Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 - - PowerPoint PPT Presentation

systems moving flask to bsd systems
SMART_READER_LITE
LIVE PREVIEW

Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 - - PowerPoint PPT Presentation

Sep 15, 2023 379 likes •611 views

Moving FLASK to BSD Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris Vance Information Systems Security Operation, SPARTA, Inc. Vance_20060301_01 Overview Overview Security Frameworks A

slide-1
SLIDE 1

Vance_20060301_01

Moving FLASK to BSD Moving FLASK to BSD

Systems

Systems

S SELinux ELinux Symposium 2006 Symposium 2006

Chris Vance

Information Systems Security Operation, SPARTA, Inc.

slide-2
SLIDE 2

Vance_20060301_02

Overview Overview

  • Security Frameworks
  • A Brief History
  • SELinux Inspired…

– Security Enhanced BSD – Security Enhanced Darwin

slide-3
SLIDE 3

Vance_20060301_03

Security Frameworks Security Frameworks

  • Traditional UNIX security isn’t enough

– OS hardening – Mandatory protection – Flexible, manageable, scalable protection

  • Support required in the operating system for new security

services – Costs of locally maintaining security extensions are high – Framework offers extensibility so that policies may be enhanced without changing the base operating system

  • There does not appear to be one perfect security model or

policy – Sites may have different security/performance trade-offs – Sites may have special local requirements – Vendors unlikely to adopt a single policy

  • Bottom Line: Frameworks for Linux, FreeBSD, Darwin
slide-4
SLIDE 4

Vance_20060301_04

How How We Got Here We Got Here… …

slide-5
SLIDE 5

Vance_20060301_05

Focus Focus and Reuse and Reuse

  • Don’t “reinvent” security

– Learn from the past – The research is often decades old – A good design is durable, doesn’t require constant change – FLASK hasn’t changed much recently, what’s that mean?

  • Leverage existing technology, focus on “new” issues

– Focus on improving operating system security – Spend the time to get Frameworks correct – Work with vendor for acceptance – Develop rule sets that work – Develop effective tools to manage policy

  • Do innovate

– Don’t stop thinking! – Don’t squash new ideas – Re-factor old ideas

slide-6
SLIDE 6

Vance_20060301_06

  • Use MAC Framework to isolate policy

from enforcement

  • Build on Darwin’s source code and

structural similarities to FreeBSD

  • Port MAC Framework from FreeBSD
  • Port FLASK components from

SELinux

  • Expand scope for Darwin-specific

functionality (Mach IPC)

  • Minimize Vendor diffs (OS & SELinux)
  • Leverage existing policy & tools

FreeBSD Kernel MAC Framework FLASK Type Enforcement Linux Kernel LSM FLASK Type Enforcement Darwin Kernel MAC Framework FLASK Type Enforcement

Strategy Strategy

Strong, useful security without sacrificing features, performance, or utility.

slide-7
SLIDE 7

Vance_20060301_07

Security Policy

FLASK Architecture FLASK Architecture

Policy Enforcement

Object Manager Security Server Query Decision

Client

Policy Enforcement Object Request

slide-8
SLIDE 8

Vance_20060301_08

FreeBSD and Mac OS X FreeBSD and Mac OS X

  • Two related operating systems

– FreeBSD - Server-class network operating system » Appropriate for embedded devices, network appliances, storage appliances, web services, firewalls, etc. » Already had FLASK components ported from SELinux » Already has MAC Framework – Mac OS X - Workstation-class operating system » Desktop environment, MS office suite, Adobe tools, etc.

» Provides application and GUI components necessary for widespread adoption

  • Open Source availability (Darwin)
  • Shared BSD code heritage (user space and kernel)
  • Audit support
  • We understood FreeBSD, Mac OS X was new to us!
slide-9
SLIDE 9

Vance_20060301_09

Mac OS X Mac OS X

  • Mac OS X is Apple's next generation operating system

– Builds on elements of Mach, NeXTStep, FreeBSD, and Mac OS 9, as well as other open source elements such as KDE – Continues Apple's tradition of user interface innovation – Potential for a larger user base (desktop users with application suites, programs people are familiar with)

  • Security

– UNIX security model as base – Mach Ports from NeXTStep for user space to represent privilege and capability – Rich application layer services: SecurityServer, SecurityFramework, SecurityAgent, CDSA crypto framework – Blend of Unix and Mach offers challenges

  • Mach IPC used extensively, must be considered

– Thousands of Mach messages per second!

slide-10
SLIDE 10

Vance_20060301_010

Scheduling Virtual Memory Mach IPC

Mach Kernel

Libinfo system_cmds DirectoryServices … mach_init

Applications Applications Open source libraries and daemons XNU Kernel Carbon Cocoa Java(JDK) Application Services Core Services Closed source frameworks and daemons

System Call Boundary

IOKit

Libsystem Processes UNIX IPC Networking VFS

BSD Kernel

MAC Framework Boundary

Mac OS X System Architecture Mac OS X System Architecture

slide-11
SLIDE 11

Vance_20060301_011

User Process User Process User Process

...

