230 likes | 366 Views
Approaches for Designing Flexible Mandatory System Security Policies. Trent Jaeger IBM Research July 8, 2004. Linux 2.6 Has LSM and SELinux. Linux Security Modules Framework Reference monitor interface w/i kernel No problems with redundant parsing or races
E N D
Approaches for Designing Flexible Mandatory System Security Policies Trent Jaeger IBM Research July 8, 2004
Linux 2.6 Has LSM and SELinux • Linux Security Modules Framework • Reference monitor interface w/i kernel • No problems with redundant parsing or races • Enforce mandatory access control (MAC) • Restricts discretionary permissions • Noteworthy LSM Features • Comprehensive MAC enforcement • 200+ hooks • Control access to 29 kernel data types • SELinux module • Supports comprehensive MAC • Enhanced Type Enforcement policy: roles, subject types, transitions, etc. • Large “example” policy (25,000+ permission assignments) • Requires customization to security target
Integrity High Subject Object Read Subject Perm Low Subject Can Modify Input To High Perm Subject Object Write Low Subject
sysadm_t userdomain ttyfile rw user_tty_device_t rw Users can modify input to sysadm_t!! user_tty_device_t rw ttyfile rw userdomain user_t SELinux & Integrity Subject Type Subject Attr Attr Perm Perm Perm Attr Perm Subject Attr Subject Type
SELinux Integrity Problem setfiles Conflict file_type read user_ssh rw user user_ssh rw sysadm httpd admin sshd_tmp read sshd_tmp rw sshd logfile read logrotate lastlog read lastlog write xdm Attr Perm High Subject Type Low Subject Type Perm Perm
Integrity Models • Biba Integrity • No high integrity subject may depend on low integrity data/code • Implication: No information flow from low integrity to high • LOMAC • The integrity level of a subject is equal to lowest integrity input • Implication: same as Biba • Caernarvon • The integrity level of a subject or object is specified by a range • Implication: Subjects may depend on/modify a range of integrity levels • Clark-Wilson • Only high integrity Transformation Procedures modify high integrity data • Implication: Can read low integrity data if they can upgrade or discard only
Our Integrity Goal • Use flexible policy expression • SELinux’s extended Type Enforcement policy • Defines all relevant policy decisions • Find integrity problems • Information flows that satisfy Biba are permitted • “Resolve” others – remove or manage (Clark-Wilson) • Compute information to assist in resolution • Find problems: Minimal cover set • Identify solutions: Resolutions • Determine solutions: Impact
sysadm_t userdomain ttyfile rw user_tty_device_t rw Minimal Cover Set for Integrity Violations Perm Subject Type Subject Attr Attr Perm Perm Subject Type Subject-Permission Assignment
Minimal Cover Set setfiles S-P Assign Conflict S-P Assign file_type read user_ssh rw user user_ssh rw sysadm httpd admin sshd_tmp read sshd_tmp rw sshd logfile read logrotate lastlog read lastlog write xdm Attr Perm High Subject Type Low Subject Type Perm Perm
Integrity Resolutions • Remove Subject Type or Object Type • Reclassify Subject Type of Object Type • Change Subject Type-Permission assignment • Clark-Wilson reads • Allow reading of low integrity data that meet Clark-Wilson • No dependency read (move file) • Deny Object Access • Track low integrity writes per object • LOMAC Subject Type (sysadm) • Reduce integrity level of subject when reading low integrity data
X X X No Dep Read Exclude Object Type Deny Access Exclude Subject Type Example Resolutions setfiles S-P Assign Conflict S-P Assign file_type read user_ssh rw user user_ssh rw sysadm httpd admin sshd_tmp read sshd_tmp rw sshd logfile read logrotate lastlog read lastlog write xdm Attr Perm High Subject Type Low Subject Type Perm Perm
Resolution Independence setfiles S-P Assign Conflict S-P Assign file_type read user_ssh rw user user_ssh rw sysadm httpd admin sshd_tmp read sshd_tmp rw sshd X logfile read logrotate lastlog read lastlog write xdm Attr Perm High Subject Type Low Subject Type Perm Perm
