advanced systems security security enhanced linux
play

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger - PowerPoint PPT Presentation

Apr 17, 2023 •204 likes •474 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: � Security-Enhanced Linux Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Reference Monitor for Linux • LSM provides a reference monitor interface for Linux ‣ Complete Mediation • You need a module and infrastructure to achieve the other two goals ‣ Tamperproofing ‣ Verifiability • SELinux is a comprehensive reference validation mechanism aiming at reference monitor guarantees Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. SELinux History • Origins go back to the Mach microkernel retrofitting projects of the 1980s ‣ DTMach (1992) ‣ DTOS (USENIX Security 1995) ‣ Flask (USENIX Security 1999) ‣ SELinux (2000-…) • Motivated by the security kernel design philosophy ‣ But, practical considerations were made Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Inevitability of Failure • Philosophy of the approach • Flawed Assumption: That security can be managed by the application space ‣ without OS security support (protection is not sufficient) • Paraphrase: Can’t build a secure system without a reference monitor and MPS And a secure operating system needs an entire ‣ ecosystem • Come back to this later… Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. The Rest of the SELinux Story • Tamperproof ‣ Protect the kernel ‣ Protect the trusted computing base ‣ Use MPS to provide tamperproofing of TCB? • Verifiability ‣ Code correctness ‣ Policy satisfy a security goal ‣ Use MPS to express secrecy and integrity requirements Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Design MPS • Do not believe that classical integrity is achievable in practice Too many exceptions ‣ Commercial systems will not accept constraints of ‣ classical integrity • Instead, focus on providing comprehensive control of access aiming for Confining root processes (tamperproof) ‣ Least privilege in general (verifiability) ‣ • How does ‘least privilege’ affect security? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. SELinux Policy Model • See slides in 07-TypeEnforcement… Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. SELinux Policy Rules • SELinux Rules express an MPS Protection state – ALLOW subject-label object-label ops ‣ Labeling state – TYPE_TRANSITION subject-label object- ‣ label new-label (at create – objects) Default is to label to same state as creator • Transition state – TYPE_TRANSITION subject-label object- ‣ label new-label (at exec – processes) • Tens of thousands of rules are necessary for a standard Linux distribution Protect system processes from user processes ‣ User data can be protected by MLS ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. SELinux “Setuid” • How does SELinux enable a normal user to run a privileged (setuid) process, such as passwd ? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  10. SELinux Transition State • For user to run passwd program Only passwd should have permission to modify /etc/shadow ‣ • Need permission to execute the passwd program allow user_t passwd_exec_t:file execute (user can exec /usr/bin/passwd) ‣ allow user_t passwd_t:process transition (user gets passwd perms) ‣ • Must transition to passwd_t from user_t allow passwd_t passwd_exec_t:file entrypoint (run w/ passwd perms) ‣ type_transition user_t passwd_exec_t:process passwd_t ‣ • Passwd can the perform the operation allow passwd_t shadow_t:file {read write} (can edit passwd file) ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  11. SELinux Deployment • You’ve configured your SELinux policy Now what is left? ‣ • Surprisingly, a lot Many services must be aware of SELinux ‣ Got to get the policy installed in the kernel ‣ Got to manage all this policy ‣ • And then there is the question of getting the policy to do what you want Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  12. User-space Services • What kind of security decisions are made by user-space services? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  13. User-space Services • What kind of security decisions are made by user-space services? Authentication (e.g., sshd) ‣ Access control (e.g., X windows, DBs (servers), ‣ browsers (middleware), etc.) Configuration (e.g., policy build and installation) ‣ • Also, many services need to be aware of SELinux to enable usability E.g., Listing files/processes with SELinux contexts (ls/ps) ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  14. User-space Services • Authentication Various authentication services need to create a ‣ “SELinux subject context” on a user login Like login in general, except we set an SELinux context ‣ and a UID for the generated shell • How do you get all these ad hoc authentication services to interact with SELinux? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  15. Authentication for SELinux • Pluggable Authentication Modules There is a module for SELinux that various ‣ authentication services use to create a subject context Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  16. User-space Services • Access Control Many user-space services are shared among mutually ‣ untrusting clients Problem: service may leak one client’s secret to another • • If your SELinux policy allows multiple, mutually untrusting clients to talk to the same service, what can SELinux do to prevent exploits? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  17. User-space Services • Add SELinux support to the service X Windows, postgres, dbus, gconf, telephony server ‣ • E.g., Postgres with the SELinux user-space library Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  18. User-space Services • Configuration You need to get the SELinux policy constructed and ‣ loaded into the kernel Without allowing attacker to control the system policy • And policy can change dynamically • • How to compose policies? • How to install policies? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  19. Compose Policies • The SELinux policy is modular Although not in a pure, object-oriented sense ‣ Too much had been done • • Policy management system composes the policy from modules, linking a module to previous definitions and loads them Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  20. Installing Policies • How would you enable user-space processes to push data (e.g., MPS configuration) into the kernel? Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  21. sysfs Background • During the 2.5 development cycle, the Linux driver model was introduced to fix several shortcomings of the 2.4 kernel: No unified method of representing driver-device ‣ relationships existed. There was no generic hotplug mechanism. ‣ procfs was cluttered with lots of non-process information. ‣ • Main uses Configure drivers ‣ Export driver information ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  22. sysfs Example: load_policy From kernel: security/selinux/selinuxfs.c enum sel_inos { SEL_ROOT_INO = 2, SEL_LOAD, /* load policy */ SEL_ENFORCE, /* get or set enforcing status */ static struct tree_descr selinux_files[] = { [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR}, [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR}, static struct file_operations sel_load_ops = { .write = sel_write_load, }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  23. sysfs Example: load_policy From userspace: libselinux/src/load_policy.c int security_load_policy(void *data, size_t len) { char path[PATH_MAX]; int fd, ret; snprintf(path, sizeof path, "%s/load", selinux_mnt); fd = open(path, O_RDWR); if (fd < 0) return -1; ret = write(fd, data, len); close(fd); Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  24. sysfs Example: load_policy From kernel: security/selinux/selinuxfs.c static ssize_t sel_write_load(struct file * file, const char __user * buf, size_t count, loff_t *ppos) { … length = task_has_security(current, SECURITY__LOAD_POLICY); if (length) goto out; … if (copy_from_user(data, buf, count) != 0) goto out; length = security_load_policy(data, count); --- ss/services.c if (length) goto out; Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  25. When Are We Done? • There is a significant configuration effort to get the SELinux system deployed Who does this? ‣ What happens if I want to change ‣ something? Does it prevent the major threats? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco Information Assurance Research G roup National Security Agency Co-author: Stephen D. Smalley, NAI Labs 1 roup Inform ation A ssurance R esearch G

