Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

Similar documents
Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Security Enhanced Linux. Thanks to David Quigley

SELinux. Don Porter CSE 506

Advanced Systems Security: Security-Enhanced Linux

Module 4: Access Control

Security Enhanced Linux

Operating system security models

Meeting Critical Security Objectives with Security-Enhanced Linux

Security Enhanced Linux

Roles and Users Security Policy Development Primer for Security Enhanced Linux (Module 8)

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Discretionary Access Control

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

General Access Control Model for DAC

Type Enforcement Rules and Macros

SE Linux Implementation LINUX20

Practical Techniques to Obviate Setuid-to-Root Binaries

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

CIS 5373 Systems Security

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Data Security and Privacy. Topic 3: Operating System Access Control Enhancement

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

Secure Architecture Principles

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions

FreeBSD Advanced Security Features

Access Control/Capabili1es

A Survey of Access Control Policies. Amanda Crowell

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Virtual File System. Don Porter CSE 506

Secure Architecture Principles

Secure Architecture Principles

Operating Systems Security Access Control

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Distribution Kernel Security Hardening with ftrace

Capability and System Hardening

SELinux. Daniel J Walsh SELinux Lead Engineer

Secure Architecture Principles

Data Security and Privacy. Unix Discretionary Access Control

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Secureworld Conference

CSE Computer Security

Operating System Architecture. CS3026 Operating Systems Lecture 03

Secure Architecture Principles

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

Protection Kevin Webb Swarthmore College April 19, 2018

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Virtual File System. Don Porter CSE 306

How Linux Capability Works in

SELinux For Mere Mortals

Security Models Trusted Zones SPRING 2018: GANG WANG

SEEdit: SELinux Security Policy Configuration System with Higher Level Language

Advanced Systems Security: Security-Enhanced Linux

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support

Information Security CS 526

10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 4 Introduction to SELinux

Landlock LSM: toward unprivileged sandboxing

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Introduction to Computer Security

PREVENTING ZERO-DAYS WITH SELinux:

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Kernel Types Simple OS Examples System Calls. Operating Systems. Autumn CS4023

Unix, History

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 & TECHNOLOGY (IJCET) PROCESS BEHAVIOUR MODELLING USING LSM

Privilege Escalation

CSC 553 Operating Systems

Access Control. Tom Chothia Computer Security, Lecture 5

Fun with SELinux. Writing SELinux Policy Permissive Domains Real bugs. Miroslav Grepl Presented by

LINUX SECURITY PRIMER: SELINUX AND SMACK FRAMEWORKS KATHY TUFTO, PRODUCT MANAGER

Application of the Flask Architecture to the X Window System Server

Advanced Systems Security: Securing Commercial Systems

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Chapter 14: Protection. Operating System Concepts 9 th Edition

Chapter 4: Access Control

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

SELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany

SELinux type label enforcement

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

TOMOYO Linux for Secure Embedded

Extensible Kernel Security through the TrustedBSD MAC Framework

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

Linux Kernel Security Overview

Advanced Systems Security: Ordinary Operating Systems

The landscape. File hierarchy overview. A tree structure of directories The directory tree is standardized. But varies slightly among distributions

PREVENTING EXPLOITS WITH SECURITY ENHANCED LINUX

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

SELinux: A New Approach to Secure Systems

IS 2150 / TEL 2810 Information Security and Privacy

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Filesystem Hierarchy and Permissions

LFJ Symposium BoF The role of "pathname based access control" in security. Tetsuo Handa

Chapter 10: File System. Operating System Concepts 9 th Edition

CS 378 (Spring 2003)

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Privileges: who can control what

Transcription:

Securing Linux Hyungjoon Koo and Anke Li

Outline Overview Background: necessity & brief history Core concepts LSM (Linux Security Module) Requirements Design SELinux Key elements Security context: identity (SID), role, type/domain AppArmor Key elements Application policy profile SELinux vs AppArmor

Why a new access control model Limited traditional access control for Linux Discretionary Access Control (DAC) Provide only a coarse access control 9 bits model (rwx per owner, group and others) Has setuid, setgid and sticky bit - not enough Cases when a fine-grained access control needs Does passwd require root access to printers? Suppose I have a secret diary and the app to read it Can I restrict my app from reading/writing a socket over network? Alice might have multiple roles Surfing the web, writing a report, and managing a firewall

Brief history Increasing the demand for reference monitor in Linux A mechanism to enforce access control Originate from orange book from the NSA: too generic Adopting LSM in Linux Kernel Originally a set of kernel modules in 2.2, updated in 2.4 LSM (Linux Security Module) Feature in 2.6 SELinux developed by the NSA and released in 2001 Default choice for Fedora/RedHat Linux Lots of early works Subdomain (AppArmor), Flask (SELinux), OpenWall,

Reference monitor A component that authorizes access requests at the RMI defined by individual hooks which invokes module to submit a query to the policy store From Operating System Security (Fig 2.3)

Core concepts Idea: Define policies to decide if applications/users have the privilege to proceed a given operation MAC: Mandatory access control Least Privileges Broadly covered security policy To all subjects, all objects and all operations As everything in Linux is represented as a FILE files, directories, devices, sockets, ports, pipes, and IPCs

