RBAC Tutorial. Brad Spengler Open Source Security, Inc. Locaweb

Transcription

1 RBAC Tutoial Bad Spengle Open Souce Secuity, Inc. Locaweb

2 Oveview Why Access Contol? Goals Achitectue Implementation Lookup example Subject example Questions/Requests

3 Why Access Contol? Access Contol is just one pat of system secuity Useful tool, not a cue-all Moden mandatoy access contol uses decadesold technology and etains its antiquated assumptions See Labeled Secuity Potection Pofile (LSPP) Not Intenet-connected o even heteogenous Intanet-connected (3.3.4) No active attacke o caeless admin (3.3.0, 3.3.2) Basically only accidental downgade of sensitive info (4.1)

4 Why Access Contol? (cont.) Despite what Red Hat wants you to think, this is not the pupose of access contol:

5 Why Access Contol? (cont.) Often used as a last line of defense (memoy couption post-exploitation) Font line defense fo cetain bug classes (abitay file disclosue,../../../../etc/shadow) Typically not involved in educing TCB attack suface Pope sandboxes help hee, but sufficiently complex/efficient code will touch ae paths pef_counte()

6 Why Access Contol? (cont.) Paticulaly useful in combination with a hostile attack envionment NX, ASLR, othe useland hadening PaX can povide emoval of abitay code execution in memoy Access Contol can povide the same at the filesystem level

7 Goals Design aound Access Contol stengths in combination with anti-exploitation measues Potect entie system, not just specific fist-paty apps Don t ceate a famewok, ceate a system with specific intent Allows detection of stupid/wong usage and enables use education Human eadable, intuitive policy with undestandable eo messages and suggestions

8 Goals (cont.) Foce uses towad policies whee base ambient pemission is estictive and unpivileged Povide full-system leaning to automatically poduce secue policies Geneally bette than those a disto o use could ceate Tailoed to how softwae is used, not how it could be used in all configuations (inflation of ambient pemission)

9 Goals (cont.) Povide simple configuation fo leaning based on questions like what infomation is sensitive? Pefomance: < 1% impact SELinux claims 7% aveage hit, 10% hit on Apache

10 Files Sockets Resouces Capabilities Files Sockets Resouces Capabilities Achitectue Kenel modifications pefom policy enfocement and geneates leaning logs Useland tool pases and analyzes policy Policies have the following basic stuctue: Role 1 Role N Subjects Subjects

11 Achitectue - Roles Roles can be applied to a use o goup Eveything without a specific ole is given the default ole Abitay special oles can be ceated that can be enteed with optional authentication PAM-based authentication is also povided Access to a ole can be esticted by taintpopagated souce IP Maximum umask can be enfoced pe-ole

12 Achitectue - Subjects Subjects efe to binaies o scipts Nested subjects ae allowed: a subject whose policy is only applied when executed by anothe specified subject Subjects can inheit policy fom a moe geneic subject Allows to have a geneic subject fo unpivileged apps All othe subjects essentially show a diff of what makes them pivileged

13 Achitectue - Objects Objects ae files, sockets, esouces, capabilities, and PaX makings Files suppot access like ead, wite, execute, append-only, ceate, delete, hadlink, set suid/sgid, and hidden Can also ceate audit logs fo any of these accesses Sockets can be esticted by family (inet, netlink, etc) IPv4 sockets can be esticted by socket type, potocol, bind addess, connect destination, and pot

14 Achitectue Objects (cont.) Resouce policies oveide those set by setlimit() CPU time, memoy usage, max file size, etc Capabilities ae subsets of oot pivilege See False Boundaies and Abitay Code Execution ( PaX flag suppot allows mandatoy enfocement of PaX flags on use binaies o mandatoy emoval of flags fo poblem apps (e.g. PAX_MPROTECT on java)

15 Implementation Does not use LSM Histoy is inteesting initially a tojan hose to allow fo a commecial secuity module fom Immunix A decade late, still does not suppot stacking RBAC does much moe than the LSM inteface allows Meanwhile, gsecuity has emained compatible with all othe LSMs

16 Implementation (cont.) Gsecuity s RBAC system uses a combination of pathname and inode-based matching File objects suppot egula expessions, use anchos An ancho is the longest valid path component fom fs oot not containing a egex E.g.: /home/*/.ssh ancho is /home Inode/device pais ae detemined fo files that exist at enable time

17 Implementation (cont.) Non-existent files at enable time ae specially maked intenally Filenames ae kept stoed, used when ceating a file to find and instantiate the object Enables idea of policy eceation : an object s ules acoss all oles/subjects will pesist acoss deletion/enaming/e-ceation Filenames ae based on the system s default namespace, not pocess fs oot E.g. In a /sv1 choot, policy on and logging of a /bin/sh file will appea as /sv1/bin/sh

18 Implementation (cont.) Much talk in the past fom othe camps about insecuity of pathname-based matching Mostly aimed towad AppAmo (with some legitimate concens thee) Pitfalls of pathname-only matching: Rename Symlink Hadlink Mount

19 Implementation (cont.) Gsecuity s RBAC avoids poblems via hybid appoach Rename: equies ead/wite access on both the souce and destination name, ceate on new name (and delete if it exists), and delete on old name Symlink: Not followed by useland tool (e.g. policy on a /tmp/hello.txt symlink to /etc/shadow can t be ticked to gant access to /etc/shadow) Hadlink: Requies ceate and link pemission in addition to any pemission existing on souce Mount: equies CAP_SYS_ADMIN, not suppoted while RBAC is enabled

20 Implementation (cont.) No suppot yet fo filesystem namespaces (used by LXC) Use is somewhat nebulous, in concet with many combinations of namespaces (pid, net, use) Single-application sandbox Entie system in a containe Only handle cases whee files involved with the namespace ae accessible via the main namespace?

