mandatory access control in linux
play

Mandatory Access Control in Linux CMPSC 443 - Spring 2012 - PowerPoint PPT Presentation

Apr 04, 2024 •31 likes •231 views

Mandatory Access Control in Linux CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  1. Mandatory Access Control in Linux CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  2. In the early 2000s • Root and administrator – Many programs needed privilege, so they ran will full system permissions • Consider a network-facing daemon – Services requests at a well-known port – Low-numbered, so needs root access – But, also accessible to adversaries – A bad combination... • What should we do? CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 2

  3. Confining Network-Facing Daemons • Limit permissions of network-facing daemons –“Confine” them • Keep them confined –Cannot change their permissions • How do we do that? –Short answer & a long story... CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 3

  4. Mandatory Access Control • System-Defined Policy – Fixed Set of Subject and Object Labels – Fixed Permission Assignments – Fixed Label Assignments: (e.g., file to object label) – Fixed Transitions (e.g., setuid) O 1 O 2 O 3 J R R R W W S 2 N R R W S 3 N R R W CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 4

  5. Multi-Level Security is MAC Access is allowed if subject clearance level >= object access class and object categories subset-of subject categories ( read down ) Q: What would write-up be? Hence, Trent: TS, {CRYPTO, NUC, INTEL}) Bob: CONF., {INTEL}) Alice: (SEC., {CRYTPO, NUC}) DocB: (SECRET, {CRYPTO}) DocA: (CONFIDENTIAL, {INTEL}) DocC: (UNCLASSIFIED , {NUC}) CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 5

  6. Why MLS Won’t Work • Lots of information flows that violate MLS – For secrecy – And integrity • Have to manage manually – No way... • So, what do we do? – LOMAC – MIC – Others • Type Enforcement CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 6

  7. MAC in Linux • In 2001, Linus Torvalds authorized the development of a reference monitor for Linux – So, he didn’t have to choose a single security approach • Linux Security Modules framework was born – LSM defines an interface for reference monitoring modules – Anybody could build an LSM! • Introduced in Linux 2.6 – Version built for FreeBSD – Underway for MAC OS X – Also, implemented in a variety of user-space programs (X) • MAC has been in Trusted Solaris for years... – But, only one MLS approach (now includes more) CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 7

  8. Linux Security Modules Approach • Reference monitor interface, module, policy En Entry y Po Points nts System System Inte Interface rface Access Access Ho Hook Authorize Request? Secu Security-sen rity-sensitiv sitive Access Access Operat Operation ion Access Access Monitor Mon itor Ho Hook Hook Ho Po Policy cy Security-sen Secu rity-sensitiv sitive Secu Security-sen rity-sensitiv sitive Operation Operat ion Operat Operation ion Yes/No CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 8

  9. Where Do Hooks Go? • What property must an authorization hook placement satisfy? – Think reference monitor • How do you know when you have satisfied this property? – Not easy – Several missing placements were later identified • Still looking for an automated method to place authorization hooks in legacy code CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 9

  10. MAC and Systems • What is necessary to be a system that enforces MAC policies? – Specify: Mandatory Protection System – Enforce: Reference Monitor • Plus, others – Management: Policy development tools – Services: MAC-aware services – Applications: Work with MAC limitations • What do these systems look like? – We’ll examine SELinux CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 10

  11. SELinux • LSM + much more SELinux SELinux-aware System Bootstrap Services Processes (1) Load Policy (2) Authenticate (3) Syscalls SELinuxfs Linux Kernel SELinux LSM CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 11

  12. SELinux uses Type Enforcement • MAC Policy O 1 O 2 O 3 – Subjects and Objects Labeled • Access Matrix Policy S 1 Y Y N – Processes with subject label – Can access object of object label S 2 N Y N – If operations in matrix cell allow • Focus: Least Privilege S 3 N Y Y – Just permissions necessary CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 12

  13. SELinux Protection State • The permissions in an SELinux system are produced by a runtime analysis (same with AppArmor) • Step 1: Run programs – In a controlled (no attacker) environment – No enforcement is on • Step 2: Audit all permissions used • Step 3: Generate policy file – Give the subject label associated with that program – All the permissions in the audit file • Why does this satisfy confidentiality or integrity? CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 13

  14. SELinux Labeling State • Files and users known to the system at boot-time must be associated with their MAC policy labels – Map file paths to labels (regular expressions) – Map users to labels (by name) • These labels are assigned to their initial processes • How are new files/processes labeled? • How does “setuid” work? CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 14

  15. SELinux Transition State • Run the privileged passwd program • Simplified view -- takes 4 policy rules to do this Fork User Proc user_t User Proc user_t Exec passwd_t Root Proc passwd_t CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 15

  16. SELinux Mandatory Protection System • How many rules are necessary for a Linux distribution? – Labeling State - every file and process – Protection State - every subject, object, operation – Transition State - every process and file transition on access CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 16

  17. Configuring Secure Systems • How do administrators manage MAC systems? • Step 1: Choose an OS distribution – Has a MAC policy already • Step 2: Configure a firewall policy – Connects MAC processes with network access to network – Most processes are given network access • Step 3: Track vulnerabilities – Pick your favorite site - CERT, CVE, BugTraq, SANS, ... • Step 4: Run vulnerability scanners on your system – See if you are vulnerable – If so, remove/update that program or change network • NOTE: Do not change the MAC policy CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 17

