Because you can't trust the programs you run to act as you expect. In most cases, when you run a program it is authorised to do anything you can do. Malware and vulnerabilities in software can lead your programs to use your privileges to act maliciously.
FBAC-LSM is a security extension for Linux. It restricts programs based on the functionality you want them to provide. You specify high-level goals such as "Web Browser" and some application-specific information (which can usually be automated), and FBAC-LSM then stops the programs from misbehaving. See the demonstration.
Currently FBAC-LSM is in the early stages of development. It is functional, but it is unstable. FBAC-LSM has been developed on OpenSUSE 10.3, and is developed against this earlier version of the kernel with the AppArmor LSM extensions. In the future FBAC-LSM will be compatible with the new LSM interface.
It is also possible to use the user-space tools on just about any Linux system (with Qt4 installed) to get a feel for how FBAC-LSM works without installing the LSM to enforce policy. There are multiple ways you can test what is authorised by a policy, or to simulate program activity. There is currently limited support for managing AppArmor using FBAC-LSM tools.
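As an added illustration of the idea (not FBAC-LSM's own code or policy format), here is a small Python model: a functionality such as Text_Editor is a bundle of parameterised path rules, an application is assigned functionalities plus its own parameter values, and accesses are then simulated against the resulting policy in an enforce or complain mode. The functionality names, the @{name} parameter syntax and the AppArmor-style wildcard behaviour are assumptions for this model.

```python
import re

# Illustrative model, not FBAC-LSM's real policy format or code: a functionality
# is a high-level goal built from path rules whose @{name} placeholders take
# application-specific values. Wildcards are assumed to behave like AppArmor's:
# "*" stays within one path component, "**" also crosses "/".
FUNCTIONALITIES = {
    "Text_Editor": [("rw", "@{documents}/**"), ("r", "/usr/share/**"), ("rw", "@{config}/*")],
    "Web_Browser": [("r", "/usr/share/**"), ("rw", "@{cache}/**"), ("w", "@{downloads}/*")],
}

def glob_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def expand(pattern, params):
    for name, value in params.items():  # fill in the @{name} parameters
        pattern = pattern.replace("@{%s}" % name, value)
    return pattern

class Policy:
    def __init__(self, program, functionalities, mode="enforce"):
        self.program = program                  # the confined application
        self.functionalities = functionalities  # [(functionality name, {param: value})]
        self.mode = mode                        # "enforce" denies; "complain" allows but logs

    def authorised(self, op, path):
        """True if any rule of any assigned functionality grants op on path."""
        return any(op in perms
                   and re.fullmatch(glob_to_regex(expand(pat, params)), path)
                   for name, params in self.functionalities
                   for perms, pat in FUNCTIONALITIES[name])

    def simulate(self, op, path):
        """Simulate one access: returns (allowed, audit message or None)."""
        if self.authorised(op, path):
            return True, None
        return self.mode == "complain", "%s mode: %s %s %s not authorised" % (
            self.mode.upper(), self.program, op, path)

# Constructed example: KWrite confined to the Text_Editor functionality only.
KWRITE = Policy("kwrite", [("Text_Editor", {"documents": "/home/alice/Documents",
                                             "config": "/home/alice/.kde/share/config"})])
```

Note that `@{config}/*` only grants files directly inside the config directory, while `@{documents}/**` covers the whole subtree, which is the distinction the single and double wildcards exist for.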
Currently FBAC-LSM is only available as source (see the next section for download instructions).
Please report your experiences.
Grab the source using git from:
git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm
Using Linux you can pull a copy of the repository (which includes code and policies) to your computer using the command:
git clone git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm
There is lots to be done, and no matter your expertise you can be of assistance. Check out the TODO file.
Some more information is available on the FBAC-LSM development sourceforge project page.
Send patches, files or comments to the (very quiet) public mailing list fbac-lsm-general at lists.sourceforge.net (subscribe here) or to z.cliffe at schreuders.org
Developing FBAC-LSM takes a lot of time. Please consider making a $5 donation to support continuing development.
FBAC-LSM (pronounced: Eff-back L.S.M.) is named after the security model FBAC and the LSM security framework. FBAC stands for Functionality-Based Application Confinement. The Linux Security Module (LSM) framework allows the Linux kernel to be extended with additional security features. An important component of FBAC-LSM is its Linux Security Module; FBAC-LSM also includes user-space tools. I realise the name FBAC-LSM is not catchy. One day it will probably be renamed.
I (Z. Cliffe Schreuders) created FBAC-LSM for my PhD research. I am currently looking for people to help develop FBAC-LSM further. Here is a list of all the people who have contributed code to FBAC-LSM so far:
Z. Cliffe Schreuders
Adric Schreuders
I would also like to acknowledge my supervisors who helped with guidance during my research:
Christian Payne
Associate Professor Tanya McGill
A detailed explanation of the graphical interface with screenshots.
White paper: FBAC-LSM User Interaction. Check out the published papers and conference presentations.
These videos give an overview of how FBAC-LSM works and demonstrate how it is used.
LCA2010 (linux.conf.au) presentation:
Gives an overview of the problems with previous approaches to application-oriented access controls, explains how the new approach (FBAC-LSM) works, and gives a live demo of using FBAC-LSM to confine a Trojan horse.
This presentation was received well, was of interest to many of the attendees, and resulted in ongoing discussions after the conference. There were more people in the room than are visible in the video :)
Open in a new window, with further presentation details and the option to download.
Highlights some key points: the main components a policy is made up of, where policy is stored on disk, how the path-based pattern-matching wildcards work (similar to AppArmor wildcards), the enforcement modes that policies can be in, the steps for confining applications, and some helpful commands.
Demonstration: (opens in a new window to play)
Note that once the program has been confined, the damage it could cause in the event of software vulnerabilities or malware is severely limited. This example confines the program KWrite, a text editor, to only allow access to particular files. KWrite is not a particularly high-risk target - although it is safer not to trust programs when possible - and this demo illustrates how policies can be created to confine applications.
FBAC-LSM now provides new automation features not covered in this video.