Multilevel Security CySecLab Graduate School of Information Security Multi-level Security (MLS) • The capability of a computer system to carry information with different sensitivities (i.e. classified information at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. • Typically use Mandatory Access Control • Primary Security Goal: Confidentiality Security Goal of MLS • There are security classifications or security levels • Users/principals/subjects have security clearances • Objects have security classifications • Example of security levels • • • • Top Secret Secret Confidential Unclassified • In this case Top Secret > Secret > Confidential > Unclassified • Security goal (confidentiality): ensures that information do not flow to those not cleared for that level Access Control Models • Access Control Models: • Three Main Types • Discretionary • Mandatory • Non-Discretionary (Role Based) Access Control Models • Discretionary Access Control (DAC) • A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. • Access control is at the discretion of the owner. Access Control Models • Mandatory Access Control (MAC) • Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications. • This model is used in environments where information classification and confidentiality is very important (e.g., the military). Access Control Models • Non-Discretionary (Role Based) Access Control Models • Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. • Is the best system for an organization that has high turnover. Access Control Models • MAC: Mandatory Access Control • Cannot be worked around • I(OS) own it, not you. • Ex: Directory “Secret” is owned by “Agent”. “Agent” does not have authority to grant access to others. Only the “Owner” does. • DAC: Discretionary Access Control • It’s yours, do what you will. • Same example: “Agent” can grant access to whomever she cares. • RBAC: Role Based Access Control • Depending on what your role is, maybe. • If “Agent” has the correct Role, she can, otherwise she can’t. Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security • Introduce in 1973 • Air Force was concerned with security in timesharing systems • Many OS bugs • Accidental misuse • Main Objective: • Enable one to formally show that a computer system can securely process classified information Approach of BLP • Use state-transition systems to describe computer systems • Define a system as secure iff. every reachable state satisfies 3 properties • simple-security property, *-property, discretionarysecurity property • Prove a Basic Security Theorem (BST) • so that give the description of a system, one can prove that the system is secure The BLP Security Model • A computer system is modeled as a state-transition system • There is a set of subjects; some are designated as trusted. • Each state has objects, an access matrix, and the current access information. • There are state transition rules describing how a system can go from one state to another • Each subject s has a maximal sec level Lm(s), and a current sec level Lc(s) • Each object has a classification level Elements of the BLP Model Security levels, e.g.: {TS, S, C, U} Lm: Max Sec. Level Lc: Current Sec. Level Objects Subjects Trusted Subjects L: Class. Level Current Accesses Access Matrix The BLP Security Policy • A state is secure if it satisfies • Simple Security Condition (no read up): • S can read O iff Lm(S) ≥ L(O) • The Star Property (no write down): for any S that is not trusted • S can read O iff Lc(S) ≥ L(O) • S can write O iff Lc(S) ≤ L(O) (no read up) (no write down) • Discretionary-security property • every access is allowed by the access matrix • A system is secure if and only if every reachable state is secure. Implication of the BLP Policy Objects Highest Can Write Subject Max Level Can Read & Write Lowest Can Read Current Level STAR-PROPERTY • Applies to subjects (principals) not to users • Users are trusted (must be trusted) not to disclose secret information outside of the computer system • Subjects are not trusted because they may have Trojan Horses embedded in the code they execute • Star-property prevents overt leakage of information and does not address the covert channel problem Limitations with BLP • Deal only with confidentiality, does not deal with integrity at all • Confidentiality is often not as important as integrity in most situations • Addressed by integrity models (such as Biba, Clark-Wilson, which we will cover later) • Does not deal with information flow through covert channels The Biba Model • This model only deals with integrity alone and ignores confidentiality • Integrity is a constraint on who can write or alter it -> No Read Down & No Write Up • In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest, but may not read a pamphlet written by a lowly commoner Historical Examples of MLS Systems • SCOMP: Handling messaging at multiple levels of classification with minimal kernel and four rings of protection. (Military mail guards- allow mail to pass from Low to High but not vice versa) • Comparted Mode Workstations (CMWs): An example of MLS clients. They allow data at different levels to be viewed and modified at the same time, and ensure that labels attached to the information are updated appropriately. Historical Examples of MLS Systems • The NRL Pump: A one-way data transfer device to allow secure one-way information flow. • Low to High is easy, but ack must be sent back from High to Low. • Pump limits the bandwidth of possible backward leakage Future MLS Systems • Vista: Vista essentially uses the Biba model. All processes do, and all securable objects (directories, files and registry keys) may, have an integrity label. • SELinux: based on the Flask security architecture, which separates the policy from the enforcement mechanism. It has security server where policy decisions are made. • AppArmor: Suse take a different path to the same goal with SELinux. It keeps a