integrating selinux and security typed languages
play

Integrating SELinux and Security-typed Languages Sandra Rueda - - PowerPoint PPT Presentation

Jan 06, 2024 •230 likes •492 views

Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab -

  1. Integrating SELinux and Security-typed Languages Sandra Rueda - ruedarod@cse.psu.edu Boniface Hicks, Trent Jaeger, Patrick McDaniel Systems and Internet Infrastructure Security Lab Department of Computer Science and Engineering SIIS Lab - Spring 2007 - Sandra Rueda Page 1

  2. The Issue • Operating systems like SELinux enforce information flow policies at the granularity of application inputs and outputs. • …but… some applications need privileges (access to multiple security levels): – Server software – Client software: e-mail clients, web browsers – High integrity programs with low integrity inputs SIIS Lab - Spring 2007 - Sandra Rueda Page 2

  3. The Issue [2] • The OS trusts that privileged applications preserve information flow policies SELinux: Policy management tools secadm, load_policy, setrans, setfiles, semanage , restorecon, newrole Startup utilities bootloader, initrc, init, local_login File tools dpkg_script, dpkg, rpm, mount, fsadm Network utilities iptables, sshd, remote_login, NetworkManager Auditing, logging services logrotate, klogd, auditd, auditctl Hardware, device mgmt hald, dmidecode, udev, kudzu Miscellaneous services passwd, tmpreaper, insmod, getty, consoletype, pam_console SIIS Lab - Spring 2007 - Sandra Rueda Page 3

  4. The Issue [3] • Neither SELinux nor any other operating system have any means of tracing information flow management within an application Public Public Out In Secret • • Secret SIIS Lab - Spring 2007 - Sandra Rueda Page 4

  5. Information Flow Enforcement • Can applications show they are enforcing information flow policies? → This is the goal of security-typed languages Public Public Out In Secret • X • Secret SIIS Lab - Spring 2007 - Sandra Rueda Page 5

  6. Security-typed Languages • Security-typed compilers guarantee enforcement of lattice information flow policies. If a program does not meet the policy → it does not compile SIIS Lab - Spring 2007 - Sandra Rueda Page 6

  7. Security-typed Languages [2] • Variables are augmented with annotations that define a policy • Policies are enforced by compile-time type checking Pseudo-code: InputStream {sec} in = stdin(…); String {sec} passwd = in.readLine(…); Socket {pub} leak = openSocket(…); leak.print(passwd); // Compiler message: // Illegal Flow! SIIS Lab - Spring 2007 - Sandra Rueda Page 7

  8. Analysis: Client Application • JPmail : information flow aware email client – Single interface to read all levels of emails. It must preserve noninterference! – Secret e-mails must be encrypted before sending them out – Any reply should be sent out at the same level as the original message SIIS Lab - Spring 2007 - Sandra Rueda Page 8

  9. Analysis: System Application • logrotate – It is a service that rotates logs – Logs may span various security levels on a system – It works based on a configuration file – It is required to have separation among: • log files of different programs • log files and configuration files for a single domain and among domains SIIS Lab - Spring 2007 - Sandra Rueda Page 9

  10. Related Work • Options to handle applications that require access to multiple security levels: – Separation of privilege (virtual or physical gap) Require additional resources, more complex management – Manual Inspection Prone to error – User level policy server No guarantee of completeness We are still subject to manual inspection SIIS Lab - Spring 2007 - Sandra Rueda Page 10

  11. Our Solution • Develop applications that enforce system information flow policies and are able to prove it to the operating system SIIS Lab - Spring 2007 - Sandra Rueda Page 11

  12. How ? • Two main tasks: – Develop applications aware of → T1. Develop with Security Typed security goals and with means to Languages prove information flow enforcement – Integrate these applications with → T2. Integration Framework SELinux SIIS Lab - Spring 2007 - Sandra Rueda Page 12

  13. T1. Application Development • We use Jif – Jif = Java + Information Flow – Currently, Jif is the most mature security-typed language – Where are the real Jif applications ? • JPmail [Understanding practical application development in security-typed languages. ACSAC 2006] – High level configurable policy – Connected with existing system SIIS Lab - Spring 2007 - Sandra Rueda Page 13

  14. T2. Integration Framework • We identify three main tasks: – Implement mechanisms for the application to determine the label of its input channels → a) Label Exchange ( ⇒ ) – Implement mechanisms for the application to communicate to the operating system the label of the outputs → b) Label Exchange ( ⇐ ) – Implement mechanisms by which an application can prove its information flow enforcement is consistent with the system policy → c) Policy Compliance Testing SIIS Lab - Spring 2007 - Sandra Rueda Page 14

  15. a,b) Label Exchange • Tasks a,b: – to get labels for inputs – to assign labels to outputs • To do so we need: – A mapping between SELinux and application labels – Be able to exchange labels at runtime (application inputs and outputs) SELinux file label FileInputStream {sec} in = FileInputStream(…); String {sec} data = in.readLine(…); SELinux socket label Socket {pub} leak = openSocket(…); leak.print(passwd); SIIS Lab - Spring 2007 - Sandra Rueda Page 15

