The Simplified Mandatory Access Control Kernel Casey Schaufler

The Simplified Mandatory Access Control Kernel Casey Schaufler January 2008

Casey Schaufler
• Ported Unix Version 6 to 32 bit
• Started development of TSOL
• Architect of Trusted Irix
– B1, CAPP, LSPP evaluated
• US NSA's Trusix Group
• POSIX P1003.1e/2c
• TSIG

Today's Talk
• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack

Mandatory Access Control
• Concepts
– Subject is an active entity
– Object is a passive entity
– Access is an operation performed on an object by a subject

Mandatory Access Control
• Principles
– The user has no say in it
– Based on system controlled attributes

Mandatory Access Control
• Jargon
– MAC
– Label
– Bell & LaPadula
– Multilevel Security
– CIPSO

Mandatory Access Control

MAC Implementations
• Bell & LaPadula Sensitivity
– Multics, Unix
• Type Enforcement
– SELinux
• Pathname Controls
– AppArmor, TOMOYO

Uses of MAC Systems
• Security checkbox
• Sharing an expensive machine
• Disjoint sets of users
– B&L categories
• Hierarchical use of shared data
– B&L levels

Where Did Smack Come From?
• Traditionally
– Label relationships hard coded
– Names map to label values
• Mythtory: TopSecret, Skeeve, Ahz, Chumly
• Level=4, Categories=17, 49, 113
– Users only use names
• Why use anything but names?

Smack Label Mechanism
• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get the creating subject's label

Subjects Access Objects
• lstat() reads a file object's attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting

System Labels
• _ floor
• ^ hat
• * star
– Objects only
• Any single special character

User Labels (shown in the diagram alongside the system labels ^, * and _)
• SEAsia
• Dap

Explicit Access Rules (diagram labels: SEAsia, Med, Dap, Pop)
• Dap SEAsia r
• Med Pop w

Access Rule Specification
• /etc/smack/accesses
– Subject Object [-rwxa]
• /smack/load
– Strict fixed format
• /sbin/smackload
– Writes to /smack/load

Bell & LaPadula Levels
• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Unclass rx
• All relationships must be specified (there is no transitivity: TopSecret reading Secret needs its own rule)

Bell & LaPadula Categories
• Categories Skeeve and Ahz
• Labels:
– "Skeeve,Ahz"
– "Skeeve"
– "Ahz"
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz rx

Biba Integrity
• Floor is highest integrity (everything may read the floor)
• Hat is lowest integrity (the hat may read everything)

Ring of Vigilance (diagram labels: SEAsia, Med, Dap)
• SEAsia Dap r
• Med SEAsia r
• Dap Med r

Messaging
• Informant Reporter w
• Reporter Editor w
• Editor Reporter w

Time of Day
• At 17:00
– WorkerBee Game x
• At 08:00
– WorkerBee Game -

Implementation
• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit

Label Scheme
• Labels are short text strings
• Compared for equality
• Stored in a list
– secid
– Optional CIPSO value
– Never forgotten

Access Checks
• Rules written to /smack/load
• Hard coded labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule

File Systems
• Use xattrs if supported
• Hard coded behavior
– smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
– File system root
– File system default
– File system floor and hat
• Not yet implemented

Networking Model
• Sender writes to receiver
– Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
– Allows a UDP packet from William to Janet
• Janet William r
– Does not allow a UDP packet from Janet to William (sending is a write, and the rule grants only read)
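The decision procedure on the Access Checks slide, fed rules in the /etc/smack/accesses form from the Access Rule Specification slide, as an added example. This is a user-space model written for this page, not the Smack kernel module's code. The behaviour of the hard-coded labels follows Smack's documented rules (a star subject is denied everything, a star object permits everything, the hat may read and execute anything, anything may read and execute the floor); the label length limit, the rule table size, and the treatment of a second rule for the same subject/object pair as a replacement are assumptions of the model. The rule sets from the Explicit Access Rules, Bell & LaPadula Levels, Time of Day and Networking Model slides are used as constructed input.

```c
/* Added example, not the Smack kernel code: a user-space model of the
 * Smack access decision, fed rules in the /etc/smack/accesses form
 * "Subject Object [-rwxa]". Label length, table size and the
 * "later rule for a pair replaces the earlier one" behaviour are
 * assumptions of this model. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SMK_MAXLABEL 23          /* assumed: the slides only say "short text strings" */
#define SMK_MAXRULES 64          /* assumed table size for the model */

enum { SMK_R = 1, SMK_W = 2, SMK_X = 4, SMK_A = 8 };

struct smack_rule {
    char subject[SMK_MAXLABEL + 1];
    char object[SMK_MAXLABEL + 1];
    int access;                  /* bitmask of SMK_* granted to subject on object */
};

static struct smack_rule rules[SMK_MAXRULES];
static int nrules;

static void smack_reset(void) { nrules = 0; }

/* "[-rwxa]": a letter grants that mode, '-' grants nothing, anything else is an error */
static int smack_parse_access(const char *s)
{
    int acc = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': case 'R': acc |= SMK_R; break;
        case 'w': case 'W': acc |= SMK_W; break;
        case 'x': case 'X': acc |= SMK_X; break;
        case 'a': case 'A': acc |= SMK_A; break;
        case '-': break;
        default: return -1;
        }
    }
    return acc;
}

/* Load one rule line. A second rule for the same subject/object pair
 * replaces the first, which is how "WorkerBee Game -" revokes
 * "WorkerBee Game x" on the Time of Day slide. Returns 0 or -1. */
static int smack_load(const char *line)
{
    char subj[SMK_MAXLABEL + 1], obj[SMK_MAXLABEL + 1], acc[8];
    int bits, i;

    if (sscanf(line, "%23s %23s %7s", subj, obj, acc) != 3)
        return -1;
    bits = smack_parse_access(acc);
    if (bits < 0)
        return -1;
    for (i = 0; i < nrules; i++)
        if (strcmp(rules[i].subject, subj) == 0 && strcmp(rules[i].object, obj) == 0) {
            rules[i].access = bits;
            return 0;
        }
    if (nrules == SMK_MAXRULES)
        return -1;
    strcpy(rules[nrules].subject, subj);
    strcpy(rules[nrules].object, obj);
    rules[nrules].access = bits;
    nrules++;
    return 0;
}

/* The check from the Access Checks slide: hard-coded labels, then equal
 * labels, then the explicit rule for the pair; no rule means no access. */
static bool smack_access(const char *subject, const char *object, int want)
{
    int rx = SMK_R | SMK_X, i;

    if (strcmp(subject, "*") == 0)                 /* star is for objects only */
        return false;
    if (strcmp(object, "*") == 0)                  /* any access to a star object */
        return true;
    if (strcmp(subject, "^") == 0 && (want & ~rx) == 0)
        return true;                               /* hat reads/executes everything */
    if (strcmp(object, "_") == 0 && (want & ~rx) == 0)
        return true;                               /* everything reads/executes the floor */
    if (strcmp(subject, object) == 0)              /* same label: unrestricted */
        return true;
    for (i = 0; i < nrules; i++)
        if (strcmp(rules[i].subject, subject) == 0 && strcmp(rules[i].object, object) == 0)
            return (want & ~rules[i].access) == 0; /* every requested mode must be granted */
    return false;
}

int main(void)
{
    smack_reset();
    smack_load("Dap SEAsia r");
    smack_load("William Janet w");
    printf("Dap reads SEAsia: %s\n", smack_access("Dap", "SEAsia", SMK_R) ? "allowed" : "denied");
    printf("Janet sends to William: %s\n", smack_access("Janet", "William", SMK_W) ? "allowed" : "denied");
    return 0;
}
```

Because the model consults exactly one rule per subject/object pair and never infers anything from label names, every denial in the Bell & LaPadula case is a denial by absence: Unclass reading Secret and Secret writing Unclass fail simply because no rule grants them, which is what "All relationships must be specified" means in practice.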

Packet Labeling
• Unlabeled packets get the ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
– Set via /smack/cipso
• CIPSO direct mapping
– Level 250
– Label copied into category bits
• Same CIPSO as SELinux

The LSM
• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
– Networking
– Audit
– USB
• Module stacking

Programming Interfaces
• getxattr(), setxattr()
– SMACK64 (the security.SMACK64 extended attribute)
• /proc/<pid>/attr/current

Socket Interfaces
• Socket attributes
– fgetxattr(), fsetxattr()
– SMACK64IPIN
– SMACK64IPOUT
• Packet attributes
– SO_PEERSEC (TCP)
– SCM_SECURITY (UDP)

Administrative Interfaces
• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype

What Have You Learned?
• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted
• Smack is designed for simplicity
• Smack is designed as a kernel mechanism

Special Thank You
• Paul Moore
– Network interfaces
• Ahmed S. Darwish
– Work on smackfs
• And a host of reviewers, including
– Stephen Smalley, Seth Arnold
– Joshua Brindle, Al Viro
– James Morris, Kyle Moffett
– Pavel Machek

Contact Information
• http://schaufler-ca.com
• casey@schaufler-ca.com
• rancidfat@yahoo.com