[redhat-lspp] untrusted printing formats

Knoke, Jim (US SSA) jim.knoke at baesystems.com
Mon Apr 17 11:42:21 UTC 2006


When getting the BAE Systems XTS-400 system ready for TCSEC B3 (it's now
EAL5) evaluation, this was a big issue. PostScript was viewed as being
too complicated, with all the ways you could embed commands for the
printer. We settled on PCL5 and having the TSF recognize and strip away
embedded control sequences. We also had to perform a security analysis
of the printer hardware to convince the evaluators that it would not
recognize special, malicious sequences and do something like save part
of a page and output it later inside a downgraded job.

However, EAL4 isn't usually as stringent as B3 was, and with a lot of
expertise maybe you could show that a PostScript
converter/generator/filter would effectively take all the potentially
dangerous printer commands out. I'm curious if there is guidance from
NIAP on these issues. I'm also not sure if you are trying to position
Linux for a future EAL5, where presumably the vulnerability analysis
would be more stringent. Unfortunately I'm not an expert in this printer
stuff and don't know much about the other formats.

-----Original Message-----
From: redhat-lspp-bounces at redhat.com
[mailto:redhat-lspp-bounces at redhat.com] On Behalf Of Matt Anderson
Sent: Thursday, April 13, 2006 2:09 PM
To: redhat-lspp at redhat.com
Subject: [redhat-lspp] untrusted printing formats

Earlier this week I began asking around about which formats we should
convert to bitmaps prior to sending on to the trusted printer.

PostScript is the obvious case since as a fully functional language it
is possible to embed code in a document which could subvert the forced
label.  EPS and PDF are not quite as inherently suspect, but due to the
ease of converting those types to PostScript and then processing them
similarly, they seem like good candidates as well.

By default the only other formats CUPS supports are:
application/vnd.hp-HPGL
application/x-cshell
application/x-perl
application/x-shell
text/plain
text/html
image/gif
image/png
image/jpeg
image/tiff
image/x-bitmap
image/x-photocd
image/x-portable-anymap
image/x-portable-bitmap
image/x-portable-graymap
image/x-portable-pixmap
image/x-sgi-rgb
image/x-xbitmap
image/x-xpixmap
image/x-xwindowdump
image/x-sun-raster

Of those I am not aware of any attacks on printed output.

Other than PS/EPS/PDF can anyone think of another format which should
get special handling in order to preserve the integrity of the forced
label?

thanks
-matt
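
The routing question raised in the thread, together with the embedded-control-sequence concern from the reply, as an added example that is not part of either message or of CUPS: a fail-closed gate that sniffs job content instead of trusting the declared type. The MIME names for PostScript and PDF, the magic-byte checks, the ESC rule and the function names are assumptions of this sketch.

```python
# Added example: fail-closed routing of print jobs ahead of a labeling printer.
# MIME names for PostScript/PDF, the magic-byte checks and the ESC rule are
# assumptions of this sketch, not taken from the thread or from CUPS itself.

RASTERIZE_TYPES = {"application/postscript", "application/pdf"}  # PS/EPS, PDF
TEXT_TYPES = {"text/plain", "text/html", "application/x-cshell",
              "application/x-perl", "application/x-shell"}
IMAGE_SUBTYPES = ("gif png jpeg tiff x-bitmap x-photocd x-portable-anymap "
                  "x-portable-bitmap x-portable-graymap x-portable-pixmap "
                  "x-sgi-rgb x-xbitmap x-xpixmap x-xwindowdump x-sun-raster").split()
OTHER_LISTED = {"application/vnd.hp-HPGL"} | {f"image/{s}" for s in IMAGE_SUBTYPES}


def looks_interpreted(data: bytes) -> bool:
    """True if the job body looks like PostScript, EPS or PDF, whatever it claims."""
    head = data[:1024]
    # "%!" opens PostScript/EPS; C5 D0 D3 C6 is the binary EPS header.
    starts_ps = head.lstrip().startswith((b"%!", b"\xc5\xd0\xd3\xc6"))
    return starts_ps or b"%PDF-" in head


def route(declared_type: str, data: bytes) -> str:
    """Return 'rasterize', 'pass' or 'reject' for one job."""
    # Declared or sniffed page-description language: convert to a bitmap first.
    if declared_type in RASTERIZE_TYPES or looks_interpreted(data):
        return "rasterize"
    if declared_type in TEXT_TYPES:
        # ESC (0x1B) introduces PCL printer commands; text carrying it is not plain.
        return "rasterize" if b"\x1b" in data else "pass"
    if declared_type in OTHER_LISTED:
        return "pass"
    return "reject"  # unknown format: fail closed


# Constructed sample jobs (declared type, body); none come from the thread.
SAMPLE_JOBS = [
    ("application/postscript", b"%!PS-Adobe-3.0\n(hello) show showpage\n"),
    ("text/plain", b"%!PS-Adobe-3.0\n(hello) show showpage\n"),  # mislabelled
    ("text/plain", b"quarterly report\n"),
    ("text/plain", b"report\x1bE more text\n"),  # embedded control sequence
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("application/x-unknown", b"data"),
]

if __name__ == "__main__":
    for mime, body in SAMPLE_JOBS:
        print(f"{mime:24} -> {route(mime, body)}")
```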
