SLIDE 1
Modern Security Model for Linux Operating Systems
Aleksander Zdyb
SOFTWARE ENGINEER TIZEN PLATFORM SECURITY
Aleksander Zdyb
a.zdyb@samsung.com https://github.com/azdyb
Modern Security Model for Linux Operating Systems Aleksander Zdyb S - - PowerPoint PPT Presentation
Modern Security Model for Linux Operating Systems Aleksander Zdyb S - - PowerPoint PPT Presentation
Aleksander Zdyb Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P LATFORM S ECURITY a.zdyb@samsung.com https://github.com/azdyb Briefly about security requirements About Tizen operating system
SLIDE 2
SLIDE 3
- Briefly about security requirements
- About Tizen operating system
- Dedicated security model
- Application lifecycle
- Summary
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 3/46
SLIDE 4
ABOUT SECURITY
REQUIREMENTS
SLIDE 5
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 5/46
(CC ) Stiftelsen Elektronikkbransjen (CC ) Intel Free Press (CC ) Sascha Müsse
SLIDE 6
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 6/46
SLIDE 7
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 7/46
SLIDE 8
- Classic approach: software acts on behalf of user to full extent
- Usage of many kinds of privileges is more and more common
- There is a conflict between privileges granularity
and comfort of usage and administration
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 8/34
SLIDE 9
ABOUT TIZEN
SLIDE 10
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 10/46
- Modern operating system
for embedded devices
- A Linux distribution
- Developed by Open Source
community
- Main contribution from Samsung
at the moment
SLIDE 11
- Smartphones, smartwatches,
smart TVs
- IVI systems (In-Vehicle Infotainment)
- And more
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 11/46
wiki.tizen.org
SLIDE 12
TIZEN 2.x
- Commercially released in many
Samsung's devices (smartwatches, smart TVs, smartphones)
- Security ensured with classic
mechanisms of Linux TIZEN 3.0
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 12/46
- Still in developent
- Works on ODROID XU3 (arm),
MinnowBoard MAX (x86_64) and other architectures
- Modern, dedicated security model
SLIDE 13
SERVICES, RESOURCES
AND PRIVILEGES
SLIDE 14
Example services and resources
- Camera
- Networking
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 14/46
SLIDE 15
Example services and resources
- Camera
- Networking
Related privileges
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 15/46
- Reading, sending messages
- Contacts preview
- Taking photos
- Browsing pictures
- Accessing remote hosts
- Usage of different protocols
SLIDE 16
Camera Internet Location Contacts Applications Services and resources
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 16/46
Mapy Kalkulator Przeglądarka Gra
SLIDE 17
Camera Internet Location Contacts
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 17/46
Mapa Kalkulator Przeglądarka Gra
Access control
Applications Services and resources
SLIDE 18
DEDICATED SECURITY MODEL
SLIDE 19
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 19/46
- DAC – Discretionary Access Control
(classic access control system)
- Smack – Simplified Mandatory
Access Control Kernel (one of LSMs)
- Cynara – dedicated privilege
checker (userspace)
Cynara DAC Smack
SLIDE 20
- Protects resources on filesystem
- Access control set by owner
- f the resource
- Access types: r w x
- Subject is identified by its id
and groups it belongs to
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 20/46
Larry Ewing and The GIMP
SLIDE 21
- Protects resources on filesystem
- Access control set by owner
- f the resource
- Access types: r w x
- Subject is identified by its id
and groups it belongs to
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 21/46
SLIDE 22
- Both object and subject are
identified by their labels
- Access control is set
by administrator
- Access types: a r w x t l
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 22/46
(GFDL) Casey Schaufler
SLIDE 23
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 23/46
action
(a r w x l)
- bject
(label 2)
subject
(label 1)
SLIDE 24
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 24/46
Floor (_)
- Read-only system
directories
- Kernel’s helper
processes
System
- /run, /dev, /var/log
- System services
User
- Home directories
- Launcher
and users’ services
Domains are sets of labels with common prefix. There are other labels, like System::Shared, User::Home and more.
