Overall question
What is preventing the uptake of MAC systems such as SELinux/AppArmor in corporate and desktop computing environments?
Why do you think it isn't already widespread?
I do not count "available in the operating system" as "widespread". Windows actually has a native POSIX emulation layer, but very few Windows systems have it installed and running. Many Linux distributions have packages for AppArmor and SELinux, but to my knowledge only Fedora and subsequently RHEL ship with these enabled and the default behaviour is only to constrain system services - Fedora, for example, supports unconfined_t - no prizes for guessing what that does.
In addition, many commercial vendors of Linux products say they "do not support SELinux" and I've seen frequent forum references in my pre-Stack Overflow days and indeed many blog posts suggesting that "fixing" SELinux basically involves turning it off.
Background
I categorise access control into two types:
- User-only access control systems such as DAC and RBAC. In these models, each user has a set of privileges and these are inherited by any software or application running by that user.
- Mandatory access control (MAC) systems, where each application has its own set of privileges which may or may not be combined with the user level privileges as appropriate.
The reason I ask is this: if I want to compromise a system under the first model, it is pretty much a two step process. Firstly, find a vulnerable entry point that allows me to execute arbitrary code and two, find a vulnerable privileged process from that starting point to allow me to escalate my privileges. If the vulnerable entry point is also privileged, so much the better.
But this raises the question: why do these applications need access to everything the user has access to? Take for example Firefox. It has some shared libraries (or DLLs, if you're on Windows) it needs to load and it needs to be able to load profile information and any plugins, but why should it be able to read my entire /usr tree, or enumerate all processes my user is currently running? It might well want write access to /home/ninefingers/Downloads, but it doesn't need access to /home/ninefingers/Banking, for example. More to the point, it doesn't need to be able to start a new instance of a privileged process with corrupt input, or be able to send messages to a setgid process via local sockets.
Now, to some extent we have a semi-working solution. On Linux, many system daemons (services) actually drop privileges and are run as separate users which cannot log in interactively (with a shell - use /bin/false or /sbin/nologin as shells), which works to an extent, except that any file can only have owner, group and other permissions (unlike Windows).
I realise also that there are some technical challenges to MAC, including the current X11 security model. Many Linux distributions do offer SELinux or AppArmor configuration and constrained daemons, but there doesn't appear to be much impetus for the desktop. Windows Vista supports Integrity Levels, but these are not particularly fine grained.
I am not so concerned with the idea of privilege levels within a domain - see this question asking for practical usage of such techniques and strategies, but more the idea that applications, just like users, should be subject to the principle of least privilege. The Invisible Things Lab blog post "The MS-DOS Security Model" makes many of the points I am concerned with, particularly with regards to desktop security.
I also think shipping MAC rules with each application would encourage better software development - almost like test driven development, if a rule is triggered that you aren't expecting, you know you potentially have a bug (or your rules are wrong).
Potential sub questions that might help answer the overall question
- Have you ever tried to implement Mandatory Access Control/appsec in a corporate environment? Was it ever discussed and abandoned and if so why? What I'm looking for is "what stopped you using it" if it was considered.
- Am I right? I clearly think MAC systems as I've described them help protect entry points against malware intrusion, but I'm open to arguments for other solutions to the problem or arguments that actually the current system works well enough.
- What are the impacts for usability (there are clearly some) and can they be mitigated?
- Can the hurdles with desktop integration be overcome?
- Are there any other middle-ground systems I may have overlooked?
- Why is there no concerted industry-wide effort to improve the appsec security situation, either via this method or via another alternative?
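The point made in the question about MAC rules acting like tests for an application (an unexpected rule trigger means either a bug in the program or a wrong rule) can be made concrete with a small triage script over the kernel audit log. The following is an added example, not code from the question or from the AppArmor project. The audit lines it parses are constructed for this example in the message format AppArmor emits; the `/usr/bin/firefox` profile name and the `/home/ninefingers/...` paths are illustrative, and the `INTENDED` map is a hypothetical statement of which path prefixes the developer meant the profile to allow. Events inside an intended prefix are reported as rule gaps (the shipped rules are wrong); events outside it are reported as suspicious (the program did something it was never meant to do).

```python
"""
Added example (not from the original question): parse AppArmor audit
messages and sort each confined application's denied accesses into
"rule gaps" and "suspicious" events. All log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of kernel audit lines in AppArmor's format.
# apparmor="DENIED" is an enforce-mode denial; apparmor="ALLOWED" is what a
# profile in complain mode logs for an access that would have been denied.
# The STATUS line is a profile load, not an access event.
SAMPLE_LOG = """\
type=AVC msg=audit(1300000001.001:101): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/home/ninefingers/Banking/statement.pdf" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000002.002:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/firefox" name="/home/ninefingers/Downloads/file.zip" pid=4242 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1300000003.003:103): apparmor="DENIED" operation="ptrace" profile="/usr/bin/firefox" pid=4242 comm="firefox" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1300000004.004:104): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" name="/proc/1/cmdline" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1300000005.005:105): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/firefox" pid=1 comm="apparmor_parser"
"""

# key=value or key="quoted value"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[m.group(1)] = value
    return fields


def summarise(log_text):
    """Group access events by profile.

    Returns {profile: {(operation, target): count}}, where target is the
    file name for file operations or the peer for ptrace/IPC events.
    """
    events = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "AVC" or f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # profile loads and other status lines are not accesses
        target = f.get("name") or f.get("peer") or "?"
        events[f["profile"]][(f["operation"], target)] += 1
    return {p: dict(e) for p, e in events.items()}


def triage(summary, intended):
    """Split events into rule gaps and suspicious accesses.

    `intended` maps profile -> path prefixes the developer meant to allow
    (hypothetical input for this example). A logged event inside an
    intended prefix means the shipped rules are missing something; one
    outside them means the program did something unexpected.
    """
    rule_gaps, suspicious = [], []
    for profile, evs in summary.items():
        prefixes = intended.get(profile, [])
        for (op, target), n in sorted(evs.items()):
            rec = (profile, op, target, n)
            if any(target.startswith(p) for p in prefixes):
                rule_gaps.append(rec)
            else:
                suspicious.append(rec)
    return rule_gaps, suspicious


# Hypothetical: what the developer intended the profile to reach.
INTENDED = {
    "/usr/bin/firefox": [
        "/home/ninefingers/Downloads/",
        "/home/ninefingers/.mozilla/",
        "/usr/lib/",
    ],
}

if __name__ == "__main__":
    gaps, sus = triage(summarise(SAMPLE_LOG), INTENDED)
    for rec in gaps:
        print("rule gap   :", rec)
    for rec in sus:
        print("suspicious :", rec)
```

Run against the constructed sample, the complain-mode write to Downloads is reported as a rule gap (the profile should allow it), while the read of the Banking directory, the ptrace of an unconfined process and the read of another process's /proc entry are reported as suspicious. In practice the same script would be fed the output of the audit daemon or the kernel log after running the application in complain mode during testing, which is the "test-driven" use of MAC rules the question describes.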