SELinux type label enforcement

Similar documents
OS Security III: Sandbox and SFI

CMPSC 497 Attack Surface

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Ordinary Operating Systems

Security Architecture

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Access Control. Tom Chothia Computer Security, Lecture 5

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Demystifying SELinux:

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Introduction to Computer Security

CS 356 Operating System Security. Fall 2013

Discretionary Access Control

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Secureworld Conference

SELinux. Daniel J Walsh SELinux Lead Engineer

Data Security and Privacy. Unix Discretionary Access Control

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

A Survey of Access Control Policies. Amanda Crowell

SELinux. Don Porter CSE 506

Confinement. Steven M. Bellovin November 1,

LINUX SECURITY PRIMER: SELINUX AND SMACK FRAMEWORKS KATHY TUFTO, PRODUCT MANAGER

SELinux: A New Approach to Secure Systems

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Operating systems and security - Overview

Operating systems and security - Overview

SELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com

Software Security and Exploitation

CS 161 Computer Security. Design Patterns for Building Secure Systems

Physical and Logical structure. Thursday, December 02, 2004

Arvind Krishnamurthy Spring Implementing file system abstraction on top of raw disks

Advanced Systems Security: Multics

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

Access Control/Capabili1es

Operating System Security

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

Unix System Architecture, File System, and Shell Commands

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

CompTIA SY CompTIA Security+

I run a Linux server, so we re secure

Secure Architecture Principles

CSE 565 Computer Security Fall 2018

Final Examination CS 111, Fall 2016 UCLA. Name:

Computer Security Spring 2010 Paxson/Wagner Notes 1/29. Patterns for Building Secure Software. 1 The Trusted Computing Base (TCB)

SELinux For Mere Mortals

Security Principles & Sandboxes

Architectural Support for A More Secure Operating System

CSE 544 Advanced Systems Security

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Web Servers and Security

CSE 451: Operating Systems. Sec$on 8 Project 2b wrap- up, ext2, and Project 3

G/On OS Security Model

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Advanced Systems Security: Confused Deputy

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

[S9I ] gtmsecshr vulnerability Security Advisory Page 1 of 6

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Web Servers and Security

Secure Architecture Principles

The landscape. File hierarchy overview. A tree structure of directories The directory tree is standardized. But varies slightly among distributions

The UNIX Time- Sharing System

Adding Groups to Groups

Secure Architecture Principles

CSE543 - Computer and Network Security Module: Virtualization

Architecture. Steven M. Bellovin October 27,

The Functionality-based Application Confinement Model

CSE543 - Computer and Network Security Module: Virtualization

Access Control Mechanisms

Penetration Testing Scope

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

[This link is no longer available because the program has changed.] II. Security Overview

Introduction to Computer Security

Filesystem Hierarchy and Permissions

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Lecture 3: Web Servers / PHP and Apache. CS 383 Web Development II Monday, January 29, 2018

System Administration for Beginners

Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

Secure Architecture Principles

Architecture. Steven M. Bellovin October 31,

10/23/12. Fundamentals of Linux Platform Security. Linux Platform Security. Roadmap. Security Training Course. Module 4 Introduction to SELinux

LAPP/SELinux. A secure web application stack using SE-PostgreSQL. KaiGai Kohei NEC OSS Promotion Center

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Secure Architecture Principles

1 Installation (briefly)

PREVENTING EXPLOITS WITH SECURITY ENHANCED LINUX

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

SEEdit: SELinux Security Policy Configuration System with Higher Level Language

Login und Authentifizierung

Linux Kernel Security Overview

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Security Fundamentals

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

SELinux Workshop Redux. Jamie Duncan, Senior Technical Account Manager RVaLUG - 18 April 2014

Transcription:

SELinux type enforcement -Demonstration -General description David Morgan Demonstration

Trying to access a resource (permissions vs SELinux) permissions system cares which user account SELinux cares which program user can access more files than a particular program should my progx doesn't need access to all the same files as my progy, just because they're both mine! gaining illicit control, which access do you want attacker to get? Why should I use SELinux? In short because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do. http://selinuxproject.org/page/faq SELinux policy creation: language, tools, procedure traditional from: SELinux: NSA s Open Source Security Enhanced Linux

Who gets to write the rules? Access control types: discretionary vs manadatory users may control access decisions for some objects but policy is by central authority (sysadmin), never a user policy is the mandate in mandatory mandatory and discretionary can be combined multics ACLs (discretionary) + MLS (mandatory) linux permissions (discretionary) + SELinux type enforcement (mandatory) co-existing, independent systems operate as perms && selinux ie perms first What s are there? where are SELinux s? filenames those are s themselves (on data) permission strings those are s (on files) SELinux contexts another set of lables (also on files) ( context == ) context/ 4 components secon shows them individually we care only about the type or type ( net_conf_t in this case)

SELinux -- where are the files s? disk: inode table data pointer data data pointer - or - data pointer lbl pointer data data inode field structure 16 th field give you the file's permissions here pointer to additional data of variable length here ( extended attributes ) e.g., ACL, SELinux s

