Mandatory Access Control and the Real World

Slides:

Advertisements

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

Advertisements

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.

Embedded System Lab. What is an embedded systems? An embedded system is a computer system designed for specific control functions within a larger system,

Lecture 13 Page 1 CS 111 Online File Systems: Introduction CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

1 Flexible Mandatory Access Control (MAC) in Modern Operating Systems Jeffrey H. Jewell CS 591 December 7, 2009 Jeffrey H. Jewell CS 591 December 7, 2009.

SELinux (Security Enhanced Linux) By: Corey McClurg.

Security-Enhanced Linux Joseph A LaConte CS 522 December 8, 2004.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

8.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 8: Introducing Computer Accounts.

Lecture 10 Page 1 CS 236 Online Prolog to Lecture 10 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

Lecture 13 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Deepnet Unified Authentication for Outlook Anywhere.

Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.

Access Controls Henry Parks SSAC 2012 Presentation Outline Purpose of Access Controls Access Control Models –Mandatory –Nondiscretionary/Discretionary.

Lecture 15 Page 1 CS 236 Online Prolog to Lecture 15 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Windows 2000 Security Yingzi Jin. Introduction n Active Directory n Group Policy n Encrypting File System.

Lecture 2 Page 1 CS 236 Online Prolog to Lecture 2 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.

Trusted Operating Systems

Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University

Lecture 17 Page 1 CS 236 Online Prolog to Lecture 17 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.

5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how do I get it? Getting Started Mandatory Access Control.

Lecture 3 Page 1 CS 236 Online Prolog to Lecture 3 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 19 Page 1 CS 236 Online Prolog to Lecture 19 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 8 Page 1 CS 236 Online Prolog to Lecture 8 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Lecture 10 Page 1 CS 111 Online Memory Management CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.

Lecture 1 Page 1 CS 111 Summer 2013 Important OS Properties For real operating systems built and used by real people Differs depending on who you are talking.

Lecture 14 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.

Overview of NSA Security Enhanced Linux Russell Coker.

SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

CSCE 548 Student Presentation By Manasa Suthram

Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé

Operating System Structures

Android Access Control

Secure Software and the Law

Quicken Connection issues Number More info :

How to Install Quicken Software

DHCP, DNS, Client Connection, Assignment 1 1.3

Advanced System Security

Lecture 21: Introduction to Process Scheduling

SELinux (Security Enhanced Linux)

An Overview Rick Anderson Pat Demko

Prolog to Lecture 2 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Guest Lecture in Acc 661 (Spring 2007) Instructor: Christopher Brown)

SE Linux University Consortium

Lecture 21: Introduction to Process Scheduling

CSC 480 Software Engineering

NSA Security-Enhanced Linux (SELinux)

Android Access Control

Presentation transcript:

Prolog to Lecture 3 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Mandatory Access Control and the Real World For a long time, things like Bell-La Padula were hard to run Real-world commercial systems did not support them That’s changing

SE Linux and Flask Security Enhanced Linux Developed by NSA researchers Open source, like all Linux Implementation of the Flask security architecture Which allows flexible use of mandatory access control

What Can You Do With Flask? Multi-level security Including Bell La Padula Domain Type Enforcement Role-based Access Control Many other types of mandatory access control policies No superuser, many other common Linux/Unix security problems avoided

Flask and Solaris Flask architecture to be added to Oracle Solaris operating system Essentially the same architecture as in SE Linux

What Does This Mean For You? You can get usable, commercial operating systems with MAC Even operating systems with strong industry support Well, so what?

Is MAC For You? MAC is only useful where it makes sense to force policy to be followed Typically not on a single user’s personal machine More common on industry installations Especially those with military connections Do you need to guarantee access control properties? Regardless of how foolish your users are?