Mandatory Access Control Systems

Transcription

1 CSE497b Introduction to Computer and Network Security - Spring Professor Jaeger Mandatory Access Control Systems CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger

2 Mandatory Access Control System-Defined Policy Fixed Set of Subject and Object Labels Fixed Permission Assignments Fixed Label Assignments: (e.g., file to object label) O 1 O 2 O 3 J R R W R W S 2 N R R W S 3 N R R W 2

3 MAC and Systems What is necessary to be a system that enforces MAC policies? Specify: MAC Policy Model Enforce: Reference Monitor Transitions: Changes of privilege must be controlled Plus, others Management: Policy development tools Services: MAC-aware services Applications: Work with MAC limitations What do these systems look like? We ll examine Multics and SELinux 3

4 Multics 4 Multiplexed Information and Computing Service Project started as a timesharing system in Used until 2000 Research project that led to a commercial product Invented a number of important OS features Segmented and Virtual Memory Shared Memory Multiprocessor Online Reconfiguration Hierarchical File Systems

5 Multics Security Features Also, a number of security features were pioneered First Multilevel Secure (MLS) system Isolation based on segments and rings Ring crossing mechanisms to protect integrity Guard-like functions for integrity protection (Gatekeepers) One-way encrypted passwords Covert channel defenses And software assurance techniques... But, function over security Multics Security Evaluation,

6 Protection Rings 6 Successively less-privileged domains Example: Multics (64 rings in theory, 8 in practice)

7 What do rings mean? What s in a ring? Processes, with the code that they can access Data they can access directly Execute in ring i Process runs with rights of ring i Data in rings >= i can be accessed Any procedure may be accessible Ring-crossings (generalized) If process calls procedure in a different ring Traps to kernel to authorize transition If authorized, process runs the new procedure in the new ring 7

8 Multics Ring Interpretation Kernel resides in ring 0 Process runs in a ring r Access based on current ring Process accesses data segments Each data segment has an access bracket: (a1, a2) a1 <= a2 Describes read and write access r is the current ring r <= a1: access permitted a1 < r <= a2: r permitted; w denied a2 < r: all access denied 8

9 Multics Ring Interpretation (con t) Also different procedure segments with call brackets: (c1, c2) c1 <= c2 and access brackets (a1, a2) Rights to execute code in a new procedure segment (1) r < a1: access permitted with ring-crossing fault (2) a1 <= r <= a2 = c1: access permitted and no fault (3) a2 < r <= c2: access permitted through a valid gate (4) c2 < r: access denied What s it mean? case 1: ring-crossing fault changes procedure s ring increases from r to a1 case 2: keep same ring number case 3: gate checks args, decreases ring number (to a2) 9

10 Examples Process in ring 3 accesses data segment access bracket: (2, 4) What operations can be performed? Process in ring 5 accesses same data segment What operations can be performed? Process in ring 5 accesses procedure segment access bracket (2,4) call bracket (4, 6) Can call be made? Can new procedure segment access the data segment above? 10

11 Multics Community 11 Multicians

12 Secure Operating Systems Provably Secure OS (PSOS) GEMSOS KeyKOS and EROS (capability systems) IX (Secure UNIX variant) Trusted Solaris Trusted IRIX (SGI) Trusted Mach Distributed Trusted Mach XTS-400 and STOP (BAE Systems) Flask (Microkernel based system) 12

13 MAC in Linux In 2000, Linus authorized the development of a reference monitor for Linux So, he didn t have to choose a single security approach Linux Security Modules framework was born LSM defines an interface for reference monitoring modules Anybody could build an LSM! Introduced in Linux 2.6 Version built for BSD Underway for MAC OS X 13

14 Linux Security Modules Approach 14 Linux Security Modules framework What security function and how does implementation satisfy it? Entry Points Access Hook System Interface Authorize Request? Access Hook Security-sensitive Operation Access Hook Monitor Policy Security-sensitive Operation Security-sensitive Operation Yes/No

