Attack-based Domain Transition Analysis
Susan Hinrichs, shinrich@uiuc.edu
Prasad Naldurg, prasadn@microsoft.com
SE Linux Symposium '06
Outline
• Motivation
  – Review of type enforcement transitions
  – Attack graphs
• Domain transition graphs
  – Global transition graphs
  – Concentrated graphs
• What's next and conclusions

Problem: Understanding Policy
• SE Linux TE policy is expressive but can be massive
  – Need to figure out whether the policy matches higher-level security goals
• Several approaches
  – Ensure that the TE policy matches higher-level goals
  – Determine what happens when things go wrong

Attack-based Approach
• Assume a process running under a particular domain can be co-opted
  – What will happen?
  – Ideally compartmentalized, but leaks happen in real, workable systems
TE Transitions
• Information Flow (figure: flow graph over domains A, B, C, D)
• Domain Transition (figure: transition graph over domains A, B, C)

Information Spread on Attack
(figure: information-flow graph over domains M through W showing how far a compromise of one domain spreads)
Estimating Attack Impact
• A single attacker is bound by the domain transitions it can make from the initial subverted domain
• Good news and bad news
  – The domain transition graph is smaller than the information flow graph, but
  – The global domain transition graph is still really big

Building the Global Domain Transition Graph
• Use the Apol framework
  – Apol at the time calculated domain transitions that involve a single domain
• Added an algorithm to compute the graph of all domain transitions in the policy
  – The Apol team has since independently added this calculation
• Export the graph in XML
  – Used yEd to display it
  – Almost useful in the classical hierarchical layout
Global Domain Transition Graph
(figure: 297 nodes and 863 arcs)
Concentrate Attention
• Help the user analyze scenarios
  – Suspect domains: where an attack is suspected
  – Sensitive domains: working with very sensitive information that must be protected at all cost
• Create a subgraph that includes the transitive closure of all domain transitions that start at suspect domains and end at sensitive domains

Using the DT SubGraph
• If the Suspect and Sensitive domains are disconnected
  – No problems!
• Otherwise, look for edge or node cut sets
  – Separate the suspect and sensitive domains
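To make the concentration step and the cut-set search concrete, here is an added Python example; it is not the authors' Apol extension, and the domain names and transition edges are constructed for illustration rather than taken from any real policy. It builds the suspect-to-sensitive subgraph as the intersection of forward closure from the suspect domains and backward closure from the sensitive domains, then finds a minimum edge cut (the smallest set of transitions to mitigate) by unit-capacity max-flow, which by Menger's theorem equals the minimum edge cut.

```python
from collections import deque

# Constructed toy domain-transition graph (domain -> domains it may transition
# to); the names mimic reference-policy domains but the edges are made up here.
DT_GRAPH = {"pppd_t": {"ifconfig_t", "initrc_t", "sshd_t"},
            "initrc_t": {"sshd_t", "syslogd_t"}, "sshd_t": {"sysadm_t"},
            "cron_t": {"sysadm_t"}}  # domains with no outgoing transition omitted
SUSPECT, SENSITIVE = {"pppd_t"}, {"sysadm_t"}

def reachable(graph, starts):
    """Transitive closure: every domain reachable from any start domain (BFS)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return seen

def concentrated_subgraph(graph, suspect, sensitive):
    """Keep only domains and transitions that lie on some suspect->sensitive path:
    forward closure from suspects intersected with backward closure from sensitives."""
    rev = {}
    for src, dsts in graph.items():
        for dst in dsts: rev.setdefault(dst, set()).add(src)
    keep = reachable(graph, suspect) & reachable(rev, sensitive)
    return {s: {t for t in graph.get(s, ()) if t in keep} for s in keep}

def min_edge_cut(sub, suspect, sensitive):
    """Smallest set of transitions whose removal separates suspect from sensitive
    domains: unit-capacity max-flow (Edmonds-Karp) with super source S and sink T."""
    assert not (suspect & sensitive), "a domain cannot be both suspect and sensitive"
    cap = {}
    for s, dsts in sub.items():
        for t in dsts: cap[(s, t)] = 1; cap.setdefault((t, s), 0)
    for d in suspect: cap[("S", d)] = float("inf"); cap.setdefault((d, "S"), 0)
    for d in sensitive: cap[(d, "T")] = float("inf"); cap.setdefault(("T", d), 0)
    def bfs():  # BFS over the residual graph from S; returns the parent map
        parent, queue = {"S": None}, deque(["S"])
        while queue:
            u = queue.popleft()
            for (a, b), c in cap.items():
                if a == u and c > 0 and b not in parent:
                    parent[b] = u; queue.append(b)
        return parent
    while "T" in (parent := bfs()):  # push one unit of flow per augmenting path
        v = "T"
        while v != "S":
            cap[(parent[v], v)] -= 1; cap[(v, parent[v])] += 1; v = parent[v]
    reach = bfs()  # source side of the minimum cut once no path to T remains
    return {(a, b) for a in reach for b in sub.get(a, ()) if b not in reach}
```

On the toy graph the concentrated subgraph drops ifconfig_t, syslogd_t and cron_t (they are not on any pppd_t-to-sysadm_t path), and the single transition sshd_t -> sysadm_t is the minimum cut even though two paths lead there; an empty subgraph means the suspect and sensitive domains are already disconnected.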
pppd_t Domain Transition Subgraph
(figure: concentrated subgraph of transitions starting at pppd_t)
Breaking the Chains
• Worry less about long paths in the DT SubGraph
• Mitigate edges (domain transitions)
  – Review the programs and determine that the transition is not needed; remove it
  – Guard the transition with a boolean; turn it off when attacks seem likely
  – Increase log analysis of worrisome transitions
• Mitigate nodes (domains)
Node Mitigations
(figure: chain A -> B -> C)
• Analyze that programs running in B cannot be misused

Node Mitigations
(figure: chain A -> B -> C becomes A -> Proxy -> B -> C)
• Insert a high-assurance proxy in front of B

Node Mitigations
(figure: chain A -> B -> C becomes A -> B1 and B2 -> C)
• Split domain B into B1 and B2
What's Next
• Integrate with the information flow graph
• Automate some of the resolution options
  – Systematically examine more policy scenarios
• Update to integrate into the new modular policy framework
In Closing
• Understanding domain transitions aids in understanding attack impact
• Visualization can greatly help the ISSO understand the policy configuration
  – Ask the right questions to get the appropriate level of detail
• Use the graph to systematically mitigate dangers