Leveraging IPsec for Mandatory Access Control of Linux Network Communications
Posted 09-May-2018
Transcript
Slide 1 (footer on every slide: Department of Computer Science & Engineering)
Leveraging IPsec for Mandatory Access Control of Linux Network Communications
Trent Jaeger
Department of Computer Science and Engineering
Pennsylvania State University
December 6, 2005
Slide 2
Mandatory Access Control
[Diagram: applications (Appl) run above the OS Kernel; the kernel's Access Control Module consults the MAC Policy on every access]
Slide 3
Mandatory Access Control
[Diagram: the slide 2 picture with a concrete object, File X, that the applications access through the Access Control Module and MAC Policy]
Slide 4
Network MAC
[Diagram: two Systems, each with applications above an OS Kernel whose Access Control Module enforces a MAC Policy; an X marks a blocked communication between applications on the two systems]
Slide 5
Client-Server MAC
[Diagram: two Systems as on slide 4; a client application on one system talks to a Server application on the other, which hands the work to a Worker application]
Slide 6
Location-independent MAC
[Diagram: a Master application on the Base System creates a New application on the Remote System; both systems enforce a MAC Policy through their kernel's Access Control Module]
Slide 7
Assumptions
- Mutual Trust in Labeling and Enforcement
  - Within an administrative domain
  - Cross-domain trust is more challenging
    - Must authenticate, verify enforcement abilities, etc.
- Compatible Policies
  - Labels need to have consistent meaning
  - Negotiation of labels is possible
- Integrity-Preserving Communication
  - Strong crypto
- Here, we discuss the basic mechanism
Slide 8
Alternatives
- SSL/TLS
  - Secure communication between applications
  - PKI identification (know the user); no labels (don't know the access)
  - Difficult to integrate into a kernel-enforced MAC framework
- IPsec
  - Secure communication between hosts/ports
  - Coarse granularity of identification, typically hosts
  - Need labels at application granularity
- IP Security Options
  - IP header labels
  - Parse IP headers on each packet -- performance/complexity death
- OpenBSD KeyNote
  - Authorization statements with keys
  - Integrated with IPsec -- but discretionary in nature
Slide 9
Labeled IPsec
- Leverage IPsec Advantages
  - Secure communication
  - Easy to integrate with kernel MAC
- Add MAC Labeling to IPsec
  - Control application access to IPsec "channels"
  - Can only send/receive with MAC permission
- Results
  - Application-to-application control is possible
  - BLP controls between applications on different machines
  - Applications can use labeling information
    - Label child processes
- Part of the Linux 2.6.15-rc3-mm1 kernel patch
  - Will be in the 2.6.16 kernel
Slide 10
Current MAC Network Controls
[Diagram of the existing SELinux hooks on the send and receive paths (User -> SELinux Kernel -> Network):
  Output: Appl -> socket (sk): authorize application access to socket -> sendmsg: authorize socket access to IP address -> Netfilter: authorize socket access to interface -> Network
  Input: Network -> rcv_skb: authorize socket access to interface, authorize socket access to IP address -> recvmsg: authorize application access to socket -> Appl]
Slide 11
IPsec
- Privacy and authentication services at the IP layer
  - IPv4 and IPv6
  - Protocols: ESP and AH
  - Paths: host-host, gateway-gateway, host-gateway
  - Transport or tunnel: single or multiple layers of security protocols
- Security Policy
  - Defines the security protocols and mode for a source-destination (port) pair
  - Input to negotiation
- Security Associations
  - Simplex representation of an IPsec connection
  - Per protocol (AH or ESP)
  - One mode (transport or tunnel)
Slide 12
IPsec and MAC Processing
[Diagram: the slide 10 paths with the IPsec (XFRM) steps inserted among the SELinux checks.
  Output path shows: Socket Check, IPsec Policy lookup, Find SAs, SA Negotiation, Apply SAs, IP Addr Check, Intf Check (Netfilter, NF), sendmsg -> Network
  Input path shows: rcv_skb, Match SPI, Find SAs, Apply SAs, IP Addr Check, Intf Check, IPsec Policy, recvmsg, Socket Check -> Appl]
Slide 13
IPsec Tools
[Diagram: the slide 12 figure with the user-space tools added on each host: setkey loads the SPD and SAD, and racoon performs the SA negotiation (IPsec Exec) when no SA exists for a flow]
Slide 14
Setkey Policy Changes
- Setkey SPD entries (the -ctx doi alg "context" field carries the security context):

    spdadd 9.2.9.15 9.2.9.17 any -ctx 1 1 "system_u:object_r:zzyzx_t"
        -P in ipsec esp/transport//require ;
    spdadd 9.2.9.17 9.2.9.15 any -ctx 1 1 "system_u:object_r:zzyzx_t"
        -P out ipsec esp/transport//require ;

- Setkey SAD entries (optional, as racoon can negotiate them):

    add 9.2.9.15 9.2.9.17 esp 0x123456 -ctx 1 1 "system_u:object_r:zzyzx_t"
        -E des-cbc 0x0000000000000000;
    add 9.2.9.17 9.2.9.15 esp 0x123457 -ctx 1 1 "system_u:object_r:zzyzx_t"
        -E des-cbc 0x0000000000000000;
Slide 15
New LSM Hooks
[Diagram: the slide 13 figure (setkey, racoon, SPD, SAD, and the output and input processing paths) with the points where the new LSM hooks are inserted marked; the hooks are named on the next slide]
Slide 16
New LSM Hooks and SELinux Implementations
- xfrm_policy_alloc
  - Done when a policy is added to the SPD (under xfrm_selector)
  - Authorize the subject that is updating the SPD
  - Allocate the security data structure in the new xfrm_policy: xfrm_sec_ctx
    - Domain of interpretation
    - Algorithm
    - Context length (string length)
    - Security ID
    - Context string
- xfrm_policy_lookup
  - Authorize the socket's use of a policy with a security context
  - Only retrieve/build SAs with the security context of the policy
- xfrm_state_alloc
  - Done when an SA is added to the SAD
  - Authorize the subject that is updating the SPD
  - Allocate the security data structure in the new xfrm_state
Slide 17
Overall MAC Control
- (1) When the packet is a labeled IPsec packet
  - Authorization of the policy enforces access
  - Output: SAs must match the policy selected
  - Input: SAs must have the SPI for the corresponding policy
- (2) When the packet is IPsec with no label
  - Must have access to unlabeled associations
- (3) When the packet is not IPsec
  - Must have access to unlabeled associations
- Extend the existing input (rcv_skb) and output (Netfilter) hooks
  - Output: if no labeled SA, then authorize for 'unlabeled'
  - Input: if no labeled SA, then authorize for 'unlabeled'
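The three cases on this slide, as an added user-space model (this is not the kernel patch from the talk). The structs, the toy AVC table, the label names green_t, red_t and black_t, and the flows in main() are all constructed for illustration; a real context string would be a full SELinux context such as system_u:object_r:zzyzx_t.

```c
/* Added example, not the kernel patch from the talk: a userspace model of the
 * three-case decision on slide 17. Structs, the toy AVC table, the label names
 * and the flows in main() are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Security context as carried on an SPD policy or an SAD entry (cf. xfrm_sec_ctx). */
struct sec_ctx {
    unsigned doi;      /* domain of interpretation */
    unsigned alg;      /* labeling algorithm */
    const char *str;   /* context string; NULL means the entry is unlabeled */
};

struct policy { unsigned id; struct sec_ctx ctx; };                  /* SPD entry */
struct sa { unsigned spi; unsigned policy_id; struct sec_ctx ctx; }; /* SAD entry: SPI + policy it was built for */

enum dir { DIR_OUT, DIR_IN };

/* Toy AVC: socket label -> association label it may use. "unlabeled" is the
 * pseudo-label for traffic that has no labeled SA (plain IPsec or no IPsec). */
static const struct { const char *sock, *assoc; } AVC[] = {
    { "green_t", "green_t" },
    { "red_t",   "red_t" },
    { "black_t", "green_t" },     /* server-side worker may use the green channel */
    { "black_t", "red_t" },
    { "black_t", "unlabeled" },   /* only black may talk without a labeled SA */
};

static bool avc_has_perm(const char *sock, const char *assoc)
{
    for (size_t i = 0; i < sizeof AVC / sizeof AVC[0]; i++)
        if (!strcmp(AVC[i].sock, sock) && !strcmp(AVC[i].assoc, assoc))
            return true;
    return false;
}

static bool ctx_equal(const struct sec_ctx *a, const struct sec_ctx *b)
{
    return a->doi == b->doi && a->alg == b->alg &&
           a->str && b->str && !strcmp(a->str, b->str);
}

/* The per-packet decision. pol is the policy selected for the flow (NULL if none);
 * sa is the SA the packet was (or will be) protected with (NULL if not IPsec). */
static bool authorize_packet(enum dir d, const char *sock_label,
                             const struct policy *pol, const struct sa *sa)
{
    if (sa && sa->ctx.str) {
        /* (1) labeled IPsec: the policy lookup must have authorized the socket ... */
        if (!pol || !pol->ctx.str || !avc_has_perm(sock_label, pol->ctx.str))
            return false;
        /* ... and the SA must match the policy's context; on input the SPI must
         * additionally belong to the corresponding policy. */
        if (!ctx_equal(&sa->ctx, &pol->ctx))
            return false;
        return d == DIR_OUT || sa->policy_id == pol->id;
    }
    /* (2) IPsec without a label and (3) no IPsec at all: same rule, the socket
     * needs access to the 'unlabeled' association. */
    return avc_has_perm(sock_label, "unlabeled");
}

int main(void)
{
    const struct policy green = { .id = 1, .ctx = { 1, 1, "green_t" } };
    const struct sa green_sa = { .spi = 0x123456, .policy_id = 1, .ctx = { 1, 1, "green_t" } };
    const struct sa plain_sa = { .spi = 0x777, .policy_id = 0, .ctx = { 0, 0, NULL } };

    printf("green app sending on green SA:        %d\n", authorize_packet(DIR_OUT, "green_t", &green, &green_sa));
    printf("red app trying the green policy:      %d\n", authorize_packet(DIR_OUT, "red_t", &green, &green_sa));
    printf("black worker receiving on green SA:   %d\n", authorize_packet(DIR_IN, "black_t", &green, &green_sa));
    printf("green app without IPsec:              %d\n", authorize_packet(DIR_OUT, "green_t", NULL, NULL));
    printf("black app on unlabeled IPsec SA:      %d\n", authorize_packet(DIR_IN, "black_t", NULL, &plain_sa));
    return 0;
}
```

The slide 18 and 19 scenarios fall out of the same function: red is denied on the green policy because the AVC has no red_t to green_t rule, and the black worker is allowed on the green SA because the table grants it.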
Slide 18
IPsec-MAC Usage
[Diagram: the two Systems of slide 4, applications colored by label; an X marks the red application's blocked send to the green one]
(1) A green application can only use the green IPsec policy
(2) The resultant negotiated SA is labeled green
(3) Red cannot send to green because red is limited to the red policy
Slide 19
Client-Server Usage
[Diagram: the client-server systems of slide 5; the Server hands the connection to a Worker application]
(1) Black must be able to access the green policy (among others)
(2) Black can extract the label of the SA for the socket
(3) Prototyped using getsockopt(…, SO_PEERSEC)
Slide 20
Location-independent Usage
[Diagram: the Master application on the Base System creates a New application on the Remote System, as on slide 6]
(1) Master downloads code to the remote system
(2) Remote enforces that the new green application accesses the green SA only
(3) Enforcement -- Xen prototype
Slide 21
Secure Distributed Platforms
- Joint work with IBM Research -- IBM Tech Report RC23778
  - Location-independent computing
    - Distributed computation -- e.g., SETI@HOME
    - Mobile identity -- e.g., ATM
    - Geographically-distributed services -- e.g., search engine
- Solution: Distributed Reference Monitor
  - Tamperproof: attestation; virtual machine; secure communication; integrity protection
  - Mediation: MAC enforced by the VM system; MAC policy distribution
  - Simplicity: "smaller code base"; simpler policy
Slide 22
Issues
- Caching
  - Mapping of flows to IPsec policy (authorized)
    - May be multiple authorized policies per flow -- finer-grained
  - Another hook
    - Get the socket sid from the module to check the cache
- Label Extraction
  - More general solution needed for UDP
    - setsockopt(…, SO_PASSSEC) -- tell the kernel to provide the label in a control message
- Supports transport
  - Tunnel -- keep the interface updated throughout forwarding
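Label extraction from user space, as an added example covering both the SO_PEERSEC query prototyped on slide 19 and the SO_PASSSEC control-message path this slide proposes for UDP. This is not code from the talk or from the kernel patch: the sample label, the control message built by build_sample_msg() and the socketpair in main() are constructed so the parsing can be exercised without a labeled-IPsec peer; the fallback option values are the kernel's own (asm-generic/socket.h, linux/socket.h) for libcs that do not export them.

```c
/* Added example, not code from the talk: reading the SA label of a connection
 * from user space via SO_PEERSEC (connected socket) or SO_PASSSEC + SCM_SECURITY
 * (per-datagram control message). Sample message and label are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Kernel option values in case the libc headers lack them. */
#ifndef SO_PEERSEC
#define SO_PEERSEC 31
#endif
#ifndef SO_PASSSEC
#define SO_PASSSEC 34
#endif
#ifndef SCM_SECURITY
#define SCM_SECURITY 0x03
#endif

/* Connected socket: copy the peer's security context into buf.
 * Returns its length, or -1 with errno set (ENOPROTOOPT when no LSM provides it). */
static int peer_label(int fd, char *buf, size_t buflen)
{
    socklen_t len = (socklen_t)buflen - 1;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        return -1;
    buf[len] = '\0';            /* the kernel may or may not include the NUL */
    return (int)strlen(buf);
}

/* Datagram socket: ask for a label on every received packet. */
static int enable_passsec(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof one);
}

/* Walk the control messages filled in by recvmsg() and copy out the SCM_SECURITY
 * label. Returns the label length, 0 if no label was attached, -1 if out is too small. */
static int extract_scm_security(struct msghdr *msg, char *out, size_t outlen)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_SECURITY)
            continue;
        const char *data = (const char *)CMSG_DATA(c);
        size_t n = c->cmsg_len - CMSG_LEN(0);
        while (n > 0 && data[n - 1] == '\0')   /* payload usually carries the NUL */
            n--;
        if (n + 1 > outlen)
            return -1;
        memcpy(out, data, n);
        out[n] = '\0';
        return (int)n;
    }
    return 0;
}

/* Constructed input: the msghdr recvmsg() would return for a datagram carrying
 * `label`. ctrl must be able to hold CMSG_SPACE(strlen(label) + 1). */
static int build_sample_msg(struct msghdr *msg, char *ctrl, size_t ctrllen, const char *label)
{
    size_t n = strlen(label) + 1;
    if (CMSG_SPACE(n) > ctrllen)
        return -1;
    memset(msg, 0, sizeof *msg);
    memset(ctrl, 0, ctrllen);
    msg->msg_control = ctrl;
    msg->msg_controllen = CMSG_SPACE(n);
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_SECURITY;
    c->cmsg_len = CMSG_LEN(n);
    memcpy(CMSG_DATA(c), label, n);
    return 0;
}

int main(void)
{
    char label[256], ctrl[128];
    struct msghdr msg;
    int sv[2];

    /* Constructed control message: what a labeled datagram looks like to the server. */
    if (build_sample_msg(&msg, ctrl, sizeof ctrl, "system_u:object_r:zzyzx_t") == 0 &&
        extract_scm_security(&msg, label, sizeof label) > 0)
        printf("SCM_SECURITY label: %s\n", label);

    /* Live query: only succeeds on a host whose LSM labels sockets. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        if (peer_label(sv[0], label, sizeof label) >= 0)
            printf("SO_PEERSEC label: %s\n", label);
        else
            printf("SO_PEERSEC unavailable: %s\n", strerror(errno));
        enable_passsec(sv[1]);
        close(sv[0]);
        close(sv[1]);
    }
    return 0;
}
```

The parser trims the trailing NUL and refuses to overrun the caller's buffer, since the context string length is chosen by the peer's policy, not by the receiving program.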
Slide 23
Summary
- Aim: network MAC based on strong authentication of each packet
- IPsec is the kernel service that supports network control
  - XFRM IPsec implementation in Linux 2.6
- Integrate IPsec with LSM and SELinux
  - Control selection of policy for a socket
  - Propagated throughout SA retrieval/construction
- IPsec-Tools modified to support the policy and SA contexts
  - Manual (setkey) and dynamic (racoon)
- Intrusiveness to the critical path is minimal
  - 2 new LSM hooks on IPsec per-packet processing -- 2 offline
  - 1 more SELinux authorization for the SA in rcv_skb and Netfilter
  - Accepted in the Linux mainline kernel
Slide 24
Questions?
- Contact
  - Trent Jaeger, tjaeger@cse.psu.edu
  - www.cse.psu.edu/~tjaeger
- IPsec system prototype report
  - IBM Tech Report RC23642 -- with Serge Hallyn and Joy Latten
- Linux kernel
  - www.kernel.org
- SELinux
  - www.nsa.gov/selinux
Slide 25
IPsec protocol: IPsec-Tools / Linux XFRM (output)
[Diagram, Linux 2.6: setkey and racoon (IKE) populate the SPD and SAD; on socket/IP transmit the kernel runs Find Policy -> Find Existing SAs -> Negotiate SAs -> Apply SAs]
Output: (sk_)policy_lookup -> find_bundle -> tmpl_resolve -> ip_queue_xmit/dst_output
Slide 26
New LSM Hooks (output)
[Diagram: the slide 25 output path (setkey, racoon, SPD, SAD; Find Policy -> Find Existing SAs -> Negotiate SAs -> Apply SAs) with the new LSM hook points marked; the hooks are named on slide 16]
Output: (sk_)policy_lookup -> find_bundle -> tmpl_resolve -> ip_queue_xmit/dst_output
Slide 27
IPsec protocol: IPsec-Tools / Linux XFRM (input)
[Diagram, Linux 2.6: setkey and racoon (IKE) populate the SPD and SAD; on receive the kernel runs Match To SPI -> Find SA For SKB -> Apply SAs -> Find Policy -> socket/IP receive]
Input: ip_rcv_finish/dst_input -> (sk_)policy_lookup -> policy_ok -> state_ok
Slide 28
New LSM Hooks (input)
[Diagram: the slide 27 input path (setkey, racoon, SPD, SAD; Match To SPI -> Find SA For SKB -> Apply SAs -> Find Policy) with the new LSM hook points marked; the hooks are named on slide 16]
Input: ip_rcv_finish/dst_input -> (sk_)policy_lookup -> policy_ok -> state_ok
Slide 29
Negotiation model
- Initiator is authorized to only one SA per source-destination-port
  - Granularity of selectors
  - Socket options might distinguish further by per-socket policy
    - Not currently supported
- Initiator's racoon receives the request with the policy
  - Authorized to send unlabelled packets only
- Negotiation is a simple context match
  - Types should be the same on both sides to indicate the same semantics
  - Polyinstantiation
- Each side builds an SA with the context
  - Control over sockets that can sendto/recvfrom the SA context
- Same context in each direction for racoon
  - Racoon negotiates and builds SAs for both directions based on the initiator's outbound
  - Verified for encryption algorithms
  - Does not apply to setkey (manual SA creation)
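The xfrm_sec_ctx structure from slide 16 and the context-match negotiation from this slide, as one added user-space model (not the kernel or racoon code from the talk). The field names follow the slide's description of xfrm_sec_ctx; the SID table standing in for the LSM's context-to-SID mapping, the SPI counter, struct sa, the restriction to doi 1 / alg 1 (the values the setkey examples on slide 14 pass to -ctx) and the sample contexts are all constructed for this example.

```c
/* Added example, not the kernel or racoon code from the talk: a userspace model
 * of the xfrm_sec_ctx carried on policies and SAs, and of the context-match
 * negotiation. SID table, SPI counter, struct sa and sample contexts are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_MAX 64
#define SID_TABLE_MAX 16

/* Modeled on the slide's description of xfrm_sec_ctx: doi, alg, length, SID, string. */
struct xfrm_sec_ctx {
    uint8_t  ctx_doi;           /* domain of interpretation (1 in the setkey examples) */
    uint8_t  ctx_alg;           /* labeling algorithm (1 in the setkey examples) */
    uint16_t ctx_len;           /* length of ctx_str, excluding the NUL */
    uint32_t ctx_sid;           /* security ID assigned by the local LSM */
    char     ctx_str[CTX_MAX];  /* e.g. "system_u:object_r:zzyzx_t" */
};

/* Stand-in for the LSM's context-to-SID mapping: intern strings, hand out SIDs.
 * SIDs are local to one host; two hosts may assign different SIDs to one string. */
static char sid_table[SID_TABLE_MAX][CTX_MAX];
static uint32_t sid_count;

static uint32_t context_to_sid(const char *str)
{
    for (uint32_t i = 0; i < sid_count; i++)
        if (!strcmp(sid_table[i], str))
            return i + 1;
    if (sid_count == SID_TABLE_MAX)
        return 0;                       /* 0 = no SID could be assigned */
    strcpy(sid_table[sid_count], str);
    return ++sid_count;
}

/* The security part of xfrm_policy_alloc / xfrm_state_alloc in this model:
 * validate the user-supplied context, fill the structure and assign the SID.
 * Returns false for a context the (modeled) LSM cannot interpret. */
static bool sec_ctx_alloc(struct xfrm_sec_ctx *ctx, uint8_t doi, uint8_t alg, const char *str)
{
    size_t n = strlen(str);
    if (doi != 1 || alg != 1 || n == 0 || n >= CTX_MAX)
        return false;
    ctx->ctx_doi = doi;
    ctx->ctx_alg = alg;
    ctx->ctx_len = (uint16_t)n;
    memcpy(ctx->ctx_str, str, n + 1);
    ctx->ctx_sid = context_to_sid(str);
    return ctx->ctx_sid != 0;
}

/* Negotiation is a simple context match: doi, alg and the string must agree so
 * that the type means the same thing on both sides. SIDs are not compared. */
static bool ctx_match(const struct xfrm_sec_ctx *a, const struct xfrm_sec_ctx *b)
{
    return a->ctx_doi == b->ctx_doi && a->ctx_alg == b->ctx_alg &&
           a->ctx_len == b->ctx_len && !strcmp(a->ctx_str, b->ctx_str);
}

struct sa { uint32_t spi; bool outbound; struct xfrm_sec_ctx ctx; };

static uint32_t next_spi = 0x1000;   /* constructed; racoon chooses real SPIs */

/* Model of the racoon exchange: the initiator proposes the context of its outbound
 * policy; the responder accepts only if its inbound policy carries the same context;
 * SAs for both directions are then built with the initiator's outbound context.
 * Returns false when the contexts differ (the proposal is rejected). */
static bool negotiate(const struct xfrm_sec_ctx *initiator_out,
                      const struct xfrm_sec_ctx *responder_in, struct sa pair[2])
{
    if (!ctx_match(initiator_out, responder_in))
        return false;
    pair[0].spi = next_spi++; pair[0].outbound = true;  pair[0].ctx = *initiator_out;
    pair[1].spi = next_spi++; pair[1].outbound = false; pair[1].ctx = *initiator_out;
    return true;
}

int main(void)
{
    struct xfrm_sec_ctx a, b, c;
    struct sa pair[2];
    sec_ctx_alloc(&a, 1, 1, "system_u:object_r:zzyzx_t");   /* initiator's outbound policy */
    sec_ctx_alloc(&b, 1, 1, "system_u:object_r:zzyzx_t");   /* responder's inbound policy */
    sec_ctx_alloc(&c, 1, 1, "system_u:object_r:other_t");   /* a responder with another label */
    printf("matching contexts:   %d\n", negotiate(&a, &b, pair));
    printf("differing contexts:  %d\n", negotiate(&a, &c, pair));
    return 0;
}
```

Manual SAs loaded with setkey bypass negotiate() entirely, which is the slide's last point: with setkey, nothing checks that the two hosts agree on the context except the administrator.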
Slide 30
Overall LSM Network Control (Output)
[Diagram, Linux 2.6: socket/IP transmit -> Find Policy -> Find Existing SAs -> Negotiate SAs -> Apply SAs (against the SPD/SAD) -> "XFRM?" decision -> Netfilter post-routing hook (NF PostHook)]
Slide 31
Overall LSM Network Control (Input)
[Diagram, Linux 2.6: rcv SKB -> "XFRM?" decision -> Match To SPI -> Find SA For SKB -> Apply SAs -> Find Policy (against the SPD/SAD) -> socket/IP receive]
Slide 32
Overall control (rcv_skb and postroute_last)

    /* if authorized xfrm, then already authorized against xfrm label */
    if (authorizable_xfrm_in(skb))
            goto accept;

    /* else, this packet is unlabelled and needs authorization */
    sock_sid = get_sock_sid(sk);
    rc = avc_has_perm(sock_sid, UNLABELLED, ASSOC, op, NULL);
    if (rc)
            goto drop;

    accept:
            /* packet continues on the normal path (body elided on the slide) */
    drop:
            /* packet is discarded (body elided on the slide) */
Slide 33
Issues
- Policy specification
  - sk_policy vs. manual policy
    - Set by racoon for ISAKMP messages -- can use unlabelled
    - Will get rejected unless unlabelled access is allowed
  - No sock in some cases
    - E.g., ping and packet forwarding
    - Kernel is the subject in these cases
- Breadth of IPsec use tested
  - Transport for TCP, UDP, ICMP
  - Tunnel
- Patch acceptance
  - 15 files modified: 5 security; 5 net; 5 includes
  - IPsec-tools patch supports these changes
- Inter-system policy management
  - Single-domain policy distribution to setkey (in addition to SELinux policy)
  - Cross-domain limited policy use
    - Applications use SSL