Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Mandatory Integrity Protection for Operating Systems Authors: Ninghui Li, Ziqing Mao and Hong Chen “IEEE Symposium on Security and Privacy(SP’07)”

Published byWinifred Underwood Modified over 9 years ago

Similar presentations

Presentation on theme: "Usable Mandatory Integrity Protection for Operating Systems Authors: Ninghui Li, Ziqing Mao and Hong Chen “IEEE Symposium on Security and Privacy(SP’07)”"— Presentation transcript:

1 Usable Mandatory Integrity Protection for Operating Systems Authors: Ninghui Li, Ziqing Mao and Hong Chen “IEEE Symposium on Security and Privacy(SP’07)” By:Poornakumar Rasiraju

2 Introduction Host compromise is one of the most serious security problems today. What is the problem with the compromised hosts? Form Botnets which can be used to carry out the attacks such as phishing, Spamming and Distributed denial of service. Can we deal with these threats at the network level? Partially, by using technologies such as Firewall and Network Intrusion Detection System.

3 Introduction.. Two reasons why hosts can be easily compromised? Software is buggy. Discretionary access control mechanisms are insufficient to defend against network-based attacks. Are there any efforts to make computer systems secure? Adding MAC to Operating Systems such as SELinux, AppArmor, Systrace and LOMAC.

4 Introduction…. Then what is the problem? They are complex and difficult to configure. For example, SELinux. --29 different classes of objects --hundreds of operations --Thousands of policy rules SELinux policy interface is daunting even for security experts.

5 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

6 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

7 Six Design Principles for Usable Access Control Systems Principle 1: Provide “good enough” security with a high level of usability, rather than “better” security with a low level of usability. Aim at providing a system that is easy to configure which can greatly increase the level of security by reducing the attack surfaces. Principle 2: Provide policy, not just mechanism. The mechanism-not-policy approach is problematic for security. Principle 3: Have a well-defined security objective. In order to make a meaningful tradeoff between security and usability, we must identify the security objective and it is the first step in designing a policy.

8 Six Design Principles for Usable Access Control Systems.. Principle 4: Carefully design ways to support exceptions in the policy model. One must carefully design the policy model and the exception mechanisms so that the number of exceptions are small. Principle 5: Rather than trying to achieve “Strict least privilege”, aim for “good –enough least privilege”. Trying to achieve Strict least privilege results in large number of policy rules. Minimize the policy rules. Principle 6: Use familiar abstractions in the policy specification interface. The policy specification interface should use concepts and abstractions that administrators are familiar with.

9 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

10 Security Goal of the UMIP Model Aim: To protect the system integrity against network based attacks. Assumptions: Network server and client programs contain bugs Users may make careless mistakes Example: Downloading and running of malicious programs from the internet. Attacker doesn’t have physical access to the host to be protected. What does the proposed Model achieve? Attacker can only get limited privileges and cannot compromise system integrity.

11 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

12 Usability Goals of the UMIP Model Usability Goals for UMIP are twofold: Configuring a UMIP system should not be difficult. Existing applications can still be used under UMIP. Administrator can configure the system in an easier manner depending upon needs. UMIP can be implemented by using the Linux security Module Framework.

13 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

14 Overview uid, gid is too coarse-granulated, a natural extension is to treat a triple of uid, gid and the current program that is running in the process as a principal. In order to determine what the current process should be allowed to do, one has to consider the parent process and so on… We call this the request channel. How to capture the information in a request channel is a key challenge.

15 UMIP Model:- Each process has one bit that denotes its integrity level. When a process is created, it inherits the integrity level of the parent process. If the request channel is likely to be exploited by an attacker, then the process has low integrity. If the request channel is legitimately used for system administration, then the process has high integrity. The UMIP Model is extended with exceptions to support existing software.

16 Fig: The Summary of the UMIP Model

17 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

18 Dealing with communications The process integrity level drops, when it receives remote network traffic. In the UMIP Model, the process running the program (RAP), maintains its integrity level when receiving network traffic. RAP is introduced to trade off security in favor of usability. The UMIP Model leaves the decision of whether to allow remote administration or not to the system administrators.

19 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

20 Restricting Low integrity process Security critical operations are classified into two categories:- File operations and non-file administrative operations. In modern Linux, the operations are controlled by capabilities. The default UMIP rule grants only two capabilities CAP_SETGID and CAP_SETUID to low-integrity process.

21 Restricting Low integrity process.. Low integrity process running as root cannot set its uid to a new normal user. To identify which files should be considered sensitive is a challenging task. Utilizes the valuable information in existing Discretionary Access Control (DAC) mechanisms for MAC.  A low integrity process is forbidden from changing the DAC permission of any (read- or write-) protected file. Exception policies The binary “/usr/sbin/vsftpd” is allowed to use the capabilities CAP_NET_BIND_SERVICE, CAP_SYS_SETUID, CAP_SYS_SETGID and CAP_SYS_CHROOT, to read the file /etc/shadow, to read all files under the directory /etc/vsftpd, and to read or write the file /var/log/xferlog.

