Secure Operating System Example: SELinux


Mandatory Protection Systems
- Subjects and objects are represented by labels
- Protection state: the operations that subject labels may perform on object labels
- Labeling state: the mapping of objects to labels
- Transition state: defines what relabeling is allowed

Mandatory Access Control
- In a mandatory protection system:
  - The set of labels is defined by trusted administrators
  - The set of labels is immutable
  - The protection state, labeling state, and transition state can only be modified by trusted administrators through trusted programs
- This is called Mandatory Access Control (MAC)

Reference Monitor
- An authorization system that determines whether a subject is allowed to perform an operation on an object
- Takes a request as input
- Returns a binary response indicating whether the request is authorized or not

Source: Operating system security, Jaeger’08, Morgan & Claypool

Secure Operating System
- A system with a reference monitor access enforcement mechanism that satisfies the requirements below when it enforces a mandatory protection system:
  - Complete mediation: all security-sensitive operations are mediated
  - Tamperproof: untrusted processes cannot modify the access enforcement system
  - Verifiable: small TCB

Securing Linux
- The Linux Security Module (LSM) framework was introduced in the early 2000s
- Provides a generic reference monitor interface
- Allows different security models to be used
- Supports the POSIX.1e capability system as an optional security model
- Two popular LSMs: AppArmor and SELinux

How does LSM work?
- Predefined LSM hooks were placed in the Linux kernel
- The hooks are the interfaces to the reference monitor
- Hook placement is non-trivial
- Over 150 hooks
- A security model just needs to implement the hooks

Security-Enhanced Linux (SELinux)
- A MAC security model built on LSM
- Provides a fine-grained access control policy
- Policy writers define the policy, which is a non-trivial job
- The quality of protection depends largely on the policy specification

Step 1: Convert the LSM hook call into an authorization query
- Parameters of an LSM call:
  - Subject: the current process that is making the call
  - Object: the inode
  - Operations requested
- Convert the subject and object to labels
  - Called a "context" in SELinux
  - Stored in the kernel
  - Each object also has a "data type"

Step 2: Retrieve the SELinux policy entry for the access request
- Example policy statement:
    allow <subject_type> <object_type>:<object_class> <operation_set>
    allow user_t passwd_exec_t:file execute
    allow passwd_t shadow_t:file {read write}

SELinux Protection State
- All the policy statements together constitute the protection state of SELinux
- Can be large and complicated
  - More than 1000 labels defined in the reference policy
  - Tens of thousands of allow statements
- More flexible than standard Unix access control
  - Allows restriction of access that is not possible, or is cumbersome, under Unix

SELinux Labeling State
- Maps users and system resources to labels
- The labeling state defines how newly created processes and resources are labeled
- File context specification: defines the mapping from file paths to object contexts, e.g.
    <file path expr> <context>
    /etc/shadow.*  system_u:object_r:shadow_t:s0
    /etc/*.*       system_u:object_r:etc_t:s0
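As an added example (not part of the slides), the following Python model shows how a file-context specification like the one above is applied: each path pattern is matched anchored against the whole path, and the last matching entry wins, which is the lookup rule libselinux uses when it labels a file. The two entries are the ones from the slide; their ordering, the sample paths, and the function names are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in file_contexts syntax: <file path regex> <context>.
# Both entries are taken from the slide. The generic /etc rule is placed
# first and the more specific /etc/shadow rule last, mirroring how a sorted
# file_contexts file orders entries so that "last match wins" picks the
# more specific one.
FILE_CONTEXTS = """\
/etc/*.*        system_u:object_r:etc_t:s0
/etc/shadow.*   system_u:object_r:shadow_t:s0
"""


class FileContextSpec(NamedTuple):
    pattern: re.Pattern
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines into (compiled regex, context) pairs.
    Comments and blank lines are skipped; an optional middle field such as
    -- or -d (the file type) is accepted and ignored here."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, _file_type, context = fields
        elif len(fields) == 2:
            path_re, context = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(FileContextSpec(re.compile(path_re), context))
    return specs


def label_for_path(path: str, specs) -> Optional[str]:
    """Labeling-state lookup: the context of the LAST matching spec, with the
    pattern anchored to the whole path (fullmatch). None means no spec matched,
    so the file would not receive a context from this specification."""
    for spec in reversed(specs):
        if spec.pattern.fullmatch(path):
            return spec.context
    return None


def split_context(context: str) -> dict:
    """Break a security context into its user:role:type:level fields
    (the level may itself contain colons, e.g. s0-s0:c0.c1023)."""
    user, role, type_, level = context.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/etc/shadow", "/etc/passwd", "/usr/bin/passwd"):
        print(p, "->", label_for_path(p, specs))
    # Reversing the entry order makes the generic rule win for /etc/shadow,
    # which is why the ordering of file_contexts matters.
    print(label_for_path("/etc/shadow", list(reversed(specs))))
```

The `reversed(specs)` call in `label_for_path` is the whole point: with the entries in the order shown, `/etc/shadow` gets `shadow_t`, but if the generic `/etc/*.*` line came last it would be labeled `etc_t`, and the `allow passwd_t shadow_t:file {read write}` rule from the slides would no longer apply to it.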

SELinux Transition State
- Defines under what conditions the labels of subjects/objects may change
- e.g., file label transition:
    type_transition <creator_type> <default_type>:<class> <resultant_type>
    type_transition passwd_t etc_t:file shadow_t
- A process with the passwd_t label creates a file that would otherwise get etc_t; with this policy the file gets the shadow_t label instead

SELinux Transition State
- Defines under what conditions the labels of subjects/objects may change
- e.g., user label transition:
    type_transition <current_type> <executable_file_type>:process <resultant_type>
    type_transition user_t passwd_exec_t:process passwd_t
- A process with the user_t label changes to passwd_t when it executes a file with the passwd_exec_t label

SELinux Transition State
- All transitions must be authorized, i.e., there must be corresponding "allow" statements for the transition
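As an added example (not from the slides), here is a small Python model tying together Steps 1 and 2, the two type_transition slides, and the rule that every transition must be backed by allow statements. It parses the allow and type_transition rules shown on the slides, answers reference-monitor queries with a yes/no, computes the resulting type for an execve or file creation, and reports which allow rules a transition still lacks. The additional allow rules in the sample policy (process transition, file entrypoint, file create, dir add_name) are the ones the SELinux kernel checks before honouring such a transition; the class and function names, and the idea of returning a list of missing rules, are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed policy fragment in SELinux policy syntax. The allow and
# type_transition rules from the slides appear verbatim; the other allow
# rules are the ones the kernel also requires before it honours a transition
# (process: transition + entrypoint; file: create, plus add_name in the dir).
POLICY = """
# protection state (from the slides)
allow user_t passwd_exec_t:file execute
allow passwd_t shadow_t:file { read write }

# extra rules needed for the user_t -> passwd_t process transition
allow user_t passwd_t:process transition
allow passwd_t passwd_exec_t:file entrypoint

# extra rules needed for passwd_t to create a shadow_t file in an etc_t dir
allow passwd_t etc_t:dir { search add_name write }
allow passwd_t shadow_t:file create

# transition state (from the slides)
type_transition user_t passwd_exec_t:process passwd_t
type_transition passwd_t etc_t:file shadow_t
"""

RULE_RE = re.compile(r"(allow|type_transition)\s+(\w+)\s+(\w+):(\w+)\s+(.+)")


class Policy:
    """In-memory protection state (allow) and transition state (type_transition)."""

    def __init__(self, text):
        self.allow = defaultdict(set)   # (source, target, class) -> permitted operations
        self.transition = {}            # (source, target, class) -> resulting type
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                self._parse_rule(line)

    def _parse_rule(self, line):
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        kind, src, tgt, cls, rest = m.groups()
        if kind == "allow":
            self.allow[(src, tgt, cls)] |= set(rest.strip("{} ").split())
        else:
            self.transition[(src, tgt, cls)] = rest.strip()

    def permitted(self, src, tgt, cls, op):
        """Step 2: the reference-monitor query, answered yes or no."""
        return op in self.allow.get((src, tgt, cls), set())

    def default_type(self, src, tgt, cls):
        """Transition-state lookup. Without a matching type_transition a new
        process keeps the caller's type and a new file inherits the directory type."""
        return self.transition.get((src, tgt, cls), src if cls == "process" else tgt)


def authorize(policy, subject_ctx, object_ctx, cls, op):
    """Step 1 + Step 2: take the type field out of each security context
    (user:role:type:level) and consult the policy."""
    subj_type = subject_ctx.split(":")[2]
    obj_type = object_ctx.split(":")[2]
    return policy.permitted(subj_type, obj_type, cls, op)


def exec_transition(policy, caller_type, exe_type):
    """Model execve(): compute the resulting process type, then list every
    allow rule the transition still lacks (an empty list means authorized)."""
    new_type = policy.default_type(caller_type, exe_type, "process")
    needed = [(caller_type, exe_type, "file", "execute")]
    if new_type != caller_type:
        needed += [(caller_type, new_type, "process", "transition"),
                   (new_type, exe_type, "file", "entrypoint")]
    missing = [n for n in needed if not policy.permitted(*n)]
    return new_type, missing


def create_file(policy, creator_type, dir_type):
    """Model creating a file: resulting file type plus any missing allow rules."""
    new_type = policy.default_type(creator_type, dir_type, "file")
    needed = [(creator_type, dir_type, "dir", "add_name"),
              (creator_type, new_type, "file", "create")]
    missing = [n for n in needed if not policy.permitted(*n)]
    return new_type, missing


if __name__ == "__main__":
    p = Policy(POLICY)
    print(exec_transition(p, "user_t", "passwd_exec_t"))   # ('passwd_t', [])
    print(create_file(p, "passwd_t", "etc_t"))             # ('shadow_t', [])
    # Drop one allow rule and the same type_transition is no longer authorized:
    weaker = Policy(POLICY.replace("allow user_t passwd_t:process transition", ""))
    print(exec_transition(weaker, "user_t", "passwd_exec_t"))
```

The `weaker` policy at the end illustrates the last slide: the `type_transition` line alone only says which label the new process should get; without the matching `allow user_t passwd_t:process transition` the reference monitor refuses the execve, so a type_transition that is not backed by allow rules never takes effect.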

SELinux Security
- Complete mediation
  - All accesses to all objects have to go through the reference monitor
  - Depends on LSM hook placement
  - No errors have been found since Linux 2.6
- Tamperproof
  - The policy protects the kernel from "weak accesses"
- Verifiable