  16. Label Exchange [2] • Mapping between SELinux and application labels Label Mapping: Jif SELinux user_u:object_r:jpmail_t:s3 → {.*:.*:.*:s3} • Exchange of labels at runtime (application inputs and outputs) Jif runtime environment was extended OS functions supporting the extension Socket [{s3:}] stream = getfd() openSocket(host,port,new label( fsetfilecon() “user_u:object_r:jpmail_t:s3”)); getsockopt() SIIS Lab - Spring 2007 - Sandra Rueda Page 16

  17. c) Policy Compliance • We want to prove that the application enforces a policy that is consistent with the SELinux policy → it does not add flows that are not allowed in the operating system SELinux Domain Jif Domain os_channel1 {s1} jif_input {p1} jif_intermediate {p2} jif_output {p3} os_channel2 {s2} Jif guarantees p1 ≤ p2 and p2 ≤ p3 s1 ≤ s2 ? (p3 is at least as secret as p2 and p2 is at least as secret as p1) SIIS Lab - Spring 2007 - Sandra Rueda Page 17

  18. Policy Compliance [2] • Implementation: 1. Detect information flows allowed in the OS and the App 2. Determine the security levels that are shared between the OS and the App 3. Flows allowed in App ⊆ Flows allowed in the OS 1. OS flows: {s1 -> s2, s4 -> s5} Application flows: {p1 -> p2, p2 -> p3, p1 -> p3} 2. SELinux Jif os_1 {s1} Label Mapping: jif_in {p1} Jif SELinux user_u:object_r:jpmail_t:s1 ←→ {.*:.*:.*:p1} jif_int {p2} user_u:object_r:jpmail_t:s2 ←→ {.*:.*:.*:p3} jif_out {p3} renaming shared levels: os_2 {s2} p2 is not shared p1 -> p3 becomes s1 -> s2 3. {s1 -> s2} ⊆ {s1 -> s2, s4 -> s5} SIIS Lab - Spring 2007 - Sandra Rueda Page 18

  19. Policy Compliance [3] • Implementation [NAS-TR-0058-2007. CSE SIIS Lab 07] – Translation of policy rules to Prolog statements – XSB Prolog engine • Tracing of flows allowed by the OS • Tracing of flows allowed by the application Code for Jif Policy Code for XSB XSB yes / no SELinux Engine Engine Policy get all verify OS-relevant flows flows SIIS Lab - Spring 2007 - Sandra Rueda Page 19

  20. Implementation Example • We integrated JPmail and JPlogrotate with SELinux • SELinux rules for JPmail: – We assigned MLS-related attributes to our application – We allowed our application to set up the level of its output resources (at run-time those levels depend on the level of the input) – We used Labeled IPsec to create appropriate network connections type jpmail_t typeattribute jpmail_t mlsnetreadtoclr typeattribute jpmail_t mlsnetwritetoclr allow jpmail_t self:tcp_socket relabelfrom relabelto allow jpmail_t self:association recvfrom sendto spdadd addr1 addr2 any -ctx 1 1 “user_u:object_r:jpmail_t:s1” -P in|out ipsec esp/transport//require; SIIS Lab - Spring 2007 - Sandra Rueda Page 20

  21. Summary • Overview of the system: 1. Application is developed in security-typed language 2. Developer defines high-level policy for the application 3. Application is invoked 4. The operating system checks policy compliance 5. Application is initiated SIIS Lab - Spring 2007 - Sandra Rueda Page 21

  22. Our Contribution • We developed a model to build applications that enforce system information flow policies and are able to prove it to the OS – Jif for application information flow management – SELinux for system information flow management – Service to run the applications that meet our requirements • We implemented and tested the model! • We designed and implemented a comprehensive framework that enables the integration of security-typed applications and SELinux to enforce end-to-end information flow policies. SIIS Lab - Spring 2007 - Sandra Rueda Page 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

693 views • 45 slides
Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli

Hands-on SELinux: A Practical Introduction Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Roadmap Day 1: Why SELinux? Overview of SELinux Using SELinux SELinux Permissive Domains Day

1.71k views • 60 slides
What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

611 views • 11 slides
Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley sds@tycho.nsa.gov Information Assurance Research Group National Security Agency (Slight modifications by David

542 views • 19 slides
Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting

Security- -Enhanced Darwin: Enhanced Darwin: Security Porting SELinux to Mac OS X Porting SELinux to Mac OS X SELinux Symposium 2007 ELinux Symposium 2007 S Chris Vance Information Systems Security Operation, SPARTA, Inc.

700 views • 26 slides
Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with

Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with

Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with Jamie Morgenstern Carnegie Mellon University Security-Typed Programming Access control: who gets access to what? read a file play a song make an

860 views • 62 slides
Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with

Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with

Security-Typed Programming within Dependently-Typed Programming Dan Licata Joint work with Jamie Morgenstern Carnegie Mellon University Supported by NSF CCF-0702381 and CNS-0716469 Security-Typed Programming Access control: who gets access

1.06k views • 79 slides
SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What?