21 Implementation (cont.) Full-system leaning ceates a new subject fo a binay when it: Pefoms netwok activity Modifies a file in a potected path Reads a sensitive file Uses a capability When many files in a given diectoy ae accessed in the same way, access is educed to the diectoy Gives leaning pedictive powe many detemined by configuation

22 Lookup Example Given the following elevant objects: / h /home wcd /home/*/.bashc We will pefom a lookup on: /home/spende/.bashc /tmp/exploit

23 Lookup Example (cont.) At each step: Does an inode/dev exist fo this path component in policy? Match is ancho Found match Is this a egex ancho? Check egexes fo match (fist matches fist) Tavese to paent diectoy

24 Lookup Example (cont.) No inode/dev fo /home/spende/.bashc No inode/dev fo /home/spende Inode/dev found fo /home It s also an ancho Check /home/*/.bashc against /home/spende/.bashc Match found, ead-only access

25 Lookup Example (cont.) No inode/dev fo /tmp/exploit No inode/dev fo /tmp Inode/dev found fo / Also called the default object, as it catches all files without moe specific objects Match found, not able to ceate, not able to see file if it aleady exists

26 Subject Example /us/bin/cvs Inteesting binay as it opeates both as a seve and client, depending on the context Policy is fo the seve context (in pseve mode) un as use cvs, staight fom gsecuity.net

27 Subject Example (cont.) ole cvs u subject / / h -CAP_ALL connect disabled bind disabled subject /us/bin/cvs / /* h /etc/fstab /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/mtab /etc/passwd /etc/goup /poc/meminfo /dev/uandom /dev/log w /dev/null w /lib x /us/lib x /home/cvs /home/cvs/cvsroot/val-tags /home/cvs/cvsroot/histoy /tmp wcd /va/lock/cvs wcd /va/un/.nscd_socket w /poc/sys/kenel/ngoups_max /poc/sys/kenel/vesion /va/un w a Allows chdi( / ) but no file/diectoy listing in /

28 Subject Example (cont.) ole cvs u subject / / h -CAP_ALL connect disabled bind disabled subject /us/bin/cvs / /* h /etc/fstab /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/mtab /etc/passwd /etc/goup /poc/meminfo /dev/uandom /dev/log w /dev/null w /lib x /us/lib x /home/cvs /home/cvs/cvsroot/val-tags /home/cvs/cvsroot/histoy /tmp wcd /va/lock/cvs wcd /va/un/.nscd_socket w /poc/sys/kenel/ngoups_max /poc/sys/kenel/vesion /va/un No o mode, so inheits file and capability policy fom subject /, no capability use pemitted w a

29 Subject Example (cont.) ole cvs u subject / / h -CAP_ALL connect disabled bind disabled subject /us/bin/cvs / /* h /etc/fstab /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/mtab /etc/passwd /etc/goup /poc/meminfo /dev/uandom /dev/log w /dev/null w /lib x /us/lib x /home/cvs /home/cvs/cvsroot/val-tags /home/cvs/cvsroot/histoy /tmp wcd /va/lock/cvs wcd /va/un/.nscd_socket w /poc/sys/kenel/ngoups_max /poc/sys/kenel/vesion /va/un No modification of CVS epositoy w a No abitay modification of CVS histoy

30 Subject Example (cont.) ole cvs u subject / / h -CAP_ALL connect disabled bind disabled subject /us/bin/cvs / /* h /etc/fstab /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/mtab /etc/passwd /etc/goup /poc/meminfo /dev/uandom /dev/log w /dev/null w /lib x /us/lib x /home/cvs /home/cvs/cvsroot/val-tags /home/cvs/cvsroot/histoy /tmp wcd /va/lock/cvs wcd /va/un/.nscd_socket w /poc/sys/kenel/ngoups_max /poc/sys/kenel/vesion /va/un w a No wx access to filesystem

31 Subject Example (cont.) ole cvs u subject / / h -CAP_ALL connect disabled bind disabled subject /us/bin/cvs / /* h /etc/fstab /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/mtab /etc/passwd /etc/goup /poc/meminfo /dev/uandom /dev/log w /dev/null w /lib x /us/lib x /home/cvs /home/cvs/cvsroot/val-tags /home/cvs/cvsroot/histoy /tmp wcd /va/lock/cvs wcd /va/un/.nscd_socket w /poc/sys/kenel/ngoups_max /poc/sys/kenel/vesion /va/un w a Waning! No netwok policy specified, allows any nomallypemitted netwok activity! Gadm will alet you to this

32 Questions/Requests? Tied RBAC befoe and had a policy question? Featues you would like to see? Thank you fo suppoting the eseach and development of gsecuity