lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070930190742.GB9358@thunk.org>
Date:	Sun, 30 Sep 2007 15:07:42 -0400
From:	Theodore Tso <tytso@....edu>
To:	Andi Kleen <ak@...e.de>
Cc:	Joshua Brindle <method@...icmethod.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	casey@...aufler-ca.com, torvalds@...ux-foundation.org,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org>,
	Paul Moore <paul.moore@...com>
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

On Sun, Sep 30, 2007 at 07:39:57PM +0200, Andi Kleen wrote:
> > CIPSO also lets systems like SELinux and SMACK talk to other trusted 
> > systems (eg., trusted solaris) in a way they understand. 
> 
> Perhaps, but is the result secure? I have severe doubts.

As always, it depends on your environment.  There are people who are
using Linux systems where trusting the network makes sense.  For
example, if you're on a battleship, say, or all of the machines are in
a cluster which is inside a Tempest-shielded machine room with a
massive combination lock that you might find on a bank vault, or if
you're environment where network cables are protected by pressurized
pipes (so any attempt to tamper with or tap the cables causes a
pressure drop which sets off the alarm which summons the Marines armed
with M-16's...).

(I've been inside classified machine rooms, which is why my laptop has
the 'Unclassified' label on it; it's needed so people can easily
eyeball it and know that I'm not allowed to connect it to any of the
classified networks.  And those are just the less serious machine
rooms.  In the really serious classified areas with the bank
vault-like doors, and the copper-tinted windows, I'm not allowed to
bring in an unclassified laptop at all --- and yes, Linux is being
used in such environments.  And yes, they do sometimes use IPSO and/or
CIPSO.)

> Security that isn't secure is not really useful. You might as well not
> bother.

There are different kinds of security.  Not all of them involve
cryptography and IPSEC.  Some of them involve armed soldiers and air
gap firewalls.  :-)

Yes, normally the network is outside the Trusted Computing Base (TCB),
but a cluster of Linux machines in a rack is roughly the same size of
a huge Unix server tens year ago --- and it's not like Ethernet is any
more secure than the PCI bus.  So why do we consider communications
across a PCI bus secure even though they aren't encrypted?  Why,
because normally we assume the PCI bus is inside the trust boundary,
and so we don't worry about bad guys tapping communications between
the CPU and the hard drive on the PCI bus.

But these days, it is obviously possible to create clusters where
certain network interfaces are only connected to machines contained
completely inside the trust boundary, just like a PCI bus in a
traditional server.  So don't be so quick to dismiss something like
CIPSO out of hand, just because it doesn't use IPSEC.

Regards,

	   	   		      	       - Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