[Info-vax] Why not reimplement SEVMS into x86 OpenVMS?

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Nov 21 08:41:04 EST 2022


On 2022-11-18, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 11/17/2022 8:12 AM, Simon Clubley wrote:
>> On 2022-11-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 11/16/2022 9:47 AM, Michael C wrote:
>>>> Offer it free ...
>>>>
>>>> Would be fast to port ...
>>>>
>>>> Wouldn't that boost security until other features can be added?
>>>
>>> If mandatory access control is seen as important for security by
>>> customers and potential customers then it would make sense.
>>>
>>> But I am skeptical.
>>>
>>> The common threats today are just so much different than the
>>> common threats 30 years ago.
>>>
>> 
>> One major use is for helping to keep attackers contained after a
>> compromise occurs.
>> 
>> A good example is SELinux which applies this mindset to (by default)
>> server processes running on a Linux system.
>> 
>> This approach is still _very_ useful, regardless of how the initial
>> compromise occurred, and whether it was some new or old technique used
>> to carry out the initial compromise.
>
> But what is the specific scenario?
>
> Vulnerability 1 allows an attacker to change DAC protection
> on something that the attacker can then utilize via vulnerability 2,
> but MAC would prevent that?
>

You appear to be thinking in terms of files, Arne, and SELinux is way better
than even that. You seem to be thinking purely of stopping the compromise
in the first place (and SELinux certainly is a part of that), but if a
compromise occurs anyway, then SELinux can help to keep the compromised
code contained and isolated within a localised part of the system.

For example, SELinux restricts _which_ network ports a process can open.
If the process isn't allowed to open those ports normally, then any
hostile code running in that process is also restricted in what ports
it can open.

SELinux isn't just about files on disks, it's about protecting resources
in general and in SELinux, _each_ network port is just another resource
to be protected.

This is a _major_ improvement over what VMS can offer in terms of security.

> It could happen, but I don't see it as a common scenario.
>
> SELinux is certainly useful and relevant, but it does much
> more than SEVMS MAC.
>

Exactly. SEVMS MAC is limited compared to what SELinux can do.
For example, the last public documentation I could find showed no
integration of SEVMS into UCX, or TCP/IP in general, at all.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
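
The port confinement described in the message above, seen from the detection side, as an added example that is not part of the original post: a parser that pulls SELinux port denials (`name_bind`, `name_connect`) out of audit records and notes whether each was actually blocked. The log lines are constructed samples and the function name `port_denials` is hypothetical.

```python
import re

# Constructed sample audit records (not from the original post), in the
# format auditd writes for SELinux AVC denials.
SAMPLE_LOG = """\
type=AVC msg=audit(1669038064.101:411): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=40123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1669038065.220:412): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=40124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1669038066.007:413): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669038070.450:414): avc:  denied  { name_bind } for  pid=2300 comm="named" src=40125 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_PERMS = {"name_bind", "name_connect"}   # port is the protected resource
SOCKET_CLASSES = {"tcp_socket", "udp_socket"}

def port_denials(log_text):
    """Return one dict per AVC denial where a domain tried to use a port."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m.group("perms").split()) & PORT_PERMS
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        port = kv.get("src") or kv.get("dest")  # src for bind, dest for connect
        # Skip file and other non-port denials, and malformed records.
        if not perms or kv.get("tclass") not in SOCKET_CLASSES or port is None:
            continue
        events.append({
            "comm": kv.get("comm"),
            "domain": kv["scontext"].split(":")[2],     # type of the process
            "port_type": kv["tcontext"].split(":")[2],  # type of the port label
            "proto": kv["tclass"].split("_")[0],
            "perm": sorted(perms)[0],
            "port": int(port),
            # permissive=1 means the access was logged but NOT prevented.
            "blocked": kv.get("permissive") == "0",
        })
    return events

if __name__ == "__main__":
    for event in port_denials(SAMPLE_LOG):
        print(event)
```

A record with `blocked` set to False comes from a permissive domain or a permissive system, where the policy violation is logged but the process is not contained.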


