Re: [OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 3 Sep 2004 03:07, Linas Vepstas <linas@xxxxxxxxxxxxxx> wrote:
> Well, here's another idle question, again off-topic: Does SELinux provide
> any sort of assurances that storage media weren't tampered with between
> reboots?

No, that is outside the scope of the SE Linux project.

I am one of the many people in Red Hat who are involved in working on crypto 
block device support.  One of my own systems has a root file system that is 
AES encrypted with the kernel and initrd (which includes the decryption key) 
on removable media.  Eventually I want to see this become a standard feature 
of Fedora, maybe in FC4.  I think it will address most of what you want in 
this regard.

Note that the NSA guys do not talk to me about any security stuff, so I don't 
expect them to have any involvement in such things.

> For example, with BIOS/firmware getting more sophisticated over time,
> there's potential for an attacker to break in, remotely, into
> bios/firmware, shortly before booting into the OS, and then alter
> disk contents.  Yes, I know this is far-fetched, but was just curious.

When booting from removable media that contains the decryption key the attack 
scenario would be to replace the BIOS with one that sends everything it reads 
from disk (IE everything that the boot loader reads) over an Ethernet 
interface.

A trojan BIOS that modifies the kernel during the boot load process to 
introduce a security hole would be doable if you have adequate resources.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux