* A casestudy where selinux has stopped malware attacks
From: masoom alam @ 2017-09-21 4:13 UTC (permalink / raw)
To: selinux
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
----
Dr. Masoom Alam,
Associate Professor,
Department of Computer Science,
COMSATS Institute of Information Technology,
Park Road, Islamabad
Off +92-51-9049-5391
Cell +92-332-9298-404
* Re: A casestudy where selinux has stopped malware attacks
From: Patrick K., ITF @ 2017-09-21 14:14 UTC (permalink / raw)
To: selinux
Hello,
Please read about SELinux here:
http://selinuxproject.org/page/FAQ
MAC in the case of SELinux, or DAC (Discretionary Access Control), are there
to control the extent to which a user or process can access or interact
with resources.
They by nature may sandbox an attack, but are not there to stop malware
attacks.
They may mitigate some of them like this one: (Exactly serving one of
its purposes)
CVE-2016-9962 docker: insecure opening of file-descriptor allows
privilege escalation:
http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/
Mitigating is not stopping; you still need to patch the vulnerability,
and it is not necessarily for all kinds of malware or cases of malware.
It depends on the malware, your setting, the environment, etc.
You may not deploy SELinux and think you have stopped all attacks; it is just
a false sense of security.
P.S. With Special thanks to Dan Walsh of RedHat
Best regards,
--
Patrick K.
On 9/21/2017 12:13 AM, masoom alam wrote:
> Hi everyone,
>
> Do we have something like the mentioned subject documented?
>
> Thank you.
>
>
> ----
> Dr. Masoom Alam,
> Associate Professor,
> Department of Computer Science,
> COMSATS Institute of Information Technology,
> Park Road, Islamabad
> Off +92-51-9049-5391
> Cell +92-332-9298-404
* Re: A casestudy where selinux has stopped malware attacks
From: Joshua Brindle @ 2017-09-21 14:26 UTC (permalink / raw)
To: masoom alam; +Cc: selinux
masoom alam wrote:
> Hi everyone,
>
> Do we have something like the mentioned subject documented?
>
> Thank you.
>
Probably one of the better catalogued set of malware stopped by SELinux,
which shows various ways SELinux mitigated the attacks, is The Case For
SEAndroid from Stephen Smalley:
https://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
* Re: A casestudy where selinux has stopped malware attacks
From: masoom alam @ 2017-09-21 14:31 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
Many thanks.
On Sep 21, 2017 7:26 PM, "Joshua Brindle" <brindle@quarksecurity.com> wrote:
> masoom alam wrote:
>
>> Hi everyone,
>>
>> Do we have something like the mentioned subject documented?
>>
>> Thank you.
>>
>>
> Probably one of the better catalogued set of malware stopped by SELinux,
> which shows various ways SELinux mitigated the attacks, is The Case For
> SEAndroid from Stephen Smalley:
>
> https://selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf
* Re: A casestudy where selinux has stopped malware attacks
From: Nick Kralevich @ 2017-09-21 14:38 UTC (permalink / raw)
To: masoom alam; +Cc: SELinux
Android has tried to document pretty extensively how the reduction of
attack surface provided by SELinux has resulted in a significant
percentage of bugs being unreachable.
See, for example
https://www.blackhat.com/docs/us-17/thursday/us-17-Kralevich-Honey-I-Shrunk-The-Attack-Surface-Adventures-In-Android-Security-Hardening.pdf
slide 52, where 44% of our security bulletin class bugs are reduced in
severity because of SELinux attack surface management.
However, SELinux's primary goal isn't attack surface management
(although it's very good at it). Its primary purpose is containment
and being able to reason about the state of the system assuming a
compromise of any component. If SELinux stops a malware author, that
malware author will simply choose to not publish their non-working
code. Most people, including malware authors, will only celebrate
their successes, but won't publicize their failures. Measurements in
this area are hard.
-- Nick
On Wed, Sep 20, 2017 at 9:13 PM, masoom alam <masoom.alam@gmail.com> wrote:
> Hi everyone,
>
> Do we have something like the mentioned subject documented?
>
> Thank you.
>
>
> ----
> Dr. Masoom Alam,
> Associate Professor,
> Department of Computer Science,
> COMSATS Institute of Information Technology,
> Park Road, Islamabad
> Off +92-51-9049-5391
> Cell +92-332-9298-404
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
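Patrick's point that MAC mitigates rather than stops an attack, and Nick's that containment is SELinux's primary purpose, both raise the practical question of what a contained attack looks like on the box: the trace it leaves is the AVC denial the policy produced. The following is an added example, not code from this thread or from the SELinux project. It is a small Python parser that reads audit.log-style AVC records, keeps only the denials that were actually enforced (permissive=0), and groups them by source domain, target type, object class and permission. The sample log lines are constructed, with made-up pids, inodes and file names; the record layout follows the kernel's standard AVC audit format.

```python
"""Summarise enforced SELinux AVC denials from audit.log-style records.

Added example for the thread above; not from the thread or the SELinux
project. The sample records below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample records. A confined web server domain (httpd_t) is
# denied writing /etc/shadow, executing a binary, and connecting outbound
# to an unreserved port; a fourth record was logged in permissive mode
# and therefore did not actually block anything.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505971234.123:456): avc:  denied  { write } for  pid=2345 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505971235.456:457): avc:  denied  { execute } for  pid=2345 comm="httpd" name="nc" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505971236.789:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1505971237.000:459): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1505971234.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# One AVC record: verdict, the permission set in braces, then the
# source/target security contexts, the object class and (on newer
# kernels) whether the domain was in permissive mode.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)(?:.*?permissive=(?P<permissive>[01]))?'
)


@dataclass(frozen=True)
class AvcRecord:
    verdict: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    enforced: bool  # True when the denial actually blocked the access


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcRecord(
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        scontext=m.group("scontext"),
        tcontext=m.group("tcontext"),
        tclass=m.group("tclass"),
        # Missing permissive= (older kernels) is treated as enforcing.
        enforced=(m.group("permissive") != "1"),
    )


def summarize_denials(log_text: str) -> Counter:
    """Count enforced denials keyed by (source type, target type, class, perm)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.verdict != "denied" or not rec.enforced:
            continue
        for perm in rec.perms:
            counts[(type_of(rec.scontext), type_of(rec.tcontext), rec.tclass, perm)] += 1
    return counts


def report(counts: Counter) -> str:
    """Render the summary, most frequent denial first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n:4d}  {src} -> {tgt} ({cls}) {perm}"
                     for (src, tgt, cls, perm), n in rows)


if __name__ == "__main__":
    print(report(summarize_denials(SAMPLE_AUDIT_LOG)))
```

Run against a real /var/log/audit/audit.log the summary shows which confined domains tried to step outside their policy and were refused; denials logged while a domain was permissive are deliberately excluded, since those were observed but not prevented, which is the distinction the thread draws between mitigating and merely noticing.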
* Re: A casestudy where selinux has stopped malware attacks
From: Tracy Reed @ 2017-09-25 20:20 UTC (permalink / raw)
To: masoom alam; +Cc: selinux
I wrote this:
https://www.reddit.com/r/selinux/comments/1xcb1t/selinux_saved_our_asses/
I have various other similar stories. And then there's this:
https://doublepulsar.com/hardening-apache-struts-with-selinux-db3a9cd1a10c
On Wed, Sep 20, 2017 at 09:13:23PM PDT, masoom alam spake thusly:
> Hi everyone,
>
> Do we have something like the mentioned subject documented?
>
> Thank you.
>
>
> ----
> Dr. Masoom Alam,
> Associate Professor,
> Department of Computer Science,
> COMSATS Institute of Information Technology,
> Park Road, Islamabad
> Off +92-51-9049-5391
> Cell +92-332-9298-404
--
Tracy Reed
http://tracyreed.org
Digital signature attached for your safety.