Resolution Impact • Basic resolution impact • Number of conflicts that result from a flow assignment or node • Real resolution impact • Number of conflicts that are eliminated by removal of an assignment or node • Changes on Extremes Have Bigger Impact • Subject Type, Object Type changes • Permission assignment is generally low impact
Policy Design Tool: Gokyo • Load entire SELinux example policy • Find Biba conflicts in SELinux policy • Display conflicts in terms of minimal cover set • Compute basic impacts for nodes and assignments • Enable expression of resolutions and re-evaluation • Resulting policies provide Clark-Wilson integrity • Assuming high integrity applications meet assurance requirements • Assuming sanitization either discards or upgrades low integrity data • Does not fix SELinux module to enforce resolutions
Gokyo Resolution setfiles S-P Assign X Conflict S-P Assign file_type read user_ssh rw user user_ssh rw X sysadm X httpd admin sshd_tmp read sshd_tmp rw sshd X logfile read logrotate X lastlog read lastlog write xdm Attr Perm High Subject Type Low Subject Type Perm Perm
Policy Design Results • 1 Biba constraint (no flow from low to high) • 36 TCB subject types (high integrity subjects) • 83 excluded subject types (low integrity) • All other subject types are assumed low • 4 object type excludes • 1 LOMAC – sysadm • 18 denials • 83 sanitizations for 24 subject types
Other SELinux Policy Analysis Tools • Tresys • Apol - analyze an SE Linux policy (GUI). • SeAudit - analyze audit messages from SELinux (GUI). • SeCmds - analyze an SELinux policy and search/replace file contexts. • SeUser - GUI and command-line "user manager" for SELinux. • SePCuT - customize an SE Linux policy (GUI). • MITRE • SLAT – Information flow policy expression • Hitachi • SELinux/Aid inspect, edit SELinux security policies and inspect log messages
Summary • Comprehensive security is complex • Security requirements should be simple • Clark-Wilson integrity with assumptions is achievable • Resolution requires tools to support decision-making • Modeling concepts enable focus: • Minimal cover set • Resolution options • Resolution impact • And guide resolution process • SELinux policy model requires adjustments to achieve resolution
Summary (con’t) • Research Results • ACM TISSEC journal – Access Control Spaces • USENIX Security Conference – Configure TCB policy • ACM SACMAT – Underlying graph properties for resolution • Working Tool • Gokyo analysis infrastructure • Lacks GUI • Analysis Tools for Security • www.research.ibm.com/vali • Contact for more info • jaegert@us.ibm.com
Resolution Issues • Low integrity side vs. High integrity side • Which is easier to address? • Big impact vs. Ease of understanding • Small, independent cases are easy • Small, cases with some overlap are not so hard • Extensive cases with overlap are difficult • Some assignments result in extensive overlap • How to apply graph theory? • Node weights based on basic or real impact? • Minimum cut across graph • Cost of making a change is the cost of the cut
Current Approach • Identify the minimal cover set for constraint conflicts • Subject-permission assignments • Compute the basic impact value of each cover assignment • Number of conflicts reachable • Compute number of subjects/objects impacted by cover assignment • Examine remove/reclassification or LOMAC semantics • Compute individual node and assignment impacts on demand • Apply permission resolutions • Sanitize or deny
Access Hook Authorize Request? Security-sensitive Operation Access Hook Access Hook Security-sensitive Operation Security-sensitive Operation Yes/No LSM Entry Points System Interface Module
Achieving Security Goals • Large Number of Security Decisions • Comprehensive vs limited security • 150+ decisions points defined by LSM • Defining the Security Goal • Least Privilege • Confidentiality • Integrity • Security Goal Specification • Simply-stated goals are often too restrictive (e.g., no low integrity data dependencies) • Flexible languages enable complex goals, but too complex (e.g., access matrix) • Our Solution Aims: • Comprehensive • Integrity • Use simple model as target, but enable flexible fine tuning