Access Control, Casey Schaufler, August 2010 (PowerPoint PPT presentation)


SLIDE 1

File Content Based Access Control

Casey Schaufler August 2010

SLIDE 2

Casey Schaufler

  • Trusted Solaris, Trusted Irix, Linux LSM
  • Various Government Efforts

– Trusix, CMM, CHATS

  • Standards

– P1003.1e/2c, TSIG

  • Smack Linux Security Module

SLIDE 3

Today’s Talk

  • Access Control
  • File Contents
  • Looking
  • Enforcement
  • Implementation

SLIDE 4

Access Control

  • Concepts

– Subject, Object, Access

  • Principles

– Always Invoked
– Not Circumventable

  • Jargon

– Discretionary, Mandatory
– Sensitivity, Integrity

SLIDE 5

Containers

  • The thing with a name

– An object

  • Traditional attributes

– Mode bits, owner, group

  • Extended attributes

– ACL, SELinux context, Smack label

SLIDE 6

Container Rationalizations

  • Owner knows best

– Fundamental tenet of DAC

  • Like breeds like

– Fundamental tenet of MAC

  • Don’t care what is in the container

– Container is appropriately marked

SLIDE 7

Rationalizations Break Down

  • DAC
  • MAC

– Secret file with location of the donuts

SLIDE 8

File Contents

  • You have to look
  • You have to keep looking
  • You can spend all your time looking

SLIDE 9

When To Look

  • New empty files are uninteresting
  • Newly modified files are interesting
  • Any modification makes them interesting
  • Stay interesting until examined

SLIDE 10

Is it Time To Look?

  • Filesystem scan

– À la Windows virus scanning

  • Inotify

– You have to ask for each file
– Limited number of watches

SLIDE 11

Keeping In Mind

  • Kernels don’t do data
  • Pathnames are transient
  • Existing behaviors can’t change much

SLIDE 12

Keeping Track

  • Mark file when modified

– Easy for the kernel

  • Mark file when scanned

– Easy for an application

  • Kernel knows who needs scanning

SLIDE 13

Data Flow

[Diagram: data flow between Kernel and Scanner, numbered steps 1 to 4, with Data on one side and Metadata on the other]

SLIDE 14

Data States

  • Kernel marks modified file
  • Kernel announces pathname
  • Application opens file, looks for mark
  • Examine marked files
  • Remark them for access control

SLIDE 15

Enforcement Mechanisms

  • Overloading the familiar leads to tears
  • LSM schemes aren’t so familiar
  • SELinux would work

– “All it would take is policy”

  • Smack would do

– Still more than you need

SLIDE 16

Creating a Mechanism

  • LSM schemes are easy to write
  • Access control based on marks has been done
  • Right place for notification, too

SLIDE 17

The Datastate Implementation

  • Special purpose LSM
  • Scanner dispatcher
  • Scanner applications

SLIDE 18

The Datastate LSM

  • Marks files as they are modified
  • Provides names of modified files
  • Enforces Smack style access rules
  • Only cares about regular files

SLIDE 19

Modifications

  • Any data write operation counts
  • Files marked -open are ignored
  • Files marked +anything are ignored
  • All others are marked -open

SLIDE 20

Notification

  • Pathname collected with d_path
  • Written to /datastate/changed

– Only if not marked -open

SLIDE 21

Access Control

  • Process mark

– /proc/self/attr/current

  • Process mark and file mark rules

    Process mark   File mark   Access
    Developer      GPLv3       n
    Lawyer         GPLv3       y
    Careful        -open       n
    -system        +logfile    y

SLIDE 22

The Datastate Dispatcher

  • Reads /datastate/changed
  • Checks if file exists
  • Checks if file is marked -open
  • Invokes scanner

SLIDE 23

The Datastate Scanner

“Wait a second. This isn’t Windows with viruses. Why do I care?”

SLIDE 24

The Datastate Scanner

… under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, ...

SLIDE 25

The labelgpl3 Scanner

  • Checks if file is marked -open
  • Checks for GPL version 3
  • Marks GPL3 files GPLv3
  • Marks others -closed
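As an added example (not code from the Datastate project), the following Python simulation walks the flow of slides 19, 20, 22 and 25 end to end and then applies the slide 21 rule table. Marks are kept in a dict standing in for the LSM's per-file mark, a deque stands in for /datastate/changed, and the regex that labelgpl3 uses to recognise the licence text is an assumption.

```python
import os
import re
from collections import deque

# Datastate simulation (example, not the project's code): a dict stands in for
# the LSM's per-file mark and a deque for the /datastate/changed file.  The
# rule table is copied from slide 21; the GPL3 pattern is an assumption.
GPL3 = re.compile(r"GNU General Public License.*?version 3", re.S)
RULES = {("Developer", "GPLv3"): False, ("Lawyer", "GPLv3"): True,
         ("Careful", "-open"): False, ("-system", "+logfile"): True}

def allowed(proc_mark, file_mark):
    """Smack-style lookup: access only for an explicitly listed (process, file) pair."""
    return RULES.get((proc_mark, file_mark), False)

class Datastate:
    def __init__(self):
        self.marks = {}          # pathname -> mark ("-open", "GPLv3", "-closed", "+logfile", ...)
        self.changed = deque()   # pathnames announced to the dispatcher

    def write(self, path, data):
        """Slides 19-20: any data write marks a regular file -open and announces its
        pathname, unless it is already -open or carries a +anything mark."""
        with open(path, "a") as f:
            f.write(data)
        mark = self.marks.get(path, "")
        if mark == "-open" or mark.startswith("+"):
            return False
        self.marks[path] = "-open"
        self.changed.append(path)
        return True

    def labelgpl3(self, path):
        """Slide 25: scan only -open files; GPL3 text earns GPLv3, anything else -closed."""
        if self.marks.get(path) != "-open":
            return self.marks.get(path)
        with open(path, errors="replace") as f:
            text = f.read()
        self.marks[path] = "GPLv3" if GPL3.search(text) else "-closed"
        return self.marks[path]

    def dispatch(self):
        """Slide 22: drain the changed queue, skip files that no longer exist, run the scanner."""
        results = {}
        while self.changed:
            path = self.changed.popleft()
            if os.path.isfile(path):
                results[path] = self.labelgpl3(path)
        return results
```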

SLIDE 26

Unsolved Mysteries

  • Repudiation
  • Rename of -open file
  • Should open fail, or wait?
  • Avoid an initial scan

SLIDE 27

What have you learned?

  • Content based access control is

– Important
– Viable

  • It could be done with existing facilities
  • It is easier to do from scratch

SLIDE 28

Can I get it?

  • Hosted by the Smack Project
  • http://schaufler-ca.com/datastate

– Kernel patch
– Dispatcher program datastate
– Scanner application labelgpl3

SLIDE 29

Dedication

Sue Schaufler 1929 – 2010

SLIDE 30

Contact Information

  • http://schaufler-ca.com
  • casey@schaufler-ca.com