* Re: Selinux kernel patches
From: Pete Loscocco @ 2001-02-06 20:28 UTC
  To: selinux

Joshua Brindle wrote:
> I was wondering if there was any effort on your team of developers to
> get your kernel patches submitted to linus for possible inclusion into
> the standard linux source? And also the utility patches, will you be
> trying to submit them to their authors?

We would like very much for our kernel patches to be considered for
inclusion in a future kernel release. We are working toward that goal.
The real goal is to get features such as we have put in Linux accepted
not only in Linux but in other systems as well. We chose Linux because
it not only would increase the security of a popular system but because
its open development enables it to be a worked example that could be
applied to other systems as well.

We think that we have a good architecture and that it warrants
consideration. We have put it out not as a complete solution but as
something that should be built upon. Inclusion in the "standard"
sources would really enable a much wider audience to work with the
system, gain experience using the security features, and make the
system better.

As for the utility patches, they have never been the focus of the
work.  We have made changes where we found it necessary or useful, but
have yet to make any serious effort to address all of the user space
issues. If the architecture were to be adopted by the community, we
would probably reexamine that decision and spend more effort on such
things. Until that happens, we probably won't be looking for our
changes to be included with the utility authors.

Pete Loscocco
Information Assurance Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Selinux kernel patches
From: Dale Amon @ 2001-02-08 18:41 UTC
  To: Pete Loscocco; +Cc: selinux

On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> We think that we have a good architecture and that it warrants
> consideration. We have put it out not as a complete solution but as
> something that should be built upon. Inclusion in the "standard"
> sources would really enable a much wider audience to work with the
> system, gain experience using the security features, and make the
> system better.
> 

Just a wild suggestion. When things are well along and
everyone thinks the system is ready, why not put a box
out on a public network for a game of "capture the flag"?

Offer a free T-shirt "I cracked the NSA" to anyone who
succeeds *and* tells precisely how it was done. Set up
tests for system cracks both from fully external and from
various shell access levels. Certainly a way of catching
any more egregious faults and as a means of building
confidence that the system has succeeded in accomplishing
its goal.

Of course the real test is a few thousand computers under
a few years of real operational conditions. But a bit
of initial testing never hurt :-)

I know I'd sleep better at night if I knew from the
start that the kiddies were blocked cold from my
customers' systems.

-- 
------------------------------------------------------
Use Linux: A computer        Dale Amon, CEO/MD
is a terrible thing          Village Networking Ltd
to waste.                    Belfast, Northern Ireland
------------------------------------------------------


* Re: Selinux kernel patches
From: Christopher McCrory @ 2001-02-08 21:37 UTC
  To: Dale Amon; +Cc: Pete Loscocco, selinux

Hello...


Dale Amon wrote:

> On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> 
<snip>
> Just a wild suggestion. When things are well along and
> everyone thinks the system is ready, why not put a box
> out on a public network for a game of "capture the flag"?
> 

This has been done before, with other systems.  It has also been shown
that the crackers you really need to worry about don't participate.

<snip>

-- 

Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

"Linux: Because rebooting is for adding new hardware"



* Capture the flag (was Re: Selinux kernel patches)
From: Sandy Harris @ 2001-02-09  2:32 UTC
  To: selinux

Dale Amon wrote:
> 
> On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> > We think that we have a good architecture and that it warrants
> > consideration. ...
> 
> Just a wild suggestion. When things are well along and
> everyone thinks the system is ready, why not put a box
> out on a public network for a game of "capture the flag"?

The annual Defcon conference (http://www.defcon.org/) has run such
a contest, on a LAN at the conference, for several years now. Some
firewall vendors bring machines for use as targets.
 
> Offer a free T-shirt "I cracked the NSA" to anyone who
> succeeds *and* tells precisely how it was done. Set up
> tests for system cracks both from fully external or from
> various shell access levels.

In addition to attackers' machines and target machines, they have
other machines doing packet logging so attacks can be analysed
later.

A web search on "defcon capture the flag" will turn up the rules,
last year's logs and some discussion.


* Re: Capture the flag (was Re: Selinux kernel patches)
From: paul @ 2001-02-09 15:18 UTC
  To: selinux, Sandy Harris

So what happens when the hackers attack the machines logging packets?  Or what if they just decide to take down the router?


* Re: Capture the flag (was Re: Selinux kernel patches)
From: paul @ 2001-02-09 15:33 UTC
  To: selinux

I have always felt that the best way to test a piece of software is the same way that any scientist would test a hypothesis.  The hypothesis here is that the software is secure.  So in order to test that hypothesis you have to have people that test that software for security holes.

In my opinion, finishing a piece of software and then inviting the whole planet to try and "hack" it for $200 and a free shirt is just not the best way to approach this.  You will end up with people from all over the planet not only attacking the system but also the network, including other systems on the same wire that are gathering packets, routers, and perhaps even the upstream provider.  Sure, you can say that all these are off limits, but people will simply not care, as has been shown by these kinds of "tests" over and over and over.

What we intend to do at Bladestorm is to integrate all the efforts here into our distribution and conduct a controlled test, where the software is tested by security professionals.  It will be probed and tested thoroughly, we would report our findings, patch, reprobe, and then after that cycle is done we will do a beta.  And the beta would be to put the distribution into environments where the software can be tested.  This way, we can eliminate variables such as routers going down and so forth and really be able to pinpoint holes.

Public stunts like this are more like handing 2,000 people a can opener and telling them all to try to be the first to open a can.  You end up with a mess, and a lot of spilled tomato soup.  It's just not worth it from my vantage point.


* RE: Capture the flag (was Re: Selinux kernel patches)
From: John Cordani @ 2001-02-09 16:31 UTC
  To: paul, selinux

Paul,
As a scientist I certainly try to apply science to the production of
information products. I agree with your stance on this issue. Certainly
engineers and scientists should first test their hypothesis and experiment
in a controlled environment prior to any beta release. When the engineering
and testing teams have reached their conclusions and refinements, an open
test of the beta release might be warranted.


* RE: Capture the flag (was Re: Selinux kernel patches)
From: Ellis, Wes @ 2001-02-09 16:54 UTC
  To: 'selinux@tycho.nsa.gov'

Then this is another vulnerability, and would need to be addressed: a
machine is not just itself, but any other machines attached to it, and this
is most often where I have personally found weaknesses in audits.


* Re: Capture the flag (was Re: Selinux kernel patches)
From: Daniel Harrison @ 2001-02-09 16:56 UTC
  To: selinux

In case some people haven't seen it, there has been a thread on the Vuln-Dev list hosted by securityfocus.com talking about the right and wrong way to do this. Some vendors have been participating in the discussion. I would definitely suggest checking out the archives of that list.

-dan


* Re: Capture the flag (was Re: Selinux kernel patches)
From: Jose Nazario @ 2001-02-09 16:58 UTC
  To: paul; +Cc: selinux, Sandy Harris

On Fri, 9 Feb 2001, paul  wrote:

> So what happens when the hackers attack the machines logging packets?

usually it's configured at layer 2 only, so it's not visible to anyone.
it's a good NIDS procedure. it's invisible, and also nearly immune to
attacks. you also use a good IP stack (usually OpenBSD).

> Or what if they just decide to take down the router?

which used to happen at DefCon, then they moved to OpenBSD and cut down
those problems pretty quickly.

these are all good considerations, and considering that you're trying to
attract the best of the best, wise to keep in mind. but, they've also been
addressed before.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
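The passive packet logger that Sandy and Jose describe (a sensor that sits below the IP layer so the monitored segment cannot address it), as an added example that is not part of the original thread or of any SELinux code: a minimal Linux capture tool in Python. It binds an AF_PACKET socket, which works on an interface that carries no IP address at all, and summarises every frame it sees, including non-IP frames such as ARP and truncated frames, so that the log survives whatever the attackers' machines put on the wire. The interface name `eth1`, the helper names and the two sample frames are constructed here for illustration; live capture needs Linux and CAP_NET_RAW.

```python
import socket
import struct

ETH_P_ALL = 0x0003  # capture every EtherType, not just IP


def parse_frame(frame: bytes) -> dict:
    """Decode one raw Ethernet frame into a small summary dict.

    A passive sensor must not choke on what it sees: frames that are
    not IPv4 (ARP, IPv6, anything else) are recorded by EtherType, and
    truncated frames are reported rather than raising.
    """
    if len(frame) < 14:
        return {"error": "truncated ethernet header", "len": len(frame)}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    summary = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
               "ethertype": ethertype, "len": len(frame)}
    if ethertype == 0x0800:  # IPv4
        payload = frame[14:]
        if len(payload) < 20:
            summary["error"] = "truncated ipv4 header"
            return summary
        ihl = (payload[0] & 0x0F) * 4       # header length in bytes
        summary["proto"] = payload[9]
        summary["src_ip"] = socket.inet_ntoa(payload[12:16])
        summary["dst_ip"] = socket.inet_ntoa(payload[16:20])
        l4 = payload[ihl:]
        if summary["proto"] in (6, 17) and len(l4) >= 4:  # TCP/UDP ports
            summary["sport"], summary["dport"] = struct.unpack("!HH", l4[:4])
        if summary["proto"] == 6 and len(l4) >= 14:      # TCP flag byte
            summary["tcp_flags"] = l4[13]
    elif ethertype == 0x0806:
        summary["proto_name"] = "ARP"
    return summary


def format_summary(s: dict) -> str:
    """Render a summary as one log line for later analysis."""
    if "error" in s:
        return f"malformed frame ({s['error']}) len={s['len']}"
    if "src_ip" in s:
        src = f"{s['src_ip']}:{s.get('sport', '-')}"
        dst = f"{s['dst_ip']}:{s.get('dport', '-')}"
        flags = f" flags=0x{s['tcp_flags']:02x}" if "tcp_flags" in s else ""
        return f"{src} -> {dst} proto={s['proto']}{flags} len={s['len']}"
    name = s.get("proto_name", f"ethertype=0x{s['ethertype']:04x}")
    return f"{s['src_mac']} -> {s['dst_mac']} {name} len={s['len']}"


def sniff(ifname: str, count: int):
    """Yield summaries of `count` frames captured on `ifname`.

    AF_PACKET reads frames before the IP stack touches them, so the
    capture interface needs no address and never answers anything;
    that is what keeps the sensor unaddressable from the segment.
    Requires Linux and CAP_NET_RAW.
    """
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                       socket.htons(ETH_P_ALL)) as s:
        s.bind((ifname, 0))
        for _ in range(count):
            frame, _addr = s.recvfrom(65535)
            yield parse_frame(frame)


# Constructed sample frames (not captured from any real network) so the
# parser can be exercised offline.
def build_sample_tcp_syn() -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # IPv4 header, 20 bytes, no options; checksum left 0 (the sensor ignores it)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    # TCP header: sport 40000, dport 22, data offset 5, flags SYN (0x02)
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_sample_arp() -> bytes:
    eth = b"\xff" * 6 + bytes.fromhex("66778899aabb") + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      bytes.fromhex("66778899aabb"), socket.inet_aton("192.0.2.20"),
                      b"\x00" * 6, socket.inet_aton("192.0.2.10"))
    return eth + arp


if __name__ == "__main__":
    import sys
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth1"  # assumed sensor interface
    for summary in sniff(ifname, count=10):
        print(format_summary(summary))
```

Keeping the capture interface without an IP address (and with ARP and IPv6 autoconfiguration disabled on it) is host configuration, not something this script does; the script only shows why a layer-2 capture does not need one. Run it as root with the sensor interface name as the first argument.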

