Dailydave mailing list archives
Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Fri, 2 Mar 2007 22:01:17 -0000
Steve,

When you have "security professionals" writing the default behavior, you don't have the specific needs and the custom applications involved, and then the problem of making everything OK begins... In practice, many people (most?) just disable SELinux in the installation process...

Like you have said, both have bad points (attack vectors...), but I think complexity != security, so I'm in favour of the auto-learning systems..

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If I really know, I can hack
GPG KeyID: 5E90CA19

--------- Original Message --------
From: Steve Grubb <sgrubb () redhat com>
To: dailydave () lists immunitysec com <dailydave () lists immunitysec com>, Rodrigo Rubira Branco BSDaemon <rodrigo () kernelhacking com>
Subject: Re: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
Date: 02/03/07 11:27
On Thursday 01 March 2007 14:12:41 Rodrigo Rubira Branco (BSDaemon) wrote:
> > We got eal4+ without SE Linux as part of the eval.
>
> Yeah, it depends on the TE of the certification; the new level and TE is
> really dependent on selinux... in any way I have said about eal4+ just
> because I saw it in this link
> http://www.internetnews.com/security/article.php/3551616

When you talk about a certification, there are 2 parts to it. That article talks about our current effort which is LSPP/EAL4+. LSPP is the feature selection, which selinux is needed for the MAC portions of the security target. EAL4+ simply refers to the level of effort that went into design, documentation, and testing. SE Linux by itself does not meet LSPP, there was a whole lot of other work needed, too.

> > > using the LSM framework... it's more bugged than great (who doesn't
> > > agree with me??).
> >
> > I don't agree with you. I don't have any bug report in our bugzilla that
> > is traced to the kernel implementation.
>
> It's a design error, not necessarily an implementation one... because of
> that we see lots of discussion regarding how to remove it ;)

I haven't been involved in any discussions where people are asking to remove it. I have been involved in discussions where people believe they have sufficient protection in place where they want to disable it for performance.

> in any way I wanna know your opinion about another point, that is
> learning-mode systems... I have had a discussion about that with Joshua
> in the past, but no conclusions...

I can only guess that you mean systems that learn normal behavior so that abnormalities can be spotted? The problem is how do you _know_ you are observing correct behavior. You could have a trojaned app that you are now learning its behavior.

You can imagine SE Linux policy as a learning mode system where _people_ learn the app's behavior. They exercise the app, determine its normal behavior, put that into policy, and people everywhere install it. Then one day we get a new version of something and push it into rawhide. Suddenly we have AVCs (syscall denials based on policy). The behavior has changed. Is it a trojaned app or correct but new behavior? Does anyone have a program that can make that determination?

It would take a human in the loop, either by asking the user if this is expected behavior - though they probably can't determine the implications of allowing the action (there are knowledgeable people out there, but we can't assume everyone is a programmer/admin). Or it takes skilled policy writers to make the decision and add it to policy - learning the new behavior. So, you always have this problem of version upgrades and learning new behavior. That can become the attack point.

-Steve
________________________________________________
Message sent using UebiMiau 2.7.2

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
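Steve's point that a new AVC after a version upgrade needs a human decision can be turned into a triage step: reduce each denial to a (source domain, target type, class, permission) tuple and surface only the ones a reviewer has not already accepted. This is an added example, not code from the thread or from the SELinux project; the audit records, the baseline set and all names in it are constructed assumptions.

```python
import re
from typing import List, Set, Tuple

# Constructed sample audit records (assumption, not from the thread). The layout
# follows the Linux audit AVC record format; pids, inodes and types are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1172876400.101:41): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1172876401.202:42): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1172876402.303:43): avc:  denied  { write } for  pid=2201 comm="httpd" name="shadow" dev=sda1 ino=17 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1172876402.303:43): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

Rule = Tuple[str, str, str, str]  # (source domain, target type, class, permission)

def domain_type(context: str) -> str:
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_avc(line: str) -> List[Rule]:
    """Turn one AVC denial record into rules, one per permission; [] for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return []
    src, tgt = domain_type(m["scontext"]), domain_type(m["tcontext"])
    return [(src, tgt, m["tclass"], perm) for perm in m["perms"].split()]

def new_denials(audit_text: str, reviewed: Set[Rule]) -> List[Rule]:
    """Denials not in the reviewed baseline: the ones that need a human decision."""
    pending: List[Rule] = []
    for line in audit_text.splitlines():
        for rule in parse_avc(line):
            if rule not in reviewed and rule not in pending:
                pending.append(rule)
    return pending

# Baseline a policy writer already accepted for the previous release (assumption).
REVIEWED: Set[Rule] = {("httpd_t", "httpd_sys_content_t", "file", "read")}

if __name__ == "__main__":
    for rule in new_denials(SAMPLE_AUDIT, REVIEWED):
        print("review needed:", rule)
```

Whether a flagged rule is new legitimate behavior or a trojaned binary is still the human call Steve describes; the script only makes sure the previously reviewed accesses do not drown out the new ones.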
Current thread:
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Rodrigo Rubira Branco (BSDaemon) (Mar 01)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Steve Grubb (Mar 01)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Chris Rohlf (Mar 02)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? endrazine (Mar 03)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Chris Rohlf (Mar 03)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? endrazine (Mar 07)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Chris Rohlf (Mar 02)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Steve Grubb (Mar 01)
- <Possible follow-ups>
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Rodrigo Rubira Branco (BSDaemon) (Mar 01)
- Re: Is Windows Integrity Control in Vista really worth the performance hit? And does it really work? Rodrigo Rubira Branco (BSDaemon) (Mar 03)