Chapter 9 Building a Secure Operating System for Linux Chapter Overview • • Linux Security Modules – History – Implementation SeLinux – Reference Monitor – Protection State – Labeling State – Transition State – Administration – Trusted Programs – Security Evaluation Linux Security Modules • Reference Monitor System for the Linux kernel. • Consists of two parts: – Reference Monitor Interface – Reference Monitor Module (LSM) • Several LSM's have been implemented. • Have covered AppArmor • Will try to cover SELinux LSM History • Lots of early security work on Linux: – Argus PitBull – LIDS – Subdomain (AppArmor) – RSBAC – GRSecurity – DTE for Linux – Medusa DS9 – Open Wall – HP's initiative – Flask (SELinux) LSM History (II) • Obviously, (2001) a reference monitor was necessary for Linux; everybody was reinventing the wheel! But: – Linus Torvalds was not a security expert, could not decide on an approach – There was no real agreement as to which was the “best” approach. • Result was a design basde on kernel modules with a single interface for all the necessary modules. • LSM framework LSM Requirements: • The reference monitor must be truly generic, so that switching to a different security model was simply a matter of loading a different kernel module. • The interfaces must be “conceptually simple, minimally invasive, and efficient.” • Must support the POSIX.1e capabilities mechanism as an “optional security module”. Design of the reference monitor • Formed union of all projects to date. • Restricted number of authorization queries to prevent redundant authorizations. • Manual design, source code analysis tools were used to verify completeness and consistency, finding six bugs. • Most of the interface had negligible performance impact except for the CIPSO implementation. Network security is now supported inoe of two ways: – Labeled IPSec – New implementation of CIPSO called Netlabel LSM History, final details • LSM framework was officially added to Linux kernel in version 2.6. • SELinux and POSIX capabilities were included with the release of LSM • Novell bought the company that supported AppArmor, so AppArmor is also available. LSM Implementation • LSM Framework implemetation has three parts: – Reference monitor interface definition – Reference monitor interface placement – Reference monitor implementation LSM Reference Monitor definition • Specifies the way the kernel can invoke the LSM reference monitor. • The description is in the file include/linux/security.h in the kernel sources. It defines a structure security_operations with all the LSM function pointers. They are called LSM hooks. • 150 hoks for authorizations, plus other hooks for labels, label transitions. And label maintenance. LSM Reference Monitor placement • • Where to place the hook? – At the entrance to the system call? – What about TOCTTOU attacks? – What about the “open” system call? The hooks were placed using in-line function declarations. LSM Hook Architecture LSM Reference Monitor Implementation • Each LSM reference monitor is different. • However, most security enhanced versions of Linux use the same hooks. • Exception is RSBAC Security-Enhanced Linux SELinux Reference Monitor • Two distinct processing steps.: – Convert input values from the LSM hooks into one or more authorization queries. – Check against SELinux protection system. SELinux Protection State SELinux Contexts SELinux Contexts • Previous diagram gave idea of user labels;; each context has permissions assigned to it. • There is also an MLS policy, but, though it allows read down, it only allows write level. • Both type labels and MLS labels are checked. • 20 different object data types, and many operations, including read, write, execute, create, ioctl, fcntl, extended attributes, .. • Over 1000 state labels. • Very complex administration! SELinux Labeling State • Files/objects are labeled (by default) based on their location in the file system, but file contexts can be used to override the defaults. • Labels are inherited. For files, the label of a file is inherited from the label of its parent directed, some processes may have permission to relabel them. SELinux Transition State • Rather than SUID programs, a label transition is only allowed at execution; the transition only gives limited privileges; also, not all programs can run a transitioning prtogram. • Instead of gatekeepers, SELinux relies onprogrammers to keep program safe. SELinux Administration • • Different kinds of policies: – Monolithic – Modular Policy development: – Strict policy – Targeted (like AppArmor) – Reference Policy SELinux Trusted Programs SELinux Security Evaluation