list of all the paths each protected application uses and prevents it accessing any new ones. Future MLS Systems • Virtualization: Computes that have the look and feel of ordinary windows boxes while simultaneously giving the security folks what they want, namely high-assurance separation between material at different levels of classification. • Embedded Systems: There are more and more fielded systems which implement some variant of Biba model. For example, medical-device and electricity utility can be observed, but not influenced. Type Enforcement Model • Type enforcement first proposed by W. E. Boebert and R. Y. Kain. • A Practical Alternative to Hierarchical Integrity Policies. In In Proceedings of the 8 National Computer Security Conference, 1985. • Aim at ensuring integrity • Key Idea for Type Enforcement: • Use the binary being executed to determine access. • What do DAC and MAC use? Type Enforcement Model • Integrity level should be associated with programs (rather than processes) • Trust in programs is required for integrity • Examples of assured pipelines: • Labeling: All printouts of documents must have security labels corrected printed by a labeller. • Encrypting: Before sending certain data to an output channel, it must be encrypted by an encryption module • Data must pass certain transforming system before going to certain outputs Type Enforcement Model • Each object is labeled by a type • Object semantics • Example: • /etc/shadow • /etc/rc.d/init.d/httpd etc_t httpd_script_exec_t • Objects are grouped by object security classes • Such as files, sockets, IPC channels, capabilities • The security class determines what operations can be performed on the object • Each subject (process) is associated with a domain • E.g., httpd_t, sshd_t, sendmail_t Case Study – SELinux Intro • Originally started by the Information Assurance Research Group of the NSA, working with Secure Computing Corporation. • Based on a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system Case Study – SELinux Intro • Theoretically, can be configured to provide high security. • In practice, mostly used to confine daemons like web servers • They have more clearly defined data access and activity rights. • They are often targets of attacks • A confined daemon that becomes compromised is thus limited in the harm it can do. • Ordinary user processes often run in the unconfined domain • not restricted by SELinux, but still restricted by the classic Linux access rights. Case Study – SELinux Terminology • Subject: A domain or process. • Object: A resource (file, directory, socket, etc.). • Types: A security attribute for files and other objects. • Roles: A way to define what “types” a user can use. • Identities: Like a username, but specific to SELinux. • Contexts: Using a type, role and identity is a “Context.” Context is -> Identities : role : type Case Study – SELinux vs Standard Linux Case Study – SELinux Allow Rule • Source type(s) Usually the domain type of a process attempting access • Target type(s) The type of an object being accessed by the process • Object class(es) The class of object that the specified access is permitted • Permission(s) The kind of access that the source type is allowed to the target type for the indicated object classes Case Study – SELinux Allow Rule ex1 • Rule Example allow user_t bin_t : file {read execute getattr}; ->A process with a domain type of user_t can read, execute, or get attributes for a file object with a type of bin_t Case Study – SELinux Allow Rule ex2 • Rule Example: passwd program in linux Composability Problem • The problem of how to compose two or more secure components into a secure system is hard. • Most of the low-level problems arise when some sort of feedback is introduced into the system. In real life, feedback is pervasive. • Composition of secure components or systems is very often frustrated by higher-level incompatibilities. The Cascade Problem • Connecting together two B3 systems in such a way that security policy is broken Covert Channel • Covert channels of information flow • communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system • Storage Channel: allow the direct or indirect writing of a shared storage location by one process and the direct or indirect reading of it by another • Timing Channel: allow one process to signal information to another process by modulating its own use of system resources in such a way that the change in response time observed by the second process would provide information Examples of Covert Channels • • • • • Using file lock as a shared boolean variable By varying its ratio of computing to input/output or its paging rate, the service can transmit information to a concurrently running process Timing of packets being sent Covert channels are often noisy However, information theory and coding theory can be used to encode and decode information through noisy channels Polyinstantiation • Suppose that our High user has created a file named agents, and our Low user now tries to do the same. If the MLS operating system prohibits him, it will have leaked information Practical Problems • MLS systems are built in small volumes, and often to high standards of physical robustness, using elaborate documentation, testing and other quality control measures • A trained Unix administrator can’t just take on an MLS installation without significant further training • Many applications need to be rewritten or at least greatly modified to run under MLS operating systems • Blind write-up: when a low level application sends data to a higher level one, BLP prevents any acknowledgment being sent • There are always system components — such as memory management — that must be able to read and write at all levels • they also prevent desired things from happening too (such as efficient ways of enabling data to be downgraded from High to Low, which are essential if many systems are to be useful)