Attacks against AppArmor

Maybe Mrkvonic is asking who is actually attacking whom, as in directly attacking? I don't feel anyone has ever attacked me, personally, in a direct manner whatsoever. Maybe this is what he's getting at? Aren't most exploits just put out there for the majority of end users to stumble upon by chance, and then in that case there's usually a decision made by the potential victim on whether or not to allow the exploit to unleash itself along with its potential payload upon its victim, so this final trigger mechanism is in the hands of the end user?

I tend to understand what he's getting at when he implies most exploits are trivial. Very rarely in all the years I've been using a computer have I felt my security setup has actually been responsible for "saving" me from an exploit. The means of avoiding or incurring one has mostly always been in my control.

 

It's not vulnerability assessment, and it's not risk assessment, it's nothing of the kind. It has nothing to do with responsibility. This is entirely the realm of bad science fiction portrayed as drama. I guess I will stop being involved in these "security" arguments.

Mrk

 

According to you, no computer on earth has ever been cracked. No software has any vulnerability. It is all made-up and science fiction.

It must be nice living in such a fantasy world.

 

No further argument from me.

Even simple reasoning on the discussed topic fails here.

We were talking about Apparmor attacks.
Your conclusion is: according to you, no computer ...

Lovely.

No one talked about computers.
No one talked about any software.
No one talked about cracking.

And here, in this Apparmor discussion, it's all one big ********.

The difference between me and people afraid of security is that I have the tools to decide what constitutes a valid threat, and 99.9% of all security ******** out there is diarrhea in digital form.

Most of the security companies are selling you fear.

Final word from me on sci-fi topics.

Cheers,
Mrk

 

I think the issue is that people aren't asking "will I be attacked?" they're asking "will this attack work?". I don't think that makes them afraid, really. I don't think anyone on this site is very afraid, I think it's a lot of people who want to learn based on interest and not fear.

Anyways, as for your security tools, I doubt their abilities as your conclusions on Flame and X keylogging were just as dismissive (despite Flame being a multi million dollar project that included a hash collision and X keylogging being very well documented despite it not being used in attacks). Can you really deny that you consistently play down threats as non issues? Really just a rhetorical question, just something to leave out there.

If that's the final word, so be it. I actually feel very much the same way - it's all stopped being a fun discussion or much of an outlet. Opinions are out there, people can read them if they like and draw their own conclusions.

 

No one talked about computers? No one talked about software? What do you think AppArmor is? It is software that runs on a computer.

I don't think anyone is saying any of these attacks are likely. Someone asked if bypassing AppArmor was possible. Someone else then posted an exploit. I explained that the exploit could work, but it is unlikely to be a threat in practice.

No disagreement from me. But this isn't a topic about security companies, not is it a discussion about AV software (which I think is a scam). This is a discussion about possible bypasses of LSM. Such bypasses are possible (I don't care if you live in denial). I can post links, exploits and proof if you would like.

 

That's my feeling exactly. I actually find the approach taken by Mrk and others of similar mindset (there aren't many in these forums ) to be refreshing in a way and even a reminder sometimes not to get overly immersed in the technicalities of the threats out there, including many of the recent ones being hyped by the media such as the Java exploits, although it might be beneficial to those skeptical of the calm, cool and reflective approach, if some sort of explanation is given as to why something is regarded as "trivial" or "science fiction" or "media hype". Otoh, I also like to know how, exactly, some of these threats could compromise a machine, mainly because I do find it interesting and intriguing - I'm not at all afraid, it's just a sort of hobby, and because I can then implement my own security in such a way as to avoid the threats with as little impact on performance as possible. Thus is the reason I utilize built-in O/S measures as much as possible.

 

Until we have proof of concept code or at least documentation of a working example so anyone can reproduce of someone remotely exploiting a working OS we are talking purely hypothetical situation.

We have a very specific local exploit that no one has confirmed even works (what versions of Linux, what versions of Apparmour are affected ?!?).

It would require an remote exploit or some social engineering as an attack vector to gain access to deliver this exploit - where are the examples of this ?

About the only thing we can do is report the issue to the Apparmour devs.

 

There are plenty of examples of LSM bypasses. LSM includes SELinux, AppArmor, SMACK and others. How is this possible? Because LSM runs in the kernel. If you find a kernel exploit, then bypassing LSM is trivial. It depends on a number of factors, but it can and has been documented.

Brad Spengler has found and demonstrated a number of such bypasses (and he is not alone, others have done the same). https://www.youtube.com/watch?v=UdkpJ13e6Z0

Now, is this likely to be a threat to Joe Average desktop user in practice? No. Not likely. That is unless you are a high value target and someone is dedicated to breaking your box. If that's your threat model, then you have to take such things into consideration.

 

What I'm asking for is the conditions in which this exploit will work. The quote above makes it sound like perhaps you understand those conditions. Can you share them with us?

What are just a few of the million factors?

The attacker needs to be at my machine to execute this? If that's the case then I am not concerned in the least about this particular attack because I control physical access to my machine at all times. Easy.

 

I was talking about this specific exploit.

That is so true.