Slashdot Mirror

← Back to Stories (view on slashdot.org)

NAI Labs releases LOMAC, a kernel security extension

Posted by Nik on from the security-thru-well-written-code dept.

Tim Fraser writes "NAI Labs has released a new version of the Linux LOMAC kernel extension , their latest in a series of security extension products they're involved with -- ranging from components of TrustedBSD to SELinux. LOMAC provides a drop-in security solution that does not require extensive administration unlike other kinds of Mandatory Access control (MAC). There's a port of LOMAC to FreeBSD in the works. The release announcement has more details.

24 of 62 comments (clear)

  1. Too good to be true? by japhmi · · Score: 2
    Is this really "drop in security?" Can securing a box really be this easy? Does anyone have experience with this program that can talk about how secure it is? Should I switch from OpenBSD?

    (oh, and I think fp, but I'm not sure)

    --
    "Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
    1. Re:Too good to be true? by Lord+of+the+Files · · Score: 5

      The author gave a talk at our lug last week. This is my understanding of what he said.

      Basically LOMAC's goal is to increase security without being intrusive. (Intrusive systems are hard to get people to use). It doesn't protect against everything, or even close to everything. It does make a class of actions which should basically never be done impossible.

      It divides the fs into level 1 and level 2 parts. Level 2 stuff is things like /etc, /usr, and anything else only root should be mucking with. Level 1 is everything else. Programs begin running at level 2, and are demoted to level 1 as soon as they read a level 1 file (or from the network which is considered level 1).

      This keeps someone who compromised your copy of bind running as root from reconfiguring your system. It doesn't stop them from trashing your www data, or anything else going on at level 1.

      i.e. it eliminates a certain class of problems.

      As to it being drop in, it's a kernel module. What is level 1 vs. level 2 in the file system is defined at compile time. There is _no_ configuration, which makes it very easy to use.

      --

      God does not play dice - Einstein

      Not only does God play dice, he sometimes throws them where they

  2. Fantastic by jmallett · · Score: 2

    I'm glad to see Linux stuff catching up with the amount of security technology that has been out there in the world. If only RWatson would port jailng to Linux, it'd be probably one of the best platforms for security, since so much cool stuff does tend to get developed. Fad or not, the attention and dollars that are put into Linux make it worthwhile.
    --

  3. Drop in security? by idistrust · · Score: 3
    I don't think that anything can be drop in security. Somebody's GOT to know what they're doing. Back in the olden days I messed around with Bastille's "drop-in-security" and ended up with a foobar'd system that I couldn't even get into. That's not security, that's just uselessness.

    With all of that aside though, any kind of thing like this has got to be good. When high-up people see that something like Linux is getting support like this, they (in my experience) become a little less afraid of it. Didn't Microsoft claim to have some kind of security certification on NT or something like that? My memory is getting sketchy so there's a damn good chance I'm wrong. But if Linux could have something similar to that... it would definitely be a start. To some people, fancy titles mean everything.

    Mike.

    --

    --Ask a silly person, get a silly answer.

    1. Re:Drop in security? by online-shopper · · Score: 2

      Yeah, MS has a C2(I thinK) rating for a specific config of NT. it's a bunch of BS because that config doens't include network access

    2. Re:Drop in security? by Flower · · Score: 2

      Your information is old and mine will be incomplete sadly to say. NT did get C2 certified on a network under 6 configurations iirc. I remember checking out the story on the MS website and seeing that the configurations would be posted at a later date. After a month or two, I gave up trying to read about these 6 configurations. I assume they are documented somewhere.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    3. Re:Drop in security? by Shirotae · · Score: 2

      See the entry in the Evaluated Products List for the C2 status of NT4 with SP6a and a C2 update. NT4 with SP3 has an E3/F-C2 evaluation from UK ITSEC.

      If you don't already know about these sites, you probably don't want to bother reading the evaluation reports.

  4. Good to see true kernel level security solutions by hillct · · Score: 3

    This is great news for the linux community. It's interestingthat commercial software vendors (vs OSS vendors) seem to think things like this for linux are not viable. Strange. Seems to work for me. Security by closed source is a variant on security through obscurity and we all know what a falacy this is.

    Great Work Guys!

    --CTH

    --

    --

    --Got Lists? | Top 95 Star Wars Line
  5. Ok, so what's so great about it... by Anonymous Coward · · Score: 4

    Am I missing something, but how does this differ from giving every critical file the system immutable flag (under BSDs), then when the box has come up nicely you lift the security level, to something that enforces the chflags and doesn't let you change them?

    Ok, so it's nice to just load it, and all your problems will go away. Anyways the standard user won't use it because they haven't heard of it, and they dont know how to get it or compile it.

    Anyone with more experience about system should use something like LIDS or SELinux, which lets you do much more fine-grained control, and SELinux really rocks in this aspect. Of course SELinux isn't very stable yet, so using it on a web-server maybe ain't the worlds greatest idea, but this is where LIDS comes to play.