15 SELinux 15 LSM + much more SELinux Bootstrap SELinux-aware Services System Processes (1) Load Policy (2) Authenticate SELinuxfs (3) Syscalls Linux Kernel SELinux LSM

16 SELinux uses Type Enforcement MAC Policy Subjects and Objects Labeled Access Matrix Policy Processes with subject label Can access object of object label If operations in matrix cell allow Focus: Least Privilege Integrity bias O 1 O 2 O 3 S 1 Y Y N S 2 N Y N S 3 N Y Y 16

17 SELinux Execute Transitions 17 Run the privileged passwd program Simplified view -- takes 4 policy rules to do this User Proc user_t Fork User Proc user_t Exec passwd_t Root Proc passwd_t

18 MAC Systems Policy Define a fixed access policy (mandatory access control) Multics MLS and ring policies; SELinux TE Enforcement Use a reference monitor (remember the guarantees required) Multics kernel; Linux LSM (SELinux) Transitions Enable controlled transition between privilege levels Complexity most due to limiting transitions Multics ring transitions; SELinux execute transitions Challenge Getting programs to run with limited information flows 18

19 Assurance We want to know Security model we are enforcing (Security Function) That it enforces this model correctly (Assurance) Suppose We have a system that enforces Bell-LaPadula What should a system do that enforces BLP? How do we know that the implementation is correct? Assurance aims to answer these questions 19

20 Rainbow Series Trusted Computer Systems Evaluation Criteria From A variety of documents to help build secure systems Password Management Audit Configuration Management Orange Book (1985) Defined 6 classes of security systems Function that the class provides Requirements for verifying that implementation met the class Requirements fall into a number of categories Access control mechanism/policy Authentication Audit 20

21 Orange Book Classes C1 and C2 Discretionary protection Authentication, audit for discretionary access Testing and documentation C2 is the most common class for commercial products B1, B2, and B3 Labeled security protection: Multi-level security (Bell-LaPadula) More testing and more documentation B1: MLS on some objects; B2: MLS on all B2 also introduces covert channel protections and config mgmt B3 more software engineering documentation A1: Verified protection Requires correspondence between code and formal model 21

22 Common Criteria Started 1993 by US, Canada, and European Countries Attempt to identify a set of common criteria to evaluate information security V , V , ISO Standard A set of evaluation techniques used to vet technologies and tell which ones were good and bad (more or less). This allows consumers of goods and services to know if the security advertised is as good as is claimed Based on some specified evaluation criteria 22

23 Common Criteria Separate Protection Profile Assurance Level Protection Profile Security Target This is really just the set of requirements for the class of products of this type (e.g., firewalls) This is the definition of what and how the TOE (target of evaluation) meets a set of security requirements EAL1 EAL7 23

24 EAL Levels EAL1: Functionally Tested Breathing EAL2: Structurally Tested High-level design EAL3: Methodically Tested and Checked High-level design motivates testing EAL4: Methodically Designed, Tested, and Reviewed Low-level design and vulnerability analysis EAL5: Semi-formally Designed and Tested Rigorous development using (semi-)formal models EAL6: Semi-formally Verified Design and Tested Low-level design EAL7: Formally Verified Design and Tested 24

25 Common Criteria and Linux Linux is assured to: EAL4 for Controlled Access Protection Profile Discretionary access control with a low-level system design With LSM and SELinux (MLS) EAL4 for Labeled Security Protection Profile Done September 6, 2006 Challenges Upstream all code Assure a mainline Linux kernel Enable applications E.g., Polymorphic file system Package into distribution That RedHat can deliver 25

26 Take Away Assurance of security enforcement requires Security Function So we know what is being enforced Justification for Function So we know that it is being enforced Assurance really aims for MAC policies Fixed policies So we know what accesses are enforced Reference monitor So we know the enforcement is comprehensive Transitions So we can limit access after a privilege change 26