Approaches for Designing Flexible Mandatory System Security Policies
Trent Jaeger, IBM Research
July 8, 2004

Linux 2.6 Has LSM and SELinux
Linux Security Modules Framework
– Reference monitor interface within the kernel
– Enforces mandatory access control (MAC)
– Can only further restrict what discretionary (DAC) permissions allow
Noteworthy LSM Features
– No problems with redundant parsing or races (hooks sit at the kernel operation, not at the system-call boundary)
– Comprehensive MAC enforcement: 200+ hooks; controls access to 29 kernel data types
SELinux module
– Supports comprehensive MAC
– Enhanced Type Enforcement policy: roles, subject types, transitions, etc.
– Large “example” policy (25,000+ permission assignments)
– Requires customization to the security target

Integrity
[Figure: a High Subject reads an Object that a Low Subject writes; the Low Subject can therefore modify input to the High Subject.]

SELinux & Integrity
[Figure: sysadm_t (Subject Type) and user_t (Subject Type) both carry the userdomain attribute (Subject Attr); userdomain has ttyfile rw (Attr Perm), which expands to user_tty_device_t rw (Perm). Users can modify input to sysadm_t!!]

SELinux Integrity Problem
[Figure: conflict graph. High Subject Types on the left, their subject-permission assignments (file_type read, logfile read, user_ssh rw, sshd_tmp read, lastlog read) in the middle, Low Subject Types and their writes (user_ssh rw, sshd_tmp rw, lastlog write) on the right. Subject types that appear in the figure: setfiles, sysadm, sshd, logrotate, httpd, xdm, admin, user. Each high-side read of an object type that a low-side subject writes is a conflict.]

Integrity Models
Biba Integrity
– No high integrity subject may depend on low integrity data/code
– Implication: no information flow from low integrity to high
LOMAC
– The integrity level of a subject is equal to its lowest integrity input
– Implication: same flows as Biba
Caernarvon
– The integrity level of a subject or object is specified by a range
– Implication: subjects may depend on/modify a range of integrity levels
Clark-Wilson
– Only high integrity Transformation Procedures modify high integrity data
– Implication: can read low integrity data if they only upgrade or discard it

Our Integrity Goal
Use flexible policy expression
– SELinux’s extended Type Enforcement policy
– Defines all relevant policy decisions
Find integrity problems
– Information flows that satisfy Biba are permitted
– “Resolve” the others: remove or manage them (Clark-Wilson)
Compute information to assist in resolution
– Find problems: minimal cover set
– Identify solutions: resolutions
– Determine solutions: impact

Minimal Cover Set for Integrity Violations
[Figure: the sysadm_t/user_t figure again, with the userdomain → ttyfile rw edge labelled Subject-Permission Assignment; then the conflict graph with the high-side subject-permission assignments (S-P Assign) marked as the Minimal Cover Set.]

Integrity Resolutions
– Remove Subject Type or Object Type
– Reclassify Subject Type or Object Type
– Change Subject Type-Permission assignment
– Clark-Wilson reads
  – No dependency read (move file)
  – Allow reading of low integrity data that meets Clark-Wilson
– Deny Object Access
  – Track low integrity writes per object
– LOMAC Subject Type (sysadm)
  – Reduce integrity level of the subject when it reads low integrity data

Example Resolutions
[Figure: the conflict graph with resolutions marked by X: No Dep (drop the sshd_tmp read), Attr Read and Exclude Perm on file_type read, Object Type Perm / Deny Access on lastlog, Low Type and Exclude Subject on subject types.]

Resolution Independence
[Figure: the same conflict graph with the logfile read assignment marked X, showing which conflicts one resolution removes independently of the others.]

Resolution Impact
Basic resolution impact
– Number of conflicts that result from a flow assignment or node
Real resolution impact
– Number of conflicts that are eliminated by removal of an assignment or node
Changes on extremes have bigger impact
– Subject Type and Object Type changes
– Permission assignment changes are generally low impact

Policy Design Tool: Gokyo
– Load entire SELinux example policy
– Find Biba conflicts in SELinux policy
– Display conflicts in terms of minimal cover set
– Compute basic impacts for nodes and assignments
– Enable expression of resolutions and re-evaluation
– Resulting policies provide Clark-Wilson integrity
  – Assuming high integrity applications meet assurance requirements
  – Assuming sanitization either discards or upgrades low integrity data
– Does not fix the SELinux module to enforce resolutions

Gokyo Resolution
[Figure: the conflict graph after resolution, with X marks on setfiles, the file_type read, the sshd_tmp read, and the lastlog access.]

Policy Design Results
– 1 Biba constraint (no flow from low to high)
– 36 TCB subject types (high integrity subjects)
– 83 excluded subject types (low integrity)
  – All other subject types are assumed low
– 4 object type excludes
– 1 LOMAC subject type (sysadm)
– 18 denials
– 83 sanitizations for 24 subject types

Other SELinux Policy Analysis Tools
Tresys
– Apol - analyze an SELinux policy (GUI)
– SeAudit - analyze audit messages from SELinux (GUI)
– SeCmds - analyze an SELinux policy and search/replace file contexts
– SeUser - GUI and command-line "user manager" for SELinux
– SePCuT - customize an SELinux policy (GUI)
MITRE
– SLAT - information flow policy expression
Hitachi
– SELinux/Aid - inspect and edit SELinux security policies and inspect log messages

Summary
Comprehensive security is complex
– Security requirements should be simple
– Resolution requires tools to support decision-making
Modeling concepts enable focus:
– Minimal cover set
– Resolution options
– Resolution impact
– And guide the resolution process
Clark-Wilson integrity with assumptions is achievable
SELinux policy model requires adjustments to achieve resolution

Summary (cont’d)
Research Results
– ACM TISSEC journal: Access Control Spaces
– USENIX Security Conference: Configure TCB policy
– ACM SACMAT: Underlying graph properties for resolution
Working Tool
– Gokyo analysis infrastructure
– Lacks GUI
Analysis Tools for Security
www.research.ibm.com/vali
Contact for more info
– jaegert@us.ibm.com

Resolution Issues
Low integrity side vs. high integrity side
– Which is easier to address?
Big impact vs. ease of understanding
– Small, independent cases are easy
– Small cases with some overlap are not so hard
– Extensive cases with overlap are difficult
– Some assignments result in extensive overlap
How to apply graph theory?
– Node weights based on basic or real impact?
– Minimum cut across the graph
  – Cost of making a change is the cost of the cut

Current Approach
Identify the minimal cover set for constraint conflicts
– Subject-permission assignments
Compute the basic impact value of each cover assignment
– Number of conflicts reachable
Compute the number of subjects/objects impacted by a cover assignment
– Examine remove/reclassification or LOMAC semantics
Compute individual node and assignment impacts on demand
Apply permission resolutions
– Sanitize or deny

LSM Entry Points
[Figure: a request enters through the System Interface; before each Security-sensitive Operation an Access Hook asks the Module "Authorize Request?" and the Module answers Yes/No.]

Achieving Security Goals
Large number of security decisions
– 150+ decision points defined by LSM
– Comprehensive vs. limited security
Defining the security goal
– Least Privilege
– Confidentiality
– Integrity
Security goal specification
– Simply-stated goals are often too restrictive (e.g., no low integrity data dependencies)
– Flexible languages enable complex goals, but are too complex (e.g., access matrix)

Our Solution
Aims:
– Comprehensive integrity
– Use a simple model as the target, but enable flexible fine tuning
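The four models on the "Integrity Models" slide differ in when a high-integrity subject that touches low-integrity data is stopped. The following added illustration (not code from the talk or from Gokyo) runs the same two-step trace, a read of a user-controlled tty followed by a write of a high-integrity object, through a simplified decision rule for each model. The object names, the two-level lattice and the Caernarvon range rule are assumptions made for the example.

```python
LOW, HIGH = 0, 1


class Subject:
    """Subject state shared by the four rule sets (constructed for this example)."""

    def __init__(self, name, level=HIGH, rng=None, tp=False, sanitizes=()):
        self.name = name
        self.level = level                  # current integrity level; LOMAC lowers it
        self.rng = rng or (level, level)    # Caernarvon range (lo, hi)
        self.tp = tp                        # Clark-Wilson transformation procedure?
        self.sanitizes = set(sanitizes)     # low objects this TP upgrades or discards


def biba(s, op, obj, lvl):
    """No read-down, no write-up: a high subject never depends on low data."""
    return lvl >= s.level if op == "read" else lvl <= s.level


def lomac(s, op, obj, lvl):
    """Reads always succeed but drag the subject to its lowest input, so the
    later write-up is refused: the same flows as Biba, stopped one step later."""
    if op == "read":
        s.level = min(s.level, lvl)
        return True
    return lvl <= s.level


def caernarvon(s, op, obj, lvl):
    """Range rule (assumed simplification of the slide): the subject may depend
    on anything at or above the bottom of its range and modify anything at or
    below the top of it."""
    lo, hi = s.rng
    return lvl >= lo if op == "read" else lvl <= hi


def clark_wilson(s, op, obj, lvl):
    """Only high-integrity TPs modify high data; a TP may read low data only
    when it upgrades or discards it (the object is in its sanitize set)."""
    if op == "read":
        return lvl >= s.level or (s.tp and obj in s.sanitizes)
    if lvl == HIGH:
        return s.tp and s.level == HIGH
    return True


# Constructed trace: sysadm_t reads a user-controlled tty, then writes a
# high-integrity configuration object (object names assumed for this example).
TRACE = [("read", "user_tty_device_t", LOW), ("write", "etc_t", HIGH)]


def run(model, trace=TRACE, **subject):
    """Decisions of one model over the trace for a freshly created subject."""
    s = Subject(**subject)
    return [model(s, op, obj, lvl) for op, obj, lvl in trace]


if __name__ == "__main__":
    for model in (biba, lomac, caernarvon, clark_wilson):
        print(f"{model.__name__:13s}", run(model, name="sysadm_t", rng=(LOW, HIGH)))
    print("clark_wilson TP", run(clark_wilson, name="sysadm_t", tp=True,
                                 sanitizes=["user_tty_device_t"]))
```

Biba refuses the read outright, LOMAC permits it and refuses the following write, Caernarvon permits both for a subject whose range spans both levels, and Clark-Wilson permits both only for a transformation procedure that declares it sanitizes the tty input. That last case is the "sanitize" resolution the deck counts 83 of; the assurance assumption on the Gokyo slide is exactly that the TP really does upgrade or discard what it reads.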
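The "Minimal Cover Set", "Integrity Resolutions", "Resolution Impact" and "Current Approach" slides describe one pipeline: expand the policy, find every low-write/high-read pair on an object type, collect the high-side read assignments that cause them, score each by impact, apply resolutions and re-evaluate. The script below is an added illustration of that pipeline and is not Gokyo's code. The allow rules, attribute membership and TCB are constructed for the example (type names are loosely modelled on the slides' figures, not taken from the SELinux example policy), and LOMAC is modelled conservatively as "the subject's reads never conflict, but its writes count as low-integrity writes".

```python
from collections import defaultdict

# Constructed policy (an assumption, not the SELinux example policy):
# allow rules as (subject type, object type or attribute, permissions).
ALLOW = [
    ("setfiles_t",  "file_type",         {"read"}),
    ("sysadm_t",    "file_type",         {"read"}),
    ("sysadm_t",    "user_tty_device_t", {"read", "write"}),
    ("user_t",      "user_tty_device_t", {"read", "write"}),
    ("logrotate_t", "logfile_t",         {"read", "write"}),
    ("httpd_t",     "logfile_t",         {"write"}),
    ("sshd_t",      "user_ssh_t",        {"read", "write"}),
    ("user_t",      "user_ssh_t",        {"read", "write"}),
    ("sshd_t",      "sshd_tmp_t",        {"read"}),
    ("user_t",      "sshd_tmp_t",        {"read", "write"}),
    ("xdm_t",       "lastlog_t",         {"read"}),
    ("user_t",      "lastlog_t",         {"write"}),
]
ATTRIBUTES = {"file_type": {"user_tty_device_t", "logfile_t", "user_ssh_t",
                            "sshd_tmp_t", "lastlog_t"}}      # constructed membership
TCB = {"setfiles_t", "sysadm_t", "logrotate_t", "sshd_t", "xdm_t"}  # high; rest low


def expand(allow, attributes):
    """Yield (subject, concrete object type, perm, originating assignment)."""
    for subj, target, perms in allow:
        for obj in attributes.get(target, {target}):
            for perm in perms:
                yield subj, obj, perm, (subj, target, perm)


def find_conflicts(allow, attributes, tcb, lomac=frozenset()):
    """Map each Biba conflict (low writer, object, high reader) to the set of
    high-side read assignments that produce it. A read moves information
    object->subject and a write subject->object, so one low->high hop is a
    low write plus a high read of the same object type."""
    readers, writers = defaultdict(set), defaultdict(set)
    for subj, obj, perm, asg in expand(allow, attributes):
        high = subj in tcb and subj not in lomac
        if perm == "read" and high:
            readers[obj].add((subj, asg))
        elif perm == "write" and not high:
            writers[obj].add(subj)
    conflicts = defaultdict(set)
    for obj, rs in readers.items():
        for writer in writers.get(obj, ()):
            for reader, asg in rs:
                conflicts[(writer, obj, reader)].add(asg)
    return dict(conflicts)


def cover_set(conflicts):
    """Every high-side read assignment taking part in a conflict; removing all
    of them removes every conflict, and none is redundant."""
    return set().union(*conflicts.values()) if conflicts else set()


def basic_impact(conflicts, assignment):
    """Conflicts reachable from the assignment."""
    return sum(assignment in causes for causes in conflicts.values())


def real_impact(conflicts, assignment):
    """Conflicts eliminated by removing only this assignment; a conflict also
    reachable through another assignment (e.g. an attribute read) survives."""
    return sum(causes == {assignment} for causes in conflicts.values())


def node_impact(conflicts, node):
    """Conflicts touching a subject type or object type."""
    return sum(node in c for c in conflicts)


def apply_resolutions(allow, attributes, tcb, resolutions):
    """Apply the slide's resolution kinds, then re-evaluate. Returns the
    remaining conflicts and the number of sanitized and denied reads."""
    allow, attributes, tcb = list(allow), dict(attributes), set(tcb)
    lomac, sanitized, denied = set(), set(), set()
    for kind, *args in resolutions:
        if kind == "exclude_subject":        # reclassify the subject type as low
            tcb.discard(args[0])
        elif kind == "exclude_object":       # remove the object type (e.g. move file)
            allow = [r for r in allow if r[1] != args[0]]
            attributes = {a: m - {args[0]} for a, m in attributes.items()}
        elif kind == "remove_perm":          # drop one subject-permission assignment
            s, t, perm = args
            allow = [(a, b, p - {perm}) if (a, b) == (s, t) else (a, b, p)
                     for a, b, p in allow]
        elif kind == "lomac":                # subject drops its level on low reads
            lomac.add(args[0])
        elif kind == "sanitize":             # Clark-Wilson read: upgrade or discard
            sanitized.add(tuple(args))
        elif kind == "deny":                 # runtime denial once low data was written
            denied.add(tuple(args))
        else:
            raise ValueError(kind)
    conflicts = find_conflicts(allow, attributes, tcb, lomac)
    managed = sanitized | denied             # (reader, object) pairs
    remaining = {c: a for c, a in conflicts.items() if (c[2], c[1]) not in managed}
    return remaining, len(sanitized), len(denied)


RESOLUTIONS = [                              # constructed, mirrors the figure's X marks
    ("exclude_subject", "setfiles_t"),
    ("lomac", "sysadm_t"),
    ("remove_perm", "sshd_t", "sshd_tmp_t", "read"),
    ("sanitize", "sshd_t", "user_ssh_t"),
    ("sanitize", "logrotate_t", "logfile_t"),
    ("deny", "xdm_t", "lastlog_t"),
]

if __name__ == "__main__":
    conflicts = find_conflicts(ALLOW, ATTRIBUTES, TCB)
    print(f"{len(conflicts)} Biba conflicts, cover set of {len(cover_set(conflicts))}")
    for asg in sorted(cover_set(conflicts)):
        print(f"  {asg}: basic {basic_impact(conflicts, asg)}, real {real_impact(conflicts, asg)}")
    remaining, s, d = apply_resolutions(ALLOW, ATTRIBUTES, TCB, RESOLUTIONS)
    print(f"after resolutions: {len(remaining)} remaining, {s} sanitized, {d} denied")
```

Two things the numbers show that the slides only state. First, basic and real impact differ as soon as assignments overlap: sysadm_t's attribute-level file_type read reaches five conflicts, but removing it alone eliminates only four, because the user_tty_device_t conflict is also reachable through sysadm_t's direct read. Second, a resolution on one side of the graph can create conflicts on the other: making sysadm_t a LOMAC subject removes its five read conflicts but turns its write to user_tty_device_t into a low-integrity write that setfiles_t then reads, which is why the deck insists on re-evaluation after every resolution rather than on a single pass.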