security model for embedded systems
play

Security model for embedded systems using Smack * Simple but secure - PowerPoint PPT Presentation

Security model for embedded systems using Smack * Simple but secure * S implified M andatory A ccess C ontrol K ernel - Jos Bollo - - Jos Bollo - Con Contex text Jos Bollo Intel Eurogiciel Tizen Smack Linux 2


  1. Security model for embedded systems using Smack * Simple but secure * S implified M andatory A ccess C ontrol K ernel - José Bollo - - José Bollo -

  2. Con Contex text ● José Bollo ● Intel ● Eurogiciel ● Tizen ● Smack ● Linux 2 February 2014 - José Bollo - Smack for embeddeds (2 2/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  3. Sma mack ck ove vervie rview ● The author of Smack Smack is mainly Casey Schaufler Casey Schaufler . ● In Linux since kernel 2 6 25 since kernel 2 6 25 – 17 April 2008 – as a LSM (Linux Security Module) LSM ● Evoluting since this first days. ● Inside Tizen Tizen since the first days (2012). ● Use extended file attributes extended file attributes to store data relating to files. ● Controlled via a filesystem interface: smackfs smackfs . ● Controls accesses of processes to files, IPC, sockets and processes (ptrace, signals, ...). 2 February 2014 - José Bollo - Smack for embeddeds (3 3/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  4. Th The Sm e Smack ck rule rules ● Smack's rules have 3 items: Simple !!! – the subject's label subject's label – the object's label object's label – the access access System User rwx This rule tells to allow read , write and execute access to objects labelled User for the processes labelled System . What are labels? What are subjects? What are objects? How to set? 2 February 2014 - José Bollo - Smack for embeddeds (4 4/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  5. The Smac he Smack voc ocabu abulary lary ● Labels Labels are just text (of valid ASCII characters) without any special meaning: they are compared to equality (case sensitive: a≠A). ● Subjects Subjects are running processes: any running process has a smack label. ● Objects Objects are files files , IPC IPC , sockets sockets , processes processes . ● The label of a running process is called its context context . – The commands id , ps (option -Z or -M), ls (option -Z) are prompting the contexts of the current process, the running processes, the files. ● The grantables accesses accesses are: read read (r), write write (w), execute (x), append append (a), lock lock (l), transmute transmute (t). execute 2 February 2014 - José Bollo - Smack for embeddeds (5 5/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  6. Setting Smac Set ting Smack ● How to set context? You can't! You can't! Except if you have the capability CAP_MAC_ADMIN CAP_MAC_ADMIN . # chsmack --access label file # echo -n label > /proc/$$/attr/current ● How to set rules? You can only reduce You can only reduce accesses for the current thread (inherited by accesses cloning). But if you have the capability CAP_MAC_ADMIN , you can change all rules. CAP_MAC_ADMIN # echo “subject object rwt” > /sys/fs/smackfs/load-self2 # echo “subject object rwt” > /sys/fs/smackfs/load2 # echo “subject object rwt” > smackload 2 February 2014 - José Bollo - Smack for embeddeds (6 6/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  7. Target rgets de s devices es In-vehicle infotainment (IVI) television mobile hansets NUCs and boxes 2 February 2014 - José Bollo - Smack for embeddeds (7 7/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  8. Targ argets ets us usag ages es Single seat Multi seats handsets Single user boxes IVI is using tablets - laptops Multi users IVI Wayland Wayland NUC Multi seats is meaning that several users are using the same system through several interfaces. 2 February 2014 - José Bollo - Smack for embeddeds (8 8/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  9. Installe Inst ler r on only model model Trusted System Installed (installed, signed) Applications (untrusted) Installer Installed Application with manifest The installer enable the application and configure the system according to the manifest. Smack rules process for authorised services Trusted environment 2 February 2014 - José Bollo - Smack for embeddeds (9 9/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  10. Ins Insta taller + ller + l laun unche cher m r model del Trusted System Installed (installed, signed) Applications The installer enable the application (untrusted) and configure it according to the Installer manifest. Installed Application with manifest launcher The launcher prepare the environment in agreement with the manifest and launch the application. Smack rules process for authorised services Trusted environment 2 February 2014 - José Bollo - Smack for embeddeds (10 10/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  11. Sec Security urity of ap of applica plications tions Tizen offers the possibility to install applications that are either natives or widgets (W3C compliant) or a mix of the both. Each application has potentially access to a wide variety of services. The accessed services MUST be conform to what the manifest of the application is claiming for. That is the condition to have a trusted system, a secure system. Services Widget Service 1 Service 2 Service 3 Applications ... Native Web RunTime Applications Kernel IPC Ok, but how to do that??? 2 February 2014 - José Bollo - Smack for embeddeds (11 11/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  12. Imple mplemen menta tations tions ● The problem is difficult due to its power characteristic: controlling N ressources for M kinds of accesses brings to M N cases! ● For Tizen 2.0 there was many smack rules (for a basic mobile hanset, not less than 33232 rules! ) – Each application have a own context label – The rules are the spare matrix of all the authorised accesses ● For tizen 3.0 IVI the three-domains model will be used. – Basically, three subject labels exist: _ _ , System System and User User – There few more object labels – The rules are restricted to the minimum – It requires a launcher to achieve the full control of accesses 2 February 2014 - José Bollo - Smack for embeddeds (12 12/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  13. Three- Thre e-domain domains mode s model overvie ove rview Base system: _ The floor domain provides the foundation upon which the system is built Services: System The System domain is comprised of the basic System::Run system services and the System::Shared data they maintain. System::Log Applications: User The User domain is comprised of the services that interact directly with the person using the Tizen system and the data those services maintain. 2 February 2014 - José Bollo - Smack for embeddeds (13 13/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  14. Links ks ● LSM Smack http://schaufler-ca.com/ ● https://www.kernel.org/doc/Documentation/security/Smack.txt ● ● Smack utilities https://github.com/smack-team/smack ● ● Tizen https://www.tizen.org/ ● https://wiki.tizen.org/wiki/Security:Smack ● https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel ● 2 February 2014 - José Bollo - Smack for embeddeds (14 14/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  15. Summary Summary ● It works well and is really simple to learn. ● You can activate it on any Linux kernel. ● The embedded linux distribution TIZEN implements it and its community can help you. ● You can contribute to improve the smack tools and models. 2 February 2014 - José Bollo - Smack for embeddeds (15 15/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  16. Que Questions tions Thanks 2 February 2014 - José Bollo - Smack for embeddeds (16 16/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  17. EUROGICI EUROGICIEL EL ● Open source development and integration: ● Maintainers for tizen.org (Base, Test, Web Framework,... domains) ● Embedded systems for real-time multimédia: – Widi/Miracast stack, – Wayland/Weston, – Webkit2 browser with HW acceleration, ● Application: HTML5/CSS3, jquery, jqmobi, Cordova ● Location : Brittany – France ● http://www.eurogiciel.fr/ 2 February 2014 - José Bollo - Smack for embeddeds (17 17/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

  18. Evolution olutions of s of S Sma mack ck ● The author of Smack Smack is mainly Casey Schaufler Casey Schaufler . ● In Linux since kernel 2 6 25 since kernel 2 6 25 – 17 April 2008 – as a LSM LSM (Linux Security Module) ● Evoluting since this first days. ● Lock access mode (kernel 3.13) ● Support for multi-rule write to load2 and change-rule (kernel 3.12) ● Maximum value for CIPSO category change from 63 to 184 (kernel 3.12) ● Longer Smack labels (24->255) and recursive transmute (kernel 3,5) ● Transmute access mode (kernel 2.6.38) 2 February 2014 - José Bollo - Smack for embeddeds (18 18/16) /16) 2 February 2014 - José Bollo - Smack for embeddeds (

Recommend


More recommend