Linux Security Module (LSM) Implementation of a reference monitor Requirements Modularized security Loadable modules Centralized MAC LSM API

LSM design Definition How to invoke permission check? By calling the initiated function pointers in security_ops Aka LSM hooks One hook is shown below: static inline int security_inode_create (struct inode *dir, struct dentry *dentry, int mode) { if (unlikely (IS_PRIVATE (dir))) return 0; return security_ops->inode_create (dir, dentry, mode); } Placement Implementation

LSM design - hooking Simple diagram of hooking Process 1 Process 2 Process N System Call Handler int 0x80 User Space Kernel Space System call Func ptr Hook to LSM open() 0xffffaaaa lsm_open(), 0xffffbbbb read() 0xffffaaba lsm_read(), 0xffffbbcb write() 0xffffaaca lsm_write(), 0xffffbbdb getdents() 0xffffaada lsm_getdents(), 0xffffbbeb LSM lsm_open() lsm_read() lsm_write() lsm_getdents()

LSM design Definition Placement Where to place those hooks? Entry of system call (not all of them) Determined by source code analysis Inline function E.g., security_inode_create Implementation

LSM design hooking example open() hook process Process syscall in user file path operation Invoke syscall in kernel Lookup inode Check DAC Hook & check MAC Grant access From Operating System Security (Fig 9.2)

LSM design Definition Placement Implementation Where to find the function which hooks point to? SELinux, AppArmor, LIDS, etc. Does placement need to change in different LSMs? Theoretically yes Practically, the placement of hooks is stabilized

SELinux at a glance Security Policies Centralized store for access control Can be modified by the SELinux system administrator Determined by security contexts (=user, role, type) Specification of permissions Labeled with information for each file Based on TE (Type Enforcement) and RBAC model Operations to objects for subjects append, create, rename, rwx, (un)link, (un)lock, Object classes file, IPC, network, object,

Some valid questions How can SELinux internally incorporate with DAC? DAC then MAC Who writes the policy? Admin Isn't it hard to write a policy? Indeed, and complicated (for SELinux) What happens if there is wrong policy? Hell API names are admittedly confusing

Security context Consist of three security attributes User identity (SID, Security identifier) SELinux user account associated with a subject or object Different from traditional UNIX account (i.e /etc/passwd) Type or domain Role (RBAC)

Security context Consist of three security attributes User identity (SID, Security identifier) Type or domain Postfix _t (i.e user_t, passwd_t, shadow_t, ) Divide subjects and objects into related groups Typically type is assigned to an object, and domain to a process Primary attribute to make fine-grained authorization decisions Role (RBAC)

Security context Consist of three security attributes User identity (SID, Security identifier) Type or domain Role (RBAC) Postfix _r (i.e sysadm_r, user_r, object_r, ) User might have multiple roles Associate the role with domains (types) that it can access Not assign permissions directly Limits a set of permission ahead of time If role is not authorized to enter a domain then denied

Security context example Putting all together Alice wants to change her password SID alice with the user role, user_r Role permitted to run typical user processes Any process with user_t to execute the passwd_exec_t label role user_r types {user_t user_firefox_t} <perm> <sub_type> <obj_type>:<obj_class> <op_set> Allow user_t passwd_exec_t:file execute Allow passwd_t shadow_t:file {read write} <file_path_expr> <obj_context> /usr/bin/passwd system_u:object_r:passwd_exec_t /etc/shadow.* system_u:object_r:shadow_t

Decision making with policy Access decision Based on security context allow, auditallow, dontaudit, and neverallow Q: how can we decide policy for a temporary object? temp processes (i.e fork) and files A: transition decision Process creation: domain transmission File creation: type transmission (labelling) type_transition <curr_type> <exe_file_type>:process <res_type> type_transition user_t passwd_exec_t:process passwd_t

Transition decision examples Process creation Domain decision File creation Type decision From SELinux Ch2

Implementation Policy sources.te files (type enforcement) Define rules and macros(m4) & assign permissions.fc files (file context) Define file contexts, supporting regular expression RBAC files User declarations Makefile (target: policy, install, ) Policy compiler Merge all policies to policy.conf Generate policy binary, centralized policy storage

AppArmor at a glance Another mainstream of LSM implementation Much simpler framework than SELinux Targeted policy An application security system Pathname based Work in two modes: enforce mode and complain mode One policy file per application Used by some popular Linux distributions Ubuntu, opensuse, etc.

How AppArmor works? Designed to be a complement to DAC Can t provide complete access control Born to be targeted policy unconfined_t in SELinux Application based access control One policy file per application Protect system against applications File + POSIX capabilities

AppArmor profile Capability rules: capability setuid, capability dac_override, Network rules: network (read, write) inet, deny network bind inet, File rules: /path/to/file rw, /dir/** r,

SELinux vs AppArmor Whole system vs. only a set of applications Types & domains vs. defining permission directly Strict MAC implementation vs. Partially implement Extended attributes vs. pathname Difficulty to configure SELinux needs 4x bigger conf. file than AppArmor Overhead? 7% vs. 2%

Conclusion SELinux and AppArmor can both greatly enhance OS security. Choice depends on what you need.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback