Dan Walsh's Blog

Got SELinux?

So does SELinux really stop any attacks?
danwalsh
Tresys Corporation is tracking some of the known past vulnerabilities that SELinux has thwarted.

You can read about them at

http://tresys.com/selinux/

One key feature of SELinux is the confinement of executable memory. This stops applications from having memory that is both executable and writable at the same time. A lot of attacks on computer software involve a coding mistake that allows writing memory beyond the end of an allocated buffer, called a buffer overflow. So a cracker finds a piece of code that allocates less space than the code can write. The cracker tricks the application into writing his data into the overflowed buffer. Finally he attempts to get the application to execute the buffer that he has just written. SELinux executable memory checks in the kernel prevent this.

While we have attempted to turn these checks on for the unconfined user in the past, we have had mixed success, because badly written applications break. But for almost all confined applications these checks are turned on. So if a vulnerability exists in a confined application that involves a buffer overflow, most likely SELinux will prevent it from being exploited.
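As an added example (my own, not code from Dan's post), here is a small C probe an administrator can run inside a confined domain to confirm that the executable-memory check described above is actually in effect there: it asks the kernel for writable-plus-executable memory in the two ways the post describes and reports whether the request was allowed or denied. It assumes a Linux system with glibc; whether the result is "denied" depends entirely on the policy the caller runs under.

```c
/* Added example, not code from the post: probe whether the current SELinux
 * domain may hold memory that is writable and executable at once (the
 * process:execmem check).  A denial also appears as an AVC in the audit log. */
#define _DEFAULT_SOURCE          /* MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum probe { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_ERROR = 2 };

/* Anonymous mapping requested as W+X up front: without execmem the
 * mmap() itself fails with EACCES. */
enum probe probe_mmap_rwx(void)
{
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) { munmap(p, len); return PROBE_ALLOWED; }
    return (errno == EACCES || errno == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}

/* The sequence the post describes: data lands in a writable buffer, then
 * something tries to make that buffer executable.  SELinux applies the
 * execmem check to mprotect() too, so it is the second step that fails. */
enum probe probe_write_then_exec(void)
{
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    memset(p, 0, len);               /* the "write" step; nothing is ever executed */
    int rc = mprotect(p, len, PROT_READ | PROT_EXEC);
    int err = errno;
    munmap(p, len);
    if (rc == 0) return PROBE_ALLOWED;
    return (err == EACCES || err == EPERM) ? PROBE_DENIED : PROBE_ERROR;
}
const char *probe_name(enum probe r)
{
    return r == PROBE_ALLOWED ? "allowed (execmem granted, or no check)"
         : r == PROBE_DENIED  ? "denied (execmem check in effect)"
                              : "error (unrelated failure)";
}
int main(void)
{
    printf("anonymous RWX mmap():        %s\n", probe_name(probe_mmap_rwx()));
    printf("RW mapping then mprotect(X): %s\n", probe_name(probe_write_then_exec()));
    return 0;
}
```

Run it once from an unconfined shell and once under the domain you are auditing (for example via runcon); a confined domain that reports "allowed" for either probe has execmem granted and gets none of the protection the post describes.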



not selinux

(Anonymous)

2008-04-05 02:28 pm (UTC)

That's the PaX/Exec Shield feature (which is usually used at the same time as SELinux, but also with other solutions like grsec, RSBAC, etc.)

Re: not selinux

(Anonymous)

2008-04-05 02:45 pm (UTC)

In reply to the anonymous poster above: the execmem, execheap, and execstack perms are not the same as PaX/Exec Shield. Plenty of information is available via Google regarding the difference between the two.

Thanks for directing me to that list. I see my Linux Journal article on Mambo on the list.

Hi Dan!

To prevent buffer overflows, can SELinux do this automatically? Or do we need to understand which argument we can use when we write a policy?

Because, if I write a policy for an application that is not confined by default, and (logically) I want to prevent buffer overflows for this specific application, do I need to know "which" key rules to insert in my policy? Or does SELinux prevent it automatically?

I think I have been clear.

Thanks in advance,

Bye,