    SELinux is of course very cool when building remote administration computers (one computer in the network and all remote administrators has to log in to it, and connect from it to the server they wan't to administer) or shell boxes.

    So I really don't think this is anything great, or?

    1. Re:Ok, so what's so great about it... by Lord+of+the+Files · · Score: 2

      The idea behind LOMAC is that newbies can use it, without it interfering overly much with their normal usage. With one or two exceptions non-root users shouldn't even notice that this has been added.

      As to your suggestion about the immutable flag - that keeps files from getting changed at all by anyone. This keeps files from being changed by any proccess that could have been corrupted. Again, not nearly as intrusive as not being able to modify any system files without rebooting.

      LIDS, SELinux, etc. are great in many situations. LOMAC has uses in others. It's not a better or worse thing.

      --

      God does not play dice - Einstein

      Not only does God play dice, he sometimes throws them where they

    2. Re:Ok, so what's so great about it... by Tim+Fraser · · Score: 3

      Hi!

      LOMAC is my project, and I was among the NAI Labs contractors working on the NSA's SELinux project for a short while, too. SELinux is indeed an excellent technology. I've found SELinux to be extremely stable - I never had any of the released versions of SELinux crash on me in my (roughly) 6 months of usage.

      The NSA's SELinux project and NAI Labs' LOMAC project have different goals. SELinux is designed to provide powerful features like extremely-fine-grained access control and a time-tested highly-general Flask architecture. LOMAC is designed to remain compatible with existing Linux kernels and software, and work without configuration, even at the cost of some features.

      So, the LOMAC LKM is completely specialized towards supporting a single, simple, coarse-grained form of access control. However, it can be loaded into unmodified off-the-CD-ROM Linux kernels, and you don't have to configure it to recognize your local users and applications. SELinux provides many more powerful features, but it requires you do some configuration, and to patch your kernel and some of your applications.

      It's a tradeoff. Depending on your requirements, you may prefer different choices along the features/compatibility line.

      As for the comparison with the immutable flag, LOMAC provides a more flexible solution that allows admins to modify critical files that are immutable to normal users. LOMAC also provides a mechanism to prevent clever attackers from using Trojan horses or input designed to cause buffer overflows to get control of privileged processes.

      There's a complete description in the LOMAC manual on ftp.tislabs.com/pub/lomac, if you're curious.

      - Tim Fraser, NAI Labs

  6. Re:They can call it "secure"... by Ded+Bob · · Score: 2

    If they pretend to audit the code, can they call it secure?

    Since he pretends to be Theo, they can pretend to audit the code. :)

  7. Lomac. by Matt2000 · · Score: 3


    Protect your computer from outside forces, befriend LOMAC of the forest people. He will pound intruders with sticks and release hounds upon persons who would scan your ports.

    He shall call locusts to protect ftp, floods to guard again DoS and will conceal your serial ports with small bushes and shrubbery.

    It is LOMAC! Flee!

    He shall create small burrowing animals to scratch at the shins of Chinese hackers who would defile your graduate hompage. He will attach secret undersea creatures to the undersides of your mouse to protect you against static charges. He will warn you when you sit weird and your leg might fall asleep.

    It is LOMAC! (Score:-1, Retarded).

    --

    1. Re:Lomac. by iomud · · Score: 2

      Sort of reminds me of the LOTHAR sketches on Saturday night live, Loooothar of the hill people... Loooothar...

      funny stuff

    2. Re:Lomac. by Fervent · · Score: 2

      Actually, Lomac reminds me more of "Lojack", the "anti-theft deteriant system".

      --

      - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  8. Re:This is ok but... by Tim+Fraser · · Score: 3

    Hi!

    Thanks for your interest in LOMAC! LOMAC is my project, and I've talked quite a bit with Amon Ott, RSBAC's creator. We'll both be at the Kernel Security Extension BOF at the upcoming USENIX Annual Technical Conference this June.

    LOMAC and RSBAC have different goals. RSBAC's goal is to provide a general framework that can (simultaneously) support a wide variety of access control mechanisms. LOMAC's goal is to be compatible with existing Linux kernels and software. There's a tradeoff between functionality and compatibility: RSBAC provides general support, but requires a kernel patch. The LOMAC LKM supports only one access control mechanism, but it can be loaded into unmodified off-the-CD-ROM Linux kernels.

    I've talked to Amon Ott about porting LOMAC to RSBAC's framework. I'm hoping to do a demo-quality port this summer, if I can find the time.

    Also, LOMAC allows remote administration via SSH.

    - Tim Fraser, NAI Labs

  9. security wall of silence by joq · · Score: 2


    I just wrote a rebuttal to Kurt Seifried's humorous "Why Linux is more secure then OpenBSD" which can be found here.

