Security model for embedded systems using Smack: Simple but secure (PowerPoint PPT presentation)





SLIDE 1
  • José Bollo -

Security model for embedded systems using Smack*

Simple but secure

* Simplified Mandatory Access Control Kernel

SLIDE 2

2 February 2014, Smack for embeddeds (2/16)


Context

  • José Bollo
  • Eurogiciel
  • Intel
  • Linux
  • Smack
  • Tizen
SLIDE 3


Smack overview

  • The author of Smack is mainly Casey Schaufler.
  • In Linux since kernel 2.6.25 (17 April 2008) as an LSM (Linux Security Module).
  • Evolving since these first days.
  • Inside Tizen since the first days (2012).
  • Uses extended file attributes to store data relating to files.
  • Controlled via a filesystem interface: smackfs.
  • Controls accesses of processes to files, IPC, sockets and processes (ptrace, signals, ...).

SLIDE 4


The Smack rules

  • Smack's rules have 3 items:
    – the subject's label
    – the object's label
    – the access

  System User rwx

This rule allows read, write and execute access to objects labelled User for the processes labelled System.

What are labels? What are subjects? What are objects? How to set them? Simple!!!

SLIDE 5


The Smack vocabulary

  • Labels are just text (valid ASCII characters) without any special meaning: they are compared for equality (case sensitive: a≠A).
  • Subjects are running processes: any running process has a Smack label.
  • Objects are files, IPC, sockets, processes.
  • The label of a running process is called its context.
    – The commands id, ps (option -Z or -M) and ls (option -Z) print the contexts of the current process, of the running processes and of the files.
  • The grantable accesses are: read (r), write (w), execute (x), append (a), lock (l), transmute (t).

SLIDE 6


Setting Smack

  • How to set the context? You can't! Except if you have the capability CAP_MAC_ADMIN.
  • How to set rules? You can only reduce accesses for the current thread (inherited by cloning). But if you have the capability CAP_MAC_ADMIN, you can change all rules.

  # chsmack --access label file
    (sets the label of a file: it is stored in the file's extended attribute)
  # echo -n label > /proc/$$/attr/current
    (changes the context of the current shell; requires CAP_MAC_ADMIN)
  # echo "subject object rwt" > /sys/fs/smackfs/load-self2
    (rule for the current thread only: it can only reduce accesses)
  # echo "subject object rwt" > /sys/fs/smackfs/load2
    (global rule; requires CAP_MAC_ADMIN)
  # echo "subject object rwt" | smackload
    (same thing through the Smack utilities, which read rules on their standard input)

SLIDE 7


Target devices

  • mobile handsets
  • In-vehicle infotainment (IVI)
  • NUCs and boxes
  • television

SLIDE 8


Target usages

                 Single seat          Multi seats
  Single user    handsets             boxes
  Multi users    tablets - laptops    NUC, IVI

Multi seats means that several users are using the same system through several interfaces. IVI is using Wayland.

SLIDE 9


Installer only model

Diagram labels: Installed Applications (untrusted); Trusted System (installed, signed); Installer; Installed Application with manifest; process; Smack rules for authorised services; Trusted environment.

The installer enables the application and configures the system according to the manifest.

SLIDE 10


Installer + launcher model

Diagram labels: Installed Applications (untrusted); Trusted System (installed, signed); Installer; launcher; Installed Application with manifest; process; Smack rules for authorised services; Trusted environment.

The installer enables the application and configures it according to the manifest. The launcher prepares the environment in agreement with the manifest and launches the application.

SLIDE 11


Security of applications

Diagram labels: Web RunTime; Widget Applications; Native Applications; Services (Service 1, Service 2, Service 3, ...); Kernel; IPC.

Tizen offers the possibility to install applications that are either native or widgets (W3C compliant), or a mix of both. Each application potentially has access to a wide variety of services. The accessed services MUST conform to what the manifest of the application claims. That is the condition for having a trusted system, a secure system.

Ok, but how to do that???

SLIDE 12


Implementations

  • The problem is difficult due to its power characteristic: controlling N resources for M kinds of accesses leads to MN cases!
  • For Tizen 2.0 there were many Smack rules (for a basic mobile handset, not less than 33232 rules!)
    – Each application has its own context label
    – The rules are the sparse matrix of all the authorised accesses
  • For Tizen 3.0 IVI the three-domains model will be used.
    – Basically, three subject labels exist: _, System and User
    – There are a few more object labels
    – The rules are restricted to the minimum
    – It requires a launcher to achieve full control of accesses

SLIDE 13


Three-domains model overview

Diagram labels: Applications: User; Services: System; Base system: _; object labels System::Run, System::Shared, System::Log.

The floor domain (_) provides the foundation upon which the system is built. The System domain is comprised of the basic system services and the data they maintain. The User domain is comprised of the services that interact directly with the person using the Tizen system and the data those services maintain.

SLIDE 14


Links

  • LSM Smack
    – http://schaufler-ca.com/
    – https://www.kernel.org/doc/Documentation/security/Smack.txt
  • Smack utilities
    – https://github.com/smack-team/smack
  • Tizen
    – https://www.tizen.org/
    – https://wiki.tizen.org/wiki/Security:Smack
    – https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel
SLIDE 15


Summary

  • It works well and is really simple to learn.
  • You can activate it on any Linux kernel.
  • The embedded Linux distribution TIZEN implements it and its community can help you.
  • You can contribute to improve the Smack tools and models.

SLIDE 16


Questions

Thanks

SLIDE 17


EUROGICIEL

  • Open source development and integration:
    – Maintainers for tizen.org (Base, Test, Web Framework, ... domains)
  • Embedded systems for real-time multimedia:
    – Widi/Miracast stack
    – Wayland/Weston
    – Webkit2 browser with HW acceleration
  • Applications: HTML5/CSS3, jquery, jqmobi, Cordova
  • Location: Brittany, France
  • http://www.eurogiciel.fr/
SLIDE 18


Evolutions of Smack

  • The author of Smack is mainly Casey Schaufler.
  • In Linux since kernel 2.6.25 (17 April 2008) as an LSM (Linux Security Module).
  • Evolving since these first days:
    – Lock access mode (kernel 3.13)
    – Support for multi-rule write to load2 and change-rule (kernel 3.12)
    – Maximum value for CIPSO category changed from 63 to 184 (kernel 3.12)
    – Longer Smack labels (24->255) and recursive transmute (kernel 3.5)
    – Transmute access mode (kernel 2.6.38)
SLIDE 19


Three-domains model rules

Explicit rules 1/2:

  Subject   Object           Rights
  System    System::Run      rwxat
  System    System::Shared   rwxat
  System    User             rwx
  System    ^                rwxa
  System    _                l
  User      System           wx
  User      System::Run      rwxat
  User      System::Shared   rx
  User      _                l

Explicit rules 2/2:

  Subject   Object           Rights
  ^         System           rwxa
  ^         System::Run      rwxat
  _         System           wx
  _         System::Run      rwxat

Some implicit rules (subject labels in rows, object labels in columns; X and Y stand for any other labels, "-" means no implicit access):

  Subject \ Object   _        ^        *        X
  _                  rwxatl   -        rwxatl   -
  ^                  rx       rwxatl   rwxatl   rx
  *                  -        -        -        -
  Y                  rx       -        rwxatl   rwxatl if X=Y
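As an added example (not code from the slides or from the Smack project), a small Python model of the Smack access decision: it parses rules in the "subject object access" form of slides 4 and 6, uses the access letters of slide 5, applies the implicit rules of the table above in the order the kernel checks them (star subject, star object, same label, hat subject and floor object for read/execute, then the explicit table, where an explicit write also grants lock), and takes the explicit three-domains rules above as constructed sample input.

```python
# Added example, not from the slides: a pure-Python model of the Smack access
# decision. It parses "subject object access" lines as written to smackfs
# load2, then applies the implicit label rules (*, ^, _, same label) in the
# kernel's order before consulting the explicit rule table.
ACCESS_CHARS = set("rwxatl")   # read, write, execute, append, transmute, lock

def parse_rules(text):
    """Parse load2-style lines into {(subject, object): set of access chars}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue                          # blank or comment line (our convention)
        subject, obj, access = parts          # ValueError on malformed lines
        wanted = set(access) - {"-"}          # '-' stands for "no access"
        if not wanted <= ACCESS_CHARS:
            raise ValueError(f"unknown access char in {line!r}")
        rules[(subject, obj)] = wanted
    return rules

def check(rules, subject, obj, request):
    """True if a process labelled subject may do request (e.g. "rw") on obj."""
    request = set(request)
    if subject == "*":                        # star subject: always denied
        return False
    if obj == "*" or subject == obj:          # star object or same label: all
        return True
    if request <= {"r", "x"} and (subject == "^" or obj == "_"):
        return True                           # hat subject / floor object: rx
    may = set(rules.get((subject, obj), ()))
    if "w" in may:
        may.add("l")                          # explicit write also grants lock
    return request <= may

# Constructed sample input: the explicit three-domains rules from the slides.
THREE_DOMAIN_RULES = """
System System::Run    rwxat
System System::Shared rwxat
System User           rwx
System ^              rwxa
System _              l
User   System         wx
User   System::Run    rwxat
User   System::Shared rx
User   _              l
^      System         rwxa
^      System::Run    rwxat
_      System         wx
_      System::Run    rwxat
"""
```

Each syscall asks for one kind of access at a time, so in practice the floor and hat short-cuts decide plain reads while anything else (a lock, a write) needs a row in the table.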

SLIDE 20


Security server

But there is no Smack here?!

Participants: Installed Application, Service, Security server.

  1. get cookie
  2. cookie
  3. request service with cookie
  4. ask privilege of cookie
  5. result (granted or not)
  6. response of service
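An added example, not from the slides and not Tizen's security-server code: an in-process model of the six-step exchange. It assumes the application asks the security server for the cookie (steps 1-2), hands it to the service (step 3), and the service asks the security server about it (steps 4-5) before answering (step 6); the cookie is an opaque token that only the server can map back to a Smack context, which it takes from a constructed stand-in for /proc/<pid>/attr/current, and the privilege table is constructed too.

```python
# Added example, not from the slides or from Tizen's security server: an
# in-process model of the cookie exchange. The cookie is an opaque token that
# only the server can map back to a Smack context, and that context comes
# from the kernel's view of the process, never from the application itself.
import secrets

# Constructed stand-in for /proc/<pid>/attr/current: pid -> Smack context.
PROC_CONTEXT = {101: "App::Contacts", 102: "App::Game"}
# Constructed privilege table: Smack context -> privileges it holds.
PRIVILEGES = {"App::Contacts": {"contacts.read"}}

class SecurityServer:
    def __init__(self, contexts, privileges):
        self.contexts, self.privileges = contexts, privileges
        self.cookies = {}                       # cookie -> Smack context

    def get_cookie(self, pid):
        """Steps 1-2: issue a cookie bound to the context the kernel reports."""
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = self.contexts[pid]
        return cookie

    def check(self, cookie, privilege):
        """Steps 4-5: does the cookie's owner hold the privilege?"""
        context = self.cookies.get(cookie)      # unissued cookie -> None
        return context is not None and privilege in self.privileges.get(context, ())

class Service:
    def __init__(self, server, privilege):
        self.server, self.privilege = server, privilege

    def handle(self, cookie, operation):
        """Steps 3 and 6: ask the security server before doing any work."""
        if not self.server.check(cookie, self.privilege):
            return "denied"
        return f"done: {operation}"

def run_flow(pid, cookie=None):
    """Drive one application through the exchange and return the service's
    answer; a cookie the server never issued is refused like any other."""
    server = SecurityServer(PROC_CONTEXT, PRIVILEGES)
    contacts = Service(server, "contacts.read")
    if cookie is None:
        cookie = server.get_cookie(pid)         # steps 1 and 2
    return contacts.handle(cookie, "read contacts")  # steps 3 to 6
```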