SELinux Protected Paths Revisited
Trent Jaeger
Department of Computer Science and Engineering, Pennsylvania State University
March 1, 2006
Department of Computer Science & Engineering 1
Talk Topics
- Mechanism for MAC enforcement between 2 machines
  - Labeled IPsec
- Protected Paths
  - Are we ready?
- Distributed System MAC
  - What else do we need?
- Claims
  - Distributed enforcement: distributed, shared monitor
  - Trust in that enforcement: trust representation
  - Simplicity and scalability: can virtual machines help?
Mandatory Access Control
[Diagram: applications (Appl) running on a Linux kernel with the SELinux MAC module and its policy]
Mandatory Access Control
[Diagram: as before, with the SELinux MAC module mediating application access to kernel objects such as X and File]
Network MAC
[Diagram: two systems, each with applications, a Linux kernel, an SELinux MAC module and a policy, communicating across the network (marked X)]
Client-Server MAC
[Diagram: a client application talking to a server and its worker processes; each machine runs a Linux kernel with an SELinux MAC module and policy]
Location-independent MAC
[Diagram: a master application on the base system creates a new application on a remote system; both systems run a Linux kernel with an SELinux MAC module and policy]
Labeled IPsec
- Leverage IPsec
  - Advantages: secure communication; easy to integrate into kernel MAC
- Add MAC labeling to IPsec
  - Control application access to IPsec "channels"
  - Can only send/receive with MAC permission
- Results
  - Application-to-application control is possible
  - BLP controls between applications on different machines
  - Applications can use labeling information (e.g., label child processes)
- Part of Linux 2.6.16-rc* kernel; will be in the 2.6.16 kernel
Client-Server Usage
[Diagram: two systems, each with applications, an OS kernel MAC access control module and policy; a client application connects to a server worker]
(1) Black must be able to access green policy (among others)
(2) Black can extract label of SA for socket
(3) Prototyped using getsockopt(…, SO_PEERSEC)
Get Peer Label
- TCP
  - Is a socket connected? (TCP_ESTABLISHED)
  - getsockopt(.. SO_PEERSEC ..)
  - dst_entry cache of socket (labeled SA)
- UDP
  - Connectionless
  - Set IP_PASSSEC socket option
  - recvmsg now returns context as well
- For UNIX stream, dgram (soon) and INET stream, dgram
- Work by Catherine Zhang at IBM Research
Use Labels in Client Control
- Network Services
  - vsftpd, xinetd
  - Get label using TCP method
- Configuration
  - Get xinetd to use labels based on configuration
- Storage Security
  - Proxy-based
  - Server proxy limits access based on client label; server is trusted
  - Client proxy connects based on client label; client proxy processes need not be trusted
Distributed MAC Goal
- Protected Paths
  - From "Inevitability of Failure"
  - Direct, authenticated communication
  - Integrity-preserved from input to output
  - Get peer's label reliably
  - Comparable to authenticated IPC (UNIX domain sockets)
- Where are we relative to achieving protected paths for real?
- Are protected paths enough?
Protected Paths
[Diagram: on each of two systems, a path from Application through Xserver and Window Manager to the Operating System, with the two operating systems joined by the Network]
Protected Paths
[Diagram: the same two-system path, now carrying a MAC Label across the Network]
Protected Paths
[Diagram: the same path extended to the User at one end, with the MAC Label carried across the Network and each system's enforcement attested ("Attest")]
Protected Path Challenges
- User-to-Application
  - Xserver control
  - Window Manager control
- Application-to-OS
  - Labeled IPsec
  - Application control using label
- OS-to-OS
  - Reference monitoring: MAC policy, labeling
  - Remote attestation, building trust from secure hardware
Existing Solutions
- Distributed policy management: e.g., Tivoli Access Manager, Microsoft Windows Domains
- Virtual machine systems: NetTop, Terra
- Logic of authentication: Taos and Secure Boot
- Trust management systems: e.g., PolicyMaker, KeyNote, etc.
- Trust negotiation
Secure Coalition System
- Recent IBM Technical Report -- RC23865
- Work with J. McCune at CMU; S. Berger, R. Caceres, R. Sailer at IBM Research
Distributed, Shared Monitor
- Distributed, shared reference monitor
- TPM attestation of each physical machine's reference monitor
- Common enforcement properties: monitoring, MAC policy
Virtual Machines
- Advantages
  - Coarser-grained protections
  - Coarser-grained policy
  - Simpler reference monitor
  - VM per application (simplify policy within VM)
- Challenges
  - Dynamic policy (Yin and Wang, USENIX 2005)
  - Doesn't fix user-to-user (Nitpicker, ACSAC 2005)
  - Translate into client-specific rights (finer-grained)
  - Scalable construction, maintenance of trust
Building Trust
- Build trust in other system's reference monitoring
  - And MAC policy
  - And labeling of subjects and objects
- Why is this necessary?
  - Internet-scale: register TPM and physical protection, but a different admin
  - Administration errors: misconfiguration of a machine
  - Malice: compromised platform
- Build trust from secure hardware up
Internet-Scale Distributed Systems
- Simple language of trust
  - Limited by reference monitoring properties
  - Monotonic reasoning
- Multiple layers of reasoning: machine, virtual machine, coalition
- Building systems to test soundness/completeness
  - Web hosting
  - Internet Suspend/Resume
  - Distributed computations -- student testing
Summary
- Aim: Network MAC to Distributed System MAC
  - Have IPsec MAC controls
- What is an appropriate goal for distributed system MAC?
  - Protected Paths plus Remote Attestation plus Virtual Machines?
  - Distributed, shared reference monitor
- Several challenges remain
  - Trust across systems
  - Compatibility (policy, labeling) across systems
  - Service awareness
  - Building all the way to the user
Questions?
- Contact: Trent Jaeger, tjaeger@cse.psu.edu
  - Penn State SIIS Lab, siis.cse.psu.edu
  - www.cse.psu.edu/~tjaeger
- DSRM prototype report: IBM Tech Report RC23865 -- with McCune, Berger, Caceres, Sailer
- Linux kernel: www.kernel.org
- SELinux: www.nsa.gov/selinux