FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor


 
 
LinkBack Thread Tools
 
Old 07-09-2008, 04:59 PM
David
 
Default SELinux DoS?

Hey Guys!

Some colleagues and I tested the behavior of SELinux due to a project on
the university. So we wrote a little test program and the necessary
policies.
Overall it works fine, but we build in a bug in our test program which
offers the exploitation through a stack based buffer overflow.
When we tried to getting a root shell based on this bug (the demo tool
has set suid bit), SELinux prevents the execution of the shell, but the
demo program will not be quitted.
It hangs at the point of trying to open the shell and SELinux writes
endless log entries to /var/log/audit/audit.log.


We assumed that this behavior will occur due to following actions:

- demo tool tries to open a shell via shellcode, occurred through a
buffer overflow.

- selinux prevents this execution.
- the function-call in demo tool tries to jump back to the return address,
- but the address is overwritten through the bof.
- so, it jumps to the buffer and tries to open a shell again.
All together in a endless loop.

This behavior seems to be alright from technical aspect, but should this
be the behavior of selinux? Or is there an option which instructs
selinux to kill processes which tries pass over there contexts too often?


For instance, this manner could be easy used for DoS Attacks. Our tests
exhibits that the execution of many demo program instances will make the
system unusable.

Any ideas about this behavior, or any solution?


David

(Tested on FC9.)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-09-2008, 06:12 PM
Stephen Smalley
 
Default SELinux DoS?

On Wed, 2008-07-09 at 18:59 +0200, David wrote:
> Hey Guys!
>
> Some colleagues and I tested the behavior of SELinux due to a project on
> the university. So we wrote a little test program and the necessary
> policies.
> Overall it works fine, but we build in a bug in our test program which
> offers the exploitation through a stack based buffer overflow.
> When we tried to getting a root shell based on this bug (the demo tool
> has set suid bit), SELinux prevents the execution of the shell, but the
> demo program will not be quitted.
> It hangs at the point of trying to open the shell and SELinux writes
> endless log entries to /var/log/audit/audit.log.
>
> We assumed that this behavior will occur due to following actions:
>
> - demo tool tries to open a shell via shellcode, occurred through a
> buffer overflow.
> - selinux prevents this execution.
> - the function-call in demo tool tries to jump back to the return address,
> - but the address is overwritten through the bof.
> - so, it jumps to the buffer and tries to open a shell again.
> All together in a endless loop.
>
> This behavior seems to be alright from technical aspect, but should this
> be the behavior of selinux? Or is there an option which instructs
> selinux to kill processes which tries pass over there contexts too often?
>
> For instance, this manner could be easy used for DoS Attacks. Our tests
> exhibits that the execution of many demo program instances will make the
> system unusable.
>
> Any ideas about this behavior, or any solution?

That's not really a selinux issue per se, but rather an audit issue.
auditctl does have a ratelimit option (-r) to throttle audit, and you
can put default rules you want applied at startup
into /etc/audit/audit.rules. You could also write an audit backend
(using audispd to dispatch events to it) that would detect such flooding
and possibly kill the responsible party, although danger lurks there.

Executable stack should/could have been mitigated by execshield and by
the selinux execmem/execstack controls if applied.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 05:26 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org