Re: ANN: imsep 0.6



 --- "Gustavo J. A. M. Carneiro" <gjc inescporto pt> wrote: 
> Thu, 2004-10-21 at 02:29 -0400, Colin Walters wrote:
> > Hi,
> > 
> > I'd like to announce the first release of a little project called Imsep.
> > The goal, in short, is to completely isolate image loaders using
> > SELinux, so that a compromised or buggy image loader can do essentially
> > nothing.   It's designed for the "targeted" SELinux policy to be
> > released with Fedora Core 3.
> > 
> > I've put up a little web page here with slightly more information:
> > 
> > http://web.verbum.org/imsep/
> > 
> > The source includes a sample SELinux policy.
> > 
> > For people reading on the GTK+ list: I've created an initial patch to
> > make gdk-pixbuf use imsep, it seems to work:
> > 
> > http://web.verbum.org/imsep/download/gdk-pixbuf-imsep-0.6.patch
> > 
> > The GDK_PIXBUF_FORMAT_REQUIRES_LOAD feels like a hack, but I didn't see
> > a better alternative.
> > 
> > Comments welcome.
> 
>   What about DoS attacks?  If I accidentally attempt to load an image
> from the network, that image could be very large, consequently
> monopolising the imsep process, thus denying other applications of its
> services for a while.
> 
>   Another issue is, doesn't this introduce additional delay?  Maybe this
> module should only be invoked (explicitly) for content coming from
> untrusted sources.  You mention something about icon loader not using
> this.  Maybe not using imsep should be the rule, and not the exception.
> 

Note that the specs and ideas come from the folks that consider a "mathematically
proven to be correct and secure OS" developed by security cleared scientists
locked up to be more secure than a simple humble "mathematically proven to be
correct and secure OS". Simple things like reality just don't apply.

But more importantly - you can't simply run *one* imsep if you want to have any
actual benefit that way, you must keep data from programs with different rights
separate. Because otherwise an image loader with an exploitable image bug opens up
it all to inspection and modification by code from some web site. If you want to
have actual benefits from MLS & MAC, you need to be prepared to pay the price.
Otherwise you just pay most of it while not getting benefits.

>   Regards.
> 
> -- 
> Gustavo J. A. M. Carneiro
> <gjc inescporto pt> <gustavo users sourceforge net>
> The universe is always one step beyond logic.
> 

=====
Open Source - the religion of doing it right
