Date: Fri, 15 Aug 2003 12:56:10 -0700
From: Crispin Cowan <crispin@...unix.com>
To: Balwinder Singh <balwinder@....net>
Cc: bugtraq@...urityfocus.com, provos@...i.umich.edu
Subject: Re: Need help. Proof of concept 100% security.


Balwinder Singh wrote:

>I have developed an application, which I believe can provide 100%
>security against various attacks. I can hear people laughing. Hmm..
>The application is called Execution Flow Control (EFC).
>Details of software can be found at http://203.197.88.14/efc
>
This sounds somewhat similar to our SubDomain 
<http://immunix.org/subdomain.html> product, which profiles applications 
in terms of what files they may access. It sounds very similar to the 
approach taken by Systrace 
<http://www.citi.umich.edu/u/provos/systrace/>, Okena 
<http://newsroom.cisco.com/dlls/corp_012403.html> and Entercept 
<http://www.entercept.com/>, which like EFC, profile applications in 
terms of which system calls they may invoke.

At least Systrace also allows you to profile the arguments presented to 
syscalls, so you can fake SubDomain's file access control paradigm. This 
is important, because "touch /etc/pointless" is rather different from 
"touch /etc/hosts.allow". It is unclear from the EFC documents if EFC 
supports argument profiling.

The advantages of syscall access control:

    * more expressive: if you know that application Foo has no business
      calling e.g. mkdir, then you can catch exploits that try to
      leverage that kind of thing.

The advantages of SubDomain:

    * It is easier to generate a file access profile for an application
      than a syscall profile. Instead, SubDomain just has a long list of
      prohibited/dangerous syscalls for confined applications, letting
      the admin think about important stuff (which files to grant access
      to) and ignore less important stuff (who cares if *this* app calls
      getpid?).
    * Syscall mediation is prone to race conditions inside the kernel if
      it is implemented using syscall interposition.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/
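As an added illustration of the two points made in the mail above (why argument profiling matters, and why check-then-use interposition races), this is a toy reference monitor written for this archive page; it is not code from the mail, from SubDomain, Systrace or EFC. The profile, the syscall allow-list and the flag names are constructed for the example.

```python
import fnmatch

# Constructed SubDomain-style profile for a hypothetical confined app:
# path glob -> permitted operations. /etc/hosts.allow is read-only here.
FILE_PROFILE = {"/etc/hosts.allow": "r", "/etc/pointless": "rw", "/tmp/*": "rw"}
# Constructed syscall-name-only policy of the kind the mail contrasts it with.
SYSCALL_ALLOW = {"open", "close", "write", "getpid"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}

def syscall_only(name, args):
    """Looks at the syscall name alone: cannot tell the two touches apart."""
    return name in SYSCALL_ALLOW

def argument_aware(name, args):
    """Also profiles the arguments of open(), as Systrace/SubDomain can."""
    if name not in SYSCALL_ALLOW:
        return False
    if name != "open":
        return True
    path, flags = args
    need = "w" if WRITE_FLAGS & set(flags) else "r"
    for pattern, perms in FILE_PROFILE.items():
        if fnmatch.fnmatchcase(path, pattern):
            return need in perms
    return False  # default deny for paths the profile does not mention

class UserBuffer:
    """Models the user-space string that an open() pointer argument refers to."""
    def __init__(self, s):
        self.value = s

def mediate_rereading(buf, flags, concurrent_writer=None):
    """Interposer reads the argument, decides, then the kernel reads it again.
    If the buffer changes in between, the decision and the path actually
    opened disagree: the in-kernel race the mail warns about."""
    decision = argument_aware("open", (buf.value, flags))
    if concurrent_writer:
        concurrent_writer(buf)   # models another thread touching the buffer
    return decision, buf.value

def mediate_snapshot(buf, flags, concurrent_writer=None):
    """Interposer copies the argument once and hands that same copy onward,
    so the check and the use always refer to the same value."""
    path = str(buf.value)
    decision = argument_aware("open", (path, flags))
    if concurrent_writer:
        concurrent_writer(buf)
    return decision, path
```

The syscall-only policy returns the same verdict for writing /etc/pointless and /etc/hosts.allow; the argument-aware one separates them, but only the snapshot variant guarantees that the verdict applies to the path that is really opened.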



