stateful access control using lsm
play

Stateful access control using LSM CS547 Thomas Uphill Stateful - PowerPoint PPT Presentation

Oct 01, 2022 •381 likes •576 views

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

  1. Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1

  2. Why? ● Maintaining state allows for decisions to be made based on runtime conditions. ● State based policy can be more concise ● State based policy can achieve different results than stateless. Stateful access cont rol using LSM 11 December 2007 2

  3. Background UNIX Files Permissions LSM Stateful access cont rol using LSM 11 December 2007 3

  4. UNIX ● everything is a file (keyboards, screens, printers, hardware, kernel internal structures) ● kernel is the master process process id (pid) = 0 * ● pid is unique processes have children and parents ● init is pid 1 ● /proc filesystem contains process information * (some kernel processes appear in as low process numbers, e.g. [migration/0]) Stateful access cont rol using LSM 11 December 2007 4

  5. UNIX ● kernel space vs user space applications kernel CPU memory hardware Stateful access cont rol using LSM 11 December 2007 5

  6. Files ● Files are inodes + blocks ● inodes are information nodes ● blocks contain data on disk block block owner group block block permissions extended attributes block Stateful access cont rol using LSM 11 December 2007 6

  7. Permissions ● Classis UNIX permissions: user group other read write execute ● POSIX Access Control Lists (ACLs): list of access control entries (ACEs) requires special storage in inodes - extended attributes on filesystem - access control structure in kernel Stateful access cont rol using LSM 11 December 2007 7

  8. LSM ● Linux security module framework GNU General Public License ● Crispin Cowan 2001 ● hooks return 0 to allow return non-zero to deny ● security fields structs modified Stateful access cont rol using LSM 11 December 2007 8

  9. application kernel open lookup inode LSM module DAC LSM hook inode Stateful access cont rol using LSM 11 December 2007 9

  10. struct inode { uid_t i_uid; gid_t i_gid; struct inode_security_struct { ... struct inode *inode; void *i_security; struct list_head list; ... u32 sid; } u32 tsid; u32 fsid; } struct task_security_struct { struct task_struct { struct task_struct *task; pid_t pid; u32 sid; struct task_struct *parent; u32 tsid; ... u32 fsid; void *security; int exec; ... int read; } int write; int del; } Stateful access cont rol using LSM 11 December 2007 10

  11. Implementation ● subset of lsm hooks used inode, bprm and task ● inode security cache kmem_cache_alloc/kmem_cache_create/kmem_cache_free ● sid /* unique identifier for runtime */ ● tsid /* unique identifier for task */ ● fsid /* unique identifier for file */ ● counters read/write/del/exec Stateful access cont rol using LSM 11 December 2007 11

  12. Law Language user username operation { action/sid comp action/sid} group groupname operation { action/sid comp action/sid} Examples: user thomas exec { exec > 20 } user apache exec { tsid != tsid } Stateful access cont rol using LSM 11 December 2007 12

  13. init_module /proc/lsmlgi lawloader register_security create procfile LAW cache_alloc check_law user process inode_alloc_security task_alloc_security inode task Stateful access cont rol using LSM 11 December 2007 13

  14. Demonstration visitor.law Stateful access cont rol using LSM 11 December 2007 14

  15. Demonstration apache.law Stateful access cont rol using LSM 11 December 2007 15

  16. Demonstration budget.law Stateful access cont rol using LSM 11 December 2007 16

  17. Sources/References Wikipedia on LSM http://en.wikipedia.org/wiki/Linux_Security_Modules LSM Source Code: http://lsm.bkbits.net UseNIX Security’02 Abstract: http://www.usenix.org/event/sec02/wright.html NSA’s SELinux http://www.nsa.gov/selinux/ Stateful access cont rol using LSM 11 December 2007 17

  18. Questions/Comments? http://ramblings.narrabilis.com/wp/linux/stateful-access-control-using-lsm/ Stateful access cont rol using LSM 11 December 2007 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Traffic Engineering for the Modern MPLS Backbone Extending PCEP for Stateful Control of MPLS

Traffic Engineering for the Modern MPLS Backbone Extending PCEP for Stateful Control of MPLS

Traffic Engineering for the Modern MPLS Backbone Extending PCEP for Stateful Control of MPLS RSVP-TE Attributes Edward Crabbe, Google Jan Medved, Juniper Robert Varga, Juniper "...it is generally desirable to ensure that subsets of

394 views • 37 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings Increase Building Security Improperly delivered packages are at risk for theft. Drafting of residents through gates and doors cannot be

376 views • 13 slides
Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database

Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database

Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database Security Solutions June 21, 2010 Oracle is currently reviewing the existing Secernos product roadmap and will be providing guidance to customers

512 views • 10 slides
P trt t t

P trt t t

t Pr r P trt t t

793 views • 36 slides
FF Group ANPR App on Hanwha cameras f o r s a l e s a n d p r o d u c t m a n a g e r s PL

FF Group ANPR App on Hanwha cameras f o r s a l e s a n d p r o d u c t m a n a g e r s PL

FF Group ANPR App on Hanwha cameras f o r s a l e s a n d p r o d u c t m a n a g e r s PL PL LV LV PL PL IRL FIN PL IRL FIN GEO GEO GEO GEO H H H H IRL IRL IRL IRL LV H LV H FIN FIN PL PL LV LV PL PL PL

385 views • 17 slides
Secrets at Planet-Scale: Engineering the Internal Google Key Management System (KMS) Anvita

Secrets at Planet-Scale: Engineering the Internal Google Key Management System (KMS) Anvita

Secrets at Planet-Scale: Engineering the Internal Google Key Management System (KMS) Anvita Pandit Google LLC QCon San Francisco 2019, Nov 11-13 Anvita Pandit - Software engineer in Data Protection / Security and Privacy org in Google for

1.63k views • 78 slides
Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution Key Features Advanced Access Control Emergency Handling Monitoring and Controlling Hardware Access Control Reports and Features

1.3k views • 77 slides
Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1 Center For Research Compu1ng (CRC), University of Notre Dame, Indiana Security in HPC

265 views • 22 slides
How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About

How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About

How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About Fijoport. Fijoport gives you remote access to equipment management and control over a secure IP network. No unnecessary call-outs. Simple to install.

264 views • 8 slides

More recommend