
Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA

Advanced Systems Security: Linux Security Modules

Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab
Computer Science and Engineering Department
Pennsylvania State University
February 25, 2010

Linux Authorization circa 2000

Linux Security circa 2000

Linus's Dilemma

The Answer
  - The solution to all computer science problems: add another layer of indirection

Linux Before and After

Linux Security Modules Was Born

LSM Requirements

LSM Tasks

LSM Security Fields

LSM Security Fields

LSM Hooks

LSM Hooks

LSM API

POSIX Capabilities

Hook Details

LSM Performance

LSM Use

LSM and Complete Mediation
  - LSM is mainly responsible for complete mediation
  - What was the basis for choosing security-sensitive operations? Pretty ad hoc.
  - How did that work out?

LSM Analysis
  - Static analysis of Zhang, Edwards, and Jaeger [USENIX Security 2002]
  - Based on a tool called CQUAL
  - Many supplementary analyses were necessary
  - Found a TOCTTOU bug

    /* from fs/fcntl.c */
    long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
    {
        struct file *filp;
        ...
        filp = fget(fd);
        ...
        err = security_ops->file_ops->fcntl(filp, cmd, arg);
        ...
        err = do_fcntl(fd, cmd, arg, filp);
        ...
    }

    static long do_fcntl(unsigned int fd, unsigned int cmd,
                         unsigned long arg, struct file *filp)
    {
        ...
        switch (cmd) {
        ...
        case F_SETLK:
            err = fcntl_setlk(fd, ...);
        ...
        }
        ...
    }

    /* from fs/locks.c */
    fcntl_getlk(fd, ...)
    {
        struct file *filp;
        ...
        filp = fget(fd);
        /* operate on filp */
        ...
    }

    Figure 8: Code path from Linux 2.4.9 containing an exploitable type error.

    [Figure: interleaving of THREAD A (fd1, fd2, fcntl), THREAD B (dup2) and the kernel]

LSM Analysis
  - Runtime analysis of Edwards, Zhang, and Jaeger [ACM CCS 2002]
  - Built a runtime kernel monitor
  - Logs structure member accesses
  - Rules describe expected consistency
  - Good for finding missing hooks where one is specified
  - Six cases were found

LSM Analysis
  - Automatically inferring security specifications from code: Tan, Zhang, Ma, Xiong, Zhou [USENIX Security 2008]
  - Automate: look at which functions are behind pointers

Take Away
  - Aiming for mandatory controls in Linux
  - But everyone had their own approach
  - Linux Security Modules is a general interface for any authorization module
  - Much finer controls: the interface is the union of what everyone can do
  - What does this say about whether complete mediation should be policy-dependent?
  - Complete mediation: not that easy
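
The TOCTTOU from the LSM Analysis slide (the Figure 8 code path, where the hook authorizes filp but fd is passed on and looked up again), as an added example that is not taken from the slides or the kernel. It is a toy user-space model in C: struct file, fd_table, hook_fcntl, thread_b_dup2 and both setlk_* functions are hypothetical names, and the dup2 from the second thread is run deterministically between check and use.

```c
#include <stdio.h>
#include <string.h>

/* Toy user-space model (constructed), not kernel code; no refcounting. */
struct file { const char *name; int lock_allowed; };

#define NFDS 4
static struct file allowed = { "allowed", 1 }, denied = { "denied", 0 };
static struct file *fd_table[NFDS];

static void reset_table(void) { fd_table[1] = &allowed; fd_table[2] = &denied; }
static struct file *fget(unsigned fd) { return fd < NFDS ? fd_table[fd] : NULL; }

/* Stand-in for the LSM fcntl hook: it authorizes an object, not a number. */
static int hook_fcntl(const struct file *f) { return (f && f->lock_allowed) ? 0 : -1; }

/* Thread B's dup2(fd2, fd1), run between the check and the use. */
static void thread_b_dup2(void) { fd_table[1] = fd_table[2]; }

/* Slide pattern: check filp, then pass fd on and resolve it a second time. */
static const char *setlk_by_fd(unsigned fd, void (*race)(void)) {
    struct file *filp = fget(fd);
    if (hook_fcntl(filp) != 0) return NULL;   /* check on the first lookup */
    if (race) race();
    struct file *used = fget(fd);             /* second lookup of the same fd */
    return used ? used->name : NULL;          /* use: may be a different object */
}

/* Hardened: the object that was checked is the object that is used. */
static const char *setlk_by_filp(unsigned fd, void (*race)(void)) {
    struct file *filp = fget(fd);
    if (hook_fcntl(filp) != 0) return NULL;
    if (race) race();
    return filp->name;                        /* no second lookup */
}

int main(void) {
    reset_table();
    printf("by fd:   locked %s\n", setlk_by_fd(1, thread_b_dup2));
    reset_table();
    printf("by filp: locked %s\n", setlk_by_filp(1, thread_b_dup2));
    return 0;
}
```

Each function returns the name of the file the lock operation would act on, or NULL when the hook denies the request.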



PSU CSE 544 - Advanced Systems Security Linux Security Modules