    So here's my two cents to it all. Having used Linux for some years then switching back to the BSD's (started with FBSD, now running Open for my server, and FBSD @ home) I'd have to say Linux is as much of a Joke as Windows is when it comes to security, and no I don't mean to be a troll.

    People are forgetting some of the core basics involved with security. Auditing. If core codebase was audited prior to releasing a distribution, you wouldn't have that many security advisories coming forward. Sure the process can become tedious especially when your in a large network environment, but why should I run an insecure OS then download an add-on solution, when I could just download OpenBSD for hardcore security?

    Give me a break sure lomac sounds great so does did bastille, so does SE-Linux but these to me are just patches. I'd rather take a secure by default installation any time.

    And oh yea you could respond with limiting services being run, but that still doesn't account for all the patches you have to install because someone just released another advisory for Linux.

    Anyways the article I wrote summarizes some good points and weak ones too. kudos

    J. "sil" Oquendo
    Uncommon Hax0rin6 Methids
    Chief Hax0rin6 Office
    AntiOffline.com
    (security pimps should get a laugh off the sig ;))


    --

    Want Root?
    1. Re:security wall of silence by crucini · · Score: 2
      but why should I run an insecure OS then download an add-on solution, when I could just download OpenBSD for hardcore security?
      OpenBSD does not protect against user error. Like any Unix, it's a springloaded trap - one false move and you've given you're privileges to an attacker. One false move by a root process and the attacker has root. Lomac is clearly trying to prevent this.
      Take for example a program which is not "part of" OpenBSD, hence not audited. It is suid root, and by manipulating an environment variable you can make it read a tainted file from an unprivileged location, resulting in buffer overflow and root. Lomac, as I understand it, would notice that this privileged process read an unprivileged file and demote the privilege of the process. Hence, no root for the attacker.
      Although I agree with you partially; Linux needs more common sense security and less high-tech security addons. I think one reason that NT machines are insecure is that their security model, while admirable, is too complicated.
  10. Re:Drop in security?/' Holy Grail by einhverfr · · Score: 2
    Drop in security is impossible. However, I do agree that these developments will continue to make Linux and other OSS software very attractive to lage companies.

    Of course drop-in security seems to be a bit of a holy grail that many companies continue to quest for be never achieve. See previous posts on eLiza (IBM's attempt at self-policing networks) and other such things (there is an idea-- a firewall that talks back to the admin...).

    I will have to play with this.

    --

    LedgerSMB: Open source Accounting/ERP
  11. But that's what the BSDL is for. . . by Webmonger · · Score: 2

    We just had a debate about this. Some folks say that BSDL is too open, but there's tons and tons of folks who say that only the BSDL is truly free. Well, this the natural consequence of that freedom; of using BSDL-- someone can relicense your code (hell, they can make it closed source). If you weren't prepared for that, if it's an unacceptable possibility, then the BSDL, was not the right license in the first place.

  12. More like Perl tainting by Animats · · Score: 2
    Actually, this works more like Perl's "taint" feature. The basic idea is that everything has an integrity level, and the goal is to prevent information flow upward in integrity level. Processes drop in integrity level if tainted by reading lower-integrity data. They then can't write higher-integrity data. This keeps trojan horses, viruses, and such at the low integrity level. They can still cause trouble to data down there, but not to the higher integrity data. Of course, anything you download and install is stuck at low integrity level. But for many users, that's OK.

    This is much lower-resolution tainting than Perl offers, since entire processes get tainted. This creates a few problems. The designers had to add some gimmickry associated with pipe handling so that you can spawn processes from the shell without tainting the parent shell.

    The whole effort is designed to answer the question "Can mandatory security be made liveable?" Highly secure systems with mandatory security have been built, but are painful to use. This system does have some strong properties, and the authors claim it's usable without too much pain. It's thus a good step in the right direction.

  13. Do not use on server boxes by mind21_98 · · Score: 2

    I just tried using LOMAC on a box that was at a NOC remotely. It locked me completely out of my box, no way of connecting or anything. I'm contacting the NOC at this moment to lead them through de-installation.

    This module is not for you unless it'll be used as a workstation which will not run any servers.

    --
    US businesses that currently accept chip and PIN/signature
    1. Re:Do not use on server boxes by Tim+Fraser · · Score: 2

      Hi.

      Thanks for giving LOMAC a shot; I'm sorry you ran into problems. The early versions of LOMAC did prevent remote administration, as you describe. However, LOMAC releases since 1.0.5 provide an exception to allow remote administration via SSH.

      - Tim Fraser, NAI Labs

  14. hey by apofex · · Score: 2

    So this module would do things like make a exploitable bind hole useless? Why not just chroot jail bind and run something like openbsd with bind 4 (which is not as nasty as bind 8 and the evil swiss cheese bind 9) ??? Just an opinion :)