SLIDE 25
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 25/46
- System service keeping and
managing security policies
- Dedicated solution for Tizen 3.0
- Generic – can be easily deployed
in other Linux distributions
SLIDE 26
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 26/46
Application Service Cynara
Extension
SLIDE 27
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 27/46
Cynara
Built-in Manifests Privacy Manager Administrator
SLIDE 28
LIFECYCLE
OF APPLICATION
SLIDE 29
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 29/46
- Security Manager – service
managing and configuring all of security modules in operating systems
- Made for Tizen 3.0
- Can be deployed in other Linux
distributions
SLIDE 30
Security Manager is involved in:
- installing applications – populates
Cynara's database, creates Smack labels for apps
- launching applications – applies
security context (labels, groups) on behalf of launcher
- managing security policies –
supports edition of policies by administrator and users (Privacy Manager)
- managing users
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 30/46
(CC) Patrick Breen
SLIDE 31
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 31/46
Installator Unpacking files Globally For user Security Manager Populating Cynara’s db Creating labels for apps Labelling files
Depends on configuration and privileges
manifest
Installator configures application with help from Security Manager
SLIDE 32
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 32/46
Launcher
- Spawns a process
Cynara
- SM checks in Cynara what groups
to apply for process
DAC
- SM sets effective groups to allow access
to some special files (e.g. devices)
Smack
- SM sets a proper Smack label
for process
SLIDE 33
Hi Cynara! Can Maps haz perms to read location? Yep, them can haz dat!
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 33/46
GPS
SLIDE 34
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 34/46
Client User Privilege
Cynara
Client is a Smack label identifying the application One of privileges in Tizen 3.0, e.g. http://tizen.org/privilege/location Service managing protected resource (e.g. GPS location) checks in Cynara, if the access should be granted Application (e.g. maps) run with a proper label and by a given user (e.g. Suzan, uid=1001) requests access GPS location (bound to privilege http://tizen.org/privilege/location) User is an uid
- f user running
the application
GPS
MAPS
SLIDE 35
SLIDE 36
Hi Cynara! Can Calculator haz Camera, if them want? No, man! No way we gib them dat!
Launcher
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 36/46
SLIDE 37
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 37/46
Application (e.g. Camera) run with a proper label and by a given user (e.g. Susan, uid=1001) requests access to device /dev/camera
/dev/camera
Linux checks (DAC) if process belongs to a proper group (e.g. camera_users) Groups are assigned by Security Manager on every launch
SLIDE 38
BONUSES
SLIDE 39
- Serving on D-Bus? We’ve got your back
- Nether – networking access control
- nice-lad – auditing
- Vasum – containers
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 39/46
SLIDE 40
SUMMARY
SLIDE 41
- Security of embedded systems and privacy of stored data are very important
- Classic security mechanisms are not enough
- Security must be taken into account from the very beginning
- Security doesn't have to be burdensome for developers
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 41/46
SLIDE 42
QUESTIONS?
SLIDE 43
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 43/46
- https://wiki.tizen.org/wiki/Main_Page
- https://wiki.tizen.org/wiki/Security/Overview
- https://wiki.tizen.org/wiki/Security:Cynara
- https://wiki.tizen.org/wiki/Security:nice-lad
SLIDE 44
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 44/46
- https://github.com/Samsung/security-manager
- https://github.com/Samsung/nether
- https://github.com/Samsung/nice-lad
- https://github.com/Samsung/vasum
- https://github.com/Samsung/cynara
SLIDE 45
- https://www.flickr.com/photos/elektronikkbransjen/15523115208/
- https://www.flickr.com/photos/intelfreepress/8047838494/
- https://www.flickr.com/photos/saschamuesse/15563157851/
- https://wiki.tizen.org/wiki/File:IVISimulator2.png
- http://en.wikipedia.org/wiki/Tux#/media/File:Tux.png
- http://en.wikipedia.org/wiki/Smack_(software)#/media/File:Smack-tux.svg
A.ZDYB | „MODERN SECURITY MODEL FOR LINUX OPERATING SYSTEMS” | BRUSSELS 2016-01-30 | 45/46
SLIDE 46