476 views • 43 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides
Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security Kernels Trent Jaeger

555 views • 35 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides
Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet

Advanced Systems Security Retrofitting for Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security

370 views • 33 slides
Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Principles Trent Jaeger Systems and

589 views • 23 slides
Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Principles Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Principles Trent Jaeger Systems and

420 views • 24 slides
Advanced Systems Security: Multics Trent Jaeger Systems and Internet Infrastructure Security

Advanced Systems Security: Multics Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Multics Trent Jaeger Systems and

569 views • 33 slides
Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Advanced Systems Security: Virtual Machine Systems Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Virtual Machine Systems Trent

783 views • 43 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Imagining the Future and the Role of Human- Centered Design

Imagining the Future and the Role of Human- Centered Design

Imagining the Future and the Role of Human- Centered Design in Smart Service Systems Paul Maglio, University of California, Merced John Carroll, Penn

479 views • 15 slides
A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard

A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard

Computer Science A Virtual Deadline Scheduler for Window-Constrained Service Guarantees Yuting Zhang, Richard West, Xin Qi Boston University RTSS 2004 RTSS 2004 Motivating Applications Computer Science Multimedia &amp; weakly-hard

406 views • 25 slides
Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian

Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian

Debian Med A service for scientists in medicine and biomedical research Andreas Tille Debian Brussels, 02. February 2013 Andreas Tille (Debian) Debian Med Brussels, 02. February 2013 1 / 12 What is Debian Med? practice management system

610 views • 39 slides
SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH

SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH

Enabling Grids for E-sciencE SLCS and VASH Service Interoperability of Shibboleth and gLite Christoph Witzig, SWITCH (witzig@switch.ch) NREN Grid Workshop Nov 30th, 2007 - Malaga www.eu-egee.org EGEE-II INFSO-RI-031688 EGEE and gLite are

272 views • 25 slides
Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed application - a software system in which components communicate over the network and coordinate their actions in order to achieve a common goal.

1.01k views • 33 slides
Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light

Installing a Web Server 1. Install a sample web server, which supports Servlets/JSPs. A light weight web server is Apache Tomcat server. You can get the server from http://tomcat.apache.org/ 2. Follow the installation directions and install the

199 views • 5 slides
Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for

Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for

Internet Programming Session 9 Servlet Intro Session 9 Introduction to Servlets Lecture Objectives Understand the foundations for client/server Web interactions Understand the servlet life cycle 2 Robert Kelly, 2018 1

494 views • 18 slides
Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019

Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019

Objectives Review: HTML Forms Intro to Java Server-side Web Technology April 26, 2019 Sprenkle - CS335 1 Review: HTML Forms What attribute is required in a form form tag? What attribute is optional? What attribute do we use to

730 views • 13 slides

More recommend