Mandatory Access Control Systems
CSE497b - Introduction to Computer and Network Security - Spring 2007
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07/
Mandatory Access Control
• System-defined policy
  – Fixed set of subject and object labels
  – Fixed permission assignments
  – Fixed label assignments (e.g., file to object label)
• Example access matrix (rows: subjects S1, S2, S3; columns: objects O1, O2, O3; cells: R for read, RW for read and write, N for no access)
  – S1: read on all three objects, write on two of them
  – S2 and S3: no access to one object, read on the other two, write on one of those
MAC and Systems
• What is necessary to be a system that enforces MAC policies?
  – Specify: MAC policy model
  – Enforce: reference monitor
  – Transitions: changes of privilege must be controlled
• Plus, others
  – Management: policy development tools
  – Services: MAC-aware services
  – Applications: work with MAC limitations
• What do these systems look like?
  – We'll examine Multics and SELinux
Multics
• Multiplexed Information and Computing Service
  – Project started as a timesharing system in 1965; used until 2000
  – Research project that led to a commercial product
• Invented a number of important OS features
  – Segmented and virtual memory
  – Shared-memory multiprocessor
  – Online reconfiguration
  – Hierarchical file systems
Multics Security Features
• Also, a number of security features were pioneered
  – First multilevel secure (MLS) system
  – Isolation based on segments and rings
  – Ring-crossing mechanisms to protect integrity
  – Guard-like functions for integrity protection (gatekeepers)
  – One-way encrypted passwords
  – Covert channel defenses
  – And software assurance techniques...
• But function won over security
  – Multics Security Evaluation: Vulnerability Analysis (Karger and Schell, 1974)
Protection Rings
• Successively less-privileged "domains": ring 0 is the most privileged, higher rings less so
• Example: Multics (64 rings in theory, 8 in practice)
What do rings mean?
• What's in a ring?
  – Processes, with the code that they can access
  – Data they can access directly
• Execute in ring i
  – Process runs with the rights of ring i
  – Data in rings >= i (the same or less privileged rings) can be accessed
  – Any procedure may be accessible, subject to the ring-crossing rules below
• Ring crossings (generalized)
  – If a process calls a procedure in a different ring
  – Traps to the kernel to authorize the transition
  – If authorized, the process runs the new procedure in the new ring
Multics Ring Interpretation
• Kernel resides in ring 0
• Process runs in a ring r
  – Access based on the current ring
• Process accesses data segments
  – Each data segment has an access bracket: (a1, a2)
    • a1 <= a2
    • Describes read and write access
  – r is the current ring
    • r <= a1: read and write permitted
    • a1 < r <= a2: read permitted; write denied
    • a2 < r: all access denied
Multics Ring Interpretation (con't)
• Procedure segments are different
  – They have call brackets: (c1, c2)
    • c1 <= c2
  – and access brackets (a1, a2), with c1 = a2 (the call bracket starts where the access bracket ends)
  – Rights to execute code in a new procedure segment, for a caller in ring r:
    • (1) r < a1: access permitted with a ring-crossing fault
    • (2) a1 <= r <= a2 = c1: access permitted and no fault
    • (3) a2 < r <= c2: access permitted only through a valid gate
    • (4) c2 < r: access denied
• What does it mean?
  – case 1: the ring-crossing fault changes the procedure's ring
    • increases from r to a1 (the callee runs with less privilege than the caller)
  – case 2: keep the same ring number
  – case 3: the gate checks the arguments, then the ring number decreases to a2 (the callee runs with more privilege than the caller, so the gate's argument checks are the integrity boundary)
Examples
• Process in ring 3 accesses a data segment
  – access bracket: (2, 4)
  – What operations can be performed?
• Process in ring 5 accesses the same data segment
  – What operations can be performed?
• Process in ring 5 accesses a procedure segment
  – access bracket (2, 4)
  – call bracket (4, 6)
  – Can the call be made?
  – Can the new procedure segment access the data segment above?
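The bracket rules from the two preceding slides, implemented as a small model so the example questions above can be evaluated mechanically. This is an added example, not code from the lecture or from Multics itself; the class names DataSegment and ProcedureSegment and the function names are assumptions, while the bracket values in slide_examples() are the ones the slide gives. The model assumes c1 = a2, as the slide states.

```python
from typing import Optional, Set, Tuple


class DataSegment:
    """A Multics data segment with access bracket (a1, a2), a1 <= a2."""

    def __init__(self, a1: int, a2: int) -> None:
        if not 0 <= a1 <= a2:
            raise ValueError("access bracket must satisfy 0 <= a1 <= a2")
        self.a1, self.a2 = a1, a2


class ProcedureSegment:
    """A procedure segment with access bracket (a1, a2) and call bracket
    (c1, c2), where c1 == a2 as on the slide, so only c2 is stored."""

    def __init__(self, a1: int, a2: int, c2: int) -> None:
        if not 0 <= a1 <= a2 <= c2:
            raise ValueError("brackets must satisfy 0 <= a1 <= a2 <= c2")
        self.a1, self.a2, self.c2 = a1, a2, c2


def data_access(r: int, seg: DataSegment) -> Set[str]:
    """Operations a process running in ring r may perform on seg."""
    if r <= seg.a1:
        return {"read", "write"}
    if r <= seg.a2:
        return {"read"}
    return set()


def call_procedure(r: int, seg: ProcedureSegment) -> Tuple[str, Optional[int]]:
    """Decide whether a process in ring r may call seg, and in which ring the
    callee then runs.
      'fault': ring-crossing fault; execution ring rises to a1 (less privilege)
      'call' : ordinary call inside the access bracket; ring unchanged
      'gate' : allowed only through a gate entry; ring drops to a2 (more privilege)
      'deny' : caller is outside the call bracket
    """
    if r < seg.a1:
        return ("fault", seg.a1)
    if r <= seg.a2:
        return ("call", r)
    if r <= seg.c2:
        return ("gate", seg.a2)
    return ("deny", None)


def slide_examples() -> dict:
    """Evaluate the four questions on the Examples slide."""
    data = DataSegment(2, 4)          # access bracket (2, 4)
    proc = ProcedureSegment(2, 4, 6)  # access bracket (2, 4), call bracket (4, 6)
    decision, new_ring = call_procedure(5, proc)
    return {
        "ring3_data": data_access(3, data),
        "ring5_data": data_access(5, data),
        "ring5_call": (decision, new_ring),
        # what the callee, now in new_ring, may do to the same data segment
        "callee_data": data_access(new_ring, data) if new_ring is not None else set(),
    }


if __name__ == "__main__":
    for name, result in slide_examples().items():
        print(f"{name}: {result}")
```

The last entry is the point of the exercise: the ring-5 caller cannot touch the data segment at all, but after entering through the gate the callee runs in ring 4 and can read it. Whatever the gate does with its arguments is therefore the only thing standing between the ring-5 caller and that data.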
Multics Community
• Multicians
Secure Operating Systems
• Provably Secure OS (PSOS)
• GEMSOS
• KeyKOS and EROS (capability systems)
• IX (secure UNIX variant)
• Trusted Solaris
• Trusted IRIX (SGI)
• Trusted Mach
• Distributed Trusted Mach
• XTS-400 and STOP (BAE Systems)
• Flask (microkernel-based system)
MAC in Linux
• In 2001, Linus authorized the development of a reference monitor interface for Linux
  – So he didn't have to choose a single security approach
• The Linux Security Modules framework was born
  – LSM defines an interface for reference monitoring modules
  – Anybody could build an LSM!
• Introduced in Linux 2.6
  – A version was built for BSD
  – Underway for Mac OS X
Linux Security Modules Approach
• Linux Security Modules framework
• What security function does it provide, and how does the implementation satisfy it?
• [Figure: system interface entry points lead to security-sensitive operations; each operation is preceded by an access hook; the hook asks the access monitor, which consults the policy, "authorize request?" and receives yes/no]
SELinux
• LSM + much more
• [Figure: SELinux-aware system. (1) Bootstrap loads the policy; (2) services authenticate users; (3) processes make syscalls. Policy is loaded through SELinuxfs into the SELinux LSM inside the Linux kernel.]
SELinux uses Type Enforcement
• MAC policy
  – Subjects and objects labeled
• Access matrix policy
  – Processes run with a subject label
  – Can access objects of an object label
  – If the operations in the matrix cell allow it
• Example matrix (Y: access allowed, N: denied)
       O1  O2  O3
  S1   Y   Y   N
  S2   N   Y   N
  S3   N   Y   Y
• Focus: least privilege
  – Integrity bias
SELinux Execute Transitions
• Run the privileged passwd program
• Simplified view: it takes 4 policy rules to do this
• [Figure: user process (user_t) forks a user process (user_t), which execs passwd and becomes a root process running in passwd_t]
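A small model of the checks behind that execute transition, showing what each of the four rules contributes. This is an added example, not code from the slides or from SELinux; the rule set is constructed here. The permission names (file execute, process transition, file entrypoint, type_transition) are the ones SELinux type enforcement uses for a domain transition, and the type names user_t, passwd_t and passwd_exec_t follow the usual reference-policy naming but are assumed, not taken from the page.

```python
from typing import Dict, List, Optional, Set, Tuple


class TEPolicy:
    """Minimal type-enforcement policy: allow rules plus type_transition rules."""

    def __init__(self) -> None:
        self._allow: Set[Tuple[str, str, str, str]] = set()
        self._type_transition: Dict[Tuple[str, str, str], str] = {}

    def allow(self, src: str, tgt: str, cls: str, perm: str) -> None:
        # corresponds to:  allow src tgt:cls perm;
        self._allow.add((src, tgt, cls, perm))

    def type_transition(self, src: str, tgt: str, cls: str, new_type: str) -> None:
        # corresponds to:  type_transition src tgt:cls new_type;
        self._type_transition[(src, tgt, cls)] = new_type

    def permits(self, src: str, tgt: str, cls: str, perm: str) -> bool:
        return (src, tgt, cls, perm) in self._allow

    def execve(self, domain: str, file_type: str) -> Tuple[str, List[str]]:
        """Model the checks when a process in `domain` execs a file labelled
        `file_type`. Returns (resulting_domain, denials). With no denials the
        process continues in resulting_domain; otherwise the exec fails and
        the process stays in `domain`.
        Simplification: the execute_no_trans check the kernel applies when no
        transition occurs is left out, matching the slide's four-rule view."""
        denials: List[str] = []
        if not self.permits(domain, file_type, "file", "execute"):
            denials.append(f"denied {{ execute }} for {domain} on {file_type}:file")
        # type_transition picks the new domain; without it the domain stays put
        new_domain = self._type_transition.get((domain, file_type, "process"), domain)
        if new_domain != domain:
            if not self.permits(domain, new_domain, "process", "transition"):
                denials.append(f"denied {{ transition }} for {domain} to {new_domain}:process")
            if not self.permits(new_domain, file_type, "file", "entrypoint"):
                denials.append(f"denied {{ entrypoint }} for {new_domain} on {file_type}:file")
        return (domain if denials else new_domain, denials)


def passwd_policy(omit: Optional[str] = None) -> TEPolicy:
    """The four rules for the passwd transition, with one optionally left out
    so the effect of each missing rule can be observed."""
    p = TEPolicy()
    if omit != "execute":
        p.allow("user_t", "passwd_exec_t", "file", "execute")          # may run the binary
    if omit != "transition":
        p.allow("user_t", "passwd_t", "process", "transition")          # may enter passwd_t
    if omit != "entrypoint":
        p.allow("passwd_t", "passwd_exec_t", "file", "entrypoint")      # only via this binary
    if omit != "type_transition":
        p.type_transition("user_t", "passwd_exec_t", "process", "passwd_t")  # make it automatic
    return p


if __name__ == "__main__":
    for omit in (None, "execute", "transition", "entrypoint", "type_transition"):
        dom, denials = passwd_policy(omit).execve("user_t", "passwd_exec_t")
        print(f"omit={str(omit):16} -> domain={dom:9} denials={denials}")
```

Dropping type_transition is the instructive case: nothing is denied, but the process stays in user_t, so passwd runs without the privileges of passwd_t and cannot do its job. The entrypoint rule is what keeps the transition from being a general privilege escalation: passwd_t can only be entered by executing a passwd_exec_t file, not arbitrary code of the user's choosing.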
MAC Systems
• Policy
  – Define a fixed access policy (mandatory access control)
  – Multics MLS and ring policies; SELinux TE
• Enforcement
  – Use a reference monitor (remember the guarantees required)
  – Multics kernel; Linux LSM (SELinux)
• Transitions
  – Enable controlled transitions between privilege levels
  – Most of the complexity comes from limiting transitions
  – Multics ring transitions; SELinux execute transitions
• Challenge
  – Getting programs to run with limited information flows
Assurance
• We want to know
  – The security model we are enforcing (security function)
  – That the system enforces this model correctly (assurance)
• Suppose
  – We have a system that enforces Bell-LaPadula
  – What should a system do that enforces BLP?
  – How do we know that the implementation is correct?
• Assurance
  – aims to answer these questions
Rainbow Series
• Trusted Computer System Evaluation Criteria (TCSEC) and companion documents
• From 1983-1999
  – A variety of documents to help build secure systems
  – Password management
  – Audit
  – Configuration management
• Orange Book (1985)
  – Defined six evaluation classes above D (minimal protection): C1, C2, B1, B2, B3, A1
    • The function that each class provides
    • Requirements for verifying that the implementation meets the class
  – Requirements fall into a number of categories
    • Access control mechanism/policy
    • Authentication
    • Audit
Orange Book Classes
• C1 and C2: discretionary protection
  – Authentication, audit for discretionary access
  – Testing and documentation
  – C2 is the most common class for commercial products
• B1, B2, and B3: labeled security protection
  – Multilevel security (Bell-LaPadula)
  – More testing and more documentation
  – B1: MLS on some objects; B2: MLS on all
    • B2 also introduces covert channel protections and configuration management
  – B3: more software engineering documentation
• A1: verified protection
  – Requires correspondence between the code and a formal model