U of I CS 498 - Example Trusted OS
Slide #6-1  Example Trusted OS
CS498SH – Information Assurance
Fall 2006
Susan Hinrichs

Slide #6-2  Overview
• Examine several Trusted Operating Systems
• Compare MAC mechanisms
• Compare integrity mechanisms
• Identify tricky bits that arise in real systems

Slide #6-3  Reading
• Pitbull Foundation – Traditional BLP – http://www.argus-systems.com/public/docs/AIX/foundation_admin_guide.pdf
• SE Linux Type Enforcement – http://www.nsa.gov/selinux/papers/policy2.pdf
• SE Linux MLS – BLP mechanism – http://selinux-symposium.org/2006/papers/03-SELinux-and-MLS.pdf
• SE Linux – Multi-Category Security (MCS) – http://james-morris.livejournal.com/5583.html
• Pitbull LX – Compartment oriented MAC – http://www.argus-systems.com/public/docs/AIX/PBLX20/lx_admin_guide.pdf
• Data General B2 Unix System – Computer Security text 5.2.2

Slide #6-4  Common points
• All implement kernel level access control
• All implement MAC
  – Plus additional DAC mechanisms (MCS)
• All keep base OS DAC

Slide #6-5  Pitbull Foundation
• Two types of Mandatory Controls
  – Mandatory Access Control (MAC)
    • implemented as BLP
  – Also have Mandatory Integrity Controls (MIC)
    • implemented as strict Biba
• Subjects have 6 labels each
  – Max, Min, effective Sensitivity Label (SL)
  – Max, Min, effective Trust Label (TL)
  – Max must dominate min
• Directories have a range of labels

Slide #6-6  Pitbull Foundation
• Initial process and file labels must be explicitly enumerated
• Assume an Information System Security Officer (ISSO) to configure

Slide #6-7  SE Linux MLS
• Implemented in addition to type enforcement
• Supports MAC as BLP
• Many of the same issues as Pitbull Foundation

Slide #6-8  Problem 1 – common directories
• Programs running at TopSecret and Unclassified both need to write to /tmp
  – Could re-write all programs…
• Introduce partitioned, poly-instantiated or multi-level directories

Slide #6-9  Multi-level or Poly-instantiated Directories
• Can be implemented as a nested directory
  – Special top level multi-level directory
  – Sub directory for each level
• Normal users see only one directory with the contents at their own level
• SE Linux plays with the filesystem namespace
  – Hooks with PAM to unmap "wrong" versions from the user's namespace

Slide #6-10  Problem 2 – exceptions to BLP
• Normal users should follow BLP
• Need special users and programs to
  – Administer labels and labeling
  – Declassify data
  – Change effective sensitivity labels
  – Back up and restore data
• Special user in vanilla Unix is root
  – Root bypasses all restrictions

Slide #6-11  Privileges for Exceptions
• Foundation uses privileges
  – Essentially splits root's bypasses into more refined elements
  – Least privilege
  – Privilege hierarchy
  – PV_ROOT, PV_DAC, PV_DAC_R
• SELinux uses type attributes and constraint rules to model privileged exceptions

Slide #6-12  Problem 3 – Constraining Privilege
• What privilege does a new process inherit?
  – Same privilege as calling process?
  – More privileges?
  – Fewer?

Slide #6-13  Additional Labels to Constrain Process Privilege
• Label process with three sets
  – Effective Privilege – set of active privileges
  – Maximum Privilege – set the current process can activate
  – Limiting Privilege – upper limit on privileges that can be inherited by a child process. May include privileges not in the maximum set.
• Label executable with three sets
  – Innate Privilege – intersected with parent's limiting privilege set to get the maximum set of the new process
  – Proxy Privilege – intersected with parent's maximum set and added to the maximum set of the new process
  – Authorized Privilege – added to the new process maximum set only if the user is authorized

Slide #6-14  Problem 4 – What about network data?
• What is the granularity of labeling network data?
• Can you exchange labels between trusted systems?
• How is the label of network data tracked between systems?

Slide #6-15  Labelled Network Data
• Label can be encoded in IP Options
  – Encoded using CIPSO
  – IP Options have routing problems
• SE Linux has a patch to label the IPsec Security Association
  – Leverage SA negotiation to exchange labels
• Netrules refer to protocol, port and interface
  – Define label of outgoing traffic
  – Define label of incoming traffic for an unlabeled network

Slide #6-16  Problem 5: When are Checks Performed?
• Ideally the mandatory check is performed on each object access
• Normally, checks correspond to file opens
  – If the subject changes effective level after the open, some illegal accesses may be allowed

Slide #6-17  Example Scenario

  User     Role             Clearance  Projects
  Alice    Project Manager  High       Proj1, Proj2, Proj3
  Bob      Intern           Low        Proj1, Proj2
  Charles  Dev Manager      High       Proj1

Slide #6-18  Foundation Sensitivity Labels

  User     Sensitivity Label
  Alice    High:Proj1,Proj2,Proj3
  Bob      Low:Proj1,Proj2
  Charles  High:Proj1

Slide #6-19  Operations
• What is the highest Proj1 file label such that
  – Alice and Bob can both read?
  – Alice and Charles can both read?
  – All three can read?
• What about write?

Slide #6-20  Pitbull LX
• Compartment only labels
• Less restrictive rules, more oriented to collaborating on multiple projects
• Each user and file is labeled with a domain set for read, write, execute
  – dom1(r-x) = read:dom1, write:, execute:dom1

Slide #6-21  LX Access Rules
• Dominance operator is superset
  – DomSet1 dominates DomSet2 if DomSet1 is a superset of DomSet2
• For read, write, and execute, access is allowed if:
  – Process DomSet for the right dominates file DomSet for the right
  – E.g., process has DomSet D1(r-x),D2(rwx) and file has DomSet D1(rwx)
    • Process dominates for read and execute but not for write
• Network access is controlled by intersection

Slide #6-22  LX Example Domain Sets

  User     Domain Sets
  Alice    Proj1(rwx), Proj2(rwx), Proj3(rwx), SecretProj1(rwx), SecretProj2(rwx)
  Bob      Proj1(r-x), Proj2(r-x)
  Charles  Proj1(rwx), SecretProj1(rwx)

Slide #6-23  Operations
• What should be the file label to enable Alice, Bob, and Charles to operate on Proj1 files?
• How can Alice and Charles keep Proj1 information from Bob?
• What is the security impact of the symmetric read, write, and execute constraints?

Slide #6-24  LX Opt Out Model
• Files and processes must be tagged with the AGS_AWARE flag for LX MAC to apply
  – AGS_AWARE processes can add further tags to avoid working
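The six privilege sets of Slide #6-13 are easy to get wrong in the head, so here is a worked model of the exec-time computation. This is an added example written for this page, not Pitbull Foundation's implementation. Only PV_ROOT, PV_DAC and PV_DAC_R come from the slides; PV_MAC and PV_AUDIT are made-up names, and the choices that a child's limiting set is inherited unchanged and that a child starts with nothing activated are assumptions, since the slide does not say.

```python
"""Privilege inheritance across exec, following the three process sets and the
three executable sets on Slide #6-13.  Added example, not Pitbull code.
"""
from dataclasses import dataclass

PV_ROOT, PV_DAC, PV_DAC_R = "PV_ROOT", "PV_DAC", "PV_DAC_R"   # from the slides
PV_MAC, PV_AUDIT = "PV_MAC", "PV_AUDIT"                     # assumed names


@dataclass(frozen=True)
class ProcessPrivs:
    effective: frozenset   # active right now
    maximum: frozenset     # may be activated by this process
    limiting: frozenset    # ceiling on what children may inherit; may exceed maximum

    def __post_init__(self):
        if not self.effective <= self.maximum:
            raise ValueError("effective privileges must be a subset of maximum")


@dataclass(frozen=True)
class ExecPrivs:
    innate: frozenset = frozenset()      # granted if the parent's limiting set allows
    proxy: frozenset = frozenset()       # passed through only if the parent already holds them
    authorized: frozenset = frozenset()  # granted only to an authorized user


def exec_privileges(parent, exe, user_authorized=False):
    """Privilege sets of the child produced by exec-ing `exe` from `parent`.

    maximum = (innate & parent.limiting) | (proxy & parent.maximum)
              | (authorized, if the user is authorized)
    The slide bounds innate and proxy by the parent's sets but says nothing
    about bounding the authorized set, so it is added exactly as written.
    """
    maximum = (exe.innate & parent.limiting) | (exe.proxy & parent.maximum)
    if user_authorized:
        maximum |= exe.authorized
    # Assumptions: the limiting set is inherited unchanged, and a fresh process
    # starts with nothing active and must raise privileges from its maximum set.
    return ProcessPrivs(effective=frozenset(), maximum=maximum, limiting=parent.limiting)


def activate(proc, privs):
    """Raise privileges into the effective set; refused outside the maximum set."""
    privs = frozenset(privs)
    if not privs <= proc.maximum:
        raise PermissionError(f"not in maximum set: {sorted(privs - proc.maximum)}")
    return ProcessPrivs(proc.effective | privs, proc.maximum, proc.limiting)


# A login shell holding only PV_DAC, whose limiting set lets children pick up
# PV_DAC_R and PV_MAC.  PV_ROOT is outside the limiting set, so nothing run from
# this shell can ever obtain it (the "fewer" answer to Slide #6-12).
SHELL = ProcessPrivs(effective=frozenset({PV_DAC}),
                     maximum=frozenset({PV_DAC}),
                     limiting=frozenset({PV_DAC, PV_DAC_R, PV_MAC}))

# A backup program (constructed): innately wants PV_DAC_R and PV_ROOT, proxies
# PV_MAC if the caller already holds it, and grants PV_AUDIT to authorized users.
BACKUP = ExecPrivs(innate=frozenset({PV_DAC_R, PV_ROOT}),
                   proxy=frozenset({PV_MAC}),
                   authorized=frozenset({PV_AUDIT}))


def run_backup(parent=SHELL, user_authorized=False):
    """Exec BACKUP from `parent` and return the child's maximum set.  From SHELL
    this is {PV_DAC_R}: the "more" case, since the shell never held PV_DAC_R,
    while PV_ROOT is dropped because the shell's limiting set excludes it."""
    return exec_privileges(parent, BACKUP, user_authorized).maximum


if __name__ == "__main__":
    child = exec_privileges(SHELL, BACKUP)
    print("child maximum:", sorted(child.maximum))
    print("child active :", sorted(activate(child, {PV_DAC_R}).effective))
    try:
        activate(child, {PV_ROOT})
    except PermissionError as e:
        print("refused:", e)
```

Running from a parent whose maximum set already contains PV_MAC shows the proxy rule: the child gains PV_MAC in addition to PV_DAC_R. Passing `user_authorized=True` adds PV_AUDIT regardless of what the parent holds, which is why the authorized set is the one to scrutinize when reviewing an executable's labels.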
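The questions on Slide #6-19 and the open-time check problem of Slide #6-16 both come down to BLP dominance over Foundation-style labels, so one worked example covers both. This is an added example for this page, not Pitbull Foundation or SELinux MLS code. It models only a subject's maximum and effective sensitivity label (the minimum label and the trust labels from Slide #6-5 are left out), and the rule that a subject may select any effective label its maximum label dominates is an assumption.

```python
"""Bell-LaPadula sensitivity labels written the way Slide #6-18 writes them
("High:Proj1,Proj2"), the lattice answers to Slide #6-19, and the write-down
that open-time checking permits (Slide #6-16).  Added example, not vendor code.
"""
from dataclasses import dataclass

LEVELS = {"Low": 0, "High": 1}   # only two levels appear on the slides


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    @classmethod
    def parse(cls, text):
        level, _, cats = text.partition(":")
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        return cls(level, frozenset(c.strip() for c in cats.split(",") if c.strip()))

    def dominates(self, other):
        """BLP dominance: level at least as high and a superset of categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

    def __str__(self):
        return f"{self.level}:{','.join(sorted(self.categories))}"


def can_read(subject, obj):
    """Simple security property: the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property (strict BLP): the object must dominate the subject."""
    return obj.dominates(subject)


def meet(labels):
    """Greatest lower bound: the highest label every listed label dominates."""
    return Label(min((l.level for l in labels), key=LEVELS.get),
                 frozenset.intersection(*(l.categories for l in labels)))


def join(labels):
    """Least upper bound: the lowest label that dominates every listed label."""
    return Label(max((l.level for l in labels), key=LEVELS.get),
                 frozenset.union(*(l.categories for l in labels)))


USERS = {                                   # effective labels, Slide #6-18
    "Alice": Label.parse("High:Proj1,Proj2,Proj3"),
    "Bob": Label.parse("Low:Proj1,Proj2"),
    "Charles": Label.parse("High:Proj1"),
}


def highest_readable_by(names):
    """Slide #6-19: the highest file label all named users can read."""
    return meet([USERS[n] for n in names])


def lowest_writable_by(names):
    """Slide #6-19, 'what about write': the lowest file label all of them can write."""
    return join([USERS[n] for n in names])


class Subject:
    """A process with a maximum label and a changeable effective label."""

    def __init__(self, max_label, effective):
        self.max_label, self.effective = max_label, effective

    def set_effective(self, label):
        if not self.max_label.dominates(label):      # assumption: max bounds effective
            raise PermissionError("effective label above maximum")
        self.effective = label

    def open(self, obj_label, mode):
        ok = can_read if mode == "r" else can_write
        if not ok(self.effective, obj_label):
            raise PermissionError(f"{mode} of {obj_label} at {self.effective}")
        return (obj_label, mode)        # the handle: label and mode fixed at open time

    def use(self, handle, check_each_access):
        """Re-check on every use (ideal) or trust the open-time decision (usual)."""
        obj_label, mode = handle
        if not check_each_access:
            return True
        return (can_read if mode == "r" else can_write)(self.effective, obj_label)


def write_down_scenario(check_each_access):
    """Slide #6-16: open a Low file for write, raise the effective level, read
    High data, then write through the still-open Low handle.  Returns True if
    that write-down goes through."""
    alice = Subject(USERS["Alice"], Label.parse("Low:Proj1"))
    low_handle = alice.open(Label.parse("Low:Proj1"), "w")   # legal at Low
    alice.set_effective(USERS["Alice"])                      # now High:Proj1,Proj2,Proj3
    alice.open(Label.parse("High:Proj1"), "r")               # legal read at High
    return alice.use(low_handle, check_each_access)
```

The meet of the three labels is Low:Proj1, which is the highest Proj1 file label all three can read; for Alice and Bob it is Low:Proj1,Proj2 and for Alice and Charles High:Proj1. The write question inverts the lattice: a file all three can write must dominate all of them, i.e. sit at High:Proj1,Proj2,Proj3 or above, which only Alice can read back. With open-time checks only, `write_down_scenario(False)` returns True, which is exactly the leak the slide warns about; re-checking on each access closes it.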
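The LX domain-set rules of Slides #6-21 to #6-23 reward a concrete check, including the third question about symmetric read and write constraints. This is an added example for this page, not Pitbull LX code; it implements only the per-right superset rule the slides state for read, write and execute, and leaves network access (which the slides say uses intersection without giving details) out.

```python
"""Pitbull LX domain sets from Slides #6-20 to #6-23.  A domain set is written
the slides' way, "Proj1(r-x), Proj2(rwx)", and expands to one set of domains
per right.  Added example, not Pitbull LX code.
"""
import re

RIGHTS = ("r", "w", "x")
ENTRY = re.compile(r"(\w+)\(([r-])([w-])([x-])\)")


def parse_domset(text):
    """'Proj1(r-x)' -> {'r': {'Proj1'}, 'w': set(), 'x': {'Proj1'}}"""
    ds = {right: set() for right in RIGHTS}
    for entry in filter(None, (e.strip() for e in text.split(","))):
        m = ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"bad domain-set entry {entry!r}")
        name, *flags = m.groups()
        for right, flag in zip(RIGHTS, flags):
            if flag != "-":
                ds[right].add(name)
    return ds


def dominates(proc, obj, right):
    """Slide #6-21: dominance is superset, checked separately for each right."""
    return proc[right] >= obj[right]


def allowed_rights(proc, obj):
    return {right for right in RIGHTS if dominates(proc, obj, right)}


USERS = {                                    # Slide #6-22
    "Alice": parse_domset("Proj1(rwx), Proj2(rwx), Proj3(rwx), SecretProj1(rwx), SecretProj2(rwx)"),
    "Bob": parse_domset("Proj1(r-x), Proj2(r-x)"),
    "Charles": parse_domset("Proj1(rwx), SecretProj1(rwx)"),
}


def rights_table(file_label):
    """Who can do what to a file carrying `file_label` (a domain-set string)."""
    obj = parse_domset(file_label)
    return {name: allowed_rights(proc, obj) for name, proc in USERS.items()}


def flow_path(src_label, dst_label, writer, reader):
    """Slide #6-23, third question.  Read and write both require the process to
    dominate the file, so nothing stops `writer` from reading a `src_label` file
    and copying it into a `dst_label` file that `reader` can read.  Returns True
    if that two-hop flow is permitted by the rules."""
    src, dst = parse_domset(src_label), parse_domset(dst_label)
    return (dominates(USERS[writer], src, "r") and dominates(USERS[writer], dst, "w")
            and dominates(USERS[reader], dst, "r"))


if __name__ == "__main__":
    for label in ("Proj1(rwx)", "SecretProj1(rwx)", "Proj1(r-x)"):
        print(label, {n: "".join(sorted(r)) for n, r in rights_table(label).items()})
    print("SecretProj1 -> Proj1 -> Bob:", flow_path("SecretProj1(rwx)", "Proj1(rwx)", "Alice", "Bob"))
```

A Proj1(rwx) file label answers the first question: Alice and Charles get rwx and Bob r-x, matching his intern role. SecretProj1(rwx) answers the second, since Bob's read set never contains SecretProj1. Two things the table makes visible: Alice can read a SecretProj1 file and write a Proj1 file that Bob reads, because there is no *-property to stop write-down; and a file whose write domain set is empty, such as Proj1(r-x), is writable by every process, because every set is a superset of the empty set.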