  18. MAC Upsides • Security – Limits access of root processes – Controls network-facing daemons – Protects system processes – Protects kernel • Usability – Default configuration with OS Distros – Mostly enables system to run – Does not require any effort for admins • Bottom line: MAC is here, but in a more limited way than people expected CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 18

  19. (Commodity) MAC Myths • Security – MAC protects one of your processes from another – MAC protects one of your processes from another user’s processes – MAC controls processes use of network – MAC ensures that system processes only receive trusted data – MAC makes the adversary compromise several processes to access the kernel – MAC enforces confidentiality and integrity CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 19

  20. Take Away • In the early part of the last decade adversaries were taking advantage of weak access protections • MAC was introduced into commodity systems to prevent this • MAC threat model is network attacks – Network-facing daemons • MAC and code hardening of these daemons have improved the situation – but now escalation from untrusted clients through local exploits is common • Could SELinux prevent Stuxnet? CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page 20

Recommend

Mandatory Access Control for Carrier-Grade Linux Clusters (as part of the DSI project)

Mandatory Access Control for Carrier-Grade Linux Clusters (as part of the DSI project)

Mandatory Access Control for Carrier-Grade Linux Clusters (as part of the DSI project) Miroslaw.Zakrzewski@Ericsson.ca Ericsson Research Canada Open System Lab Montral Canada http://www.risq.ericsson.ca Rev PA1 2002-05-22 1 Ericsson

841 views • 42 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant OS trust and assurance University

303 views • 9 slides
Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Stephen McCamant Capability-based access control University of Minnesota, Computer

245 views • 5 slides
Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Stephen McCamant Capability-based access control University of Minnesota, Computer

486 views • 7 slides
Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown: read, write Employee Brown Read Employee Black Brown: read write Black, Brown: read, write REJECTED! Blacks Employee Black is not allowed

565 views • 38 slides
D e f i n i t i o n o f S E L i n u x 80:20:DE:AD:BE:EF 80:20:DE:AD:BE:EF

D e f i n i t i o n o f S E L i n u x 80:20:DE:AD:BE:EF 80:20:DE:AD:BE:EF

D e f i n i t i o n o f S E L i n u x 80:20:DE:AD:BE:EF 80:20:DE:AD:BE:EF Mandatory Access Control ... refers to a type of access control by which the operating system constrains the ability of a subject or initiator to

599 views • 47 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
Access Control Lists in Linux & Windows Vasudevan Nagendra & Yaohui Chen Fall 2014:: CSE

Access Control Lists in Linux & Windows Vasudevan Nagendra & Yaohui Chen Fall 2014:: CSE

Fall 2014:: CSE 506:: Section 2 (PhD) Access Control Lists in Linux & Windows Vasudevan Nagendra & Yaohui Chen Fall 2014:: CSE 506:: Section 2 (PhD) Categorization: Access Control Mechanisms Discretionary Access Control (DAC): Owner

1k views • 33 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
DAC and Trojan Horse Brown: read, write Employee Mandatory Access Control Brown B Read

DAC and Trojan Horse Brown: read, write Employee Mandatory Access Control Brown B Read

DAC and Trojan Horse Brown: read, write Employee Mandatory Access Control Brown B Read Employee R d E l Black, Brown: read, write REJECTED! Blacks Employee Black is not allowed To access Employee Black 1 2 Mandatory Access

433 views • 6 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Replacing CONFIG_VT/linux-console David Herrmann FOSDEM 2013 What is CONFIG_VT? access control

Replacing CONFIG_VT/linux-console David Herrmann FOSDEM 2013 What is CONFIG_VT? access control

Replacing CONFIG_VT/linux-console David Herrmann FOSDEM 2013 What is CONFIG_VT? access control to graphics/input devices VT102 terminal emulator VGACON + FBCON What is it used-for? session dispatcher lightweight UI with little hardware

592 views • 21 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
CSE543 - Introduction to Computer and Network Security Module: Mandatory Access Control Professor

CSE543 - Introduction to Computer and Network Security Module: Mandatory Access Control Professor

735 views • 44 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix,

Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix,

File Content Based Access Control Casey Schaufler August 2010 Casey Schaufler Trusted Solaris, Trusted Irix, Linux LSM Various Government Efforts Trusix, CMM, CHATS Standards P1003.1e/2c, TSIG Smack Linux Security Module

497 views • 30 slides
Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21,

Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21,

Lisbon Channel Access Project Non-Mandatory Pre-Bid Please Sign In 1 Lisbon Channel Access Project Non-Mandatory Pre-Bid Conference February 21, 2018 NMDOT CN A301870 2 Lisbon Channel Access Project Introductions: SSCAFCA Staff

268 views • 12 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
1 Mandatory Fee Proposal 2 What are Mandatory Fees? Mandatory Fees are paid by both

1 Mandatory Fee Proposal 2 What are Mandatory Fees? Mandatory Fees are paid by both

1 Mandatory Fee Proposal 2 What are Mandatory Fees? Mandatory Fees are paid by both undergraduate and graduate students. Mandatory Fees are paid on a per hour rate up to a maximum per semester. Mandatory Fees have been introduced over

449 views • 32 slides
Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who

Advanced Linux File Permission Access Control Dr. John Yoon How do you know yours? Finding about you and the system $ who $ hostname $ whoami $ uname $ id $ date $ ps -aux Environment Variables Environment Settings of a

530 views • 25 slides

More recommend