Chapter 9

advertisement
Chapter 9
Building a Secure Operating System for Linux
Chapter Overview
•
•
Linux Security Modules
–
History
–
Implementation
SeLinux
–
Reference Monitor
–
Protection State
–
Labeling State
–
Transition State
–
Administration
–
Trusted Programs
–
Security Evaluation
Linux Security Modules
•
Reference Monitor System for the Linux kernel.
•
Consists of two parts:
–
Reference Monitor Interface
–
Reference Monitor Module (LSM)
• Several LSM's have been
implemented.
• Have covered AppArmor
• Will try to cover SELinux
LSM History
•
Lots of early security work on Linux:
–
Argus PitBull
–
LIDS
–
Subdomain (AppArmor)
–
RSBAC
–
GRSecurity
–
DTE for Linux
–
Medusa DS9
–
Open Wall
–
HP's initiative
–
Flask (SELinux)
LSM History (II)
•
Obviously, (2001) a reference monitor was
necessary for Linux; everybody was reinventing
the wheel! But:
–
Linus Torvalds was not a security expert, could
not decide on an approach
–
There was no real agreement as to which was
the “best” approach.
•
Result was a design basde on kernel modules
with a single interface for all the necessary
modules.
•
LSM framework
LSM Requirements:
•
The reference monitor must be truly
generic, so that switching to a different
security model was simply a matter of
loading a different kernel module.
•
The interfaces must be “conceptually
simple, minimally invasive, and efficient.”
•
Must support the POSIX.1e capabilities
mechanism as an “optional security
module”.
Design of the reference monitor
•
Formed union of all projects to date.
•
Restricted number of authorization queries to prevent
redundant authorizations.
•
Manual design, source code analysis tools were used to
verify completeness and consistency, finding six bugs.
•
Most of the interface had negligible performance impact
except for the CIPSO implementation. Network security is
now supported inoe of two ways:
–
Labeled IPSec
–
New implementation of CIPSO called Netlabel
LSM History, final details
•
LSM framework was officially added to
Linux kernel in version 2.6.
•
SELinux and POSIX capabilities were
included with the release of LSM
•
Novell bought the company that supported
AppArmor, so AppArmor is also available.
LSM Implementation
•
LSM Framework implemetation has three
parts:
–
Reference monitor interface definition
–
Reference monitor interface placement
–
Reference monitor implementation
LSM Reference Monitor definition
•
Specifies the way the kernel can invoke the LSM
reference monitor.
•
The description is in the file
include/linux/security.h in the kernel sources. It
defines a structure security_operations with all
the LSM function pointers. They are called LSM
hooks.
•
150 hoks for authorizations, plus other hooks for
labels, label transitions. And label maintenance.
LSM Reference Monitor placement
•
•
Where to place the hook?
–
At the entrance to the system call?
–
What about TOCTTOU attacks?
–
What about the “open” system call?
The hooks were placed using in-line
function declarations.
LSM Hook Architecture
LSM Reference Monitor Implementation
•
Each LSM reference monitor is different.
•
However, most security enhanced versions
of Linux use the same hooks.
•
Exception is RSBAC
Security-Enhanced Linux
SELinux Reference Monitor
•
Two distinct processing steps.:
–
Convert input values from the LSM hooks
into one or more authorization queries.
–
Check against SELinux protection system.
SELinux Protection State
SELinux Contexts
SELinux Contexts
•
Previous diagram gave idea of user labels;; each
context has permissions assigned to it.
•
There is also an MLS policy, but, though it allows
read down, it only allows write level.
•
Both type labels and MLS labels are checked.
•
20 different object data types, and many operations,
including read, write, execute, create, ioctl, fcntl,
extended attributes, ..
•
Over 1000 state labels.
•
Very complex administration!
SELinux Labeling State
•
Files/objects are labeled (by default) based
on their location in the file system, but file
contexts can be used to override the
defaults.
•
Labels are inherited. For files, the label of
a file is inherited from the label of its parent
directed, some processes may have
permission to relabel them.
SELinux Transition State
•
Rather than SUID programs, a label
transition is only allowed at execution; the
transition only gives limited privileges; also,
not all programs can run a transitioning
prtogram.
•
Instead of gatekeepers, SELinux relies
onprogrammers to keep program safe.
SELinux Administration
•
•
Different kinds of policies:
–
Monolithic
–
Modular
Policy development:
–
Strict policy
–
Targeted (like AppArmor)
–
Reference Policy
SELinux Trusted Programs
SELinux Security Evaluation
Download