SELinux Policy Within Package Managers Why policy is special 1 SELinux? Policy? What? SELinux is a MAC system for Linux Enabled by default on Fedora, RHEL Available on Ubuntu, Gentoo, Debian, etc Policies are available for

579 views • 16 slides
Dynamically Typed Programming Languages Part 1: The Untyped -Calculus Jim Royer CIS 352

Dynamically Typed Programming Languages Part 1: The Untyped -Calculus Jim Royer CIS 352

Dynamically Typed Programming Languages Part 1: The Untyped -Calculus Jim Royer CIS 352 April 16, 2019 Royer Dynamically Typed Programming Languages 1 / 22 Reference Practical Foundations for Programming Languages, 2/e, Part VI:

408 views • 28 slides
Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec

Using SELinux with container runtimes Because privileged containers are scary Lukas Vrabec Senior Software Engineer Security Technologies 1 Who am I ? Lukas Vrabec SELinux Evangelist Member of Security Technologies team at Red

971 views • 70 slides
SELinux Example: I may chmod o+a the file containing 506 grades, which violates

SELinux Example: I may chmod o+a the file containing 506 grades, which violates

12/6/12 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) SELinux Example: I may chmod o+a the file containing 506 grades,

412 views • 5 slides
Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin Wang School of Informatics and Computing Indiana University Overview Work done as two internships at

797 views • 65 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
Dynamically Typed Programming Languages Part 2: Dynamic PCF Jim Royer CIS 352 April 16, 2019

Dynamically Typed Programming Languages Part 2: Dynamic PCF Jim Royer CIS 352 April 16, 2019

Dynamically Typed Programming Languages Part 2: Dynamic PCF Jim Royer CIS 352 April 16, 2019 Reference Practical Foundations for Programming Languages, 1/e, Part VI: Dynamic Types , by Robert Harper, Cambridge University Press, 2013,

107 views • 9 slides
We focus on embedding a typed object language into a typed metalanguage. The benefit of types in

We focus on embedding a typed object language into a typed metalanguage. The benefit of types in

Finally Tagless, Partially Evaluated Tagless Staged Interpreters for Simpler Typed Languages Jacques Carette 1 , Oleg Kiselyov 2 , and Chung-chieh Shan 3 1 McMaster University carette@mcmaster.ca 2 FNMOC oleg@pobox.com 3 Rutgers University

649 views • 16 slides
i 1 / 61 Introduction and Context 2 / 61 3 / 61 3 / 61 3 / 61 3 / 61 Exotic design rules,

i 1 / 61 Introduction and Context 2 / 61 3 / 61 3 / 61 3 / 61 3 / 61 Exotic design rules,

Representing and Computing with Types in Dynamically Typed Languages Extending Dynamic Language Expressivity to Accommodate Rationally Typed Sequences Jim Edward Newton Thesis defense for the title: Doctorat de lUniversit e Sorbonne

2k views • 178 slides
The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus <Stephan.Neuhaus@disi.unitn.it> Thomas Zimmermann <tzimmer@microsoft.com> Vulnerabilities are important because fixing them costs a lot of money (2005

1.9k views • 73 slides
String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo

String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo

String Solving with Word Equations and Transducers: Anthony W. Lin (Yale-NUS), Pablo Barcelo (Univ. of Chile) String

394 views • 27 slides
Major problem for biologists using SAS Major problem for biologists using SAS In the past,

Major problem for biologists using SAS Major problem for biologists using SAS In the past,

Ab initio methods: how/why do they work D.Svergun, EMBL-Hamburg Major problem for biologists using SAS Major problem for biologists using SAS In the past, many biologists did not believe that SAS yields more than the radius of gyration

855 views • 27 slides
Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB

Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB

COMPUTER FORENSIC INVESTIGATION OF {mobile} BANKING TROJAN Ivanov Boris #whoami Ivanov Boris: Senior Computer Forensics Specialist LLC Group-IB Graduate student 05.13.19 - Defense methods and systems of information, information

664 views • 39 slides
Extinction Class 5 Jan 26, 2009 Last Class Today Endemism

Extinction Class 5 Jan 26, 2009 Last Class Today Endemism

Extinction Class 5 Jan 26, 2009 Last Class Today Endemism Species Ecosystem Role Estimating extinction Extinct Species Rate of Extinction Cause of

695 views • 38 slides
Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct 1922 Tasmanian Tiger Gastric brooding frog Extinct ? Extinct 1936 Not found since 1985 Table 2.2. A sample of species once thought extinct,

301 views • 7 slides
on Low- & Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome

on Low- & Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome

Insights on the Impact of Fees on Low- & Moderate-Income Communities Wednesday, November 7, 2018 | 3:30-4:00 ET Welcome Carmen Shorter Sr. Manager for Learning, Field Engagement Prosperity Now Smart Growth for Credit Counseling

495 views • 18 slides
Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making

Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making

Building a self-contained auto-configuring Linux system on an iso9660 filesystem or Making Linux run from CD knoppix@knopper.net Klaus Knopper V2.1 August 24, 2001 Abstract Knoppix (Knoppers *nix) is an attempt to not

411 views • 15 slides

More recommend