1 / 35

The Simplified Mandatory Access Control Kernel

The Simplified Mandatory Access Control Kernel. Casey Schaufler January 2008. Casey Schaufler. Ported Unix Version 6 to 32bit Started Development of TSOL Architect of Trusted Irix B1, CAPP, LSPP evaluated US NSA’s Trusix Group POSIX P1003.1e/2c TSIG. Today’s Talk.

cece
Download Presentation

The Simplified Mandatory Access Control Kernel

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Simplified Mandatory Access Control Kernel Casey Schaufler January 2008

  2. Casey Schaufler • Ported Unix Version 6 to 32bit • Started Development of TSOL • Architect of Trusted Irix • B1, CAPP, LSPP evaluated • US NSA’s Trusix Group • POSIX P1003.1e/2c • TSIG

  3. Today’s Talk • Mandatory Access Control (MAC) • What MAC is good for • How Smack implements MAC • What Smack is good for • Details of Smack

  4. Mandatory Access Control • Concepts • Subject is an active entity • Object is a passive entity • Access is an operation preformed on an object by a subject

  5. Mandatory Access Control • Principles • User has no say in it • Based on system controlled attributes

  6. Mandatory Access Control • Jargon • MAC • Label • Bell & LaPadula • Multilevel Security • CIPSO

  7. Mandatory Access Control

  8. MAC Implementations • Bell & LaPadula Sensitivity • Multics, Unix • Type Enforcement • SELinux • Pathname Controls • AppArmor, TOMOYO

  9. Uses of MAC Systems • Security Checkbox • Sharing an expensive machine • Disjoint sets of users • B&L Catagories • Hierarchical use of shared data • B&L Levels

  10. Where Did Smack Come From? • Traditionally • Label relationships hard coded • Names map to label values • Mythtory:TopSecret,Skeeve,Ahz,Chumly • Level=4,Catagories=17,49,113 • Users only use names • Why use anything but names?

  11. Smack Label Mechanism • Labels and label names are the same • No implicit relationship between labels • List of explicit access relationships • Every subject gets a label • Every object gets a label • Objects get creating Subject’s label

  12. Subjects Access Objects • lstat() reads a file object’s attributes • kill() writes to a process object • send() writes to a process object • bind() is uninteresting

  13. System Labels • _ floor • ^ hat • * star • Objects Only • Any single special character ^ * _

  14. User Labels ^ * SEAsia Dap _

  15. Explicit Access Rules • Dap SEAsia r • Med Pop w SEAsia Dap Pop Med

  16. Access Rule Specification • /etc/smack/accesses • Subject Object [–rwxa] • /smack/load • Strict fixed format • /sbin/smackload • Writes to /smack/load

  17. Bell & LaPadula Levels • Secret more sensitive than Unclass • TopSecret more sensitive than Secret • Secret Unclass rx • TopSecret Secret rx • TopSecret Unclass rx • All relationships must be specified

  18. Bell & LaPadula Categories • Categories Skeeve and Ahz • Labels: • “Skeeve,Ahz” • “Skeeve” • “Ahz” • Skeeve,Ahz Skeeve rx • Skeeve,Ahz Ahz rx

  19. Biba Integrity • Floor is highest integrity • Hat is lowest Integrity

  20. Ring of Vigilance • SEAsia Dap r • Med SEAsia r • Dap Med r SEAsia Dap Med

  21. Messaging • Informant Reporter w • Reporter Editor w • Editor Reporter w

  22. Time of Day • At 17:00 • WorkerBee Game x • At 08:00 • WorkerBee Game –

  23. Implementation • Label Scheme • Access Checks • File Systems • Networking • The LSM • Audit

  24. Label Scheme • Labels are short text strings • Compared for equality • Stored in a list • secid • Optional CIPSO value • Never forgotten

  25. Access Checks • Rules written to /smack/load • Hard Coded Labels • Subject and object equal • Find the subject/object pair • Check the request against the rule

  26. File Systems • Use xattrs if supported • Hard coded behavior • smackfs, pipefs, sockfs, procfs, devpts • Superblock values • File system root • File system default • File system floor and hat • Not yet implemented

  27. Networking Model • Sender writes to receiver • Sender is subject, receiver is object • Socket, packet not policy components • William Janet w • Allows a UDP packet • Janet William r • Does not allow a UDP Packet

  28. Packet Labeling • Unlabeled packets get ambient label • CIPSO option on every local packet • CIPSO value from the label list • Set via /smack/cipso • CIPSO direct mapping • Level 250 • Label copied into category bits • Same CIPSO as SELinux

  29. The LSM • Provides a restrictive interface • Evolved in step with SELinux • Imperfectly defined • Networking • Audit • USB • Module Stacking

  30. Programming interfaces • getxattr(), setxattr() • SMACK64 • /proc/<pid>/attr/current

  31. Socket Interfaces • Socket Attributes • fgetxattr(), fsetxattr() • SMACK64.IPIN • SMACK64.IPOUT • Packet Attributes • SO_PEERSEC • TCP • SCM_SECURITY • UDP

  32. Administrative Interfaces • /smack/load • /smack/cipso • /smack/doi • /smack/direct • /smack/nltype

  33. What Have You Learned? • Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted. • Smack is designed for simplicity • Smack is designed as a kernel mechanism

  34. Special Thank You • Paul Moore – Network interfaces • Ahmed S. Darwish – Work on smackfs • And a host of reviewers, including • Stephen Smalley, Seth Arnold, • Joshua Brindle, Al Viro, • James Morris, Kyle Moffett, • Pavel Machek

  35. Contact Information • http://schaufler-ca.com • casey@schaufler-ca.com • rancidfat@yahoo.com

More Related