[Apparmor-dev] AppArmor Security Goal 0.5
Crispin Cowan
crispin at mercenarylinux.com
Thu Nov 8 11:50:20 MST 2007
John Johansen wrote:
>> AppArmor is intended to protect systems from attackers exploiting
>> vulnerabilities in applications that the system hosts. The threat is
>> that an attacker can cause a vulnerable application to do something
>> unexpected and undesirable. AppArmor addresses this threat by confining
>> the application to access only the resources it needs to access to
>> execute properly, effectively imposing "least privilege" execution on
>> the application.
> Sorry, this just strikes me as the wrong focus. AppArmor is not about
> protecting a system from attackers.
I don't understand this aversion. Talking about what the attacker might
do and how you can mitigate it is standard in the security literature.
If there is no attacker, then there is no need for security, so stop all
this crap. Mechanisms to stop a benign fault instead of a malicious
attack are very different.
> It is about containment (sandboxing)
>
If we are going to get all picky about it, AA is not sandboxing.
Sandboxing is where you make a private copy of stuff the confined app is
going to use and then confine it, chroot and Java applets being the
canonical examples. AppArmor is access control. If anything, one could
say that AppArmor is a targeted policy access control system, but I
dislike using a term that the SELinux community invented for something
they see as weak.
> which can limit what a program can access under legitimate uses,
> and contain damage done by a misbehaving program. Attackers can
> make a program misbehave, and the containment may actually stop an
> attacker, as a given attack may rely on resources that are not
> available.
>
Which is the whole point of doing it. AA is far too much trouble to be
worth it for any other purpose.
> I would like to see this document try to avoid the nebulous attacker
> and instead focus on containment. Something more along the lines
> of
>
> AppArmor is intended to provide a sandboxing solution that can limit
> and control the resources accessible to an application. The reduced
> set of accessible resources allows for tighter control on program
> behavior, allowing for the restriction of traditionally acceptable
> behavior in situations where it is not desirable and containment
> of damage that can be done by a misbehaving program.
>
I fundamentally disagree. Security is about protecting you from threats,
and the above misses the point.
>> * AppArmor does not slice bread, cure cancer, bring world peace, or
>> provide perfect security. This list may be expanded :-
> While I responded with the perfect security snipe, I didn't actually
> intend it to end up in this document and would prefer it was removed.
> Looking at the preceding list of what AA does not address, it is
> blatantly obvious that AA does not provide perfect security.
>
I'll take that clause out again, but I want to leave in the silly
caveat, as it makes an important point, which is the "does not" list is
incomplete, and cannot be made complete.
Crispin
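As an added illustration of what "confining the application to access only the resources it needs" and "access control, not sandboxing" look like in practice (this profile is not from the thread or from the AppArmor project's shipped profiles; the daemon name, paths and port usage are made up for the example):

```apparmor
# Hypothetical profile for /usr/local/bin/example-daemon (constructed example).
# AppArmor is default-deny inside a profile: anything not listed below is
# refused and logged, so the profile is the list of resources the program
# legitimately needs, not a list of things to forbid.
#include <tunables/global>

/usr/local/bin/example-daemon {
  # Shared libraries, locale data, /dev/null and similar basics every
  # dynamically linked program needs.
  #include <abstractions/base>

  # Configuration is read-only; a compromised daemon cannot rewrite it.
  /etc/example-daemon/** r,

  # State and logs are the only places the daemon may write.
  /var/lib/example-daemon/** rw,
  /var/log/example-daemon/*.log w,

  # It serves TCP clients and binds a privileged port, nothing more:
  # no raw sockets, no other capabilities.
  network inet stream,
  capability net_bind_service,

  # Explicit deny rules are redundant under default-deny, but they silence
  # the audit log for accesses that are expected to be attempted and refused,
  # and they document the intent for the next person reading the profile.
  deny /etc/shadow r,
  deny /home/** rwx,
}
```

Note what the profile does not do: it does not give the daemon a private copy of the filesystem (as chroot would) or a separate interpreter (as a Java applet sandbox would). The program sees the real `/etc/example-daemon` and writes to the real `/var/log`; the kernel simply refuses every open, exec or socket call outside the listed set. That is the distinction drawn above between access control and sandboxing, and it is also why an attack that depends on, say, reading `/etc/shadow` or executing a dropped file under `/home` fails against a confined process even when the application-level vulnerability is real. An administrator can check that a loaded profile matches this intent with `aa-status` (which profiles are loaded and in enforce or complain mode) and by reviewing the `apparmor="DENIED"` audit records the kernel emits for refused accesses.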