* Selinux kernel patches
From: Joshua Brindle @ 2001-02-06 17:50 UTC (permalink / raw)
  To: selinux

I was wondering if there was any effort on your team of developers to get your kernel patches submitted to Linus for possible inclusion into the standard Linux source? And also the utility patches, will you be trying to submit them to their authors?


Joshua Brindle
Unix Administrator
Southern Nazarene University

* Re: Selinux kernel patches
From: Pete Loscocco @ 2001-02-06 20:28 UTC (permalink / raw)
  To: selinux

Joshua Brindle wrote:
> I was wondering if there was any effort on your team of developers to
> get your kernel patches submitted to linus for possible inclusion into
> the standard linux source? And also the utility patches, will you be
> trying to submit them to their authors?

We would like very much for our kernel patches to be considered for
inclusion in a future kernel release. We are working toward that goal.
The real goal is to get features such as we have put in Linux accepted
not only in Linux but in other systems as well. We chose Linux because
it not only would increase the security of a popular system but because
its open development enables it to be a worked example that could be
applied to other systems as well.

We think that we have a good architecture and that it warrants
consideration. We have put it out not as a complete solution but as
something that should be built upon. Inclusion in the "standard"
sources would really enable a much wider audience to work with the
system, gain experience using the security features, and make the
system better.

As for the utility patches, they have never been the focus of the
work.  We have made changes where we found it necessary or useful, but
have yet to make any serious effort to address all of the user space
issues. If the architecture were to be adopted by the community, we
would probably reexamine that decision and spend more effort on such
things. Until that happens, we probably won't be looking for our
changes to be included with the utility authors.

Pete Loscocco
Information Assurance Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Selinux kernel patches
From: Dale Amon @ 2001-02-08 18:41 UTC (permalink / raw)
  To: Pete Loscocco; +Cc: selinux

On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> We think that we have a good architecture and that it warrants
> consideration. We have put it out not as a complete solution but as
> something that should be built upon. Inclusion in the "standard"
> sources would really enable a much wider audience to work with the
> system, gain experience using the security features, and make the
> system better.
> 

Just a wild suggestion. When things are well along and
everyone thinks the system is ready, why not put a box
out on a public network for a game of "capture the flag"?

Offer a free T-shirt "I cracked the NSA" to anyone who
succeeds *and* tells precisely how it was done. Set up
tests for system cracks both from fully external or from
various shell access levels. Certainly a way of catching
any more egregious faults and as a means of building 
confidence that the system has succeeded in accomplishing
its goal.

Of course the real test is a few thousand computers under
a few years of real operational conditions. But a bit
of initial testing never hurt :-)

I know I'd sleep better at night if I knew from the
start that the kiddies were blocked cold from my
customers' systems.

-- 
------------------------------------------------------
Use Linux: A computer        Dale Amon, CEO/MD
is a terrible thing          Village Networking Ltd
to waste.                    Belfast, Northern Ireland
------------------------------------------------------

* Re: Selinux kernel patches
From: Christopher McCrory @ 2001-02-08 21:37 UTC (permalink / raw)
  To: Dale Amon; +Cc: Pete Loscocco, selinux

Hello...


Dale Amon wrote:

> On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> 
<snip>
> Just a wild suggestion. When things are well along and
> everyone thinks the system is ready, why not put a box
> out on a public network for a game of "capture the flag"?
> 

This has been done before, with other systems.  It has also been shown
that the crackers you really need to worry about don't participate.



<snip>



-- 

Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

"Linux: Because rebooting is for adding new hardware"


* Re: Selinux kernel patches
From: paul  @ 2001-02-09 15:41 UTC (permalink / raw)
  To: Dale Amon; +Cc: selinux

I have seen a lot of these tests and it is very hard to learn anything from them.  People have a lot of different definitions for "getting in", which usually include "if you can't get into your own system then we win", meaning that you see a lot of things attack everything around the system, including the logging system and the routers, along with any firewalls or IDS system that might be present.

Yes, you learn, but what you often learn is not what you are looking to learn.  These kinds of tests are like handing out 2,000 can openers to 2,000 15-year-olds and telling them to all be the first to open a can of pea soup.

The security community titans, such as Bruce Schneier, have constantly said that these kinds of tests are just a publicity stunt and a waste of time.

If you want to see how good this is, set up a lab, eliminate variables such as someone attacking a border router, and have a few people that know what they are doing bang on the software internally and externally.  You will get much better results and something you can analyze right away.


---------- Original Message ----------------------------------
From: Dale Amon <amon@vnl.com>
Date: Fri, 9 Feb 2001 15:22:25 +0000

>On Fri, Feb 09, 2001 at 10:14:09AM -0500, paul  wrote:
>> These kinds of shows never really amount to anything since the "hackers" 
>> will typically attack everything around the box as well, including 
>> the routers.  Besides, these things are more of a publicity stunt 
>> than a bona fide test of the operating system.
>> 
>
>PR or not, if someone does get in, you have learned something. And
>the reason I said "external" for the test was that very reason. I'd
>not want the machine under test to be anywhere *near* anything that
>was really important.
>
>> Our company is working with the findings here and integrating them 
>> into our own distribution, and our plan is to basically bang on it 
>> as much as we can in-house and then bite the bullet and put it out, 
>> patching and upgrading as problems are exposed.
>> 
>
>Which comes down to the resources you have as a company, or
>that I have as a company. I don't think it is such a bad
>idea to have some more impersonal baseline outside of
>ourselves.
>
>At the end of the day, proving security is like proving
>aliens don't exist. If a flying saucer lands in London, you've 
>proven they do; but no matter how much you spend you can 
>never absolutely guarantee the negation. You can only 
>add 9's to your statistical confidence in that conclusion.
>
>-- 
>------------------------------------------------------
>Use Linux: A computer        Dale Amon, CEO/MD
>is a terrible thing          Village Networking Ltd
>to waste.                    Belfast, Northern Ireland
>------------------------------------------------------
>