Apache filesystem map (default) / etc var ServerRoot httpd www DocumentRoot conf httpd.conf logs access_log error_log your webpage files (index.html et.al.) html cgi-bin error your executables manual noindex.html index.html Labels on files and processes a a process of this type, can access a file ed with that type objects (files) apparent correspondence/match (at least by string tokens) httpd looks somehow related to the /var/www and /etc/httpd directories subjects (processes)

Processes ed too. What s s where? processes (subjects) get their own s user space kernel space (OS) compiled in-kernel blob of all the policy rules (selinux engine ) compiled in-kernel blob of all the firewall rules (iptables engine ) process descriptor array 1 filesystem objects and their s 2 policy store (rules in ascii) 3 kernel-loadable blob file mv (unlike cp) is not an inode operation ( mv /etc/hello.txt / ) disk: inode table pointer pointer bin etc home hello.txt hosts passwd pointer Hello!

demo 2 files web-readable create web pages on client (one in-place in apache territory, one elsewhere then moved into apache territory) browse them from server demo now enforce SELinux policy the one created in place remains web readable the one moved into place does not (though neither file permissions nor apache configuration has changed)

demo why? s must match! s on the 2 objects s on the subject now we ve changed it to match demo web-readablility restored

General description Confinement in cyber security Systems should do 1) what they are designed to do 2) and nothing else. cyber confinement examples memory storage the easy part memory management process isolation chroot at filesystem/directory granularity SELinux at individual file granularity

Confinement in SELinux [SELinux] compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days-- when someone gets a toe-hold on a computer through a vulnerability in a local networked application and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system. book press release Beating the 0-day vulnerability threat book cover banner Trying to access a resource permissions system cares which user account SELinux cares which program user can access more files than a particular program should my progx doesn't need access to all the same files as my progy, just because they're both mine! gaining illicit control, which access do you want attacker to get? Why should I use SELinux? In short because SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do. http://selinuxproject.org/page/faq

Central concept of access control active subjects reference passive objects - reference means propose access government example - subjects are employees - objects are documents cyber example - subjects are processes - objects may be filesystem objects (unix) or memory segments (multics) each access mediated by some arbitration mechanism - approved or disapproved We call it a file system but in unix,, everything is a file object types subject to management (beyond just files)

reference monitor another, similar possibility centerpiece of security kernels in trusted OS's (runs low-level in/at the heart of a trusted OS kernel) sits between subjects and objects uses an authorization database as input supplies audit (event) rmation as output reference monitor authorization database subject reference monitor object audit

ref monitor enforces policy the database holds rules covering each interaction type for every subject/object combination e.g. a population of 3 subjects and 5 objects with 2 operations would need 30 rules each rule allows or disallows the rule collection is called the policy Well then, policy is prerequisite the policy is the law absent the law you can't enforce the law so the database must get pre-populated by the system admin ref monitor is the cop, but sysadmin is the legislature everything flows from policy

Rules can be fashioned from s multics did it with s on memory segments selinux does it with s on processes and filesystem objects so do traditional permissions Access control policy list of ordered triples < subject, object, mode > express what is disallowed

Who gets to write the rules? Access control types: discretionary vs manadatory users may control access decisions for some objects but policy is by central authority (sysadmin), never a user policy is the mandate in mandatory mandatory and discretionary can be combined multics ACLs (discretionary) + MLS (mandatory) linux permissions (discretionary) + SELinux type enforcement (mandatory) co-existing, independent systems operate as perms && selinux ie perms first What s are there? where are SELinux s? filenames those are s themselves (on data) permission strings those are s (on files) SELinux contexts another set of lables (also on files) ( context == ) context/ 4 components secon shows them individually we care only about the type or type ( net_conf_t in this case)

Labeling for access control MSDOS/FAT had none linux/ext2 perms/user/group on a file, as against user identity in a process by a particular (well-known) interaction methodology SELinux type on a file, as against type ( domain ) in a process by some particular interaction methodology/rules inode field structure 16 th field give you the file's permissions here pointer to additional data of variable length here ( extended attributes ) e.g., ACL, SELinux s

Labels on files and processes a a process of this type, can access a file ed with that type objects (files) apparent correspondence/match (at least by string tokens) httpd looks somehow related to the /var/www and /etc/httpd directories subjects (processes) Directories sit in their own files files names are in there finding /etc/hello.txt directory files (for / and /etc ) disk: inode table pointer pointer bin etc home hosts passwd hello.txt pointer Hello!

mv (unlike cp) is not an inode operation ( mv /etc/hello.txt / ) disk: inode table pointer pointer bin etc home hello.txt hosts passwd pointer Hello! SELinux -- where are the files s? disk: inode table data pointer data data pointer - or - data pointer lbl pointer data data

Policy creation: language, tools, procedure traditional from: SELinux: NSA s Open Source Security Enhanced Linux Processes ed too. What s s where? processes (subjects) get their own s user space kernel space (OS) compiled in-kernel blob of all the policy rules (selinux engine ) compiled in-kernel blob of all the firewall rules (iptables engine ) process descriptor array 1 filesystem objects and their s 2 policy store (rules in ascii) 3 kernel-loadable blob file

SELinux -- where are the files s? disk: inode table data pointer data data pointer - or - data pointer lbl pointer data data

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback