advanced systems security linux security modules
play

Advanced Systems Security: Linux Security Modules Trent Jaeger - PowerPoint PPT Presentation

Jan 23, 2023 •554 likes •872 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: � Linux Security Modules Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Linux Authorization circa 2000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Linux Security circa 2000 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Linus ’ Dilemna Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. The Answer • The solution to all computer science problems • Add another layer of indirection Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Linux Security Modules Was Born Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Linux Before and After Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. LSM Requirements Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. LSM – A Reference Monitor • To enforce mandatory access control We need to develop an authorization mechanism that ‣ satisfies the reference monitor concept • How do we do that? And satisfy all the other goals? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. LSM – Complete Mediation • First requirement is complete mediation • Add security hooks to mediate various operations in the kernel These hooks invoke functions defined by the chosen ‣ module • These hooks construct “authorization queries” that are passed to the module Subject, Object, Operations ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. LSM Hooks Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. LSM Hooks Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. LSM – Complete Mediation • First requirement is complete mediation • Enables authorization by module • Linux extends “sensitive data types” with opaque security fields Modules manage these fields – e.g., store security labels ‣ • Which Linux data types are sensitive? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  14. LSM Security Fields Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  15. LSM – Complete Mediation • First requirement is complete mediation • How do we know LSM implements complete mediation? • Asked one of the lead developers (Cowan) His reply? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  16. LSM – Complete Mediation • First requirement is complete mediation • How do we know LSM implements complete mediation? • Asked one of the lead developers (Cowan) His reply? ‣ • “We don’t” Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  17. LSM Analysis • Static analysis of Zhang, Edwards, and Jaeger [USENIX Security 2002] Based on a tool called CQUAL ‣ • Approach Objects of particular types can be in ‣ two states Checked, Unchecked • All objects in a “security-sensitive ‣ operation” must be checked Structure member access on some types • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  18. LSM Analysis /* from fs/fcntl.c */ • Static analysis of Zhang, Edwards, long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg) { and Jaeger [USENIX Security struct file * filp; ... filp = fget(fd); ... 2002] err = security ops->file ops ->fcntl(filp, cmd, arg); ... err = do fcntl(fd, cmd, arg, filp); Based on a tool called CQUAL ... ‣ } static long do_fcntl(unsigned int fd, unsigned int cmd, • Found a TOCTTOU vulnerability unsigned long arg, struct file * filp) { ... switch(cmd){ ... case F_SETLK: Authorize filp in sys_fcntl ‣ err = fcntl setlk(fd, ...); ... } ... But pass fd again to fcntl_getlk ‣ } /* from fs/locks.c */ fcntl_getlk(fd, ...) { struct file * filp; • Many supplementary analyses ... filp = fget(fd); /* operate on filp */ were necessary to support ... } CQUAL Figure 8: Code path from Linux 2.4.9 containing an ex- ploitable type error. Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  19. LSM Analysis • Runtime analysis of Edwards, Zhang, and Jaeger [ACM CCS 2002] Built a runtime kernel monitor ‣ Logs structure member ‣ accesses and LSM hook calls Rules describe expected ‣ consistency Figure 5: Authorization graph for fcntl calls for F SETLEASE (controlled operations in lease modify and fput ) and F SETOWN (controlled operations in do fcntl and put ). When command is F SETOWN both FCNTL and • Good for finding missing SET OWNER are authorized, but only FCNTL is authorized for F SETLEASE . hooks where one is specified Six cases were found ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  20. LSM Analysis • Automatically inferring security specifications from code – Tan, Zhang, Ma, Xiong, Zhou [USENIX Security 2008] Automate look at which fns are behind pointers ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  21. LSM – Tamperproof • Second requirement is tamperproof • Prevent adversaries from modifying the reference monitor code or data • How is LSM code protected? • How is LSM data protected? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  22. LSM – Tamperproof • Second requirement is tamperproof • Prevent adversaries from modifying the reference monitor code or data • How is LSM code protected? • How is LSM data protected? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  23. LSM – Tamperproof • Second requirement is tamperproof • Add functions to register and unregister Linux Security Modules Implemented as a set of function pointers defined at ‣ registration time • LSM module defines code • LSM function pointers define targets of hooks These are data – modifiable ‣ • Implications? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

