The Simplified Mandatory Access Control Kernel
Casey Schaufler
January 2008

Casey Schaufler
• Ported Unix Version 6 to 32bit
• Started Development of TSOL
• Architect of Trusted Irix
• B1, CAPP, LSPP evaluated
• US NSA’s Trusix Group
• POSIX P1003.1e/2c
• TSIG

Today’s Talk
• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack
Mandatory Access Control
• Concepts
  • Subject is an active entity
  • Object is a passive entity
  • Access is an operation performed on an object by a subject

Mandatory Access Control
• Principles
  • User has no say in it
  • Based on system controlled attributes

Mandatory Access Control
• Jargon
  • MAC
  • Label
  • Bell & LaPadula
  • Multilevel Security
  • CIPSO

MAC Implementations
• Bell & LaPadula Sensitivity
  • Multics, Unix
• Type Enforcement
  • SELinux
• Pathname Controls
  • AppArmor, TOMOYO

Uses of MAC Systems
• Security Checkbox
• Sharing an expensive machine
  • Disjoint sets of users
    • B&L Categories
  • Hierarchical use of shared data
    • B&L Levels

Where Did Smack Come From?
• Traditionally
  • Label relationships hard coded
  • Names map to label values
    • Mythtory: TopSecret, Skeeve, Ahz, Chumly
    • Level=4, Categories=17,49,113
  • Users only use names
• Why use anything but names?
Smack Label Mechanism
• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get creating Subject’s label

Subjects Access Objects
• lstat() reads a file object’s attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting

System Labels
• _ floor
• ^ hat
• * star
  • Objects Only
• Any single special character ^ * _

User Labels
(diagram: the labels ^, *, SEAsia, Dap and _)

Explicit Access Rules
• Dap SEAsia r
• Med Pop w
(diagram: SEAsia, Dap, Pop, Med)

Access Rule Specification
• /etc/smack/accesses
  • Subject Object [–rwxa]
• /smack/load
  • Strict fixed format
• /sbin/smackload
  • Writes to /smack/load
Bell & LaPadula Levels
• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Secret rx
• TopSecret Unclass rx
• All relationships must be specified

Bell & LaPadula Categories
• Categories Skeeve and Ahz
• Labels:
  • “Skeeve,Ahz”
  • “Skeeve”
  • “Ahz”
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz Ahz rx
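The two Bell & LaPadula slides make the point that Smack infers nothing: every dominance relationship, including transitive ones such as TopSecret over Unclass, has to be written out as its own rule. The script below, an added example and not code from Smack or the deck, derives that explicit rule set from a lattice description. The label naming convention (level name, then the categories in the order listed, joined with commas, as in the deck's "Skeeve,Ahz") and the `bl_labels`/`bl_rules` names are assumptions of this example.

```python
"""Generate the explicit Smack rule set for a Bell & LaPadula lattice.

Added example, not code from Smack.  Smack has no notion of levels or
categories, so every dominance relationship is spelled out as a rule.
Label names are an assumption: level name followed by the categories in
the order listed, joined with commas (e.g. "Secret,Skeeve,Ahz").
"""
from itertools import combinations


def bl_labels(levels, categories):
    """Return {label_name: (level_rank, frozenset(categories))}.

    `levels` is ordered lowest to highest and may be empty for a pure
    category scheme.  Every category subset is combined with every level;
    with no levels the empty subset is skipped, matching the deck, which
    lists only Skeeve,Ahz / Skeeve / Ahz.
    """
    labels = {}
    ranks = list(enumerate(levels)) or [(0, None)]
    subsets = [()] + [c for n in range(1, len(categories) + 1)
                      for c in combinations(categories, n)]
    for rank, level in ranks:
        for cats in subsets:
            parts = ([level] if level else []) + list(cats)
            if not parts:            # no level and no categories: no label
                continue
            labels[",".join(parts)] = (rank, frozenset(cats))
    return labels


def bl_rules(labels, mode="rx"):
    """Emit 'high low rx' for every pair where high strictly dominates low
    (level at least as high AND categories a superset).  Transitive pairs
    such as TopSecret -> Unclass are emitted explicitly, because Smack
    never derives one rule from others."""
    rules = []
    for hi, (hl, hc) in labels.items():
        for lo, (ll, lc) in labels.items():
            if hi != lo and hl >= ll and hc >= lc:
                rules.append(f"{hi} {lo} {mode}")
    return sorted(rules)


# The deck's two examples: three levels, and two categories with no level.
LEVEL_RULES = bl_rules(bl_labels(["Unclass", "Secret", "TopSecret"], []))
CATEGORY_RULES = bl_rules(bl_labels([], ["Skeeve", "Ahz"]))

if __name__ == "__main__":
    # Output is in the /etc/smack/accesses format, ready for smackload.
    print("\n".join(LEVEL_RULES + CATEGORY_RULES))
```

For n levels alone this produces n(n-1)/2 rules; adding categories multiplies the label count by the number of category subsets, which is the practical reason the deck says "all relationships must be specified" and why a generator like this, rather than hand-written rules, is the sane way to load such a lattice.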
Biba Integrity
• Floor is highest integrity
• Hat is lowest Integrity

Ring of Vigilance
• SEAsia Dap r
• Med SEAsia r
• Dap Med r
(diagram: SEAsia, Dap, Med)

Messaging
• Informant Reporter w
• Reporter Editor w
• Editor Reporter w

Time of Day
• At 17:00
  • WorkerBee Game x
• At 08:00
  • WorkerBee Game –

Implementation
• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit

Label Scheme
• Labels are short text strings
• Compared for equality
• Stored in a list
  • secid
  • Optional CIPSO value
• Never forgotten

Access Checks
• Rules written to /smack/load
• Hard Coded Labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule
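The Access Rule Specification slide gives the rule format and the Access Checks slide gives the decision procedure (hard-coded labels, equal labels, then the subject/object pair looked up and the request compared to the rule). The following simulation, an added example and not code from Smack or the Linux kernel, puts the two together so the deck's rule examples (explicit rules, the ring of vigilance, messaging, the 08:00 "WorkerBee Game –" line, and the William/Janet packet rules) can be exercised. The behaviour of the system labels `_`, `^` and `*` is taken from the kernel's Smack documentation; the `#` comment syntax, the `parse_rules`/`smack_access` names and the sample rule file are assumptions of this example.

```python
"""Simulation of the Smack access decision.

Added example for this deck, not code from Smack or the Linux kernel.
The rule format (Subject Object [-rwxa]) is the /etc/smack/accesses
format from the slides; the hard-coded special-label behaviour follows
the kernel's Smack documentation.  '#' comments are an assumption of
this example, not part of the Smack format.
"""

FLOOR, HAT, STAR = "_", "^", "*"    # system labels from the "System Labels" slide
MODES = frozenset("rwxa")            # modes accepted in an access rule


def parse_rules(text):
    """Parse rule lines into {(subject, object): set(modes)}.

    A mode field of '-' (the slides print it as an en dash) or a missing
    mode field grants nothing.  A later line for the same pair replaces an
    earlier one, the way rewriting /smack/load would.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed rule: {raw!r}")
        subject, obj = parts[0], parts[1]
        mode = parts[2].replace("\u2013", "-") if len(parts) == 3 else "-"
        bad = set(mode) - MODES - {"-"}
        if bad:
            raise ValueError(f"unknown mode letter(s) {sorted(bad)} in {raw!r}")
        rules[(subject, obj)] = set(mode) & MODES
    return rules


def smack_access(rules, subject, obj, request):
    """Return True if `subject` may perform every mode in `request` on `obj`.

    The check order mirrors the kernel's Smack documentation: star subject,
    hat subject, floor object, star object, equal labels, explicit rule,
    otherwise deny.  Every requested mode must be granted: a rule giving
    'r' does not satisfy a request for 'rw'.
    """
    want = set(request)
    if not want or not want <= MODES:
        raise ValueError(f"bad access request {request!r}")
    if subject == STAR:                         # star is only meaningful on objects
        return False
    if subject == HAT and want <= {"r", "x"}:   # hat reads everything
        return True
    if obj == FLOOR and want <= {"r", "x"}:     # everyone reads the floor
        return True
    if obj == STAR:                             # star objects are open to all
        return True
    if subject == obj:                          # equal labels: implicit access
        return True
    return want <= rules.get((subject, obj), set())   # explicit rule, else deny


# Constructed rule file combining the deck's examples: explicit rules,
# ring of vigilance, messaging, the 08:00 time-of-day line, and the
# networking slide's packet rules (sender is subject, receiver is object).
SAMPLE_RULES = """
Dap SEAsia r
Med Pop w
SEAsia Dap r
Med SEAsia r
Dap Med r
Informant Reporter w
Reporter Editor w
Editor Reporter w
WorkerBee Game \u2013
William Janet w
Janet William r
"""

RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for s, o, m in [("Dap", "SEAsia", "r"), ("Dap", "SEAsia", "w"),
                    ("Dap", "Med", "r"), ("Med", "Dap", "r"),
                    ("^", "Pop", "r"), ("*", "Pop", "r"), ("Pop", "_", "w"),
                    ("WorkerBee", "Game", "x"), ("Janet", "William", "w")]:
        verdict = "allow" if smack_access(RULES, s, o, m) else "deny"
        print(f"{s:>10} -> {o:<8} {m}: {verdict}")
```

Two things worth noticing when running it: the ring of vigilance really is a ring (Dap reads Med, Med cannot read Dap, and no label dominates all the others, which no level-based scheme can express), and a UDP packet from Janet to William is dropped because the only Janet-to-William rule grants `r`, while a packet is a write by the sender.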
File Systems
• Use xattrs if supported
• Hard coded behavior
  • smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
  • File system root
  • File system default
  • File system floor and hat
  • Not yet implemented

Networking Model
• Sender writes to receiver
• Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
  • Allows a UDP packet
• Janet William r
  • Does not allow a UDP Packet

Packet Labeling
• Unlabeled packets get ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
  • Set via /smack/cipso
• CIPSO direct mapping
  • Level 250
  • Label copied into category bits
• Same CIPSO as SELinux

The LSM
• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
  • Networking
  • Audit
  • USB
  • Module Stacking

Programming interfaces
• getxattr(), setxattr()
  • SMACK64
• /proc/<pid>/attr/current

Socket Interfaces
• Socket Attributes
  • fgetxattr(), fsetxattr()
    • SMACK64.IPIN
    • SMACK64.IPOUT
• Packet Attributes
  • SO_PEERSEC
    • TCP
  • SCM_SECURITY
    • UDP

Administrative Interfaces
• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype

What Have You Learned?
• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.
• Smack is designed for simplicity
• Smack is designed as a kernel mechanism

Special Thank You
• Paul Moore – Network interfaces
• Ahmed S. Darwish – Work on smackfs
• And a host of reviewers, including Stephen Smalley, Seth Arnold, Joshua Brindle, Al Viro, James Morris, Kyle Moffett, Pavel Machek

Contact Information
• http://schaufler-ca.com
• casey@schaufler-ca.com
• rancidfat@yahoo.com