UNIX Discretionary Access Control and Linux Mandatory Access Control: A Comparative Study, Study notes of Computer Science

A lecture note from a computer and network security course at Penn State University, Fall 2006. It discusses the problems with UNIX discretionary access control (DAC) and introduces Linux mandatory access control (MAC) systems as solutions. It covers access control, administration, and transitions, and mentions specific Linux access control systems such as Argus PitBull, RSBAC, grsecurity, and LIDS.

Typology: Study notes

Pre 2010

Uploaded on 09/24/2009

CSE543 Computer and Network Security - Fall 2006 - Professor Jaeger
Lecture 26 - Linux MAC Security
December 12, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/
CSE 543 - Computer Security
(Fall 2006)

UNIX Discretionary Access Control

  • Subjects
    • Processes
    • Runs with a UID
  • Objects
    • Files
    • Mode bits describe file ACL
  • Operations
    • Read, Write, Execute
  • Mode bits
    • User, group, and others
  • Administration
    • Owner (UID) manages file mode bits

UNIX Discretionary Access Control

  • Q: What are the problems with UNIX DAC?
  • Some answers (incomplete list)
    • Fully privileged UID: root
      • Lots of programs run as root
      • Imagine a vulnerability in one program (game over)
    • Mode bits are not very expressive
      • Try to run a program with only some of your access rights
    • No network controls
      • Any program can send a packet anywhere (delegate to firewall)
    • Owner administration does not even mean user administration
      • Any program running as you can give away rights to your files
  • Also, consider “transition”
    • Setuid: enable execution of code with more privilege
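An added example, not from the lecture: a small Python model of the UNIX DAC file check the slides describe, including the root bypass and owner-only administration of mode bits. The Inode and Process classes and the sample values are invented for illustration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # the three operations, as permission bits

@dataclass
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int  # rwx bits for user, group, others, e.g. 0o640

@dataclass
class Process:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary group IDs

def dac_check(proc: Process, f: Inode, op: int) -> bool:
    """Classic UNIX DAC: may proc perform op (R, W or X) on file f?"""
    if proc.uid == 0:
        # root bypasses read/write entirely; execute still needs at
        # least one x bit somewhere in the mode (Linux CAP_DAC_OVERRIDE)
        return op != X or (f.mode & 0o111) != 0
    # exactly one of the three bit triples applies, owner first
    if proc.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif proc.gid == f.owner_gid or f.owner_gid in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & op) == op

def chmod(proc: Process, f: Inode, new_mode: int) -> bool:
    """Owner administration: the owner UID (or root) may rewrite the mode
    bits, so any program running as the owner can give the file away."""
    if proc.uid not in (0, f.owner_uid):
        return False
    f.mode = new_mode & 0o777
    return True
```

Note that the owner triple is used exclusively: a file with mode 0o070 is unreadable by its owner even when the owner is in the file's group, which is the real UNIX behaviour.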

Key Issues

  • Control access
    • Limit subjects’ access to objects for operations
      • Can we assign a process any set of rights?
      • Do we mediate all objects and operations?
  • Administration
    • Manage the distribution of rights among subjects
      • Should all programs be able to do this?
      • Should any program be able to do this?
  • Transition
    • Change from one subject to another
      • Should you be able to increase your access?
      • If so, under what conditions?

Try to Solve UNIX DAC Limitations

  • Control Access
    • Assign rights to programs
    • Lots of Research: ATOMICMAIL, TRON, Janus, UARC, ...
  • Administration
    • Mandatory Access Control
    • Intersection of rights (more or less)
  • Transitions
    • Limit rights in any transition
    • Limit ways to escalate

Linux Access Control Systems

  • Patches to the Linux kernel
    • Enforce different access control policy
      • Restrict root processes
    • Some hardening
  • Argus PitBull
    • Limited permissions for root services
  • RSBAC
    • MAC enforcement and virus scanning
  • grsecurity
    • RBAC MAC system
    • Auditing, buffer overflow prevention, /tmp race protection, etc
  • LIDS
    • MAC system for root confinement

Linux Security Modules Framework

  • Traditional Reference Monitor in Linux
    • [Figure: system interface entry points lead to security-sensitive operations; each operation calls an access hook, and the hooks consult the policy monitor, which answers "Authorize request? Yes/No"]

Linux Security Modules

  • Difference from discretionary controls
    • Control Access
      • More object types
        • 29 different object types
        • Per packet, superblock, shared memory, ...
      • Finer-grained operations
        • File: ioctl, create, getattr, setattr, lock, append, ...
    • Administration
      • Not dependent on user
    • Transitions
      • Left to module
  • Already has authorizations using discretionary rights
    • What happened to those?

Linux Security Modules

  • Usage
  • Others:
    • POSIX Capabilities Module
    • Stacking and Auditing
  • [Figure: LSM usage; labels: Linux Kernel, LSM, Register/Unregister, SysFS, Load Policy, Object Label, Syscall Hook, Define]

Linux Security Modules Status

  • Available in Linux 2.
    • Packet-level controls upstreamed in 2.6.
  • Modules
    • POSIX Capabilities module
    • SELinux module
    • Domain and Type Enforcement
    • Openwall, includes grsecurity function
    • LIDS
    • AppArmor
  • Not everyone is in favor

SELinux Installed

  • Available by default in Fedora Core 3-
    • SELinux-enabled kernel and userland packages
    • Configuration/bootstrap: /etc/selinux/
      • E.g., Policy
      • Users: specify roles and labels (security context)
    • Files: Labels stored in xattrs of ext3 filesystem
      • Need to ‘relabel’ any mounted filesystem
    • Communicate: /selinux/ files
    • Modes: disabled, permissive, enforcing
  • Running SELinux
    • id -Z: provides SELinux security context
    • ls -Z: provides security context of files
    • Turn enforcing on ‘echo 1 > /selinux/enforce’
    • audit2allow: Turn logged denials into permissions

SELinux Policy

  • ‘Extended’ Type Enforcement
  • Subjects are labeled with types
  • Objects are labeled with types
    • Objects also have classes (datatypes)
      • E.g., files, socket files, directories, IPCs, superblocks, etc.
  • Permission
    • allow subject_type object_type:class operation_set
  • Subject type can change (domain transition)
    • Based on code executed
    • Other systems that can do this?
  • Subject types are limited by roles
    • Your role determines possible subject transitions
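An added example, not from the lecture or the SELinux project: a toy Type Enforcement decision engine in Python that reads rules in the `allow subject_type object_type:class { ops };` shape shown above and performs a domain transition on exec. The policy fragment and all type names (httpd_t, user_t, ...) are constructed for illustration; real SELinux has many more rule kinds and also checks roles, which this model omits.

```python
import re
from collections import defaultdict

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\};")
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+);")

# Constructed policy fragment (made-up type names): a shell domain user_t
# that may exec the web server and land in the confined domain httpd_t.
POLICY = """
allow httpd_t httpd_config_t:file { read getattr };
allow httpd_t httpd_log_t:file { append getattr };
allow httpd_t httpd_exec_t:file { entrypoint };
allow user_t httpd_exec_t:file { read execute };
allow user_t httpd_t:process { transition };
type_transition user_t httpd_exec_t:process httpd_t;
"""

def load_policy(text):
    """Parse allow and type_transition statements into lookup tables."""
    allows = defaultdict(set)
    for s, o, cls, ops in ALLOW_RE.findall(text):
        allows[(s, o, cls)].update(ops.split())
    trans = {(s, exe): new for s, exe, new in TRANS_RE.findall(text)}
    return allows, trans

def te_check(allows, subject_type, object_type, cls, op):
    """MAC decision: an explicit allow rule is the only source of rights;
    the process's UID (root or not) plays no part."""
    return op in allows[(subject_type, object_type, cls)]

def exec_transition(allows, trans, subject_type, exec_type):
    """Domain transition on exec. Returns the new domain, the old domain if
    the policy names no transition, or None if the exec is denied."""
    if not te_check(allows, subject_type, exec_type, "file", "execute"):
        return None
    new = trans.get((subject_type, exec_type))
    if new is None:
        return subject_type
    # the transition itself is mediated: the caller needs process:transition
    # to the new domain, and the file must be a legal entrypoint for it
    if not te_check(allows, subject_type, new, "process", "transition"):
        return None
    if not te_check(allows, new, exec_type, "file", "entrypoint"):
        return None
    return new
```

Once in httpd_t, the server can read its config and append to its log but nothing else, regardless of the UID it runs under; that is the "transition limits" point of the following slides.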

SELinux Advantages

  • Control Access
    • Comprehensive authorization of each LSM mediation
      • Policy enforcement for each LSM hook
    • Services updated to use policy
  • Administration
    • Services for building and managing policy
    • Community has developed policies
      • Strict: Least privilege
      • Targeted: Sandbox network services
  • Transition Limits
  • Also
    • Adopted by major Linux vendors (RedHat anyway)
    • Companies doing training and deployment
    • Community is integrated in Linux development process

SELinux Challenges

  • Policy complexity
    • 30,000+ policy statements in strict policy
    • Hide them
  • Application complexity
    • Policies for application use
    • RedHat will do it
  • Deployment complexity
    • Build/config/label/etc.
    • RedHat will do it
  • What if an application doesn’t work?
  • Integration with other security features
    • Hardening and integrity measurement