  24. LSM – Tamperproof • Second requirement is tamperproof • Add functions to register and unregister Linux Security Modules Implemented as a set of function pointers defined at ‣ registration time • Adversaries could modify the code executed by Linux by modifying these function pointer data values Some people opposed this idea and refused to participate ‣ Eventually changed to require compiled-in LSM modules ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 25

  25. LSM API Systems and Internet Infrastructure Security (SIIS) Laboratory Page 26

  26. LSM Tasks Systems and Internet Infrastructure Security (SIIS) Laboratory Page 27

  27. Hook Details Systems and Internet Infrastructure Security (SIIS) Laboratory Page 28

  28. LSM Performance Systems and Internet Infrastructure Security (SIIS) Laboratory Page 29

  29. LSM Use Systems and Internet Infrastructure Security (SIIS) Laboratory Page 30

  30. Take Away • Aiming for mandatory controls in Linux But everyone had their own approach ‣ • Linux Security Modules is a general interface for any* authorization module Much finer controls – interface is union of what everyone ‣ can do • What does this effort say about Achieving complete mediation? • Whether complete mediation should be policy-dependent? • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook <keescook@google.com> (pronounced Case) Who is

474 views • 33 slides
Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security Kernels Trent Jaeger

555 views • 35 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides
Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security

370 views • 33 slides
Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Principles Trent Jaeger Systems and

420 views • 24 slides
Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Principles Trent Jaeger Systems and

589 views • 23 slides
Advanced Systems Security: Multics Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Multics Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Multics Trent Jaeger Systems and

569 views • 33 slides
Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Virtual Machine Systems Trent

783 views • 43 slides
Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Capability Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Capability Systems Trent Jaeger

622 views • 36 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security & Logging Linux Security Real-World Linux Security RHEL

739 views • 41 slides
Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Advanced Systems Security: Control-Flow Integrity Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Control-Flow Integrity Trent

1.55k views • 36 slides
Establishing an AAI service in DFN Ulrich Khler, DFN-Verein kaehler@dfn.de Jrgen

Establishing an AAI service in DFN Ulrich Khler, DFN-Verein kaehler@dfn.de Jrgen

Establishing an AAI service in DFN Ulrich Khler, DFN-Verein kaehler@dfn.de Jrgen Rauschenbach, DFN-Verein jrau@dfn.de Events and plans March 2006: 1. Meeting of an advisory group and early adopters: Libraries, GRIDs, eLearning,

408 views • 12 slides
three forces and moments Forces & Moments 1 Architectural Structures F2018abn Lecture 3

three forces and moments Forces & Moments 1 Architectural Structures F2018abn Lecture 3

A RCHITECTURAL S TRUCTURES : F ORM, B EHAVIOR, AND D ESIGN A RCH 331 D R. A NNE N ICHOLS F ALL 2018 lecture three forces and moments Forces & Moments 1 Architectural Structures F2018abn Lecture 3 ARCH 331 Structural Math quantify

649 views • 60 slides
mu-differentiability of an internal function Ricardo Almeida and V tor Neves University of

mu-differentiability of an internal function Ricardo Almeida and V tor Neves University of

mu-differentiability of an internal function Ricardo Almeida and V tor Neves University of Aveiro, Portugal May 2006 Definition [Reeken, 1992] Let E and F be normed spaces, U E open set and f : U F an internal function. f

327 views • 17 slides
Task Coarsening Through Polyhedral Compilation for a Macro-Dataflow Programming Model Alina

Task Coarsening Through Polyhedral Compilation for a Macro-Dataflow Programming Model Alina

Task Coarsening Through Polyhedral Compilation for a Macro-Dataflow Programming Model Alina Sbirlea, Louis-Nol Pouchet, Vivek Sarkar Rice University Ohio State University January 19, 2014 IMPACT15 Amsterdam Overview: IMPACT15 DFGR

294 views • 3 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
iLab Dynamic Routing Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and

iLab Dynamic Routing Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and

iLab Dynamic Routing Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 3 18ss 1 / 42 Outline Recap Background: Internet Architecture Internet

780 views • 61 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
On approximate geometric k - clustering Jiri Matousek DCG 2000 Problem Given n -point set

On approximate geometric k - clustering Jiri Matousek DCG 2000 Problem Given n -point set

On approximate geometric k - clustering Jiri Matousek DCG 2000 Problem Given n -point set and k>1 find a partition of minimum cost Geometric cost function Approximately

607 views • 21 slides

More recommend