The Simplified Mandatory Access Control Kernel
Casey Schaufler, January 2008
Casey Schaufler
• Ported Unix Version 6 to 32bit
• Started Development of TSOL
• Architect of Trusted Irix
  – B1, CAPP, LSPP evaluated
• US NSA’s Trusix Group
• POSIX P1003.1e/2c
• TSIG
Today’s Talk
• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack
Mandatory Access Control
• Concepts
  – Subject is an active entity
  – Object is a passive entity
  – Access is an operation performed on an object by a subject
Mandatory Access Control
• Principles
  – User has no say in it
  – Based on system controlled attributes
Mandatory Access Control
• Jargon
  – MAC
  – Label
  – Bell & LaPadula
  – Multilevel Security
  – CIPSO
Mandatory Access Control
MAC Implementations
• Bell & LaPadula Sensitivity
  – Multics, Unix
• Type Enforcement
  – SELinux
• Pathname Controls
  – AppArmor, TOMOYO
Uses of MAC Systems
• Security Checkbox
• Sharing an expensive machine
• Disjoint sets of users
  – B&L Categories
• Hierarchical use of shared data
  – B&L Levels
Where Did Smack Come From?
• Traditionally
  – Label relationships hard coded
  – Names map to label values
• Mythtory: TopSecret, Skeeve, Ahz, Chumly
• Level=4, Categories=17,49,113
  – Users only use names
• Why use anything but names?
Smack Label Mechanism
• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get creating Subject’s label
Subjects Access Objects
• lstat() reads a file object’s attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting
System Labels
• _ floor
• ^ hat
• * star
  – Objects Only
• Any single special character
(Diagram: the system labels _, *, ^ shown beside the user labels Dap and SEAsia)
Explicit Access Rules
• Dap SEAsia r
• Med Pop w
(Diagram of the labels Dap, Med, SEAsia and Pop with the two rules drawn between them)
Access Rule Specification
• /etc/smack/accesses
  – Subject Object [-rwxa]
• /smack/load
  – Strict fixed format
• /sbin/smackload
  – Writes to /smack/load
Bell & LaPadula Levels
• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Secret rx
• TopSecret Unclass rx
• All relationships must be specified
Bell & LaPadula Categories
• Categories Skeeve and Ahz
• Labels:
  – “Skeeve,Ahz”
  – “Skeeve”
  – “Ahz”
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz Ahz rx
Biba Integrity
• Floor is highest integrity
• Hat is lowest integrity
Ring of Vigilance
• SEAsia Dap r
• Med SEAsia r
• Dap Med r
(Diagram of the labels Dap, Med and SEAsia arranged in a ring)
Messaging
• Informant Reporter w
• Reporter Editor w
• Editor Reporter w
Time of Day
• At 17:00
  – WorkerBee Game x
• At 08:00
  – WorkerBee Game -
Implementation
• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit
Label Scheme
• Labels are short text strings
• Compared for equality
• Stored in a list
  – secid
  – Optional CIPSO value
  – Never forgotten
Access Checks
• Rules written to /smack/load
• Hard Coded Labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule
File Systems
• Use xattrs if supported
• Hard coded behavior
  – smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
  – File system root
  – File system default
  – File system floor and hat
• Not yet implemented
Networking Model
• Sender writes to receiver
  – Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
  – Allows a UDP packet
• Janet William r
  – Does not allow a UDP packet
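An added worked model (not code from the talk or the Smack project) of the check described on the Access Checks slide, applied to the networking model above: labels are strings compared for equality, the (subject, object) pair is looked up in an explicit rule list, and a few labels are hard coded. The semantics assumed for _, ^ and * are those in Smack's kernel documentation; every other label and rule comes from the earlier slides.

```python
# Added example, not code from the talk or the Smack project: a user-space
# model of the access check the slides describe.  The _ ^ * semantics follow
# the Smack kernel documentation; all other labels and rules are the talk's.
FLOOR, HAT, STAR = "_", "^", "*"

def parse_rule(line):
    """One /etc/smack/accesses style line: 'Subject Object [-rwxa]'."""
    subject, obj, mode = line.split()
    return subject, obj, set(mode) - {"-"}   # a bare '-' means no access

def load_rules(lines, rules=None):
    """Load rules keyed by (subject, object).  Loading a pair again replaces
    the earlier rule, which is how the Time of Day slide grants 'x' at
    17:00 and revokes it at 08:00."""
    rules = {} if rules is None else rules
    for line in lines:
        if line.strip() and not line.startswith("#"):
            subject, obj, mode = parse_rule(line)
            rules[(subject, obj)] = mode
    return rules

def smack_access(rules, subject, obj, request):
    """True if every access in `request` (letters from rwxa) is permitted."""
    want = set(request)
    if subject == STAR:                       # a star subject gets nothing
        return False
    if obj == STAR:                           # a star object allows anything
        return True
    if subject == obj:                        # equal labels: full access
        return True
    if want <= {"r", "x"}:                    # read/execute only requests:
        if obj == FLOOR or subject == HAT:    # floor is readable by all,
            return True                       # hat reads everything
    return want <= rules.get((subject, obj), set())  # explicit rule, else deny

def udp_allowed(rules, sender, receiver):
    """Networking model: the sender is a subject writing to the receiver."""
    return smack_access(rules, sender, receiver, "w")

# Rules from the talk's Explicit Access Rules, Bell & LaPadula, Ring of
# Vigilance, Messaging and Networking Model slides.
RULES = load_rules(["Dap SEAsia r", "Med Pop w", "Secret Unclass rx",
                    "TopSecret Secret rx", "TopSecret Unclass rx",
                    "SEAsia Dap r", "Med SEAsia r", "Dap Med r",
                    "Informant Reporter w", "Reporter Editor w",
                    "Editor Reporter w", "William Janet w"])
```

Note that the levels example only works because all three relationships are loaded explicitly; Smack infers nothing from the names TopSecret, Secret and Unclass.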
Packet Labeling
• Unlabeled packets get ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
  – Set via /smack/cipso
• CIPSO direct mapping
  – Level 250
  – Label copied into category bits
• Same CIPSO as SELinux
The LSM
• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
  – Networking
  – Audit
  – USB
• Module Stacking
Programming Interfaces
• getxattr(), setxattr()
  – SMACK64
• /proc/<pid>/attr/current
Socket Interfaces
• Socket Attributes
  – fgetxattr(), fsetxattr()
  – SMACK64.IPIN
  – SMACK64.IPOUT
• Packet Attributes
  – SO_PEERSEC
• TCP
  – SCM_SECURITY
• UDP
Administrative Interfaces
• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype
What Have You Learned?
• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.
• Smack is designed for simplicity
• Smack is designed as a kernel mechanism
Special Thank You
• Paul Moore – Network interfaces
• Ahmed S. Darwish – Work on smackfs
• And a host of reviewers, including
  – Stephen Smalley, Seth Arnold,
  – Joshua Brindle, Al Viro,
  – James Morris, Kyle Moffett,
  – Pavel Machek
Contact Information
• http://schaufler-ca.com
• [email protected]
• [email protected]