit the label of the subject that creates them. That means that the label on an executable is only relevant for determining whether the subject process is allowed to execute it. The process that gets created has the label of the subject that executed it, not the label associated with the executable file. The same goes for processes that create files: those files get the label of the process. This is very different from the SELinux label inheritance rules.
There is more to it, of course, but not a lot more, which is what makes it attractive to some. Interested readers are directed to our article, Schaufler's OLS paper [PDF], or the Smack home page for more detailed looks at Smack.
Schaufler outlined specific reasons that a simplified system, like Smack, would be attractive in the embedded world. Many embedded devices are single-purpose and geared towards one user. Because cost is often a major factor, the device only needs to implement the exact set of functions that it is meant to provide. As Schaufler puts it: "feature completeness is uninteresting".
Cost often plays a role in the amount of system resources provided, particularly RAM and flash, as well. A solution that uses less memory fits well with the embedded mindset. There have been some efforts to pare down SELinux and its enormous policy file for the embedded world (including a paper at OLS [PDF], and a presentation at the Embedded Linux Conference that we covered briefly), but it is still rather large. It is also a great deal more complex than Smack, which was a major thrust of Schaufler's presentation.
One problematic area for putting SELinux on embedded devices is that most flash filesystems do not have support for extended attributes (xattrs). Both Smack and SELinux use xattrs to store labels for files, but Smack can provide a default label for an entire filesystem to avoid requiring xattr support. Also, system files automatically default to the "_" (called floor) label so, in many cases, labels on individual files may not be required.
In his talk, Schaufler gave several examples of specific sets of applications and how they could be easily cordoned off from each other while still working together. The model he used was of a mobile phone with multiple applications. The phone's system data would have the default floor label which means they can be read—but not written—by a process with any label.
One of Schaufler's examples was of two different applications that each retrieved content from the network to display to a user. Each retrieved headlines from different services, one from CNN, the other from ESPN. At times the content might overlap, in which case the phone vendor wanted each to be able to read the other's data, potentially displaying a sports story as part of the regular news or vice versa. This is easily handled by two Smack rules:
ESPN CNN r
CNN ESPN r
Assuming that the CNN application runs with the CNN label, and the ESPN process with ESPN, they can each read and write their own private data (because the labels match). Because of the two rules above, they can also read each other's private data. If at some point the phone provider decided those two applications should not be able to share data, those rules simply need to be removed; no filesystem relabeling or anything else is required.
Another example that Schaufler gave was of a video process and an audio process that cooperated in sharing system resources by sending messages to each other. They had no need to share data, just to send UDP messages. In Smack, a process can send a UDP packet if it has write access to the label of the other process. So the following Smack rules could be used:
Video Audio w
Audio Video w
One might expect that giving write permission would allow Video, for example, to write to data with the Audio label. This is not the case because UNIX file semantics require read access in order to write file data (because the inode of the file must be read). So under this set of rules, each can send (and receive) UDP packets from the other process, but cannot access any of the data labeled for the other process.
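The label-matching and rule lookup described above, modelled in a few lines of Python as an added example (not code from the article or from the Smack project). The rule syntax, the floor label "_", and the "file writes need read access" and "UDP needs write to the peer label" behaviour follow the article; the helper names are my own.

```python
# Model of Smack's access decision as described in the OLS talk (added
# example, not Smack code). Rules use the "subject object access" lines
# that would be written to /smack/load; "_" is the floor label.

FLOOR = "_"  # system label: the article says any subject may read it, not write it

def parse_rules(text):
    """Parse 'subject object modes' lines into {(subject, object): set(modes)}."""
    rules = {}
    for line in text.strip().splitlines():
        subject, obj, modes = line.split()
        rules[(subject, obj)] = set(modes)   # modes drawn from r, w, x, a
    return rules

def smack_access(rules, subject, obj, wanted):
    """True if 'subject' is allowed every mode in 'wanted' on an object labelled 'obj'."""
    wanted = set(wanted)
    if subject == obj:                      # matching labels: always granted
        return True
    if obj == FLOOR:                        # floor: read-only for everyone
        return wanted <= {"r"}
    # Otherwise only an explicit rule can grant the access.
    return wanted <= rules.get((subject, obj), set())

def can_write_file(rules, subject, file_label):
    """Writing file data needs read access as well (the inode must be read)."""
    return smack_access(rules, subject, file_label, "rw")

def can_send_udp(rules, sender, receiver_label):
    """A UDP packet is delivered if the sender may write to the receiver's label."""
    return smack_access(rules, sender, receiver_label, "w")

# Constructed rule set: the two examples from the talk loaded together.
TALK_RULES = parse_rules("""
ESPN CNN r
CNN ESPN r
Video Audio w
Audio Video w
""")

if __name__ == "__main__":
    print("ESPN reads CNN data:", smack_access(TALK_RULES, "ESPN", "CNN", "r"))
    print("Video sends UDP to Audio:", can_send_udp(TALK_RULES, "Video", "Audio"))
    print("Video writes Audio's files:", can_write_file(TALK_RULES, "Video", "Audio"))
```

Removing a rule (for instance if the two news applications should no longer share data) is just deleting its line from the rule text; no object needs relabelling, which is the point the article makes.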
Schaufler had some other examples in his presentation (slides [PDF]), that were geared more towards exploring Smack capabilities than specifically at embedded applications. He concluded by directly comparing Smack and SELinux in terms of complexity. Clearly Smack is vastly simpler; whether it has enough capabilities to provide the protection that embedded developers require remains to be seen. On the other hand, whether SELinux can be made to work reasonably in embedded environments is also an outstanding question. It will be interesting to watch.
Brief items
Phishing Kits Widely Compromised To Steal From Phishers (Information Week)
For your amusement: Information Week reports from a USENIX talk about compromised phishing kits. "In January, Netcraft security researcher Paul Mutton identified a phishing tool kit distributed by a group of Moroccan cybercriminals that had been compromised with a back door. Unbeknownst to its users, the phishing kit sent copies of stolen information to its creators. Now it turns out that more than 40% of the live phishing kits found online (61 out of 150) have back doors designed to steal from the information thieves using them." The moral is clear: one should always stick with open-source malware.
New vulnerabilities
drupal: session fixation
Package(s): drupal
CVE #(s): none
Created: August 1, 2008
Updated: August 6, 2008
Description: From this Drupal advisory: When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another users' initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access.
Alerts:
filezilla: unsecured data transfers
Package(s): filezilla
CVE #(s): none
Created: August 1, 2008
Updated: August 6, 2008
Description: From the FileZilla homepage: FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are handled on SSL/TLS secured data transfers.
Alerts:
httrack: buffer overflow
Package(s): httrack
CVE #(s): CVE-2008-3429
Created: August 1, 2008
Updated: September 12, 2008
Description: From the Debian advisory: Joan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing to execute arbitrary code when passed excessively long URLs.
Alerts:
java-1.5.0-ibm: buffer overflow
Package(s): java-1.5.0-ibm
CVE #(s): CVE-2008-3108
Created: July 31, 2008
Updated: November 18, 2009
Description: IBM Java has a buffer overflow vulnerability. From the CVE database entry: Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain privileges via unspecified vectors related to font processing.
Alerts:
libxslt: heap buffer overflow
Package(s): libxslt
CVE #(s): CVE-2008-2935
Created: July 31, 2008
Updated: October 27, 2008
Description: From the Red Hat alert: A heap buffer overflow flaw was discovered in the RC4 libxslt library extension. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute arbitrary code with the privileges of the application using the libxslt library to perform XSL transformations on untrusted XSL style sheets.
Alerts:
nfs-utils: access restriction problem
Package(s): nfs-utils
CVE #(s): CVE-2008-1376
Created: July 31, 2008
Updated: May 21, 2009
Description: nfs-utils has an access restriction problem. From the Red Hat alert: A flaw was found in the nfs-utils package build. The nfs-utils package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not.
Alerts:
opensc: unauthorized PIN change
Package(s): opensc
CVE #(s): CVE-2008-2235 CVE-2008-3972
Created: August 4, 2008
Updated: June 1, 2009
Description: From the Debian advisory: Chaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN. With this bug anyone can change a user PIN without having the PIN or PUK or the superuser's PIN or PUK. However it can not be used to figure out the PIN. If the PIN on your card is still the same you always had, there's a reasonable chance that this vulnerability has not been exploited. This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised with OpenSC. Users of other smart cards and USB crypto tokens, or cards that have been initialised with some software other than OpenSC, are not affected.
Alerts:
pan: execution of arbitrary code
Package(s): pan
CVE #(s): CVE-2008-2363
Created: August 1, 2008
Updated: October 8, 2009
Description: From the Gentoo advisory: Pavel Polischouk reported a boundary error in the PartsBatch class when processing .nzb files. A remote attacker could entice a user to open a specially crafted .nzb file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Alerts:
pdns-recursor: weak random number generator
Package(s): pdns-recursor
CVE #(s): CVE-2008-3217
Created: July 31, 2008
Updated: August 21, 2008
Description: The PowerDNS Recursor non-authoritative/recursing DNS server has a vulnerability involving a weak random number generator that is used for source port selection. This simplifies the process of generating remote attack vectors for conducting DNS cache poisoning.
Alerts:
phpMyAdmin: cross-site framing vulnerability
Package(s): phpMyAdmin
CVE #(s): none
Created: July 31, 2008
Updated: August 6, 2008
Description: phpMyAdmin has a cross-site framing vulnerability, described here: "It was permitted to display phpMyAdmin's frames inside another page, opening phishing or fooling possibilities; now, a parameter AllowThirdPartyFraming must be set to true in config.inc.php to allow this behavior. Also, XSS was possible for someone who could overwrite config/config.inc.php during the time this file is present in this directory."
Alerts:
pidgin: memory leak
Package(s): pidgin gaim
CVE #(s): CVE-2008-2956
Created: August 6, 2008
Updated: August 6, 2008
Description: Pidgin 2.0.0 ("and possibly other versions") contains a memory leak which is exploitable for a denial of service attack.
Alerts:
python: multiple vulnerabilities
Package(s): python
CVE #(s): CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144
Created: August 1, 2008
Updated: November 1, 2010
Description: From the Gentoo advisory: Multiple vulnerabilities in Python may allow for the execution of arbitrary code. A remote attacker could exploit these vulnerabilities in Python applications or daemons that pass user-controlled input to vulnerable functions. Exploitation might lead to the execution of arbitrary code or a Denial of Service. Vulnerabilities within the hashlib might lead to weakened cryptographic protection of data integrity or authenticity.
Alerts:
RealPlayer: buffer overflow
Package(s): RealPlayer
CVE #(s): CVE-2007-5400
Created: July 31, 2008
Updated: December 16, 2013
Description: RealPlayer is susceptible to a buffer overflow. From the national vulnerability database entry: Heap-based buffer overflow in the Shockwave Flash (SWF) frame handling in RealNetworks RealPlayer 10.5 Build 6.0.12.1483 might allow remote attackers to execute arbitrary code via a crafted SWF file.
Alerts:
trac: multiple vulnerabilities
Package(s): trac
CVE #(s): CVE-2008-2951 CVE-2008-3328
Created: July 31, 2008
Updated: August 6, 2008
Description: The trac integrated software management system has two vulnerabilities. From the Fedora alert: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
Alerts:
vlc: multiple vulnerabilities
Package(s): vlc
CVE #(s): CVE-2008-2147 CVE-2008-2430
Created: August 1, 2008
Updated: June 18, 2009
Description: From the Gentoo advisory: Remi Denis-Courmont reported that VLC loads plugins from the current working directory in an unsafe manner (CVE-2008-2147). Alin Rad Pop (Secunia Research) reported an integer overflow error in the Open() function in the file modules/demux/wav.c (CVE-2008-2430).
Alerts:
Page editor: Jake Edge