CSE543 Computer and Network Security - Fall 2006 - Professor Jaeger
Lecture 26 - Linux MAC Security
December 12, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/
UNIX Discretionary Access Control
- Subjects
- Processes
- Runs with a UID
- Objects
- Files
- Mode bits describe file ACL
- Operations
- Mode bits
- Administration
- Owner (UID) manages file mode bits
UNIX Discretionary Access Control
- Q: What are the problems with UNIX DAC?
- Some answers (incomplete list)
- Fully privileged UID: root
- Lots of programs run as root
- Imagine a vulnerability in one program (game over)
- Mode bits are not very expressive
- Try to run a program with only some of your access rights
- No network controls
- Any program can send a packet anywhere (delegate to firewall)
- Owner administration does not even mean user administration
- Any program running as you can give away rights to your files
- Also, consider “transition”
- Setuid: enable execution of code with more privilege
Key Issues
- Control access
- Limit subjects’ access to objects for operations
- Can we assign a process any set of rights?
- Do we mediate all objects and operations?
- Administration
- Manage the distribution of rights among subjects
- Should all programs be able to do this?
- Should any program be able to do this?
- Transition
- Change from one subject to another
- Should you be able to increase your access?
- If so, under what conditions?
Try to Solve UNIX DAC Limitations
- Control Access
- Assign rights to programs
- Lots of Research: ATOMICMAIL, TRON, Janus, UARC, ...
- Administration
- Mandatory Access Control
- Intersection of rights (more or less)
- Transitions
- Limit rights in any transition
- Limit the ways to escalate
Linux Access Control Systems
- Patches to the Linux kernel
- Enforce different access control policy
- Some hardening
- Argus PitBull
- Limited permissions for root services
- RSBAC
- MAC enforcement and virus scanning
- grsecurity
- RBAC MAC system
- Auditing, buffer overflow prevention, /tmp race protection, etc.
- LIDS
- MAC system for root confinement
Linux Security Modules Framework
- Traditional Reference Monitor in Linux
- [Figure: system interface entry points lead to security-sensitive operations; an access hook placed before each operation asks the policy monitor "Authorize request? Yes/No"]
Linux Security Modules
- Difference from discretionary controls
- Control Access
- More object types
- 29 different object types
- Per packet, superblock, shared memory, ...
- Finer-grained operations
- File: ioctl, create, getattr, setattr, lock, append, ...
- Administration
- Transitions
- Already has authorizations using discretionary rights
Linux Security Modules
- Usage
- Others:
- POSIX Capabilities Module
- Stacking and Auditing
- [Figure: Linux kernel with LSM: modules register/unregister with the framework, policy is loaded through SysFS, objects carry labels, and syscall hooks define the mediation points]
Linux Security Modules Status
- Available in Linux 2.
- Packet-level controls upstreamed in 2.6.
- Modules
- POSIX Capabilities module
- SELinux module
- Domain and Type Enforcement
- Openwall, includes grsecurity function
- LIDS
- AppArmor
- Not everyone is in favor
SELinux Installed
- Available by default in Fedora Core 3-
- SELinux-enabled kernel and userland packages
- Configuration/bootstrap: /etc/selinux/
- E.g., Policy
- Users: specify roles and labels (security context)
- Files: Labels stored in xattrs of ext3 filesystem
- Need to ‘relabel’ any mounted filesystem
- Communicate: /selinux/ files
- Modes: disabled, permissive, enforcing
- Running SELinux
- id -Z: provides SELinux security context
- ls -Z: provides security context of files
- Turn enforcing on ‘echo 1 > /selinux/enforce’
- audit2allow: turn logged denials into permissions
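As an added example of what the audit2allow step does (a simplified re-implementation for these notes, not the tool itself), the Python below parses constructed AVC denial records and turns them into candidate allow rules; the records, pids, inodes and names are made up.

```python
"""Turn SELinux AVC denial records into candidate allow rules, the way
audit2allow does. Simplified re-implementation for these notes, not the tool."""
import re
from collections import defaultdict

# Constructed AVC records in audit-log format; pids, inodes and names are made up.
AVC_LOG = """
type=AVC msg=audit(1165900000.101:42): avc: denied { read } for pid=2201 comm="httpd" name="index.html" dev=sda2 ino=1311 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1165900000.102:43): avc: denied { getattr } for pid=2201 comm="httpd" path="/home/alice/index.html" dev=sda2 ino=1311 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1165900000.250:44): avc: denied { name_bind } for pid=2201 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def type_of(context):
    """Third field of user:role:type[:level] is the type used by TE rules."""
    return context.split(":")[2]

def parse_denials(log):
    """Group denied operations by (subject type, object type, class)."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(log):
        perms, sctx, tctx, tclass = m.groups()
        denials[(type_of(sctx), type_of(tctx), tclass)] |= set(perms.split())
    return denials

def to_allow_rules(denials):
    """One 'allow subj obj:class ops;' rule per key, ops sorted for stable output."""
    rules = []
    for (subj, obj, cls), perms in sorted(denials.items()):
        ops = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (subj, obj, cls,
                     ops if len(perms) == 1 else "{ %s }" % ops))
    return rules

if __name__ == "__main__":
    # Review each generated rule before loading it: a denial often means the
    # object is mislabeled (httpd reading user_home_t), not that policy is missing.
    for rule in to_allow_rules(parse_denials(AVC_LOG)):
        print(rule)
```

Each rule grants exactly the operations that were denied, so a rule like httpd_t reading user_home_t usually signals a labeling mistake to fix rather than a permission to add.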
SELinux Policy
- ‘Extended’ Type Enforcement
- Subjects are labeled with types
- Objects are labeled with types
- Objects also have classes (datatypes)
- E.g., files, socket files, directories, IPCs, superblocks, etc.
- Permission
- allow subject_type object_type:class operation_set
- Subject type can change (domain transition)
- Based on code executed
- Other systems that can do this?
- Subject types are limited by roles
- Your role determines possible subject transitions
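The type-enforcement model on this slide, as an added Python example that is not SELinux code: it parses a constructed policy fragment written in the allow-rule syntax above, answers access questions by default-deny lookup, and checks a domain transition under the SELinux conditions (execute, entrypoint, transition, and role authorization for the new type). All type and role names are made up for the example.

```python
"""Toy type-enforcement (TE) checker in the style of SELinux 'allow' rules.
Added example for these notes, not SELinux code; the policy text is constructed."""
import re
from collections import defaultdict

# Constructed policy fragment in SELinux-like syntax; all type/role names are examples.
POLICY = """
allow httpd_t httpd_config_t:file { read getattr };
allow httpd_t httpd_log_t:file { append create getattr };
allow httpd_t httpd_exec_t:file { execute entrypoint };
allow init_t httpd_exec_t:file execute;
allow init_t httpd_t:process transition;
role system_r types { init_t httpd_t };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+);")

def _to_set(text):
    """'{ read getattr }' or 'read' -> {'read', 'getattr'} / {'read'}."""
    return set(text.strip("{} ").split())

def parse_policy(text):
    """Return (allow, roles): allow[(subj_type, obj_type, cls)] -> ops,
    roles[role] -> subject types the role may run in."""
    allow, roles = defaultdict(set), defaultdict(set)
    for subj, obj, cls, ops in ALLOW_RE.findall(text):
        allow[(subj, obj, cls)] |= _to_set(ops)
    for role, types in ROLE_RE.findall(text):
        roles[role] |= _to_set(types)
    return allow, roles

def check(allow, subj, obj, cls, op):
    """TE decision: default deny, only an explicit allow rule grants `op`."""
    return op in allow.get((subj, obj, cls), set())

def domain_transition(allow, roles, role, cur, new, entry):
    """A process of type `cur` may run as `new` after executing a file of
    type `entry` only if all four hold (SELinux's conditions for a transition):
    cur may execute entry, new has entry as an entrypoint, cur may
    transition to new, and the current role permits the new type."""
    return (check(allow, cur, entry, "file", "execute")
            and check(allow, new, entry, "file", "entrypoint")
            and check(allow, cur, new, "process", "transition")
            and new in roles.get(role, set()))

ALLOW, ROLES = parse_policy(POLICY)
```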
SELinux Advantages
- Control Access
- Comprehensive authorization of each LSM mediation
- Policy enforcement for each LSM hook
- Services updated to use policy
- Administration
- Services for building and managing policy
- Community has developed policies
- Strict: Least privilege
- Targeted: Sandbox network services
- Transition Limits
- Also
- Adopted by major Linux vendors (Red Hat anyway)
- Companies doing training and deployment
- Community is integrated in Linux development process
SELinux Challenges
- Policy complexity
- 30,000+ policy statements in strict policy
- Hide them
- Application complexity
- Policies for application use
- Red Hat will do it
- Deployment complexity
- Build/config/label/etc.
- Red Hat will do it
- What if an application doesn’t work?
- Integration with other security features
- Hardening and integrity measurement