

cansecwest/core06: "Stunt Profiling: Securing a system while you wait"

Crispin Cowan from Novell Inc.
Title: Stunt Profiling: Securing a System While you Wait

Quick reminder: Novell acquired Immunix and thus AppArmor.
Goal of AppArmor: confine applications to doing what they are supposed to do, and nothing else.

Coming from a game development background, I am always sensitive to how the design of a system takes into account the skill set and behavioral profile of the user. The outside of the packaging should read: domain expert not included. ☺ I am being serious here. Great design for the knowledgeable Linux user. These are people who have a good chance of properly answering a question like "should I glob this shared lib at the '*.so' level or more at the '*\.2?.so' level?" Nothing wrong with that, just don't try to change your market. Optimizing for one audience will almost always compromise your value in the other.

It uses the LSM (Linux Security Module) interface in the Linux 2.6 kernel. Being in the kernel is a pain in the butt without LSM. I would agree that, given this position in the problem space and the objective of governance, LSM is the best choice for mediation given the cost to bypass it.

I don't know if Crispin was the designer, but the designer is the first person I have heard who truly understands black-list and white-list strategies. Given this very dynamic problem to solve, a hybrid proves the most dominant strategy. I can't help but spend some time on this subject, as I have been working at this knot for so long.

Quick review: a white-list strategy is one where the white-list set (let's call it G, for good) contains "all good things"; a black-list strategy is one where the black-list set (let's call it B, for bad) contains "all bad things". The role of the set is to describe the criteria an action is matched against. What needs to be emphasized (and is missing from most discussions) is that both set G and set B are subsets of the universal set U.

For the record, I have a serious problem with the terms white and black when it is associated with good and bad. From here on out I will call them set G or good-list, B or bad-list, and U or universal-set.

Crispin pointed out that most misuse detection is based on bad-list while most anomaly detection is based on good-list. Here is where I would like to share with you my thoughts.

The factors I always keep in my head are 'rightness' and 'completeness'. Don't ask me why I call them that, because I would then have to invite you into my head, and that is a scary place. Given the size of U, which subset, B or G, will yield higher rightness (the knowledge quality of the elements) and higher completeness (the complement of subset B or G relative to U)? As a rule of thumb, when U is large and mostly unknown, B is the dominant strategy; when U is smaller or mostly known, G is the dominant strategy. If I had more time I would explain this properly, but I have too many blog postings to get through tonight.

AppArmor uses a very elegant hybrid model: a good-list for applications and a bad-list for the system-wide criteria. It is the right choice in my opinion, because a single application to be protected presents a smaller universal set with many more known objects, which makes G dominant over B. The system-wide space presents a larger U with a high potential for unknowns, so B is dominant over G.

Very nice policy language. It is in the native tongue of the target user base, and you can't ask for more than that. Great job!

I’ll just note some highlights from the demo of AppArmor.
The learning mode was great: where something was uncertain, it asked the user, thus creating a better G set in both rightness and completeness. Again, I would point out that most of these questions need to be answered by a domain expert, but that is the case here, so no problem. Rock on.

The moment he put his machine on the network and spawned the vulnerable sendmail daemon for the demo, it was hacked! Funny stuff. He pulled it off the network, configured AppArmor to protect the vulnerable program, and all was well. Great demo. Lesson learned: secure before you connect, especially at CanSec. ☺
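To make the "good-list per application" point and the policy language concrete, here is a minimal profile of the kind that would confine the sendmail daemon in that demo. This is an added, constructed example, not Crispin's demo profile and not shipped AppArmor policy; it uses current AppArmor syntax, and the binary path, file paths and capabilities below are assumed for illustration rather than taken from any particular sendmail build.

```apparmor
# /etc/apparmor.d/usr.sbin.sendmail   (constructed example; all paths assumed)
#include <tunables/global>

/usr/sbin/sendmail {
  # Shared allow-lists: libc/ld.so, a few /proc and /dev entries,
  # resolver and NSS config. Still a good-list, just a reusable one.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Privileges a mail daemon actually needs, and nothing more.
  capability net_bind_service,   # bind port 25
  capability setuid,             # drop to the mail user
  capability setgid,
  capability chown,              # hand delivered mail to its owner

  # TCP only: no UDP, no raw sockets.
  network inet stream,

  # Set G for this program: every path not listed here is denied.
  /usr/sbin/sendmail mr,         # its own binary: read + mmap exec
  /etc/mail/** r,                # config and maps, read-only
  /var/spool/mqueue/** rw,       # queue files
  /var/spool/mail/* rw,          # local mailboxes
  /var/log/mail.log w,           # append-only from AppArmor's view: no r
  /run/sendmail.pid rw,

  # Explicit set B entries. A deny wins over any allow for the same
  # path, even one pulled in by an #include above, so these hold even
  # if someone later widens the allow rules. Denied accesses are not
  # logged unless the rule is prefixed with "audit".
  deny /etc/shadow r,
  deny /home/** w,
}
```

The workflow around this profile matches the demo: `apparmor_parser -r /etc/apparmor.d/usr.sbin.sendmail` loads it, `aa-complain usr.sbin.sendmail` puts it in learning (complain) mode where violations are logged but permitted, `aa-genprof` or `aa-logprof` turns those log entries into the questions described above, and `aa-enforce` switches to enforcement; `aa-status` shows which mode each profile is in. Note that a profile only restricts the program it names: an unconfined process on the same box is untouched, which is exactly the per-application good-list the post describes.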

He did some SELinux versus AppArmor bashing. Whatever. I think AppArmor can speak for itself.

Overall, a very nice tool for the highly technical. The CanSecWest audience was perfect, and I am sure I can say the same for the SUSE Linux community.

--tk

This page contains a single entry from the blog posted on April 6, 2006 10:01 PM.