System Call Interface VFS Socket IPC Process Signaling Mach IPC

...

MAC Framework mac_test mac_mls (proprietary)

...

SEDarwin

MAC Framework Big Picture MAC Framework Big Picture

slide-12
SLIDE 12

Vance_20060301_012

SEBSD/SEDarwin SEBSD/SEDarwin Policy Module Policy Module

  • Policy module wraps FLASK

and TE implementations

– FLASK provides access control abstractions – Access Control Vector Cache (AVC) caches policy decisions – TE/RBAC/MLS engine stores and implements file-backed policy

  • User space components from

SELinux

  • Kernel components ported easily

– “normal” issues with allocators, locking primitives, logging, printf, audit, etc.

MAC Framework

Instruments kernel access control logic, provides label infrastructure, provides application security APIs …

SEDarwin

Maps between MAC Framework abstractions and FLASK abstractions, invokes FLASK+AVC checks

Flask AVC

Caches decisions

Security Server

Processes policy

TE (RBAC) (MLS)

slide-13
SLIDE 13

Vance_20060301_013

LSM LSM

  • v. MAC Framework
  • v. MAC Framework
  • Linux, FreeBSD, Darwin similar in operation, very different

implementations

  • Parallel in construction

– modular policies, registration based callbacks

  • Linux

– Widespread use – Requirements for vendor (Linus) adoption was critical – Lightweight Framework, less invasive

  • FreeBSD

– MAC Framework provides more label manipulation and management calls – Module composition from the start – Vendor buy-in allowed more significant changes

  • When SELinux moved from invasive kernel patches to an

LSM module, we benefited

  • Future focus is to avoid divergence
slide-14
SLIDE 14

Vance_20060301_014

Unique to Darwin Unique to Darwin

  • Rich (GUI) applications, desktop integration

– Provides motivation to use the system – Provides more challenges due to complexity – Inter-application messaging is ubiquitous

  • IOKit (another discussion entirely)
  • Mach IPC

– Critical to secure – Performance/efficiency concerns – Didn’t have to start from scratch – Explore DTOS protections for Mach IPC

slide-15
SLIDE 15

Vance_20060301_015

Darwin Complexity Darwin Complexity

  • Three separate system boundaries (IOKit, Mach, BSD)

and each one must be adequately secured!

  • Mach isn’t implemented as a microkernel, there is a

blending of the lines between BSD and Mach services – BSD is in the kernel address space, not user – Threads and the scheduler are Mach constructs while processes are a BSD construct – Even worse, virtual memory is shared amongst all three kernel subsystems

  • History showed that the complexity of the Mach

microkernel led from DTOS to FLASK – Yet here were are trying to secure Mach IPC again… – It’s no less complex than it was

slide-16
SLIDE 16

Vance_20060301_016

FLASK FLASK Extensions to Support Extensions to Support Mach Messaging Mach Messaging

  • Add Support for Mach IPC

– send, make_send, copy_send, move_recv, hold_send, hold_recv, etc.

  • Binary policy format is unchanged
  • Add name based checks / generic access checks

– Fine grained control for user space services – For security aware applications / servers – Mach messages are opaque in kernel – User space must do some mediation

slide-17
SLIDE 17

Vance_20060301_017

Project Status Project Status

  • SEBSD module for FreeBSD 5.1 and up
  • SEDarwin module for Mac OS X “Panther” (10.3.8)
  • Simple sample policy for Mac OS X
  • BSD coverage is fairly complete for both
  • Support for Network protections undeveloped
  • Mach subsystem coverage is still experimental
slide-18
SLIDE 18

Vance_20060301_018

Future Directions Future Directions

  • MAC Framework is supported on Mac OS X “Tiger”

(10.4.5) but SEDarwin isn’t yet

  • More complete support for Mach IPC
  • Update FLASK components to current version
  • Implement network access controls (Framework

already does)

  • Develop new policy/rules
  • OpenDarwin integration
slide-19
SLIDE 19

Vance_20060301_019

Login Login

slide-20
SLIDE 20

Vance_20060301_020

SEDarwin SEDarwin: For More Information : For More Information

  • Email:

– <Christopher.Vance at SPARTA.com> – TrustedBSD Mailing lists http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss

  • Web:

– http://sedarwin.org/ – http://trustedbsd.org/

slide-21
SLIDE 21

Vance_20060301_021

End. End.

slide-22
SLIDE 22

Vance_20060301_022

Learning From History Learning From History

  • You learn each step of the way

– Domain and Type Enforcement (DTE) on BSD/OS – Wrappers (System call interception) – Linux Security Modules – Security Enhanced Linux – TrustedBSD MAC Framework on FreeBSD – Security-Enhanced BSD – BSM-based Audit on Mac OS X (CAPP/EAL3) – TrustedBSD MAC Framework on Darwin – Mac OS X DCID 6/3 system – Security Enhanced Darwin

  • What’s Next?