Re: [fw-wiz] Proxy and Stateful together ??

From: Crispin Cowan (crispin@wirex.com)
Date: 11/16/02


From: Crispin Cowan <crispin@wirex.com>
To: Bennett Todd <bet@rahul.net>
Date: Sat Nov 16 18:48:30 2002


Bennett Todd wrote:

>Given the difficulty finding really first-rack top quality secure
>application-layer proxies, I think SELinux is coming to be an
>exceedingly attractive platform for building these gizmos, since it
>offers some helpful tools for sandboxing less-perfectly-trusted
>daemons. I'd also be tempted to mix in some of the canary stuff from
>Immunix (StackGuard and all that).
>
Immunix was designed to build these kinds of secure appliances. Our
SubDomain feature does the same kind of sandboxing that SELinux does,
but the sandboxing abstraction is much simpler:

    * SELinux: general purpose framework for mandatory access control
      (MAC) including features such as role-based access control (RBAC).
    * SubDomain: appliance-oriented MAC that lets you specify the file
      access that should be granted to each program.

SubDomain's simplicity makes it faster and easier to profile
applications. This allowed us to very quickly profile a bunch of highly
vulnerable and undocumented applications and CGI scripts in the 2002
Defcon Capture-the-Flag game http://news.com.com/2100-1001-948404.html

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"