
Approaches for Designing Flexible Mandatory System Security Policies


Presentation Transcript


  1. Approaches for Designing Flexible Mandatory System Security Policies
     Trent Jaeger, IBM Research, July 8, 2004

  2. Linux 2.6 Has LSM and SELinux
     • Linux Security Modules Framework
       • Reference monitor interface w/i kernel
       • No problems with redundant parsing or races
       • Enforce mandatory access control (MAC)
       • Restricts discretionary permissions
     • Noteworthy LSM Features
       • Comprehensive MAC enforcement
       • 200+ hooks
       • Control access to 29 kernel data types
     • SELinux module
       • Supports comprehensive MAC
       • Enhanced Type Enforcement policy: roles, subject types, transitions, etc.
       • Large “example” policy (25,000+ permission assignments)
       • Requires customization to security target

  3. Integrity
     [Diagram: a high-integrity subject reads an object that a low-integrity subject writes; the low subject can modify input to the high subject.]

  4. SELinux & Integrity
     [Diagram: subject types sysadm_t and user_t both carry the subject attribute userdomain; userdomain has rw permission on the object attribute ttyfile, which contains user_tty_device_t. Users can modify input to sysadm_t!!]

  5. SELinux Integrity Problem
     [Diagram: conflicts between high subject types and low subject types through shared object types and attributes. Labels on the slide: setfiles, file_type read, user, user_ssh rw, sysadm, httpd, admin, sshd, sshd_tmp read/rw, logrotate, logfile read, xdm, lastlog read/write, Conflict.]

  6. Integrity Models
     • Biba Integrity
       • No high integrity subject may depend on low integrity data/code
       • Implication: No information flow from low integrity to high
     • LOMAC
       • The integrity level of a subject is equal to lowest integrity input
       • Implication: same as Biba
     • Caernarvon
       • The integrity level of a subject or object is specified by a range
       • Implication: Subjects may depend on/modify a range of integrity levels
     • Clark-Wilson
       • Only high integrity Transformation Procedures modify high integrity data
       • Implication: Can read low integrity data if they can upgrade or discard only
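As an added illustration of the rules on this slide (not part of the talk), the following Python replays one constructed trace, a high-integrity admin process reading a tty that an ordinary user can write and then writing an admin-owned file, under strict Biba, LOMAC, and a Clark-Wilson style sanitized read. The two-level lattice, the trace, and the `tty_sanitizer` allow-list are assumptions made for the example; Caernarvon's integrity ranges are not modelled.

```python
"""Added example, not from the talk: access decisions of Biba, LOMAC and a
Clark-Wilson style sanitized read on a two-level integrity lattice, replayed over
one constructed trace: a high-integrity admin process reads a tty that an
ordinary user can write, then writes an admin-owned file."""
LOW, HIGH = 0, 1  # constructed two-level lattice

# Constructed trace: (operation, object name, object integrity level, data on the object)
TRACE = [("read", "user_tty", LOW, "reboot"),
         ("write", "admin_file", HIGH, None)]


def biba(subject_level, object_level, op):
    """Strict Biba: no read below the subject's level (no dependency on low data)
    and no write above it (no modification of high data)."""
    if op == "read":
        return object_level >= subject_level
    if op == "write":
        return object_level <= subject_level
    raise ValueError(f"unknown op {op!r}")


class LomacSubject:
    """LOMAC: reads are always allowed, but the subject's level drops to the
    lowest level it has read; later writes are judged against that level."""

    def __init__(self, level):
        self.level = level

    def access(self, object_level, op):
        if op == "read":
            self.level = min(self.level, object_level)
            return True
        if op == "write":
            return object_level <= self.level
        raise ValueError(f"unknown op {op!r}")


def clark_wilson_read(subject_level, object_level, sanitizer, data):
    """A high-integrity transformation procedure may read low-integrity data only
    through a sanitizer that upgrades the input (returns it) or discards it
    (returns None). Returns (allowed, data the subject actually receives)."""
    if object_level >= subject_level:
        return True, data
    if sanitizer is None:
        return False, None
    return True, sanitizer(data)


def tty_sanitizer(line):
    """Constructed sanitizer: keep only an allow-listed command, discard the rest."""
    return line if line.strip() in {"ls", "whoami"} else None


def replay(model, trace=TRACE, sanitizer=None):
    """Run one high-integrity subject through `trace` under `model`
    ("biba", "lomac" or "clark-wilson"). Returns a list of
    (op, object, allowed, data_received) per step."""
    lomac_subject = LomacSubject(HIGH)
    decisions = []
    for op, obj, level, data in trace:
        received = None
        if model == "biba":
            allowed = biba(HIGH, level, op)
        elif model == "lomac":
            allowed = lomac_subject.access(level, op)
        elif model == "clark-wilson":
            if op == "read":
                allowed, received = clark_wilson_read(HIGH, level, sanitizer, data)
            else:
                allowed = biba(HIGH, level, op)  # the TP keeps its level; writes follow Biba
        else:
            raise ValueError(f"unknown model {model!r}")
        if allowed and op == "read" and model != "clark-wilson":
            received = data
        decisions.append((op, obj, allowed, received))
    return decisions


if __name__ == "__main__":
    for model in ("biba", "lomac", "clark-wilson"):
        print(model, replay(model, sanitizer=tty_sanitizer))
```

The three replays show the slide's implications side by side: Biba refuses the tty read outright, LOMAC permits it but the admin process then cannot write the high-integrity file, and the Clark-Wilson variant permits the read only because the sanitizer discards the unlisted input, so the later write stays legitimate.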

  7. Our Integrity Goal
     • Use flexible policy expression
       • SELinux’s extended Type Enforcement policy
       • Defines all relevant policy decisions
     • Find integrity problems
       • Information flows that satisfy Biba are permitted
       • “Resolve” others – remove or manage (Clark-Wilson)
     • Compute information to assist in resolution
       • Find problems: Minimal cover set
       • Identify solutions: Resolutions
       • Determine solutions: Impact

  8. Minimal Cover Set for Integrity Violations
     [Diagram: the slide 4 graph (sysadm_t, user_t, userdomain, ttyfile rw, user_tty_device_t) with the subject-permission assignment labelled.]

  9. Minimal Cover Set
     [Diagram: the slide 5 conflict graph with the subject-permission (S-P) assignments labelled.]

  10. Integrity Resolutions
     • Remove Subject Type or Object Type
     • Reclassify Subject Type or Object Type
     • Change Subject Type-Permission assignment
       • Clark-Wilson reads
         • Allow reading of low integrity data that meet Clark-Wilson
       • No dependency read (move file)
       • Deny Object Access
         • Track low integrity writes per object
     • LOMAC Subject Type (sysadm)
       • Reduce integrity level of subject when reading low integrity data

  11. Example Resolutions
     [Diagram: the slide 5 conflict graph with resolutions marked X: No Dep Read, Exclude Object Type, Deny Access, Exclude Subject Type.]

  12. Resolution Independence
     [Diagram: the slide 5 conflict graph with a single S-P assignment marked X.]

  13. Resolution Impact
     • Basic resolution impact
       • Number of conflicts that result from a flow assignment or node
     • Real resolution impact
       • Number of conflicts that are eliminated by removal of an assignment or node
     • Changes on Extremes Have Bigger Impact
       • Subject Type, Object Type changes
       • Permission assignment is generally low impact
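To make the minimal cover set and the two impact measures concrete (slides 7, 10, 13 and 21), here is an added Python sketch that is not Gokyo's code and does not load a real SELinux policy. It models a handful of constructed subject types, attributes and subject-permission assignments, finds every low-writes/high-reads path, brute-forces the smallest set of assignments that touches every path, and compares basic impact (paths through an assignment) with real impact (flows that actually disappear once a change is applied, which can be zero when a redundant grant keeps the flow alive). Type names echo the talk's figures, but the policy, the TCB set, the exclusion semantics and the "sanitized read" treatment are assumptions made for this example.

```python
"""Added example, not from the talk or the Gokyo tool: find Biba conflicts in a
small Type Enforcement policy, compute a minimal cover set of subject-permission
assignments, and score the basic and real impact of candidate resolutions.
Every type, attribute and assignment below is constructed for illustration."""
from itertools import combinations

# Attributes group types; an assignment on an attribute applies to each member.
SUBJECT_ATTRS = {"userdomain": {"sysadm_t", "user_t"}}
OBJECT_ATTRS = {
    "ttyfile": {"user_tty_device_t"},
    "file_type": {"user_tty_device_t", "sshd_tmp_t", "logfile_t", "user_ssh_t"},
}
# Subject-permission assignments: (subject type or attr, object type or attr, perms).
ASSIGNMENTS = [
    ("userdomain", "ttyfile", {"read", "write"}),  # 0: every user domain rw ttys
    ("setfiles_t", "file_type", {"read"}),         # 1: relabeler reads all files
    ("httpd_t", "sshd_tmp_t", {"write"}),          # 2
    ("sshd_t", "sshd_tmp_t", {"read"}),            # 3
    ("user_t", "user_ssh_t", {"read", "write"}),   # 4
    ("sysadm_t", "user_ssh_t", {"read"}),          # 5
    ("logrotate_t", "logfile_t", {"read"}),        # 6
    ("user_t", "logfile_t", {"write"}),            # 7
    ("userdomain", "user_ssh_t", {"read"}),        # 8: redundant grant to sysadm_t
]
# High-integrity (TCB) subject types; every other subject type is assumed low.
TCB = {"sysadm_t", "setfiles_t", "sshd_t", "logrotate_t"}


def expand(name, attrs):
    return set(attrs.get(name, {name}))


def conflicts(assignments=ASSIGNMENTS, tcb=TCB, excluded=frozenset(), sanitized=frozenset()):
    """Biba conflicts as paths (low, obj, high, write_idx, read_idx): a low subject
    writes an object that a high subject reads. `excluded` types are removed from
    the policy; `sanitized` (high, obj) reads are Clark-Wilson reads and do not count."""
    writers, readers = {}, {}
    for i, (subj, obj, perms) in enumerate(assignments):
        for s in expand(subj, SUBJECT_ATTRS) - excluded:
            for o in expand(obj, OBJECT_ATTRS) - excluded:
                if "write" in perms and s not in tcb:
                    writers.setdefault(o, set()).add((s, i))
                if "read" in perms and s in tcb and (s, o) not in sanitized:
                    readers.setdefault(o, set()).add((s, i))
    return {(low, o, high, wi, ri)
            for o in writers.keys() & readers.keys()
            for low, wi in writers[o]
            for high, ri in readers[o]}


def triples(paths):
    """Distinct (low, obj, high) flows, ignoring which assignments carry them."""
    return {p[:3] for p in paths}


def minimal_cover_set(paths):
    """Smallest set of assignment indices that touches every conflict path
    (as writer or reader). Brute force over subset sizes; fine for toy policies."""
    candidates = sorted({i for p in paths for i in p[3:]})
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            if all(p[3] in combo or p[4] in combo for p in paths):
                return set(combo)
    return set()


def basic_impact(idx, paths):
    """Number of conflict paths that run through assignment `idx`."""
    return sum(1 for p in paths if idx in p[3:])


def real_impact(**change):
    """Number of (low, obj, high) flows eliminated by a change, i.e. flows that no
    remaining path still carries. Keyword args are passed to conflicts()."""
    return len(triples(conflicts())) - len(triples(conflicts(**change)))


def drop_assignment(idx):
    return [a for i, a in enumerate(ASSIGNMENTS) if i != idx]


if __name__ == "__main__":
    paths = conflicts()
    print(f"{len(paths)} conflict paths, {len(triples(paths))} distinct flows")
    print("minimal cover set:", sorted(minimal_cover_set(paths)))
    for i in range(len(ASSIGNMENTS)):
        print(f"assignment {i}: basic={basic_impact(i, paths)} "
              f"real={real_impact(assignments=drop_assignment(i))}")
    print("exclude subject setfiles_t:", real_impact(excluded=frozenset({"setfiles_t"})))
    print("remove subject user_t:", real_impact(excluded=frozenset({"user_t"})))
    print("reclassify sysadm_t as low:", real_impact(tcb=TCB - {"sysadm_t"}))
    print("sanitize sshd_t's read of sshd_tmp_t:",
          real_impact(sanitized=frozenset({("sshd_t", "sshd_tmp_t")})))
```

Two things in the output line up with the slide. Removing either of the two grants that let sysadm_t read user_ssh_t (index 5 or 8) has a basic impact of 1 but a real impact of 0, because the other grant still carries the flow; and removing the low subject type user_t eliminates six of the eight flows, while no single permission assignment eliminates more than the four that run through setfiles_t's blanket read. Reclassifying sysadm_t as low only nets one flow, since sysadm_t then becomes a low writer of the tty that setfiles_t still reads.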

  14. Policy Design Tool: Gokyo
     • Load entire SELinux example policy
     • Find Biba conflicts in SELinux policy
     • Display conflicts in terms of minimal cover set
     • Compute basic impacts for nodes and assignments
     • Enable expression of resolutions and re-evaluation
     • Resulting policies provide Clark-Wilson integrity
       • Assuming high integrity applications meet assurance requirements
       • Assuming sanitization either discards or upgrades low integrity data
     • Does not fix SELinux module to enforce resolutions

  15. Gokyo Resolution
     [Diagram: the slide 5 conflict graph with the chosen resolutions marked X on the setfiles, sysadm, httpd, sshd and logrotate paths.]

  16. Policy Design Results
     • 1 Biba constraint (no flow from low to high)
     • 36 TCB subject types (high integrity subjects)
     • 83 excluded subject types (low integrity)
       • All other subject types are assumed low
     • 4 object type excludes
     • 1 LOMAC – sysadm
     • 18 denials
     • 83 sanitizations for 24 subject types

  17. Other SELinux Policy Analysis Tools
     • Tresys
       • Apol - analyze an SE Linux policy (GUI).
       • SeAudit - analyze audit messages from SELinux (GUI).
       • SeCmds - analyze an SELinux policy and search/replace file contexts.
       • SeUser - GUI and command-line "user manager" for SELinux.
       • SePCuT - customize an SE Linux policy (GUI).
     • MITRE
       • SLAT – Information flow policy expression
     • Hitachi
       • SELinux/Aid - inspect, edit SELinux security policies and inspect log messages

  18. Summary
     • Comprehensive security is complex
     • Security requirements should be simple
       • Clark-Wilson integrity with assumptions is achievable
     • Resolution requires tools to support decision-making
     • Modeling concepts enable focus:
       • Minimal cover set
       • Resolution options
       • Resolution impact
       • And guide resolution process
     • SELinux policy model requires adjustments to achieve resolution

  19. Summary (con’t)
     • Research Results
       • ACM TISSEC journal – Access Control Spaces
       • USENIX Security Conference – Configure TCB policy
       • ACM SACMAT – Underlying graph properties for resolution
     • Working Tool
       • Gokyo analysis infrastructure
       • Lacks GUI
     • Analysis Tools for Security
       • www.research.ibm.com/vali
     • Contact for more info
       • jaegert@us.ibm.com

  20. Resolution Issues
     • Low integrity side vs. High integrity side
       • Which is easier to address?
     • Big impact vs. Ease of understanding
       • Small, independent cases are easy
       • Small cases with some overlap are not so hard
       • Extensive cases with overlap are difficult
       • Some assignments result in extensive overlap
     • How to apply graph theory?
       • Node weights based on basic or real impact?
       • Minimum cut across graph
         • Cost of making a change is the cost of the cut

  21. Current Approach
     • Identify the minimal cover set for constraint conflicts
       • Subject-permission assignments
     • Compute the basic impact value of each cover assignment
       • Number of conflicts reachable
     • Compute number of subjects/objects impacted by cover assignment
       • Examine remove/reclassification or LOMAC semantics
     • Compute individual node and assignment impacts on demand
     • Apply permission resolutions
       • Sanitize or deny

  22. LSM Entry Points
     [Diagram: a call through the system interface reaches a security-sensitive operation; an access hook asks the module "Authorize request?" and the module answers Yes/No before the operation proceeds.]

  23. Achieving Security Goals
     • Large Number of Security Decisions
       • Comprehensive vs limited security
       • 150+ decision points defined by LSM
     • Defining the Security Goal
       • Least Privilege
       • Confidentiality
       • Integrity
     • Security Goal Specification
       • Simply-stated goals are often too restrictive (e.g., no low integrity data dependencies)
       • Flexible languages enable complex goals, but too complex (e.g., access matrix)
     • Our Solution Aims:
       • Comprehensive
       • Integrity
       • Use simple model as target, but enable flexible fine tuning
