FC4 kernel performance

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 22 13:16:02 UTC 2005


On Wed, 2005-06-22 at 08:53 -0400, Paul A Houle wrote:
>     It's not so clear that SELinux helps much against real attacks.  It 
> would take a much tougher security model than the Unix model or even the 
> SELinux model to stop the virus and zombie infections that we're seeing 
> in the Windows world.  Things like NX that prevent or complicate buffer 
> overflow attacks may be more useful.

Actually, the SELinux model (or more generally, flexible mandatory
access control) is precisely what one needs in order to contain
malicious and flawed applications.  And SELinux can also help reinforce
mechanisms like exec-shield by providing policy control over what
applications can generate runtime code.

>     If,  for instance,  I can find a way to execute arbitrary code in 
> Firefox or Thunderbird,  I can install something on your computer that 
> runs as you.

But with SELinux, that application (firefox or thunderbird or whatever)
can be placed in its own security domain, with its own set of
permissions that are a subset of the user's overall permissions.  There
is admittedly a lot of work to do to properly secure the desktop (e.g.
security-enhanced X, which has been implemented but not yet upstreamed),
but mandatory access control is the right mechanism for dealing with
this issue.

>   It can perpetuate itself by putting itself in your 
> .profile or in a cron job.  It can make socket connections to anywhere,  
> and accept socket connections,  so long as the port number is >1024.  
> This process can send spam,  do network scanning,  try to infect other 
> machines,  install a keystroke logger,  let me look through your 
> personal files (and other people's files if the permissions are 
> permissive),  and do plenty of other things.

Again, with SELinux, those applications can be limited to accessing no
more than what they need for their legitimate purpose, including file
accesses, the ability to bind to local ports, the ability to make
outbound connections to particular ports, etc.

>     Root access would be nice -- that would let me run a packet 
> sniffer,  install a root kit,  and generally make it a lot harder to 
> clean up the mess,  but modern crackers (who are attacking networks,  
> not individual computers) don't need it.

Yes, Colin Walters' talk at the SELinux Symposium (see
selinux-symposium.org) noted that an attacker often just wants access to
the user's account and data.  But SELinux can be used to counter this
threat (with further work in the desktop to extend MAC to appropriate
applications).

-- 
Stephen Smalley
National Security Agency
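The two points made above (a desktop application confined to its own domain with a subset of the user's permissions, and a domain allowed only the file and network accesses its legitimate purpose needs) can be written down as a small SELinux policy module. The module below is an added illustration, not something from this thread, from Fedora, or from the reference policy; the domain and type names (mybrowser_t, mybrowser_exec_t, mybrowser_home_t) are hypothetical, and the interface and pattern macro names it calls are assumed to be those of the SELinux reference policy shipped in the selinux-policy-devel package. Everything not explicitly allowed is denied, so the comments point out which of the quoted post's attack steps fall outside the domain's permissions.

```selinux
policy_module(mybrowser, 1.0.0)

# Hypothetical confined domain for a desktop browser (illustrative names).
type mybrowser_t;
type mybrowser_exec_t;
application_domain(mybrowser_t, mybrowser_exec_t)

# The only part of the user's home directory the browser may write.
type mybrowser_home_t;
userdom_user_home_content(mybrowser_home_t)

gen_require(`
	type unconfined_t;
')

# A user running the browser binary leaves unconfined_t and enters
# mybrowser_t; from here on the domain's rules, not the user's, apply.
domain_auto_transition_pattern(unconfined_t, mybrowser_exec_t, mybrowser_t)

# Files: full control over its own ~/.mybrowser tree, nothing else.
# No rule grants write access to generic user home content, so the
# domain cannot append to ~/.profile, and no cron interface is called,
# so it cannot install a cron job either.
manage_dirs_pattern(mybrowser_t, mybrowser_home_t, mybrowser_home_t)
manage_files_pattern(mybrowser_t, mybrowser_home_t, mybrowser_home_t)
userdom_user_home_dir_filetrans(mybrowser_t, mybrowser_home_t, dir, ".mybrowser")
userdom_read_user_home_content_files(mybrowser_t)

# Network: outbound connections to the HTTP port types only, plus DNS.
# No corenet_tcp_bind_* interface is called, so the domain cannot listen
# on any port, high-numbered or otherwise, and no generic connect rule
# is granted, so port scanning and SMTP relaying are denied as well.
allow mybrowser_t self:tcp_socket create_stream_socket_perms;
allow mybrowser_t self:udp_socket create_socket_perms;
corenet_tcp_sendrecv_generic_if(mybrowser_t)
corenet_tcp_sendrecv_generic_node(mybrowser_t)
corenet_tcp_connect_http_port(mybrowser_t)
sysnet_dns_name_resolve(mybrowser_t)

# Runtime code generation: deliberately absent.  Without
#   allow mybrowser_t self:process { execmem execstack };
# the domain cannot map writable+executable memory, which is the policy
# hook that reinforces exec-shield mentioned above.
```

To try it, the module is built with `make -f /usr/share/selinux/devel/Makefile mybrowser.pp`, loaded with `semodule -i mybrowser.pp`, and the binary is labelled with an accompanying .fc entry of the form `/usr/bin/mybrowser -- gen_context(system_u:object_r:mybrowser_exec_t,s0)` followed by `restorecon`. Once loaded, `sesearch --allow -s mybrowser_t -c tcp_socket` lists exactly which port types the domain may reach, and `ps -eZ` confirms the process actually runs in mybrowser_t rather than the user's domain; if either check does not show the expected restriction, the confinement argued for above is not in effect.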
