Domain: nailabs.com
Stories and comments across the archive that link to nailabs.com.
Comments · 9
-
Access control lists no, mandatory security yesAccess control lists are a primitive in search of a security policy. You don't want users, or even sysadmins, manipulating them directly. You want some defined security policy that they enforce, with tools that insure that all the access control lists are consistent with the security policy.
Mandatory security is the way to go. NSA Secure Linux and LOMAC are the best known steps in that direction. LOMAC, from Network Associates, was a big step in the right direction. NA did that for Linux, made it open source, but stopped development a while back, possibly because Microsoft got nervous about improved Linux security. (Microsoft is known to have lobbied heavily against NSA Secure Linux.)
The problem with mandatory security is that it really works. You then have to go and fix all the tools that cross security boundaries and shouldn't.
The key project here would be to take NSA Secure Linux or LOMAC and make a mail server, a DNS server, and Apache work within the restrictions. That would be very, very useful.
-
Re:I think there is
> Isn't Trusted Solaris basically just this? At an OS level, you associate trust levels that permeate throughout your network.
I think this kind of approach is better than creating virtual machine sandboxes that still run the old weak UNIX security model. If someone 0wns your sandboxed apache, they can still likely cause
a DoS with it, or propogate worms, or pretty much anything really.
Good use of iptables and linux "capabilities" can help a lot with limiting what an application can do, but still don't go far enough, IMHO.
Look at projects like SELinux, LIDS, RSBAC, LOMAC
for examples of "free software" alternate security models.
And yeah, they're a pain for development, but then so is trying to program securely :)
- MugginsM -
LOMAC - Perl tainting for LinuxLOMAC has some promise. They have a good idea: there are two integrity levels, high and low. Everything that comes in from the net is at low level, and can't affect anything that is at high level. Level is carried around with files, processes, etc. This severely limits what can be done from the outside.
This has real potential for locked-down servers, kiosk systems, etc. It's a bit stringent for most desktops. But it's not too hard to use.
-
How open source can deal with thisThe right answer to this is for the open source community to put security into UNIX/Linux that can confine hostile code. You should be able to open any executable content from a browser without risk. This is what FreeBSD jails and LOMAC are for. But browsers need to be compatible with such things.
The basic idea is that you need to be able to run executable code under OS-enforced restrictions that are similar to the restrictions on Java applets. A legitimate Active-X control, for example, needs to talk to its window, its site, and the instance of the rendering engine for the current page. That's a jail-type application. FreeBSD has this now, but browsers don't use it.
The LOMAC system is more general. It's like Perl tainting, for the whole OS. You can download some application from the Internet, but it can't do anything to data that didn't come from the Internet. Games, for example, fit well into this model.
Rather than whining about Microsoft's sign-everything approach, the Linux community needs to develop security technologies like these that provide real security. This is better than what Microsoft is proposing. And most of the hard work is already done. The main task is to get the browser people to use it.
This makes a lot of sense for the Mozilla project to do, making them a superior alternative to IE. But their code base may be too big to try this easily. The process architecture of the browser, at the "who talks to what" level, needs to be redesigned with security in mind. Basically, the rendering engine for each page needs to be in a separate process with limited privileges. This has impacts on many browser features, although the main rendering task isn't impacted much.
Think of it as a firewall inside the browser.
-
Re:Complacence will get us nowhere
NSA Security-Enhanced Linux (SELinux)
implements flexible and fine-grained mandatory access controls for Linux.
These controls can be used to confine processes (including superuser processes)
to least privilege, to protect the integrity and confidentiality of processes
and data, and to support protected subsystems or assured pipelines. SELinux
is available under the GNU General Public License. -
Re:BSD?Actually, our favorite branch of our favorite government agency (DARPA, DoD) is funding a lot of work for both. For instance, CBOSS is a contract that NAI Labs recently won to start funding such things as SELinux and LOMAC.
For what it's worth, LOMAC is an example of a project currently underway andbeing developed for Linux and FreeBSD both, so it is not only Linux that is getting security projecs funded for it (^_^)
Disclaimer: I am an employee of NAI Labs, not that it makes this information less relevant.
-
Re:BSD?Actually, our favorite branch of our favorite government agency (DARPA, DoD) is funding a lot of work for both. For instance, CBOSS is a contract that NAI Labs recently won to start funding such things as SELinux and LOMAC.
For what it's worth, LOMAC is an example of a project currently underway andbeing developed for Linux and FreeBSD both, so it is not only Linux that is getting security projecs funded for it (^_^)
Disclaimer: I am an employee of NAI Labs, not that it makes this information less relevant.
-
Re:BSD?Actually, our favorite branch of our favorite government agency (DARPA, DoD) is funding a lot of work for both. For instance, CBOSS is a contract that NAI Labs recently won to start funding such things as SELinux and LOMAC.
For what it's worth, LOMAC is an example of a project currently underway andbeing developed for Linux and FreeBSD both, so it is not only Linux that is getting security projecs funded for it (^_^)
Disclaimer: I am an employee of NAI Labs, not that it makes this information less relevant.
-
SELinux or NSALinux == NAILinux ??
Interesting, while looking at this page, I noticed a link for SELinux / NSALinux. Apparently NAI is the developer of this distro? The page at NAI with information concerning their involvement with SELinux / NSALinux may be found here.
Perhaps this distro is not as 'corrupt' or biased as initially thought.