lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6419.1180811687@turing-police.cc.vt.edu>
Date:	Sat, 02 Jun 2007 15:14:47 -0400
From:	Valdis.Kletnieks@...edu
To:	david@...g.hm
Cc:	David Wagner <daw-usenet@...erner.cs.berkeley.edu>,
	linux-kernel@...r.kernel.org
Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

On Sat, 02 Jun 2007 07:27:13 PDT, david@...g.hm said:

> > The type of hardening that AppArmor can provide network-facing daemons is only
> > protecting the system against attacks that aren't even a large part of the
> > threat model.   Exploiting a broken PHP script? Happens all the time, and
> > AppArmor can't do much for it.
> 
> actually, this is _exactly_ where AppArmor is the most useful. if the PHP 
> script is restricted by AppArmor it won't be able to go out and touch 
> things that it's not supposed to.

OK. I'll bite.  AppArmor basically only mediates filename objects.

What filename do you specify to stop it when the exploited PHP script is used
bu a spammer to send mail to millions, when it was intended to send mail only
to a specific set of people?  Wait, that's a tcp connection to localhost:25.

What filename do you specifu to stop blog comment spam and other abuses of a
content management system (remember that the PHP code *does* need write access
to the files in question)?

It might be able to stop J Random SkriptKiddy from scribbling "Y0uz Ben Pwned"
all over your home page, but it doesn't do much to control lots of other abuses
of web apps.  To be fair, SELinux can't help a lot more, because the problem
often ends up being abuse of an access privilege that the program *should*
have - for example, if it's supposed to query the database, it's hard to stop it from making
an inappropriate query at the level that AppArmor and SELinux work at.

I'm not convinced that it's solving enough *actual* problems, given that we've
rejected a lot of other "helps a little in some cases" code for kernel
inclusion.

> if you are targeting one specific company or one specific server then you 
> are correct,

There's a lot of that going around.  And they're the attacks that you need to
worry about, because you're likely to end up as a headline.

>              however most attacks are not that targeted,

There's a big difference between "most attacks" and "most attacks you should
worry about".

>                                                          they do things 
> like useing google to find random servers that are running vunerable 
> software and attack that

Rmember that at a minimum, that also means that you're Goggleable as vulnerable
to attacks that AppArmor can't stop.  And yes, Googling for vulnerable software
*is* one of the primary ways that blog spammers find the vulerable blogs.

If your site is run in such a way that you you have to worry about random
attackers who use google, your site has *bigger* security issues, and thinking
that AppArmor is going to improve things is exactly the sort of smoke screen
magic bullet that we don't want putting in the kernel.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