Monthly Archives: August 2007

SELinux Policy Wizard

Dan Walsh has published an article on his SELinux policy generation wizard at Red Hat Magazine.

[Image: SELinux policy wizard GUI]

The article is a great introduction to the modern SELinux policy development environment, while the tool itself demonstrates how high-level abstractions are the key to SELinux usability.

In this case, the sysadmin is provided with a set of questions about the application to be confined, and makes selections based upon patterns which are commonly encountered in similar applications. Some further questions are asked, such as which ports the application might use, and then a loadable policy module is generated.

If you want to try the tool for yourself, you’ll find it in current RHEL 5 and Fedora 7, runnable via system-config-selinux.

Linux Journal: Mambo Exploit Blocked by SELinux

Linux Journal have published an interesting article, Mambo Exploit Blocked by SELinux, by Richard Bullington-McGuire.

Mambo is a CMS written in PHP. At some point, the code was vulnerable to a worm, which breached Richard’s system. His article details how this breach was both detected and contained by SELinux, running the default targeted policy under RHEL4.

It demonstrates one of the core goals of SELinux, which is to prevent flawed software from being exploited by malware. In this case, the payload was delivered into the system via a third party PHP application, but was then prevented from doing any damage.

The article is also useful generally as an example of computer forensics procedures.

Robert Watson on System Call Wrappers

Even though it is fairly well known that system call wrappers are dangerous, many security schemes continue to use them, including several well-known commercial security products from major vendors.

Briefly, the technique involves intercepting user requests at the system call level, then performing some security function and perhaps failing the call. A common example is re-vectoring the system call table so that a virus scanner is invoked when a file is opened. The Linux system call table was unexported long ago to discourage such use, although there’s no way to actually prevent it.

There are many problems with such techniques. One significant class arises from the combination of concurrency and the gap in time between when an object is checked and when it is used. For example, an application may subvert the security mechanism by passing clean data to be checked, then replacing it with malicious data before it is used. This is called a Time of Check to Time of Use race, or TOCTTOU.

Robert Watson, of FreeBSD and TrustedBSD fame, recently presented a good paper on the topic, which he discusses here: USENIX WOOT07, Exploiting Concurrency Vulnerabilities in System Call Wrappers, and the Evil Genius.

In the paper, problems with system call wrapping are comprehensively detailed, while the slides also include several examples of exploit code.

One interesting case, which I think would surprise many, is the ease with which sudo could be subverted.

With Sudo on MP systems, the window for execve() arguments was over 430K cycles. We were able to successfully exploit this vulnerability, replacing command lines so that they were incorrectly logged, masking all further attacker activity in the audit trail.

The paper also discusses ways to mitigate the problem, including not using system call wrapping at all and instead integrating mediation directly into the kernel, which is what SELinux does.
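To make the check-to-use window concrete, here is an added user-space model of the race (my own illustration, not code from Watson’s paper or slides). The policy, the paths and the “attacker” are all constructed; the second thread is modelled as a hook invoked inside the window so the outcome is deterministic. The vulnerable wrapper checks user memory and then lets the kernel copy the argument again; the mitigated version copies the argument once and checks the copy it will use, which is the property in-kernel mediation gives you.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATHLEN 64

/* Shared "user memory" holding the pathname argument of a call. */
static char user_arg[PATHLEN];

/* Hook standing in for a second thread that runs during the window. */
typedef void (*window_hook)(void);

static void set_user_arg(const char *path) {
    snprintf(user_arg, sizeof user_arg, "%s", path);
}

/* Constructed policy: only paths under /tmp/ may be opened. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Vulnerable pattern: the wrapper checks user memory, then the kernel
 * copies the argument from user memory a second time. Anything that
 * changes user_arg in between is used without ever being checked. */
static bool open_via_wrapper(window_hook during_window, char *used) {
    if (!policy_allows(user_arg))            /* time of check */
        return false;
    if (during_window) during_window();      /* another thread runs here */
    snprintf(used, PATHLEN, "%s", user_arg); /* time of use: a fresh copy */
    return true;
}

/* Mitigated pattern: copy the argument once, check the copy, use the copy.
 * Mediation inside the kernel checks the kernel's own copy in this way. */
static bool open_in_kernel(window_hook during_window, char *used) {
    char copy[PATHLEN];
    snprintf(copy, sizeof copy, "%s", user_arg); /* single copy-in */
    if (!policy_allows(copy))
        return false;
    if (during_window) during_window();      /* user memory may change... */
    snprintf(used, PATHLEN, "%s", copy);     /* ...but the kernel ignores it */
    return true;
}

/* Constructed second thread: swaps the argument inside the window. */
static void swap_argument(void) {
    set_user_arg("/srv/protected/data");
}

/* True when the call succeeded with a path the policy forbids. */
static bool bypassed(bool (*call)(window_hook, char *)) {
    char used[PATHLEN];
    set_user_arg("/tmp/harmless");
    return call(swap_argument, used) && !policy_allows(used);
}
```

Running bypassed() against each variant shows the wrapper admitting the swapped path while the copy-once version opens the path it actually checked.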

FOSS.IN/2007 Announced

The 2007 FOSS.IN conference has been announced, and will take place in Bengaluru from December 4-8.

It looks like they’re tightening their focus on community development and depth of talks, as discussed by Andrew Cowie.

There’ll be a HackCenter — an area set up specifically for people to work together — this is something I’d have found useful at many other conferences in the past.

I really hope to return to the conference this year, after not being able to make it for 2006.

[Image: foss.in logo]