22 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

23 Contamination through files Process integrity level drops after reading and executing files that are not write-protected.  Even if a file is write-protected, it may still be written by low- integrity process, due to the exception policies. Sticky bit is used to track contamination for files. A low-integrity process is forbidden from changing the sticky bit of a file. The sticky bit can be reset by a special utility program provided by the protection system.

24 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

25 Files owned by Non-System Accounts UMIP allows exceptions to be specified for specific users. Global exceptions can be applied to all processes with that users user id as specified in the account’s exception policy. A low-integrity process is disallowed from using setuid to change its user id to another user account.

26 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

27 Design principles in UMIP Principle 1:Aimed at providing good enough security with high level of usability. Principle 2&3:Used an existing mechanism and focused on designing a policy to achieve the security objective. Principle 4:Designed Exception Mechanisms. Principle 5:Two design choices were made to increase the simplicity of the model.  No limitation is placed on high-integrity process.  Non-sensitive files are not protected. Principle 6:Uses files and capabilities in policy specifications.

28 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

29 Novel features of UMIP UMIP has the following novel features:  Supports a number of ways to specify some programs as partially trusted.  A file has two integrity level values.  Integrity protection is compartmentalized by users.  Allows low-integrity files to be upgraded to high-integrity.  In addition to integrity protection, it offers some confidentiality protection.  Uses DAC information to determine integrity and confidentiality labels for objects.

30 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

31 Implementation When a process issues a request, it should be authorized by both Linux DAC system and UMIP. Exceptions must be specified in a policy file. The policy file includes a list of entries. Each entry contains four fields: 1)A path that points to the program 2)The type of a program 3)A list of exceptions 4)A list of executing relationships

32 Implementation.. Figure: The four forms of file exceptions in UMIP. SyntaxMeaning (f, read)f is a regular file or a directoryAllowed to read f (f, full)f is a regular file or a directoryAllowed to do anything to f (f, read, R)d is a directoryAllowed to read any file in d recursively (f, full, R) d is a directoryAllowed to do anything to any file in d recursively

33 Fig: Sample Policy

34 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

35 Evaluation Evaluation of the UMIP Model:  Usability Transparency Flexibility Ease of configuration  Security Installing a rootkit  Kernel-mode rootkit  User-mode rootkit Stealing the shadow file Altering web files.  Performance

36 Fig: The performance results of Unixbench 4.1 measurements BenchmarkBaseEnforcingOverhead(%)SELinux(%) Dhrystone335.8334.20.5 Double-precision211.9211.60.1 Execl Throughput616.6608.315 File Copy 1K474.0454.245 File Copy 256B364.0344.1510 File Copy 4K507.5490.432 Pipe Throughput272.6269.6116 Process Creation816.9801.222 Shell Scripts648.3631.20.74 System Call217.9217.40.2 Overall446.6435.03

37 Outline Six design principles for Usable Access Control Systems. Security Goal of the UMIP Model Usability goals of the UMIP Model UMIP Model Overview Dealing with Communications Restricting Low integrity process Contamination through files Files owned by Non-System Accounts Design principles in UMIP Novel features of UMIP Implementation Evaluation Conclusion

38 The UMIP Model defends against network-based attacks and preserves the system integrity. It supports existing applications and system administration practices, and has a simple policy configuration interface.

39 References K.J.Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE. U. Shankar, T. Jaeger, and R. Sailer. Toward automated information-flow integrity verification for security-critical applications. In Proceedings of the2006 ISOC Networked and Distributed Systems Security Symposium, February 2006. T. Fraser. LOMAC: Low water-mark integrity protection for COTS environments. In 2000 IEEE Symposium on Security and Privacy, May 2000. P. Loscocco and S. Smalley. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the FREENIX track: USENIX Annual Technical Conference.

40

Download ppt "Usable Mandatory Integrity Protection for Operating Systems Authors: Ninghui Li, Ziqing Mao and Hong Chen “IEEE Symposium on Security and Privacy(SP’07)”"

Similar presentations

Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,

Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewall Configuration Strategies

Firewall Configuration Strategies
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Flexible Mandatory Access Control (MAC) in Modern Operating Systems Jeffrey H. Jewell CS 591 December 7, 2009 Jeffrey H. Jewell CS 591 December 7, 2009.

1 Flexible Mandatory Access Control (MAC) in Modern Operating Systems Jeffrey H. Jewell CS 591 December 7, 2009 Jeffrey H. Jewell CS 591 December 7, 2009.
Chapter 9 Building a Secure Operating System for Linux.

Chapter 9 Building a Secure Operating System for Linux.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
Department Of Computer Engineering

Department Of Computer Engineering
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Similar presentations

Ads by Google