
Before SELinux.



Presentation on theme: "Before SELinux."— Presentation transcript:

1 Before SELinux

2 Processes all have equal access to the system...
[Diagram: Web, DNS and Mail processes side by side on the Linux Kernel]

3 Processes all have equal access to the system...
[Diagram: same as slide 2]

4 ...if one is attacked...
[Diagram: Web, DNS and Mail on the Linux Kernel; one of the processes is under attack]

5 ...taken over through a vulnerability...
[Diagram: Web, DNS and Mail on the Linux Kernel; the attacked process is now controlled by the attacker]

6 ...and gets a privilege escalation...
[Diagram: Web, DNS and Mail on the Linux Kernel; the compromised process escalates to root]

7 ...the system is lost.
[Diagram: Web, DNS, Mail and the Linux Kernel all under the attacker's control]

8 With SELinux

9 Each process is confined in its own sandbox, distinct from the others.
[Diagram: Web, DNS and Mail each in a separate box on the Linux Kernel]

10 If a process is attacked...
[Diagram: Web, DNS and Mail each in a separate box; one of them is under attack]

11 ...and compromised, there is far less exposure. You lose the process, not the system.
[Diagram: the compromised process stays inside its own box; DNS, Mail and the Linux Kernel are untouched]

12 ...now add virtualization...

13 ...before virtualization...
[Diagram: two separate physical machines, each running Web, DNS and Mail on its own Linux Kernel; a compromised machine attacks the other machines over the network]

14 Virtual machine processes all have equal access to the system...
[Diagram: VM 1, VM 2 and VM 3 running as processes on one Linux Kernel, with disk images Image1, Image2, Image3 ... ImageN stored on the host]

15 ...if an application on a virtual machine is attacked...
[Diagram: VM 1, VM 2 and VM 3 on the Linux Kernel with Image1 ... ImageN; the Web application inside VM 1 is under attack]

16 ...compromised...
[Diagram: the Web application inside VM 1 is now controlled by the attacker; VM 2, VM 3, the Linux Kernel and Image1 ... ImageN are unchanged]

17 ...and gets a privilege escalation...
[Diagram: the attacker gains root inside VM 1; VM 2, VM 3, the Linux Kernel and Image1 ... ImageN shown alongside]

18 ...and your machine has a hypervisor vulnerability...
[Diagram: the attacker breaks out of VM 1 through the hypervisor and onto the host Linux Kernel, reaching VM 2, VM 3 and the images]

19 ...and not just the running VMs and the host are lost, but every stored image as well...
[Diagram: from the host Linux Kernel the attacker can read and write Image1, Image2, Image3 ... ImageN, including images of guests that are not running]

20 Popular Science April 2011

21 SELinux to the rescue

22 SELinux is all about labeling
Processes get labels. Virtual machines with KVM are processes!!!
Files/devices get labels. Virtual images are stored on files/devices!!!!
Rules control how process labels interact with process/file labels.
The kernel enforces these rules.

Speaker notes: Over the last several years we have been building a Mandatory Access Control system called SELinux. SELinux is all about labeling. On an SELinux system every process, file, directory... has a label. Then there is a huge rules database that defines the access between different labels. So you can label a guest process as A and an image file as B and write a rule that says process A can read/write file B. Similarly, I could create a separate guest labeled C and a separate image labeled D, and a rule that says process C can read/write file D. But if there is no rule that allows process A to access image D, the kernel will prevent process A from touching image D, even if process A is running as root.
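The label-plus-rule decision this slide describes, worked through as an added example (this is not code from the presentation, from libvirt or from SELinux itself): a small Python model of the two checks the kernel makes on each access, type enforcement (is there an allow rule for this source type, target type and class?) followed by MCS category dominance (does the process hold every category on the file?). The type names svirt_t, svirt_image_t and virt_content_t are the ones libvirt's sVirt driver uses on Fedora/RHEL; the allow rules, category numbers, pid and comm values are constructed for illustration and are a tiny subset of a real policy. The slide's guest A / image B / guest C / image D map onto vm1 / img1 / a second guest's categories / img2.

```python
"""Toy model of the SELinux access decision described on this slide.

Added example, not code from the presentation or from libvirt/SELinux.
It models two checks the kernel makes on every access, type enforcement
(is there an allow rule?) and then MCS category dominance (does the
process hold every category on the file?), using labels shaped like the
ones sVirt puts on KVM guests (svirt_t) and their disk images
(svirt_image_t).  The allow rules and category numbers are constructed
for illustration and are a tiny subset of a real policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


def _expand(cats: str) -> Set[int]:
    """Expand an MCS category list such as 'c12,c34' or 'c0.c3' to ints."""
    out: Set[int] = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return out


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:level, e.g.
    system_u:system_r:svirt_t:s0:c12,c34  (level = sensitivity[:categories])."""
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[int]

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, type_, level = text.split(":", 3)
        sens, _, cats = level.partition(":")
        return cls(user, role, type_, sens, frozenset(_expand(cats)))

    def __str__(self) -> str:
        cats = ",".join(f"c{c}" for c in sorted(self.categories))
        return f"{self.user}:{self.role}:{self.type}:{self.sensitivity}" + (
            f":{cats}" if cats else "")


# allow <source type> <target type>:<class> { perms };
Policy = Dict[Tuple[str, str, str], Set[str]]

POLICY: Policy = {
    # allow svirt_t svirt_image_t:file { read write open };
    ("svirt_t", "svirt_image_t", "file"): {"read", "write", "open"},
    # allow svirt_t virt_content_t:file { read open };  shared read-only media
    ("svirt_t", "virt_content_t", "file"): {"read", "open"},
    # Deliberately no rule for httpd_t (the Web process) -> svirt_image_t.
}


def check(policy: Policy, scontext: Context, tcontext: Context,
          tclass: str, perm: str) -> Tuple[bool, str]:
    """Decide one access.  Note what is NOT an input: the UID.  The kernel
    consults the labels, so 'root' inside a compromised guest process changes
    nothing about the answer."""
    perms = policy.get((scontext.type, tcontext.type, tclass), set())
    if perm not in perms:
        return False, (f"no TE rule: allow {scontext.type} {tcontext.type}:"
                       f"{tclass} {{ {perm} }}")
    # MCS: the subject's categories must dominate (be a superset of) the
    # object's.  A file with no categories is reachable by any guest that has
    # a TE rule for it; a file carrying c56,c78 is only reachable by the guest
    # that was started with c56,c78.
    missing = tcontext.categories - scontext.categories
    if missing:
        return False, "MCS: subject lacks " + ",".join(
            f"c{c}" for c in sorted(missing))
    return True, "allowed: TE rule present and subject dominates object"


def avc_denied(scontext: Context, tcontext: Context, tclass: str, perm: str,
               pid: int = 4242, comm: str = "qemu-kvm") -> str:
    """Format a denial the way it appears in the audit log (pid and comm are
    placeholder values), which is what an analyst greps for after an escape."""
    return (f'avc:  denied  {{ {perm} }} for  pid={pid} comm="{comm}" '
            f"scontext={scontext} tcontext={tcontext} tclass={tclass} permissive=0")


if __name__ == "__main__":
    vm1 = Context.parse("system_u:system_r:svirt_t:s0:c12,c34")            # guest A
    img1 = Context.parse("system_u:object_r:svirt_image_t:s0:c12,c34")     # its image B
    img2 = Context.parse("system_u:object_r:svirt_image_t:s0:c56,c78")     # guest C's image D
    iso = Context.parse("system_u:object_r:virt_content_t:s0")             # shared install media
    web = Context.parse("system_u:system_r:httpd_t:s0")                    # the Web process
    for who, what, perm in [(vm1, img1, "write"), (vm1, img2, "write"),
                            (vm1, iso, "read"), (vm1, iso, "write"),
                            (web, img1, "read")]:
        ok, why = check(POLICY, who, what, "file", perm)
        print(f"{who.type:<8} {perm:<5} {what}: {'ALLOW' if ok else 'DENY '} ({why})")
        if not ok:
            print("   ", avc_denied(who, what, "file", perm))
```

Two things the run makes visible that the slide only asserts: the shared ISO with no categories is readable by every guest even though each guest is otherwise isolated, and the Web process on the host cannot read any guest image at all because no type-enforcement rule exists, before MCS is even consulted. On a real host the same labels are visible with `ps -eZ | grep qemu` and `ls -Z /var/lib/libvirt/images`, and denials land in the audit log in the format avc_denied() produces.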

23 Virtual machines all wrapped with a unique SELinux label...
[Diagram: VM 1 labeled Unclassified, VM 2 and VM 3 labeled TS/SCI, running on the Linux Kernel with Image1, Image2, Image3 ... ImageN]

24 ...if an application on a virtual machine is attacked...
[Diagram: same layout as slide 23; the Web application inside VM 1 (Unclassified) is under attack]

25 ...compromised...
[Diagram: the Web application inside VM 1 (Unclassified) is now controlled by the attacker; VM 2 and VM 3 (TS/SCI), the Linux Kernel and Image1 ... ImageN are unchanged]

26 ...and gets a privilege escalation...
[Diagram: the attacker gains root inside VM 1 (Unclassified) but stays confined by its label; VM 2 and VM 3 (TS/SCI) and their images remain out of reach]

27 And of course the guest operating system can also run SELinux
[Diagram: a KVM host running two guests, one labeled Unclass and one labeled TS/SCI; each guest has its own Linux Kernel with confined services (the figure shows "Guard 2" with Web, DNS and Mail, and "Secret 1" with Web)]

28 Something everyone wants
Speaker notes: Something everyone wants. GDC4S, Harris, and all the intelligence and DoD agencies need this capability. BAE is very interested in helping with upstream development, in partnership with an agency. VMware and Citrix are moving into this space aggressively. Currently shopping for an agency who will help organize, sponsor and accredit the work necessary to put these features in mainstream RHEL.

