Pastures: Towards Usable Security Policy Engineering

Similar documents
Security Architecture

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

OS Containers. Michal Sekletár November 06, 2016

Using GConf as an Example of How to Create an Userspace Object Manager

Partitioning a Server with NSA SE Linux

Landlock LSM: toward unprivileged sandboxing

Confinement. Steven M. Bellovin November 1,

PREVENTING EXPLOITS WITH SECURITY ENHANCED LINUX

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Operating Systems 4/27/2015

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

Labels and Information Flow

Advanced Systems Security: Virtual Machine Systems

Data Security and Privacy. Topic 3: Operating System Access Control Enhancement

SELinux. Don Porter CSE 506

Security Enhanced Linux. Thanks to David Quigley

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

COMP3891/9283 Extended OS

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Virtual Machine Systems

SE Linux Implementation LINUX20

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

IMPLEMENTING SOLARIS CONTAINERS TO INCREASE PERFORMANCE AND SCALABILITY OF FINANCIAL MANAGEMENT SOFTWARE Genti Daci, Polytechnic University of Tirana

OS Security III: Sandbox and SFI

NON SCHOLAE, SED VITAE

Secureworld Conference

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 & TECHNOLOGY (IJCET) PROCESS BEHAVIOUR MODELLING USING LSM

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Virtualisation: Jails and Unikernels

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Practical Techniques to Obviate Setuid-to-Root Binaries

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

OS Virtualization. Linux Containers (LXC)

Security Enhanced Linux

Virtual Machine Security

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

Minix over Linux: A User-space Multiserver Operating System

Confinement (Running Untrusted Programs)

Data Security and Privacy. Unix Discretionary Access Control

SegSlice: new primitives for trustworthy computing

Advanced Systems Security: Principles

CS 356 Operating System Security. Fall 2013

Advanced Systems Security: Securing Commercial Systems

CIS 5373 Systems Security

The new VVorld. FreeBSD jail based virtualization. Bjoern Zeeb, Robert Watson. The FreeBSD Project. BSDCan 2010

Operating system hardening

FreeBSD Advanced Security Features

Docker for HPC? Yes, Singularity! Josef Hrabal

SEEdit: SELinux Security Policy Configuration System with Higher Level Language

1 Virtualization Recap

LINUX Virtualization. Running other code under LINUX

SELinux type label enforcement

Information Security CS 526

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

User Mode Linux. An Introduction to UML William Stearns ISTS/Dartmouth College

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Reference Policy for Security Enhanced Linux Christopher J. PeBenito, Frank Mayer, Karl MacMillan Tresys Technology

Core Policy Management Infrastructure for SELinux

Introduction to Computer Security

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

Topics in Systems and Program Security

EXPERIENCES WITH VIRTUALIZATION TECHNOLOGY IN EDUCATION

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Distribution Kernel Security Hardening with ftrace

Virtual Machines Measure Up

8.3 Mandatory Flow Control Models

Extensible Kernel Security through the TrustedBSD MAC Framework

Justifying Integrity Using a Virtual Machine Verifier

Virtualization. join, aggregation, concatenation, array, N 1 ühendamine, agregeerimine, konkateneerimine, massiiv

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Flip the Switch to Container-based Clouds

ECE 598 Advanced Operating Systems Lecture 19

CSE506: Operating Systems CSE 506: Operating Systems

Travis Cardwell Technical Meeting

SELinux: A New Approach to Secure Systems

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Introduction to Assurance

Concepts. Virtualization

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

SELinux. Daniel J Walsh SELinux Lead Engineer

Administrative Details. CS 140 Final Review Session. Pre-Midterm. Plan For Today. Disks + I/O. Pre-Midterm, cont.

Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison

Advanced Systems Security: Integrity

Towards High Assurance Networks of Virtual Machines

File Systems: Allocation Issues, Naming, and Performance CS 111. Operating Systems Peter Reiher

Module 1: Virtualization. Types of Interfaces

, Inc

Virtualization and memory hierarchy

Faculty of Computer Science Institute for System Architecture, Operating Systems Group. Naming. Stefan Kalkowski. Dresden,

Advanced Systems Security: Security-Enhanced Linux

Chapter 8: Filesystem Implementation

Virtual File System. Don Porter CSE 306

Access Control/Capabili1es

Transcription:

Pastures: Towards Usable Security Policy Engineering Institute for Security Technology Studies Department of Computer Science Dartmouth College

A practitioner s look at the field Powerful formalisms exist: But: Older: The Orange Book, Bell LaPadula, Biba,... (MLS) Newer: FLASK type enforcement (SELinux) Admins, app writers (even vendors) appear to shun them. Security-conscious practitioners create and use other solutions. Why? To answer this, we will try to: 1 Review existing design space from the usability viewpoint. 2 Formalize ideas already in use. 3 Combine them in a new approach to a set of more usable policy primitives.

At a first glance Available high assurance systems have large and complex policies. Example Hard to write and maintain Crafted by trial and error SELinux in Fedora Core 3: Policy makes use of M4 macros 2000+ lines in core M4 macro base Mediates 160+ domains ( daemons and applications), 145 operations ( syscalls) 227275 lines in the strict policy

A 10,000 miles review of SELinux internals (1) Each process and each resource (file) operated on has a domain or type label. task struct, inode, super block structs have a (void *) security member that points to respective SELinux policy structures. System call hooks (LSM) check the process and file labels for each mediated operation, and deny access unless permitted by the policy: allow sshd t sshd key t:file {getattr read}; allow ssh keygen t urandom device t:chr file {getattr read}; All objects in the root filesystem are pre-labeled /etc/ssh/ssh host key -- system u:object r:sshd key t

Simplified type diagram

A 10,000 miles review of SELinux internals (2) New files and processes are assigned labels based on the labels of: for files, parent directory and creating process, file type auto trans(ssh keygen t, etc t, sshd key t, file) for processes, parent process and executable file, daemon base domain(ssh keygen) type transition sysadm t ssh keygen exec t:process ssh keygen t; Permitted operations can be specified in terms of type attributes (sets of labels, e.g., sysadmfile.) type sshd key t, file type, sysadmfile; allow sysadm t sysadmfile:file { getattr read write create unlink... relabelfrom relabelto };

The ssh-keygen example ssh keygen t is the type of the ssh-keygen program when run by the admin to generate the host key or at install time. file contexts/program/ssh.fc: /usr/bin/ssh-keygen -- system u:object r:ssh keygen exec t domains/program/ssh.te policy.conf: type ssh keygen exec t, file type, sysadmfile, exec type; allow initrc t ssh keygen exec t:file {read { getattr execute }}; allow sysadm t ssh keygen exec t:file {read { getattr execute }}; allow ssh keygen t ssh keygen exec t:file entrypoint; type transition initrc t ssh keygen exec t:process ssh keygen t; type transition sysadm t ssh keygen exec t:process ssh keygen t; allow ssh keygen t ssh keygen exec t:file {read getattr lock execute ioctl};...

Observations SELinux case study One policy language and mechanism for 1 Access control, Integrity, Confidentiality 2 Host intrusion alerts 3 Inevitable admin exceptions & delegation Issues: Using one language for all goals causes policy bloat: good expressive power for some goals, not enough for others. Structure imposed by M4 macros is implicit. Flow properties are not first class language objects and must be derived (Apol & other Tresys tools, SLAT, PAL, etc.)

Audit2allow A first cut at a type description: A tool and approach to generating new types: 1 Run application in non-enforcing mode, record accesses that would be denied. 2 Generate policy from the log trail by allowing relevant accesses. 3 Repeat until all legitimate code paths are covered. Problems: Friendly network: too little diversity. Real network: what is the average time to attack?

