Protection of Components based on a Smart Card Enhanced Security Module

Size: px

Start display at page:

Download "Protection of Components based on a Smart Card Enhanced Security Module"

Roland Watson
8 years ago
Views:

1 Protection of Components based on a Smart Card Enhanced Security Module J. García-Alfaro 1,2, S. Castillo 1, J. Castellà-Roca, 3 G. Navarro 1, and J. Borrell 1 1 Autonomous University of Barcelona, Department of Information and Communications Engineering, Bellaterra - Spain 2 Ecole Nationale Supérieure des Télécommunications de Bretagne, Multimedia Networks and Services Department, Cesson Sévigné - France 3 Rovira i Virgili University Department of Computer Engineering and Maths, Tarragona - Spain García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

2 Introduction: Starting Point Protection of Network Security Components: - J. García, S. Castillo, G. Navarro, and J. Borrell Mechanisms for Attack Protection on a Prevention Framework 39th Annual IEEE International Carnahan Conference on Security Technology Protection based on an AC integrated in the operating system s kernel Implemented as a Linux Security Module through the LSM framework Open architecture for the inclusion of security enhancements at operating system s kernel level García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

3 Introduction: Protection strategy García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

4 Introduction: Protection strategy García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

5 Intra-kernel Access Control Coexistence of the protection AC (more restrictive) with the native operating system AC (less restrictive) The protected system calls are intercepted and, according to a set of security rules, will be accepted or denied: [ P ID ] [ UID] [Device] [inode] [Syscall] [P arameters] {accept, deny} García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

6 Example: protection of processes KERNEL Space KERNEL AC PROTECTION AC kill_process(1000) PROCESS PROCESS SENSOR 1000 USER Space Administrator - Configuration Files - Binary File -... García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

7 Example: protection of processes KERNEL Space PID = 1234 UID= admin Syscall = kill_process Parameter = KERNEL AC PROTECTION AC kill_process(1000) PROCESS PROCESS SENSOR USER Space Administrator - Configuration Files - Binary File -... García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

8 Example: protection of processes KERNEL Space KERNEL AC PROTECTION AC kill_process(1000) PROCESS PROCESS SENSOR USER Space Administrator - Configuration Files - Binary File -... García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

9 Native operating system s AC García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

10 Intra-kernel Access Control García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

11 Constraints of our approach It introduces some administration constraints Officers are not longer allowed to throw system calls which may suppose a threat to the protected component To solve these constraints, we propose the use of a two-factor authentication mechanism Based on a cryptographic protocol and a smart card token Holds to the officer the indispensable privileges to carry out management activities after ensuring the administrator s identity García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

12 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

13 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

14 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

15 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

16 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

17 Authentication Mechanism SMARTCOP NODE 1234 SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

18 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

19 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

20 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

21 Authentication Mechanism SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

22 Public key protocol SMARTCOP SERVER SMARTCOP NODE SMARTCOP NODE SMARTCOP CARD García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

23 Authentication Mechanism: security considerations The console s executable is compiled in a static manner The LSM module, moreover, protects: the AC itself the binary file of the console the normal execution flow of the console s process the communication channel between the LSM module, the smart-card, and the console process García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

24 Related Works - SELINUX: P. Loscocco and S. Smalley. Integrating Flexible Support for Security Policies into the Linux Operating System. 11th FREENIX Track: 2001 USENIX Annual Technical Conference, USA, RSBAC: A. Ott. The Role Compatibility Security Model. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), Karlstad University, Sweden, Reinforce traditional operating system security features Control of the outcoming system calls García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

25 Benefits of our intra-kernel AC approach Unified methodology Integrated in the system as a LSM module, without having to modifile and recompile the kernel Two-factor authentication mechanism Solves the administration and configuration constraints of such an enhanced reinforcement García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

26 Deployment and Evaluation (1) Written in C as a set of modules through the LSM (Linux Security Modules) framework Smart card authentication: LSM and smart card communication and cryptographic operations based on etoken PRO (Aladdin) cards Deployed over the components of our platform, implemented for GNU/Linux 2.6 systems García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

27 Deployment and Evaluation (2) Access control subsytem Authentication subsytem Application Admin. console Enhanced Access Control (LSM) USB etoken driver Auth. core RSA sign. verif. module Security componet OS Access Control Syscall Interface García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

28 Evaluation: processes tests stop process resume process finish process fork process fork + execve fork + /bin/sh Overhead (%) Number of rules García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

29 Evaluation: filesystem and communications chmod i-node rename i-node unlink i-node mmap read 10K file create 10K file delete Overhead (%) Number of rules García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

30 Conclusions and Future Work Conclusions: Protection of critical processes and resources based on an AC integrated into the operating system s kernel Smart card based authentication protocol for management and configuration activities Good degree of transparency and reasonable performance penalty Future Work: Improving the customizing of policies Possibility of reload of policies at runtime Improving the matching algorithm of security rules García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

31 Conclusions and Future Work Conclusions: Protection of critical processes and resources based on an AC integrated into the operating system s kernel Smart card based authentication protocol for management and configuration activities Good degree of transparency and reasonable performance penalty Future Work: Improving the customizing of policies Possibility of reload of policies at runtime Improving the matching algorithm of security rules García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

32 Thank you for your attention! Questions? García, Castillo, Castella, Navarro, Borrell () Protection of Components CRITIS / 22

ACAPS An Access Control Mechanism to Protect the Components of an Attack Prevention System

ACAPS An Access Control Mechanism to Protect the Components of an Attack Prevention System Joaquín García, Sergio Castillo, Guillermo Navarro, Joan Borrell {jgarcia,scastillo,gnavarro,jborrell}@deic.uab.es