SLIDE 1
1
Department of Computer Science & Engineering
2
Department of Computer Science & Engineering
SELinux Protected Paths Revisited Trent Jaeger Department of - - PowerPoint PPT Presentation
SELinux Protected Paths Revisited Trent Jaeger Department of - - PowerPoint PPT Presentation
SELinux Protected Paths Revisited Trent Jaeger Department of Computer Science and Engineering Pennsylvania State University March 1, 2006 Department of Computer Science & Engineering 1 Talk Topics Mechanism for MAC enforcement between
SLIDE 2
SLIDE 3
3
Department of Computer Science & Engineering
Mandatory Access Control
Linux Kernel SELinux Module
MAC Policy
Appl Appl Appl
SLIDE 4
4
Department of Computer Science & Engineering
Mandatory Access Control
Linux Kernel SELinux Module
MAC Policy
Appl Appl Appl
File
X
SLIDE 5
5
Department of Computer Science & Engineering
Network MAC
Linux Kernel
SELinux Module MAC Policy
Appl Appl Appl
System
Linux Kernel
SELinux Module MAC Policy
Appl Appl Appl
System X
SLIDE 6
6
Department of Computer Science & Engineering
Client-Server MAC
Linux Kernel
SELinux Module MAC Policy
Appl Appl
Client
Linux Kernel
SELinux Module MAC Policy
Appl Appl
Server
Server
Appl
Worker
SLIDE 7
7
Department of Computer Science & Engineering
Location-independent MAC
Linux Kernel
SELinux Module MAC Policy
Appl Appl New
Remote System
Linux Kernel
SELinux Module MAC Policy
Appl Appl
Master
Base System
Create
SLIDE 8
8
Department of Computer Science & Engineering
Labeled IPsec
Leverage IPsec Advantages Secure communication Easy to integrate to kernel MAC Add MAC Labeling to IPsec Control application access to IPsec “channels” Can only send/receive with MAC permission Results Application to application control is possible BLP controls between applications on different machines Applications can use labeling information
Label child processes
Part of Linux 2.6.16-rc* kernel Will be in 2.6.16 kernel
SLIDE 9
9
Department of Computer Science & Engineering
Client-Server Usage
OS Kernel
Access Control Module
MAC Policy
Appl Appl
System
OS Kernel
Access Control Module
MAC Policy
Appl Appl Appl
System
Appl
Worker
(1) Black must be able to access green policy (among others) (2) Black can extract label of SA for socket (3) Prototyped using getsockopt(…, SO_PEERSEC)
SLIDE 10
10
Department of Computer Science & Engineering
Get Peer Label
TCP
Is a socket connected? (TCP_ESTABLISHED) getsockopt(.. SO_PEERSEC ..) dst_entry cache of socket (labeled SA)
UDP
Connectionless Set IP_PASSSEC socket option recvmsg now returns context as well
For UNIX stream, dgram (soon) and INET stream, dgram Work by Catherine Zhang at IBM Research
SLIDE 11
11
Department of Computer Science & Engineering
Use Labels in Client Control
Network Services
vsftpd, xinetd
Get label using TCP method
Configuration
Get xinetd to use labels based on configuration
Storage Security
Proxy-based Server proxy limits access based on client label
Server is trusted
Client proxy connects based on client label
Client proxy processes need not be trusted
SLIDE 12
12
Department of Computer Science & Engineering
Distributed MAC Goal
Protected Paths
From “Inevitability of Failure”
Direct, Authenticated Communication
Integrity-preserved from input to output Get peer’s label reliably
Comparable to
Authenticated IPC UNIX domain sockets
Where are we relative to achieving protected paths for real? Are protected paths enough?
SLIDE 13
13
Department of Computer Science & Engineering
Protected Paths
Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver
SLIDE 14
14
Department of Computer Science & Engineering
Protected Paths
Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver
MAC Label
SLIDE 15
15
Department of Computer Science & Engineering
Protected Paths
Xserver Window Manager Application Operating Systems Network Operating Systems Application Window Manager Xserver
Attest MAC Label User
SLIDE 16
16
Department of Computer Science & Engineering
Protected Path Challenges
User-to-Application
Xserver Control Window Manager Control
Application-to-OS
Labeled IPsec Application Control Using Label
OS-to-OS
Reference Monitoring MAC Policy, Labeling Remote Attestation, Building Trust from Secure Hardware
SLIDE 17
17
Department of Computer Science & Engineering
Existing Solutions
Distributed Policy Management
E.g., Tivoli Access Manager, Microsoft Windows Domains
Virtual Machine Systems
NetTop Terra
Logic of Authentication
Taos and Secure Boot
Trust Management Systems
E.g., PolicyMaker, KeyNote, etc.
Trust Negotiation
SLIDE 18
18
Department of Computer Science & Engineering
Secure Coalition System
Recent IBM Technical Report -- RC23865 Work with J. McCune at CMU; S. Berger, R. Caceres, R. Sailer at IBM Research
SLIDE 19
19
Department of Computer Science & Engineering
Distributed, Shared Monitor
Distributed, Shared Reference Monitor TPM attestation of each physical machine’s reference monitor Common enforcement properties: monitoring, MAC policy
SLIDE 20
20
Department of Computer Science & Engineering
Virtual Machines
Advantages
Coarser-grained protections
Coarser-grained policy Simpler reference monitor
VM per application (simplify policy within VM)
Challenges
Dynamic policy (Yin and Wang, USENIX 2005) Doesn’t fix user-to-user (Nitpicker’s, ACSAC 2005) Translate into client-specific rights (finer-grained) Scalable construction, maintenance of trust
SLIDE 21
21
Department of Computer Science & Engineering
Building Trust
Build Trust in Other System’s Reference Monitoring
And MAC Policy And Labeling of Subjects and Objects
Why is this necessary?
Internet-scale
Register TPM and physical protection, but a different admin
Administration errors
Misconfiguration of a machine
Malice
Compromised platform
Build trust from secure hardware up
SLIDE 22
22
Department of Computer Science & Engineering
Internet-Scale Distributed Systems
Simple Langauge of Trust
Limited by Reference Monitoring Properties Monotonic Reasoning
Multiple Layers of Reasoning
Machine Virtual Machine Coalition
Building Systems to Test Soundness/Completeness
Web Hosting Internet Suspend/Resume Distributed Computations -- Student Testing
SLIDE 23
23
Department of Computer Science & Engineering
Summary
Aim: Network MAC to Distributed System MAC Have IPsec MAC controls What is an appropriate goal for distributed system MAC Protected Paths plus Remote Attestation plus Virtual Machines? Distributed, Shared Reference Monitor Several Challenges Remain Trust across systems Compatibility (policy, labeling) across systems Service awareness Building all the way to the user
SLIDE 24
24
Department of Computer Science & Engineering