Observations summarized Principal usability obstacles: Any degree of integrity protection requires a large and complex policy that profiles all allowed accesses. Policy mimics software s execution profile, and becomes as complex as software itself (but without software engineering tools). No protection before profiles are compiled. The reason for these inconveniences is fundamental: The Least Privilege principle Deny all accesses and operations unless explicitly allowed by the policy.... but is it really a security goal in and of itself?

Policy complexity vs. admin concerns Not all profile violations are of the same concern;...but all may kill the offending process. Policy must be debugged

Policy complexity vs. admin concerns Not all profile violations are of the same concern;...but all may kill the offending process. Policy must be debugged

Policy complexity vs. admin concerns Not all profile violations are of the same concern;...but all may kill the offending process. Policy must be debugged

Policy complexity vs. admin concerns Not all profile violations are of the same concern;...but all may kill the offending process. Policy must be debugged

Questions of goals and trade-offs In an actual operational environment: 1 Can we avoid or postpone the up-front cost of developing a policy for a new application? 2 How bad are crashes due to missing a legitimate access in the policy? 3 For how long can we afford to debug a policy?

Alternatives? Popular practical solutions: 1 BSD jails ( chroot on steroids + private IP address) 2 Linux Vserver (separate non-communicating process contexts, separate virtual filesystems) 3 Solaris 10 Zones (no sharing by default, high privilege granularity, resource access can be inherited) 4 OS emulation approaches: User Mode Linux (UML), Xen, VMWare, Qemu,... The lesson appears to be: Usability Virtualization

Is virtualiztion the cure for policy complexity woes? Pro: Simpler management, less attention to partition insides. Flows between partitions are absent by default. Integrity is provided by separation rather than by profiling. Contra: VMs are conceptually simple, but too many VMs are hard to manage (updates, version difference creep). When the overhead of managing multiple OS instances makes one service per machine (physical or virtual) a bad idea?

Vserver review (1) At a glance One kernel: no virtual machines, no OS emulation. BSD Jails, Solaris 10 Zones. Security through by-default isolation. Processes Processes are assigned to Security Contexts and labeled with a context ID (XID) label (added to task struct and elsewhere). These is no communication between processes in different contexts separation enforced by system call hooks. The system starts in Host context (XID = 1). Each context has its own root filesystem (via chroot + extra anti-escaping measures. But: see Unification.

Vserver review (2) File systems But: Each context has its own FS root. Inodes store the context ID (XID) of the creating context Inode access checked against XID (except for the special Spectator context). No pre-labeling: untagged files are OK to access, modified files get the creator s XID. Maintaining separate filesystems is expensive: Library and utility upgrades, Security updates, Matching configurations between partitions.

Vserver Unification A truly great idea Share files between contexts when they are unlikely to change (libraries, standard binaries) Reduces admin effort Reduces inode caches and memory mappings. The contexts filesystems start out populated with special type of hard links: immutable but unlink-able. Once changed from within and context, the link is removed and replaced with a new file, private to a context. Combines the benefits of: a single FS/namespace for admin tasks, keeps file changes private to a context.

Observations We see a pattern in the use of virtualization-based solutions: 1 Isolation and separation by default 2 The de-facto access policy exists as exceptions to (1): Some files can be shared between Vserver contexts Some host filesystems can be mounted live from inside a VM (UML, BSD jails) 3 A unified admin view of partitions filesystems saves effort. Not all would-be policy violations are of the same concern w.r.t. the actual security goals It is often preferable to let a process continue after an access violation rather than kill it outright. (Liang, Sekar, ACSAC 03, Alcatraz )

Our approach Copy-on-write (COW) as a fundamental policy primitive. Protected processes run in isolated pastures. 1 All accesses not explicitly allowed or denied by a policy statement result in COW duplication of the accessed object, rather than a denial. 2 Sharing objects between pastures becomes a basic policy statement type. Advantages: New progams can be introduced without audit2allow risks. Write flow properties are specified rather than derived. Less crashes: EACCESS errors fatal under SELinux but not critical to security goals are no longer fatal.

What s in a name? We thought of calling our compartments COW jails... But that sounds cruel...

