Example Trusted OS
CS461 - Introduction to Computer Security
Spring 2007
Nikita Borisov

Slide 2: Overview
• Examine several Trusted Operating Systems
• Compare MAC mechanisms
• Identify tricky bits that arise in real systems

Slide 3: Reading
• Pitbull Foundation – Traditional BLP: http://www.argus-systems.com/public/docs/AIX/foundation_admin_guide.pdf
• SE Linux Type Enforcement: http://www.nsa.gov/selinux/papers/policy2.pdf
• SE Linux MLS – BLP mechanism: http://selinux-symposium.org/2006/papers/03-SELinux-and-MLS.pdf
• SE Linux – Multi-Category Security (MCS): http://james-morris.livejournal.com/5583.html
• Pitbull LX – Compartment oriented MAC: http://www.argus-systems.com/public/docs/AIX/PBLX20/lx_admin_guide.pdf
• Data General B2 Unix System: Computer Security text, section 5.2.2

Slide 4: Common points
• All implement kernel level access control
• All implement MAC
  - Plus additional DAC mechanisms (MCS)
• All keep base OS DAC

Slide 5: Pitbull Foundation
• Two types of Mandatory Controls
  - Mandatory Access Control (MAC), implemented as BLP
  - Also have Mandatory Integrity Controls (MIC), implemented as strict Biba
• Subjects have 6 labels each
  - Max, Min, effective Sensitivity Label (SL)
  - Max, Min, effective Trust Label (TL)
  - Max must dominate Min
• Directories have a range of labels

Slide 6: Pitbull Foundation
• Initial process and file labels must be explicitly enumerated
• Assume an Information System Security Officer (ISSO) to configure

Slide 7: SE Linux MLS
• Implemented in addition to type enforcement
• Supports MAC as BLP
• Many of the same issues as Pitbull Foundation

Slide 8: Problem 1 – common directories
• Programs running at TopSecret and Unclassified both need to write to /tmp
  - Could re-write all programs…
• Introduce partitioned, poly-instantiated or multi-level directories

Slide 9: Multi-level or Poly-instantiated Directories
• Can be implemented as a nested directory
  - Special top level multi-level directory
  - Sub directory for each level
• Normal users see only one directory, with the contents at their own level
• SE Linux plays with the filesystem namespace
  - Hooks with PAM to unmap "wrong" versions from the user's namespace

Slide 10: Problem 2 – exceptions to BLP
• Normal users should follow BLP
• Need special users and programs to
  - Administer labels and labeling
  - Declassify data
  - Change effective sensitivity labels
  - Backup and restore data
• Special user in vanilla Unix is root
  - Root bypasses all restrictions

Slide 11: Privileges for Exceptions
• Foundation uses privileges
  - Essentially splits root's bypasses into more refined elements
  - Least privilege
  - Privilege hierarchy: PV_ROOT, PV_DAC, PV_DAC_R
• SELinux uses type attributes and constraint rules to model privileged exceptions

Slide 12: Problem 3 – Constraining Privilege
• What privilege does a new process inherit?
  - Same privilege as calling process?
  - More privileges?
  - Fewer?

Slide 13: Constraining Privilege in Pitbull
• Label process with three sets
  - Effective Privilege – set of active privileges
  - Maximum Privilege – set the current process can activate
  - Limiting Privilege – upper limit on privileges that can be inherited by a child process. May include privileges not in the maximum set.
• Label executable with three sets
  - Innate Privilege – intersected with parent's limiting privilege set to get the maximum set of the new process
  - Proxy Privilege – intersected with parent's maximum set to add to the maximum set of the new process
  - Authorized Privilege – added to the new process maximum set only if the user is authorized

Slide 14: Problem 4 – What about network data?
• What is the granularity of labeling network data?
• Can you exchange labels between trusted systems?
• How is the label of network data tracked between systems?

Slide 15: Labelled Network Data
• Label can be encoded in IP Options
  - Encoded using CIPSO
  - IP Options have routing problems
• SE Linux has a patch to label IPSec Security Associations
  - Leverage SA negotiation to exchange labels
• Netrules refer to protocol, port and interface
  - Define label of outgoing traffic
  - Define label of incoming traffic for an unlabeled network

Slide 16: Problem 5 – When are Checks Performed?
• Ideally the mandatory check is performed on each object access
• Normally, checks correspond to file opens
  - If the subject changes effective level, some illegal accesses may be allowed

Slide 17: Example Scenario
User    | Role            | Clearance | Projects
Alice   | Project Manager | High      | Proj1, Proj2, Proj3
Bob     | Intern          | Low       | Proj1, Proj2
Charles | Dev Manager     | High      | Proj1

Slide 18: Foundation Sensitivity Labels
User    | Sensitivity Label
Alice   | High:Proj1,Proj2,Proj3
Bob     | Low:Proj1,Proj2
Charles | High:Proj1

Slide 19: Operations
• What is the highest Proj1 file label such that
  - Alice and Bob can both read?
  - Alice and Charles can both read?
  - All three can read?
• What about write?

Slide 20: Pitbull LX
• Compartment-only labels
• Less restrictive rules, more oriented to collaborating on multiple projects
• Each user and file is labeled with a domain set for read, write, execute
  - dom1(r-x) = read:dom1, write:, execute:dom1

Slide 21: LX Access Rules
• The dominance operator is superset
  - DomSet1 dominates DomSet2 if DomSet1 is a superset of DomSet2
• For read, write, and execute, access is allowed if:
  - Process DomSet for the right dominates file DomSet for the right
  - E.g., process has DomSet D1(r-x),D2(rwx) and file has DomSet D1(rwx)
    • Process dominates for read and execute but not for write
• Network access is controlled by intersection

Slide 22: LX Example Domain Sets
User    | Domain Set
Alice   | Proj1(rwx), Proj2(rwx), Proj3(rwx),
Bob     | Proj1(r-x), Proj2(r-x)
Charles | Proj1(rwx), SecretProj1(rwx)
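The Operations slide asks which Proj1 file labels all of Alice, Bob and Charles can read or write under the Foundation sensitivity labels of slide 18. The following added example (not code from the slides or from Pitbull) models a sensitivity label as a level plus a compartment set, implements BLP dominance, and computes the answers as the meet (highest label everyone dominates, hence can read) and join (lowest label that dominates everyone, hence can be written) of the users' labels. The two-level ordering Low < High, the label syntax "Level:Comp1,Comp2" and the use of the plain BLP *-property for write are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Assumed ordering of the two hierarchical levels used on the slides.
LEVELS = {"Low": 0, "High": 1}


@dataclass(frozen=True)
class SensitivityLabel:
    """A Foundation-style label: hierarchical level plus compartments."""
    level: str
    compartments: FrozenSet[str]

    @classmethod
    def parse(cls, text: str) -> "SensitivityLabel":
        # Assumed syntax: "High:Proj1,Proj2" (compartment list may be empty).
        level, _, comps = text.partition(":")
        level = level.strip()
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        return cls(level, frozenset(c.strip() for c in comps.split(",") if c.strip()))

    def dominates(self, other: "SensitivityLabel") -> bool:
        # BLP dominance: level at least as high AND compartments a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def meet(self, other: "SensitivityLabel") -> "SensitivityLabel":
        # Greatest lower bound: lower level, intersection of compartments.
        level = self.level if LEVELS[self.level] <= LEVELS[other.level] else other.level
        return SensitivityLabel(level, self.compartments & other.compartments)

    def join(self, other: "SensitivityLabel") -> "SensitivityLabel":
        # Least upper bound: higher level, union of compartments.
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return SensitivityLabel(level, self.compartments | other.compartments)

    def __str__(self) -> str:
        return f"{self.level}:{','.join(sorted(self.compartments))}"


def can_read(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """Simple security property: subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """*-property (assumed plain BLP form): object must dominate the subject."""
    return obj.dominates(subject)


def highest_readable_by(subjects: Iterable[SensitivityLabel]) -> SensitivityLabel:
    """Meet of all subject labels: the highest label every subject can read."""
    labels = list(subjects)
    result = labels[0]
    for label in labels[1:]:
        result = result.meet(label)
    return result


def lowest_writable_by(subjects: Iterable[SensitivityLabel]) -> SensitivityLabel:
    """Join of all subject labels: the lowest label every subject can write."""
    labels = list(subjects)
    result = labels[0]
    for label in labels[1:]:
        result = result.join(label)
    return result


# Labels taken from the "Foundation Sensitivity Labels" slide.
USERS = {
    "Alice": SensitivityLabel.parse("High:Proj1,Proj2,Proj3"),
    "Bob": SensitivityLabel.parse("Low:Proj1,Proj2"),
    "Charles": SensitivityLabel.parse("High:Proj1"),
}

if __name__ == "__main__":
    for names in (["Alice", "Bob"], ["Alice", "Charles"], ["Alice", "Bob", "Charles"]):
        labels = [USERS[n] for n in names]
        print(f"{'+'.join(names)}: highest readable {highest_readable_by(labels)}, "
              f"lowest writable {lowest_writable_by(labels)}")
```

The meet keeps Proj1 in every answer because all three users hold that compartment; the join shows why a file everyone can write to must carry the union of their compartments, which is exactly the label only Alice can still read.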
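The "Constraining Privilege in Pitbull" slide gives three process sets and three executable sets and states how they combine on exec. The added example below (not Pitbull's code) carries that rule out with the privilege names from slide 11, so the effect of the limiting set on a child's maximum set can be checked directly. It takes the slide literally: innate is intersected with the parent's limiting set, proxy with the parent's maximum set, and the authorized set is added only for an authorized user. Two details the slide does not state are assumptions here: the child inherits the parent's limiting set unchanged, and a new image starts with an empty effective set until it activates privileges from its maximum set.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Privilege names from the "Privileges for Exceptions" slide.
PV_ROOT, PV_DAC, PV_DAC_R = "PV_ROOT", "PV_DAC", "PV_DAC_R"


@dataclass(frozen=True)
class ProcessPrivs:
    effective: FrozenSet[str]  # currently active
    maximum: FrozenSet[str]    # what this process may activate
    limiting: FrozenSet[str]   # upper bound on what children may receive


@dataclass(frozen=True)
class ExecPrivs:
    innate: FrozenSet[str]
    proxy: FrozenSet[str]
    authorized: FrozenSet[str]


def exec_privileges(parent: ProcessPrivs, exe: ExecPrivs,
                    user_authorized: bool) -> ProcessPrivs:
    """Compute the privilege sets of a new process image (slide 13 rules)."""
    new_max = (exe.innate & parent.limiting) | (exe.proxy & parent.maximum)
    if user_authorized:
        # Taken literally from the slide: added when the user is authorized.
        new_max |= exe.authorized
    # Assumption: limiting set is inherited; nothing is active until activated.
    return ProcessPrivs(effective=frozenset(), maximum=new_max,
                        limiting=parent.limiting)


def activate(proc: ProcessPrivs, privs: Iterable[str]) -> ProcessPrivs:
    """Move privileges from the maximum set into the effective set."""
    requested = frozenset(privs)
    if not requested <= proc.maximum:
        raise PermissionError(f"not in maximum set: {sorted(requested - proc.maximum)}")
    return ProcessPrivs(proc.effective | requested, proc.maximum, proc.limiting)


# Constructed sample: a shell that may activate PV_DAC_R, whose limiting set
# also allows children to receive PV_DAC (not in its own maximum set).
PARENT = ProcessPrivs(effective=frozenset(),
                      maximum=frozenset({PV_DAC_R}),
                      limiting=frozenset({PV_DAC, PV_DAC_R}))

# Constructed sample executable: asks for PV_ROOT innately, but the parent's
# limiting set clips it away unless the user is authorized for it.
BACKUP_EXE = ExecPrivs(innate=frozenset({PV_DAC, PV_ROOT}),
                       proxy=frozenset({PV_DAC_R}),
                       authorized=frozenset({PV_ROOT}))


def run_samples():
    """Return the maximum sets for an ordinary and an authorized user."""
    plain = exec_privileges(PARENT, BACKUP_EXE, user_authorized=False)
    authed = exec_privileges(PARENT, BACKUP_EXE, user_authorized=True)
    return sorted(plain.maximum), sorted(authed.maximum)


if __name__ == "__main__":
    plain_max, authed_max = run_samples()
    print("unauthorized user ->", plain_max)
    print("authorized user   ->", authed_max)
```

Note that the limiting set silently drops PV_ROOT for the ordinary user even though the executable carries it innately; that is the least-privilege effect the "Problem 3" slide is asking about.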
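The Pitbull LX slides define per-right domain sets written as dom1(r-x) and a superset dominance rule for read, write and execute. The added example below (not code from the slides or from Pitbull LX) parses that notation and evaluates the slide's own case, process D1(r-x),D2(rwx) against file D1(rwx), plus Bob's domain set from slide 22. The slide only says network access is "controlled by intersection"; the network check here, which allows a connection when the two sets share at least one domain for the right, is an assumption made to illustrate that difference.

```python
import re
from typing import Dict, Set

RIGHTS = ("read", "write", "execute")
# One entry of the slide notation: a domain name followed by (r-x)-style flags.
_ENTRY = re.compile(r"\s*([A-Za-z0-9_]+)\(([r-])([w-])([x-])\)\s*")

DomSet = Dict[str, Set[str]]


def parse_domset(text: str) -> DomSet:
    """Parse 'D1(r-x),D2(rwx)' into a domain set per right."""
    domset: DomSet = {right: set() for right in RIGHTS}
    for entry in text.split(","):
        if not entry.strip():
            continue  # tolerate a trailing comma
        match = _ENTRY.fullmatch(entry)
        if not match:
            raise ValueError(f"bad domain entry: {entry!r}")
        name, r, w, x = match.groups()
        for right, flag in zip(RIGHTS, (r, w, x)):
            if flag != "-":
                domset[right].add(name)
    return domset


def dominates(a: DomSet, b: DomSet, right: str) -> bool:
    """LX dominance for one right: a's set is a superset of b's set."""
    return a[right] >= b[right]


def access_allowed(process: DomSet, file: DomSet, right: str) -> bool:
    """File access: process set for the right must dominate the file's."""
    return dominates(process, file, right)


def check_all(process: DomSet, file: DomSet) -> Dict[str, bool]:
    """Evaluate read, write and execute in one go."""
    return {right: access_allowed(process, file, right) for right in RIGHTS}


def network_allowed(process: DomSet, endpoint: DomSet, right: str) -> bool:
    """Assumed form of the 'intersection' rule: any shared domain suffices."""
    return bool(process[right] & endpoint[right])


# Constructed samples: the slide's example plus Bob's domain set from slide 22.
SLIDE_PROCESS = parse_domset("D1(r-x),D2(rwx)")
SLIDE_FILE = parse_domset("D1(rwx)")
BOB = parse_domset("Proj1(r-x), Proj2(r-x)")
PROJ1_FILE = parse_domset("Proj1(rwx)")

if __name__ == "__main__":
    print("slide example:", check_all(SLIDE_PROCESS, SLIDE_FILE))
    print("Bob on a Proj1 file:", check_all(BOB, PROJ1_FILE))
    print("network, read right:", network_allowed(SLIDE_PROCESS, parse_domset("D2(r--)"), "read"))
```

Because dominance is checked per right, the same label can grant read and execute while refusing write, which is what the slide's example shows: the file's write set is {D1} and the process's write set is {D2} only.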