Re: [fw-wiz] Proxy and Stateful together ??

From: Crispin Cowan (
Date: 11/16/02

From: Crispin Cowan <>
To: Bennett Todd <>
Date: Sat Nov 16 18:48:30 2002

Bennett Todd wrote:

>Given the difficulty finding really first-rack top quality secure
>application-layer proxies, I think SELinux is coming to be an
>exceedingly attractive platform for building these gizmos, since it
>offers some helpful tools for sandboxing less-perfectly-trusted
>daemons. I'd also be tempted to mix in some of the canary stuff from
>Immunix (StackGuard and all that).
Immunix was designed to build these kinds of secure appliances. Our
SubDomain feature does the same kind of sandboxing that SELinux does,
but the sandboxing abstraction is much simpler:

    * SELinux: general purpose framework for mandatory access control
      (MAC) including features such as role-based access control (RBAC).
    * SubDomain: appliance-oriented MAC that lets you specify the file
      access that should be granted to each program.

SubDomain's simplicity makes it faster and easier to profile
applications. This allowed us to very quickly profile a bunch of highly
vulnerable and undocumented applications and CGI scripts in the 2002
Defcon Capture-the-Flag game


Crispin Cowan, Ph.D.
Chief Scientist, WireX            
Security Hardened Linux Distribution:
Available for purchase:
			    Just say ".Nyet"

Relevant Pages

  • Re: XP Roaming Profile Issue
    ... This behavior is because the applications are installed either by another ... The profile ships up and down to the ... > For example if they sit at a newly imaged machine and installs all their ... > with the user and is poulated with the respective application settings. ...
  • Re: [PATCH v2] fs: block cross-uid sticky symlinks
    ... 1.We have things like SELinux so you can write rules to bound apps ... impact on applications). ... SELinux or similar rules you could create a single exception rule. ... kernel is a single solution to the entire class of vulnerability. ...
  • Re: [RFC][PATCH 3/6] SLIM main patch
    ... currently available in selinux. ... just to support this one model. ... applications seem to do a fixed set of operations in a fixed domain, ... So I will not be able to print my private key? ...
  • Re: Pull report with or without relationships
    ... >My customer wants the report to show the Employee Profile with applications ... >if applications exisit OR the Profile alone. ... default join for any new query you create using these two ...
  • Re: Capsicum project: Ideas needed
    ... As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base ... the following applications were sandboxed during initial ... I have added sandboxing to syslogd, because this is also a critical ... I'm not too familiar with the operation of capsicum, but in general anything with untrusted input can be worth sandboxing, especially in a server environment. ...