[ubuntu-hardened] Re: Some thoughts about the hardened schema

Lorenzo Hernández García-Hierro lorenzo at gnu.org
Sun Apr 17 17:27:40 CDT 2005


On Thu, 14-04-2005 at 03:05 +1000, Jamie Jones wrote:
> I was considering libsafe from the point of view of "how can I protect
> my system from some application that can't be fixed". If I ever
> needed/wanted to run something like that (eg distributed.net) I would
> like any practical extra layers of protection I can get. I do realise
> the libsafe upstream is effectively dead. There are other kernel-level
> methods that protect against ret2libc ?? (I'm very aware that libsafe is
> partial protection at best)

Address Space Layout Randomization (ASLR) makes ret2libc attacks more
difficult.

As I said, libsafe is available, so, users will be able to use it if
they want.

> I didn't mean to imply otherwise, I just thought it was an oversight as I
> am new to Ubuntu.

No worries ;)


> True. But even SELinux started as a patch once :)

It was re-implemented to use the LSM framework, so they worked on it so
that it causes a *minimal* impact.

> Better tested is another nice practical reason to me. Although wasn't
> there some American company claiming to have patents on it a while ago ?

That's a typical absurd FUD against SELinux, read:
http://www.securecomputing.com/pdf/Statement_of_Assurance.pdf


> I have a strong feeling that you have answered questions like this
> repeatedly. I do know that it has lsm support, I am under the impression
> that there are problems with stacking multiple lsm modules in the
> kernel, which led to my understanding that it would work "better" with
> RSBAC. I can see practical uses for this on a samba server.

People are working on module stacking; anyway, if there's something
*worthy* you can't do at kernel level with SELinux, I would like to
hear it.

> I've never seen an unbiased comparison between PAX and ES actually.
> Other than paxtest is there any other testing tool I could use to make
> an evaluation on how they perform against each other ? (I'm not keen on
> running a "real" exploit to test ATM)

paxtest is good after you remove the "sabotage".

--- body.c.orig 2005-04-11 13:03:29.000000000 -0400
+++ body.c      2005-04-11 14:06:17.000000000 -0400
@@ -29,6 +29,9 @@
        return NULL;
 }
 
+/* Dummy function */
+void dummy(void) {}
+
 int main( int argc, char *argv[] )
 {
        int status;
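
Review bot: dummy() is added at file scope with external linkage; unless another translation unit needs it, declare it `static void dummy(void) {}` so the symbol does not leak out of body.c. The comment "Dummy function" also does not say what the function is for; one line stating why it exists would keep it from being deleted later as dead code.
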
@@ -39,9 +42,6 @@
         */
        int paxtest_mode = 1;
 
-       /* Dummy nested function */
-       void dummy(void) {}
-
        mode = getenv( "PAXTEST_MODE" );
        if( mode == NULL ) {
                paxtest_mode = 1;
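
Review bot: the removal of the nested dummy() from main carries no rationale anywhere in the patch. Nested functions are a GNU C extension, and GCC may need an executable stack for them when their address is taken, so moving the definition to file scope can change how the binary is built and therefore what the test measures. State that intent in the comment on the new definition or in a patch description, and confirm that any use of dummy later in main still resolves to the file-scope function.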

> Ubuntu's not server capable ?? I've already deployed it as a public web
> server. Works fine for me.

I didn't say that: "Ubuntu is directed to desktops, but lately there's
an effort for making it server capable"

I've deployed it as a testing box for my SELinux work.

> Personally I turn this on, because the machine that it runs on needs a
> fair bit of randomness and doesn't have many sources.

If it gets into mainline, wonderful. If not, doubtful.
I can't assess with any risk regarding kernel package maintenance, nor can I
put such risk on the back of the Ubuntu kernel team fellows.

> Out of curiosity, if I'm subscribed to the list, and I'm CC'ed am I only
> supposed to get one copy of the email ??

Yes.

> Thanks

My pleasure.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo at gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]