SELinux Protected Paths Revisited
Trent Jaeger
Department of Computer Science and Engineering, Pennsylvania State University
March 1, 2006
Talk Topics
- Mechanism for MAC enforcement between two machines: Labeled IPsec
- Protected Paths: are we ready?
- Distributed System MAC: what else do we need?
- Claims
  - Distributed enforcement: a distributed, shared reference monitor
  - Trust in that enforcement: a representation of trust
  - Simplicity and scalability: can virtual machines help?
Mandatory Access Control
[Figure: applications running on a Linux kernel; the SELinux module consults the MAC policy to mediate each application's access to kernel objects, shown here for an application accessing File X.]
Network MAC
[Figure: two systems, each running applications on a Linux kernel with a SELinux module and MAC policy, with an X marking the communication between them across the network.]
Client-Server MAC
[Figure: a client system and a server system, each with a Linux kernel, SELinux module, MAC policy and applications; the server application hands the client's request to a worker application.]
Location-independent MAC
[Figure: a master application on the base system creates a new application on a remote system; both systems run a Linux kernel with a SELinux module and MAC policy.]
Labeled IPsec
- Leverage IPsec advantages: secure communication; easy to integrate with kernel MAC
- Add MAC labeling to IPsec: control application access to IPsec "channels" (security associations); an application can only send or receive over a channel it has MAC permission for
- Results: application-to-application control is possible; BLP (Bell-LaPadula) controls between applications on different machines; applications can use the labeling information, e.g. to label child processes
- Status: part of the Linux 2.6.16-rc* kernels; will be in the 2.6.16 kernel
Client-Server Usage
[Figure: two systems, each with an OS kernel, access control module, MAC policy and applications; a server application on one system hands the client's connection to a worker.]
(1) Black must be allowed by policy to access green (among others); (2) black can extract the label of the SA underlying its socket; (3) prototyped using getsockopt(…, SO_PEERSEC).
Get Peer Label
- TCP: is the socket connected (TCP_ESTABLISHED)? If so, getsockopt(.. SO_PEERSEC ..) returns the context of the labeled SA reached through the socket's dst_entry cache
- UDP: connectionless, so set the IP_PASSSEC socket option; recvmsg() then returns the sender's context along with each datagram
- Available for UNIX stream, UNIX dgram (soon), INET stream and INET dgram sockets
- Work by Catherine Zhang at IBM Research
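The two retrieval paths above, worked as an added C example (this is not code from the talk, from IBM Research, or from the Linux kernel): for TCP it checks TCP_ESTABLISHED via TCP_INFO and only then asks for SO_PEERSEC; for UDP it sets IP_PASSSEC and parses the SCM_SECURITY control message out of a recvmsg() result. The socket option names are the real Linux ones (the fallback numeric values are Linux's, for libc headers that predate them); the sample context string and the msghdr assembled in label_roundtrip_ok are constructed here so the parser can be exercised without a labeled-IPsec peer.

```c
/* Added example, not code from the talk or the kernel: read a peer's SELinux
 * context over TCP with SO_PEERSEC (after checking TCP_ESTABLISHED) and over
 * UDP via IP_PASSSEC plus the SCM_SECURITY control message recvmsg() attaches. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31      /* Linux value; guard only for old libc headers */
#endif
#ifndef IP_PASSSEC
#define IP_PASSSEC 18
#endif
#ifndef SCM_SECURITY
#define SCM_SECURITY 0x03
#endif

/* TCP: the kernel answers SO_PEERSEC from the labeled SA cached in the
 * socket's dst_entry, so insist on TCP_ESTABLISHED first. Returns 0 with a
 * NUL-terminated context in ctx, else -1 with errno set: ENOTCONN (not
 * established), ERANGE (ctx too small), ENOPROTOOPT (no label for this peer). */
int get_peer_label_tcp(int fd, char *ctx, socklen_t ctxlen)
{
    struct tcp_info ti;
    socklen_t len = sizeof ti;
    if (getsockopt(fd, IPPROTO_TCP, TCP_INFO, &ti, &len) < 0)
        return -1;                          /* EBADF, ENOTSOCK, EOPNOTSUPP ... */
    if (ti.tcpi_state != TCP_ESTABLISHED || ctxlen == 0) {
        errno = ctxlen ? ENOTCONN : EINVAL;
        return -1;
    }
    len = ctxlen;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, ctx, &len) < 0)
        return -1;
    ctx[len < ctxlen ? len : ctxlen - 1] = '\0';
    return 0;
}

/* UDP, step 1: ask for the sender's context with every datagram. */
int enable_passsec(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PASSSEC, &one, sizeof one);
}

/* UDP, step 2: find SCM_SECURITY in the ancillary data recvmsg() returned
 * (level SOL_IP on INET datagram sockets, SOL_SOCKET on UNIX ones).
 * Returns 0 with ctx filled, -1 if the message carried no security context. */
int extract_scm_security(struct msghdr *msg, char *ctx, size_t ctxlen)
{
    if (ctxlen == 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_type != SCM_SECURITY ||
            (c->cmsg_level != SOL_IP && c->cmsg_level != SOL_SOCKET))
            continue;
        size_t n = c->cmsg_len - CMSG_LEN(0);   /* payload; may include a NUL */
        if (n >= ctxlen) n = ctxlen - 1;
        memcpy(ctx, CMSG_DATA(c), n);
        ctx[n] = '\0';
        return 0;
    }
    return -1;
}

/* Constructed sample: build a msghdr carrying one SCM_SECURITY message the
 * way the kernel delivers it on an IP_PASSSEC socket, then run the parser on
 * it. Returns 1 if `label` comes back unchanged, so no live peer is needed. */
int label_roundtrip_ok(const char *label)
{
    union { struct cmsghdr align; unsigned char data[256]; } cb; /* aligned */
    struct msghdr msg; char out[256];
    size_t n = strlen(label) + 1;
    if (CMSG_SPACE(n) > sizeof cb.data)
        return 0;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = cb.data;
    msg.msg_controllen = CMSG_SPACE(n);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_IP;
    c->cmsg_type = SCM_SECURITY;
    c->cmsg_len = CMSG_LEN(n);
    memcpy(CMSG_DATA(c), label, n);
    return extract_scm_security(&msg, out, sizeof out) == 0 && strcmp(out, label) == 0;
}

int main(void)
{
    char ctx[256];
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* unconnected: expect ENOTCONN */
    printf("datagram round trip: %s\n",
           label_roundtrip_ok("system_u:system_r:vsftpd_t:s0") ? "ok" : "FAILED");
    if (fd >= 0 && get_peer_label_tcp(fd, ctx, sizeof ctx) < 0)
        printf("SO_PEERSEC on unconnected socket: %s\n", strerror(errno));
    return fd >= 0 ? close(fd) : 1;
}
```

On a host without SELinux, or on a connection that has no labeled SA behind it, the SO_PEERSEC call fails with ENOPROTOOPT; a server that relies on the peer label should treat that as a refusal rather than fall through to an unlabeled peer.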
Use Labels in Client Control
- Network services (vsftpd, xinetd): get the client label using the TCP method; configuration: get xinetd to apply labels based on its configuration
- Storage security, proxy-based: a server proxy limits access based on the client label (the server is trusted); a client proxy connects based on the client label (client proxy processes need not be trusted)
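A server-proxy check of the kind described above, as an added C example (not code from the talk or from any of the services named): once the client label is in hand, the proxy parses it, checks the client type against an allow-list per operation, and applies the BLP rules the Labeled IPsec slide refers to (read down, write up) between the client's sensitivity level and the object's. The context format user:role:type:sN with a single level and no categories, the type lists, and every label in main() are assumptions constructed for this example.

```c
/* Added example, not code from the talk or any project: a server proxy's
 * decision on a client label obtained via SO_PEERSEC or SCM_SECURITY.
 * Assumed here: contexts are user:role:type:sN with one sensitivity level
 * and no categories (anything else is refused), the constructed type
 * allow-lists below, and the BLP rules read-down / write-up on that level. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct secctx {
    char user[64], role[64], type[64];
    int level;                              /* N from the sN field */
};

/* Parse "user:role:type:sN" into *out. Returns 0, or -1 on malformed input
 * (missing fields, categories such as s0:c1, ranges such as s0-s2). */
int parse_context(const char *ctx, struct secctx *out)
{
    char buf[256], *f[4], *p = buf;
    if (!ctx || strlen(ctx) >= sizeof buf)
        return -1;
    strcpy(buf, ctx);
    for (int i = 0; i < 4; i++) {
        char *colon = strchr(p, ':');
        if ((i < 3) != (colon != NULL))
            return -1;                      /* too few fields, or extras */
        if (colon)
            *colon = '\0';
        if (*p == '\0' || strlen(p) >= sizeof out->user)
            return -1;
        f[i] = p;
        if (colon)
            p = colon + 1;
    }
    if (f[3][0] != 's' || f[3][1] == '\0')
        return -1;
    for (const char *q = f[3] + 1; *q; q++)
        if (!isdigit((unsigned char)*q))
            return -1;
    strcpy(out->user, f[0]);
    strcpy(out->role, f[1]);
    strcpy(out->type, f[2]);
    out->level = atoi(f[3] + 1);
    return 0;
}

/* Constructed policy: client types the proxy will serve, per operation. */
static const char *const read_types[]  = { "client_t", "vsftpd_t", NULL };
static const char *const write_types[] = { "client_t", NULL };

static int type_in(const char *type, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(type, *list) == 0)
            return 1;
    return 0;
}

/* BLP on a single level: read only what you dominate, write only what
 * dominates you (no write-down, so a high client cannot leak to low). */
static int blp_allows(const char *op, int subj, int obj)
{
    if (strcmp(op, "read") == 0)
        return subj >= obj;
    if (strcmp(op, "write") == 0)
        return subj <= obj;
    return 0;
}

/* 1 = forward the request, 0 = refuse. Unparseable labels, unknown types
 * and unknown operations all fail closed. */
int proxy_decide(const char *peer_ctx, const char *op, const char *obj_ctx)
{
    struct secctx subj, obj;
    if (parse_context(peer_ctx, &subj) < 0 || parse_context(obj_ctx, &obj) < 0)
        return 0;
    const char *const *allowed = strcmp(op, "read") == 0 ? read_types
                               : strcmp(op, "write") == 0 ? write_types : NULL;
    if (!allowed || !type_in(subj.type, allowed))
        return 0;
    return blp_allows(op, subj.level, obj.level);
}

int main(void)
{
    const char *obj = "system_u:object_r:share_t:s1";   /* constructed object label */
    const char *peers[] = { "system_u:system_r:client_t:s2",
                            "system_u:system_r:client_t:s0",
                            "system_u:system_r:vsftpd_t:s1",
                            "system_u:system_r:client_t:s0:c0",
                            "not a context" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-36s read=%d write=%d\n", peers[i],
               proxy_decide(peers[i], "read", obj),
               proxy_decide(peers[i], "write", obj));
    return 0;
}
```

The decision is made entirely from the label the kernel delivered, which is the point of the proxy design on this slide: the server proxy must be trusted to enforce, but the client-side proxy only has to present a connection whose SA carries the right label.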
Distributed MAC Goal
- Protected paths, from "Inevitability of Failure": direct, authenticated communication; integrity preserved from input to output; the peer's label obtained reliably
- Comparable to authenticated IPC, e.g. UNIX domain sockets
- Where are we relative to achieving protected paths for real? Are protected paths enough?
Protected Paths
[Figure, shown in three stages: a path from the user through the X server, window manager and application, down through the operating system and across the network to the remote operating system, application, window manager and X server. The second stage tags each hop with its MAC label; the third adds attestation of the path back to the user.]
Protected Path Challenges
- User-to-application: Xserver control; window manager control
- Application-to-OS: labeled IPsec; application control using the label
- OS-to-OS: reference monitoring (MAC policy, labeling); remote attestation; building trust from secure hardware
Existing Solutions
- Distributed policy management, e.g. Tivoli Access Manager, Microsoft Windows domains
- Virtual machine systems: NetTop, Terra
- Logic of authentication: Taos and Secure Boot
- Trust management systems, e.g. PolicyMaker, KeyNote
- Trust negotiation
Secure Coalition System
Recent IBM Technical Report RC23865; work with J. McCune (CMU) and S. Berger, R. Caceres and R. Sailer (IBM Research)
Distributed, Shared Monitor
- A distributed, shared reference monitor: TPM attestation of each physical machine's reference monitor; common enforcement properties (monitoring, MAC policy)
Virtual Machines
- Advantages: coarser-grained protections; coarser-grained policy; simpler reference monitor; a VM per application simplifies policy within each VM
- Challenges: dynamic policy (Yin and Wang, USENIX 2005); does not fix user-to-user isolation (Nitpicker, ACSAC 2005); translating into client-specific, finer-grained rights; scalable construction and maintenance of trust
Building Trust
- Build trust in the other system's reference monitoring, its MAC policy, and its labeling of subjects and objects
- Why is this necessary? At Internet scale the remote TPM is registered and physically protected, but under a different administrator; administration errors (misconfiguration of a machine); malice (a compromised platform)
- Build trust from secure hardware up
Internet-Scale Distributed Systems
- Simple language of trust: limited by reference monitoring properties; monotonic reasoning
- Multiple layers of reasoning: machine, virtual machine, coalition
- Building systems to test soundness/completeness: web hosting; Internet Suspend/Resume; distributed computations (student testing)
Summary
- Aim: from network MAC to distributed system MAC
- We have IPsec MAC controls; what is an appropriate goal for distributed system MAC?
- Protected paths plus remote attestation plus virtual machines? A distributed, shared reference monitor
- Several challenges remain: trust across systems; compatibility (policy, labeling) across systems; service awareness; building all the way to the user
Questions?
Contact: Trent Jaeger, [email protected]; Penn State SIIS Lab, siis.cse.psu.edu; www.cse.psu.edu/~tjaeger
DSRM prototype report: IBM Tech Report RC23865, with McCune, Berger, Caceres, Sailer
Linux kernel: www.kernel.org
SELinux: www.nsa.gov/selinux