
Chapter 9 Building a Secure Operating System for Linux

Chapter Overview
Linux Security Modules
– History
– Implementation
SELinux
– Reference Monitor
– Protection State
– Labeling State
– Transition State
– Administration
– Trusted Programs
– Security Evaluation

Linux Security Modules
A reference monitor system for the Linux kernel. It consists of two parts:
– Reference monitor interface (the hooks in the kernel)
– Reference monitor module (an LSM)
Several LSMs have been implemented. AppArmor was covered earlier; this chapter covers SELinux.

LSM History
Lots of early security work on Linux:
– Argus PitBull
– LIDS
– SubDomain (later AppArmor)
– RSBAC
– grsecurity
– DTE for Linux
– Medusa DS9
– Openwall
– HP's initiative
– Flask (SELinux)

LSM History (II)
By 2001 it was obvious that Linux needed a reference monitor; every project was reinventing the wheel! But:
– Linus Torvalds was not a security expert and could not choose among the approaches
– There was no real agreement on which approach was the "best" one
The result was a design based on kernel modules, with a single interface serving all the necessary modules: the LSM framework.

LSM Requirements
– The reference monitor must be truly generic, so that switching to a different security model is simply a matter of loading a different kernel module.
– The interfaces must be "conceptually simple, minimally invasive, and efficient."
– It must support the POSIX.1e capabilities mechanism as an "optional security module".

Design of the reference monitor
The interface was formed as the union of the hooks needed by all the projects to date, with the number of authorization queries restricted to avoid redundant authorizations. The interface was designed manually; source-code analysis tools were then used to verify its completeness and consistency, finding six bugs. Most of the interface had negligible performance impact; the exception was the CIPSO implementation. Network security is now supported in one of two ways:
– Labeled IPsec
– A new implementation of CIPSO called NetLabel

LSM History, final details
The LSM framework was officially added to the Linux kernel in version 2.6. SELinux and POSIX capabilities were included with the release of LSM. Novell bought the company that supported AppArmor (Immunix), so AppArmor is also available.

LSM Implementation
The LSM framework implementation has three parts:
– Reference monitor interface definition
– Reference monitor interface placement
– Reference monitor implementation

LSM Reference Monitor definition
Specifies the way the kernel can invoke the LSM reference monitor. The definition is in the file include/linux/security.h in the kernel sources, which (in the 2.6 kernels the chapter describes) defines a structure security_operations holding all the LSM function pointers. These are called LSM hooks: about 150 hooks for authorizations, plus other hooks for labels, label transitions and label maintenance. Current kernels keep the same concept but have replaced the single function-pointer structure with per-hook lists (security_hook_heads, populated with LSM_HOOK_INIT), which is what lets several modules be stacked.

LSM Reference Monitor placement
Where to place the hook?
– At the entrance to the system call? Then the check is made on the arguments (e.g. a pathname) before the kernel has resolved them to an object.
– What about TOCTTOU attacks? A pathname checked at syscall entry can be re-pointed (e.g. through a symlink) before the kernel uses it, so the check and the use would refer to different objects.
– What about the "open" system call? It resolves several objects (every directory in the path, then the file itself), so a single check at entry could not cover them all.
The hooks were therefore placed inside the kernel at the points where the object (inode, file, socket, ...) has already been resolved, and are invoked through in-line function declarations, so a hook adds only an indirect function call.

LSM Hook Architecture

LSM Reference Monitor Implementation
Each LSM reference monitor is different. However, most security-enhanced versions of Linux use the same hooks; the exception is RSBAC.
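The following is an added example, not code from the slides, the textbook or the Linux kernel: a userspace C model of the hook design described in the definition, placement and implementation slides above. The security_operations table of function pointers, the two modules (a capability-style one that defers to DAC and a toy type-enforcement module standing in for something like SELinux), the domain and type names, the allow rules and the simulated namespace are all assumptions made up for the illustration. It shows the hook being invoked on the already-resolved inode, a rejected placement at syscall entry that a TOCTTOU race defeats, and a domain transition applied from the exec hook.

```c
/* Userspace model of the LSM hook design (added example, not kernel code).
 * One table of function pointers is the reference monitor interface; the kernel
 * calls it at mediation points after resolving the object; "loading" a module
 * means installing a different table. Names and rules below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAY_READ  1
#define MAY_WRITE 2

struct inode { const char *label; int data; };  /* label = the object's security blob */
struct cred  { const char *domain; };            /* the subject's security blob */

/* Reference monitor interface: two of the ~150 LSM hooks, as function pointers.
 * A hook returns 0 to allow or -errno to deny. */
struct security_operations {
    const char *name;
    int (*inode_permission)(const struct cred *cred, const struct inode *inode, int mask);
    int (*bprm_set_creds)(struct cred *cred, const struct inode *exe);
};

/* Module 1: a "capability"-style default that never denies (DAC decides alone). */
static int cap_inode_permission(const struct cred *c, const struct inode *i, int m) { (void)c; (void)i; (void)m; return 0; }
static int cap_bprm_set_creds(struct cred *c, const struct inode *e) { (void)c; (void)e; return 0; }
static struct security_operations capability_ops = { "capability", cap_inode_permission, cap_bprm_set_creds };

/* Module 2: a toy type-enforcement module. Rules are "allow domain type:file perms". */
struct te_rule { const char *domain; const char *type; int mask; };
static const struct te_rule te_allow[] = {          /* hypothetical policy */
    { "user_t",  "user_home_t",     MAY_READ | MAY_WRITE },
    { "user_t",  "httpd_exec_t",    MAY_READ },
    { "httpd_t", "httpd_content_t", MAY_READ },
};
static int te_inode_permission(const struct cred *c, const struct inode *i, int mask) {
    for (size_t k = 0; k < sizeof te_allow / sizeof te_allow[0]; k++)
        if (!strcmp(te_allow[k].domain, c->domain) && !strcmp(te_allow[k].type, i->label) &&
            (te_allow[k].mask & mask) == mask)
            return 0;
    return -EACCES;
}
/* Domain transition at exec (the alternative to setuid): user_t executing a file
 * labelled httpd_exec_t continues as httpd_t and keeps only httpd_t's permissions. */
static int te_bprm_set_creds(struct cred *c, const struct inode *exe) {
    if (!strcmp(c->domain, "user_t") && !strcmp(exe->label, "httpd_exec_t")) c->domain = "httpd_t";
    return 0;
}
static struct security_operations te_ops = { "te", te_inode_permission, te_bprm_set_creds };

/* The single active module; registering another one swaps the whole table. */
static struct security_operations *security_ops = &capability_ops;
int register_security(struct security_operations *ops) { security_ops = ops; return 0; }
const char *active_module(void) { return security_ops->name; }

/* Constructed namespace. /tmp/link is a symlink the attacker can re-point. */
static struct inode home = { "user_home_t", 1 }, shadow = { "shadow_t", 2 }, httpd = { "httpd_exec_t", 3 };
static struct inode *link_target = &home;
void repoint_link_to_shadow(void) { link_target = &shadow; }
void reset_link(void) { link_target = &home; }
static struct inode *path_lookup(const char *path) {
    if (!strcmp(path, "/home/user/notes")) return &home;
    if (!strcmp(path, "/etc/shadow"))      return &shadow;
    if (!strcmp(path, "/usr/sbin/httpd"))  return &httpd;
    if (!strcmp(path, "/tmp/link"))        return link_target;
    return NULL;
}

/* LSM placement: the hook runs on the resolved inode and that same inode is used.
 * Returns the file's data on success, -errno on failure. `race` simulates an
 * attacker acting between the check and the use. */
int sys_open_lsm(const struct cred *c, const char *path, int mask, void (*race)(void)) {
    struct inode *ino = path_lookup(path);
    if (!ino) return -ENOENT;
    int rc = security_ops->inode_permission(c, ino, mask);
    if (race) race();                 /* the name may change now ... */
    return rc ? rc : ino->data;       /* ... but the kernel still uses the checked inode */
}

/* Rejected placement: authorize at syscall entry by name, then resolve the name
 * again at use. The name can be re-pointed in between (TOCTTOU). */
int sys_open_entry_check(const struct cred *c, const char *path, int mask, void (*race)(void)) {
    struct inode *checked = path_lookup(path);
    if (!checked || security_ops->inode_permission(c, checked, mask)) return -EACCES;
    if (race) race();
    struct inode *used = path_lookup(path);
    return used ? used->data : -ENOENT;
}

/* exec: the caller must be allowed to read the executable, then the module may
 * change the credentials (a label transition). */
int sys_execve(struct cred *c, const char *path) {
    struct inode *exe = path_lookup(path);
    if (!exe) return -ENOENT;
    int rc = security_ops->inode_permission(c, exe, MAY_READ);
    return rc ? rc : security_ops->bprm_set_creds(c, exe);
}

int main(void) {
    struct cred u = { "user_t" };
    register_security(&te_ops);
    printf("[%s] open /etc/shadow -> %d\n", active_module(), sys_open_lsm(&u, "/etc/shadow", MAY_READ, NULL));
    reset_link();
    printf("entry-check open /tmp/link with race -> %d (shadow inode leaked)\n",
           sys_open_entry_check(&u, "/tmp/link", MAY_READ, repoint_link_to_shadow));
    reset_link();
    printf("lsm open /tmp/link with race -> %d (home inode, as checked)\n",
           sys_open_lsm(&u, "/tmp/link", MAY_READ, repoint_link_to_shadow));
    sys_execve(&u, "/usr/sbin/httpd");
    printf("after exec: domain=%s, open home -> %d\n", u.domain, sys_open_lsm(&u, "/home/user/notes", MAY_READ, NULL));
    return 0;
}
```

Compile with cc -std=c99 and run: the output shows that only the entry-check placement lets the re-pointed link return the shadow inode, and that after executing the httpd_exec_t file the process is httpd_t and no longer has user_t's access to the home directory. The point of the model is the shape of the interface, not the toy policy: the kernel code around the hook does not change when the module does.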

Security-Enhanced Linux

SELinux Reference Monitor
Two distinct processing steps:
– Convert the input values from the LSM hooks into one or more authorization queries (subject label, object label, object class, requested operations).
– Check each query against the SELinux protection system.

SELinux Protection State

SELinux Contexts

The previous diagram gave an idea of the user labels; each context has permissions assigned to it. There is also an MLS policy; it allows read-down, but (unlike classic write-up) it only allows writes at the same level. Both the type labels and the MLS labels are checked, and an operation must pass both. There are 20 different object data types (classes) and many operations per class, including read, write, execute, create, ioctl, fcntl and extended-attribute operations. The protection state has over 1000 labels. Very complex administration!

SELinux Labeling State
Files/objects are labeled, by default, based on their location in the file system, but file contexts can be used to override the defaults. Labels are inherited: the label of a new file is inherited from the label of its parent directory, unless the policy specifies a different type for that combination of creating domain and parent type. Some processes have permission to relabel files.
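As an added example (not code from the slides, the textbook or SELinux itself), the labeling rules just described as a small userspace C model: a new file takes its parent directory's type unless a type_transition-style rule names another type; a restorecon-style relabel resolves the path against a file_contexts-like table where the most specific entry wins; and relabeling is itself mediated, needing relabelfrom on the old type and relabelto on the new one. The type names (etc_t, shadow_t, httpd_sys_content_t, ...) follow the reference-policy naming style, but the rule tables, the stems and the restorecon_t domain are assumptions made up for the illustration.

```c
/* Userspace model of SELinux file labeling (added example, not SELinux code).
 * Tables below are hypothetical policy fragments, named in reference-policy style. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct inode { const char *type; };

/* type_transition <creating domain> <parent type>:file <new type>; */
struct type_transition { const char *domain, *parent_type, *new_type; };
static const struct type_transition transitions[] = {
    { "passwd_t", "etc_t", "shadow_t" },
    { "httpd_t",  "tmp_t", "httpd_tmp_t" },
};

/* Label for a file created by `domain` inside directory `parent`. */
const char *label_new_file(const char *domain, const struct inode *parent) {
    for (size_t i = 0; i < sizeof transitions / sizeof transitions[0]; i++)
        if (!strcmp(transitions[i].domain, domain) && !strcmp(transitions[i].parent_type, parent->type))
            return transitions[i].new_type;
    return parent->type;                 /* default: inherit from the parent directory */
}

/* file_contexts: path stem -> default type. */
struct file_context { const char *stem, *type; };
static const struct file_context file_contexts[] = {
    { "/",                "root_t" },
    { "/etc",             "etc_t" },
    { "/etc/shadow",      "shadow_t" },
    { "/var/www",         "httpd_sys_content_t" },
    { "/var/www/cgi-bin", "httpd_sys_script_exec_t" },
};

/* A stem matches only on a path-component boundary: "/etc" must not match "/etcetera". */
static int stem_matches(const char *stem, const char *path) {
    size_t n = strlen(stem);
    if (strncmp(stem, path, n) != 0) return 0;
    return n == 1 || path[n] == '\0' || path[n] == '/';
}

/* The most specific (longest) matching stem wins; returns NULL if nothing matches. */
const char *default_context(const char *path) {
    const char *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof file_contexts / sizeof file_contexts[0]; i++) {
        size_t n = strlen(file_contexts[i].stem);
        if (stem_matches(file_contexts[i].stem, path) && n >= best_len) {
            best = file_contexts[i].type;
            best_len = n;
        }
    }
    return best;
}

/* allow <domain> <type>:file { relabelfrom relabelto };  (flags: from, to) */
struct relabel_rule { const char *domain, *type; int from, to; };
static const struct relabel_rule relabel_allow[] = {
    { "restorecon_t", "etc_t",       1, 1 },
    { "restorecon_t", "shadow_t",    1, 1 },
    { "user_t",       "user_home_t", 1, 1 },
};
static int relabel_perm(const char *domain, const char *type, int want_to) {
    for (size_t i = 0; i < sizeof relabel_allow / sizeof relabel_allow[0]; i++)
        if (!strcmp(relabel_allow[i].domain, domain) && !strcmp(relabel_allow[i].type, type))
            return want_to ? relabel_allow[i].to : relabel_allow[i].from;
    return 0;
}

/* Relabeling is mediated: relabelfrom on the old type AND relabelto on the new one. */
int relabel_file(const char *domain, struct inode *ino, const char *new_type) {
    if (!relabel_perm(domain, ino->type, 0) || !relabel_perm(domain, new_type, 1)) return -EACCES;
    ino->type = new_type;
    return 0;
}

/* restorecon: reset a file's label to its file_contexts default, if the domain may. */
int restorecon(const char *domain, const char *path, struct inode *ino) {
    const char *want = default_context(path);
    if (!want) return -ENOENT;
    if (!strcmp(want, ino->type)) return 0;    /* already correctly labelled */
    return relabel_file(domain, ino, want);
}

int main(void) {
    struct inode etc = { "etc_t" }, home = { "user_home_t" };
    printf("user_t creates in user_home_t -> %s\n", label_new_file("user_t", &home));
    printf("passwd_t creates in etc_t     -> %s\n", label_new_file("passwd_t", &etc));
    printf("/var/www/cgi-bin/x.cgi         -> %s\n", default_context("/var/www/cgi-bin/x.cgi"));
    struct inode f = { "etc_t" };               /* /etc/shadow wrongly labelled etc_t */
    int rc_user = relabel_file("user_t", &f, "shadow_t");
    int rc_admin = restorecon("restorecon_t", "/etc/shadow", &f);
    printf("user_t relabel -> %d, restorecon_t restorecon -> %d, now %s\n", rc_user, rc_admin, f.type);
    return 0;
}
```

The two mechanisms are deliberately separate, as they are in SELinux: the inheritance/transition rule decides the label at creation time in the kernel, while the file_contexts table is only consulted by userspace tools that relabel afterwards, and those tools are subject to the same relabelfrom/relabelto checks as any other process.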

SELinux Transition State
Rather than SUID programs, SELinux uses label transitions, and a transition is only allowed at execution. The transition gives only the limited privileges of the new label, and not every program is allowed to run a transitioning program. Instead of gatekeepers, SELinux relies on programmers to keep their programs safe.

SELinux Administration
Different kinds of policies:
– Monolithic
– Modular
Policy development:
– Strict policy
– Targeted (like AppArmor: only selected programs are confined)
– Reference Policy

SELinux Trusted Programs

SELinux Security Evaluation