What s in a name? We thought of calling our compartments COW jails... So we called them COW pastures instead ;-) Also, this reflects our more permissive approach to applications.

COW pastures (1) The policy specifies that certain processes are to be placed in a pasture. For a process placed in a pasture, any file modifications are private by default. Any write-type access results in creating a private copy: Global Pasture Private Pasture

COW pastures (2) If processes in different pastures need to share resources, the policy explicitly specifies the allowed sharing. References from sharing pastures will resolve to the same underlying object. This object may be global or private to those pastures: Global Pasture Private Pasture

Policy elements Unidirectional write-flow G A: changes made to the namespace of pasture G by processes running in G are visible to processes in the pasture A, but not vice versa. Example Introducing a new server/application into a set of trusted ones. Bidirectional write-flow A B on file spec: specified files are shared between pastures A and B. Example Servers sharing access to a database or filesystem.

Examples Placing processes into pastures: /usr/sbin/httpd => A /usr/sbin/ftpd => A /opt/matlab => D /opt/lic-server => D Sharing files: A <-> B: /path/to/file1 /path/to/file2

Disadvantages Effort saved up-front doesn t magically disappear To merge an application into the trusted fold, its private changes need to be merged or discarded. Also: Unlike SELinux, lacks granularity for use as a Host Intrusion Detection system (HIDS). But, should policy enforcement also double as a HIDS? May let an attacker proceed farther should a process be successfully attacked. But the damage is localized where it was judged to be non-critical. Does not virtualize physical devices (e.g., network interfaces) yet. (Vservers and Zones address resource allocation fairness).

Prototype implementation A patch for the Linux 2.6.12 kernel. Modifications to the ext2 filesystem. Uses /proc pseudo-filesystem for control: /proc/pastures/ active pastures /proc/<pid>/pasture pasture ID /proc/pastures/<pasture id>/cows/ links to COW-ed files Write-flows only. Future work Creating parametrized pastures on the fly (by user ID, sudoers-style aliasing) Read flow control policy primitives. Support for other filesystems? LSM integration?

References LIDS: The linux intrusion detection system, http://www.lids.org/. Linux vserver project, http://linux-vserver.org/paper. L. Badger, D. F. Sterne, D. L. Sherman, and K. M. Walker. A domain and type enforcement UNIX prototype. Computing Systems, 9(1):47 83, 1996. K.-H. Baek and S. W. Smith. Preventing Theft of Quality of Service on Open Platforms. In IEEE/CREATE-NET SecQoS 2005, September 2005. W. Boebert. The lock demonstration. In Proceedings of the 11th National Computer Security Conference, 1988. J. Dike. User-mode linux. P.-H. Kamp and R. N. M. Watson. Jails: Confining the omnipotent root. P.-H. Kamp and R. N. M. Watson. Building systems to be shared securely. ACM Queue, 2(5), July/August 2004. D. Langille. Virtualization with freebsd jails, 2006. Z. Liang, V. Venkatakrishnan, and R. Sekar. Isolated program execution: An application transparent approach for executing untrusted programs. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), December 2003. P. Loscocco and S. Smalley. Integrating flexible support for security policies into the linux operating system. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference (FREENIX 01). The USENIX Association, 2001. D. Price and A. Tucker. Solaris zones: Operating system support for consolidating commercial workloads. Sergey Bratus, In Proceedings Alex Ferguson, of the Doug 18th Large McIlroy, Installation Sean Smith Systems Pastures: Administration Towards Conference Usable Security (USENIX Policy LISA Engineering 04). The

Projects that provided the details SELinux and the NSA Sample policies + FC3 policies Linux Vserver, http://www.linux-vserver.org BSD Jails, http://docs.freebsd.org/44doc/papers/jail/ Jeff Dike, User Mode Linux, http://user-mode-linux.sf.net Liang, Sekar, Alcatraz (a ptrace-based private sandbox for an application). Solaris 10 Zones, http://www.sun.com/bigadmin/content/zones/...

Questions? Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback