[BBLISA] Appreciate the help...
Bill Bogstad
bogstad at pobox.com
Sat Jan 26 16:08:35 EST 2008
On Jan 24, 2008 7:07 PM, Ben Eisenbraun <bene at klatsch.org> wrote:
> On Thu, Jan 24, 2008 at 04:42:11PM -0500, Daniel Hagerty wrote:
> > Scott's real issue is that the exec*() system calls will happily
> > execute things in situations he doesn't consider safe. If you try to
> > fix it somewhere else, you might reduce the problem footprint, but
> > there will still be plenty of situations where user B can impersonate
> > user A because of a mistake rooted in A's cron usage.
> >
> > Maybe SE-Linux has some story for this.
>
> Systrace can do all sorts of things to neat things in this area. It's like
> ACLs for syscalls.
>
> http://www.citi.umich.edu/u/provos/systrace/
FYI,
There was an interesting security (timing) attack a year or so ago
that systems like systrace
were susceptible to. You might check to systrace has this problem or not.
The gist of the problem is as follows:
Multithreaded application does: open("/safe/file", ...)
Security system receives pointer to string and verifies that
application is allowed to access "/save/file"
Multithreaded application changes memory where pointer points to be
"/dangerous/file"
Security system passes pointer to real kernel open() call which now
open()s /dangerous/file
The problem is that the pointer passed by the application is used to
copy the filename into the kernel
twice. Once when the security system verifies it's okay and then
again to do the actual open().
That is a timing window which people have managed to figure out how to
exploit. If systrace uses
an architecture which copies the data twice then it may be susceptible
to this attack as well.
Bill Bogstad
More information about the bblisa
mailing list