SELinux Protected Paths Revisited

Transcription

1 SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1,

2 Talk Topics Mechanism for MAC enforcement between 2 machines Labeled IPsec Protected Paths Are we ready? Distributed System MAC What else do we need? Claims Distributed enforcement: distributed, shared monitor Trust in that enforcement: trust representation Simplicity and scalability: can virtual machines help? 2

3 Mandatory Access Control Appl Appl Appl Linux Kernel SELinux Module MAC Policy 3

4 Mandatory Access Control Appl Appl Appl File X Linux Kernel SELinux Module MAC Policy 4

5 Network MAC System System X Appl Appl Appl Appl Appl Appl Linux Kernel SELinux Module MAC Policy Linux Kernel SELinux Module MAC Policy 5

6 Client-Server MAC Server Client Worker Appl Appl Server Appl Appl Appl Linux Kernel SELinux Module MAC Policy Linux Kernel SELinux Module MAC Policy 6

7 Location-independent MAC Base System Remote System Appl Appl Master Create New Appl Appl Linux Kernel SELinux Module MAC Policy Linux Kernel SELinux Module MAC Policy 7

8 Labeled IPsec Leverage IPsec Advantages Secure communication Easy to integrate to kernel MAC Add MAC Labeling to IPsec Control application access to IPsec channels Can only send/receive with MAC permission Results Application to application control is possible BLP controls between applications on different machines Applications can use labeling information Label child processes Part of Linux rc* kernel Will be in kernel 8

9 Client-Server Usage System System Worker Appl Appl Appl Appl Appl Appl OS Kernel Access Control Module MAC Policy OS Kernel Access Control Module MAC Policy (1) Black must be able to access green policy (among others) (2) Black can extract label of SA for socket (3) Prototyped using getsockopt(, SO_PEERSEC) 9

10 Get Peer Label TCP Is a socket connected? (TCP_ESTABLISHED) getsockopt(.. SO_PEERSEC..) dst_entry cache of socket (labeled SA) UDP Connectionless Set IP_PASSSEC socket option recvmsg now returns context as well For UNIX stream, dgram (soon) and INET stream, dgram Work by Catherine Zhang at IBM Research 10

11 Use Labels in Client Control Network Services vsftpd, xinetd Get label using TCP method Configuration Get xinetd to use labels based on configuration Storage Security Proxy-based Server proxy limits access based on client label Server is trusted Client proxy connects based on client label Client proxy processes need not be trusted 11

12 Distributed MAC Goal Protected Paths From Inevitability of Failure Direct, Authenticated Communication Integrity-preserved from input to output Get peer s label reliably Comparable to Authenticated IPC UNIX domain sockets Where are we relative to achieving protected paths for real? Are protected paths enough? 12

13 Protected Paths Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver 13

14 Protected Paths Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver MAC Label 14

15 Protected Paths Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver Attest MAC Label User 15

16 Protected Path Challenges User-to-Application Xserver Control Window Manager Control Application-to-OS Labeled IPsec Application Control Using Label OS-to-OS Reference Monitoring MAC Policy, Labeling Remote Attestation, Building Trust from Secure Hardware 16

17 Existing Solutions Distributed Policy Management E.g., Tivoli Access Manager, Microsoft Windows Domains Virtual Machine Systems NetTop Terra Logic of Authentication Taos and Secure Boot Trust Management Systems E.g., PolicyMaker, KeyNote, etc. Trust Negotiation 17

18 Secure Coalition System Recent IBM Technical Report -- RC23865 Work with J. McCune at CMU; S. Berger, R. Caceres, R. Sailer at IBM Research 18

19 Distributed, Shared Monitor Distributed, Shared Reference Monitor TPM attestation of each physical machine s reference monitor Common enforcement properties: monitoring, MAC policy 19

20 Virtual Machines Advantages Coarser-grained protections Coarser-grained policy Simpler reference monitor VM per application (simplify policy within VM) Challenges Dynamic policy (Yin and Wang, USENIX 2005) Doesn t fix user-to-user (Nitpicker s, ACSAC 2005) Translate into client-specific rights (finer-grained) Scalable construction, maintenance of trust 20

21 Building Trust Build Trust in Other System s Reference Monitoring And MAC Policy And Labeling of Subjects and Objects Why is this necessary? Internet-scale Register TPM and physical protection, but a different admin Administration errors Misconfiguration of a machine Malice Compromised platform Build trust from secure hardware up 21

22 Internet-Scale Distributed Systems Simple Langauge of Trust Limited by Reference Monitoring Properties Monotonic Reasoning Multiple Layers of Reasoning Machine Virtual Machine Coalition Building Systems to Test Soundness/Completeness Web Hosting Internet Suspend/Resume Distributed Computations -- Student Testing 22

23 Summary Aim: Network MAC to Distributed System MAC Have IPsec MAC controls What is an appropriate goal for distributed system MAC Protected Paths plus Remote Attestation plus Virtual Machines? Distributed, Shared Reference Monitor Several Challenges Remain Trust across systems Compatibility (policy, labeling) across systems Service awareness Building all the way to the user 23

24 Questions? Contact Trent Jaeger, Penn State SIIS Lab, siis.cse.psu.edu DSRM prototype report IBM Tech Report RC With McCune, Berger, Caceres, Sailer Linux kernel SELinux 24