From Trusted to Secure: Building and Executing Applications that Enforce System Security
Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel
Presented by: panmeng
Outline
Background & Problem, Architecture, Implementation
Current secure operating systems
Security-Enhanced Linux (SELinux), Trusted Solaris and TrustedBSD
Mandatory access control (MAC) with multi-level security (MLS)
MAC + MLS
Top Secret (s4)
Secret (s3)
Confidential (s2)
Classified (s1)
Unclassified (s0)
Flow is permitted only upward in this lattice: no write-down, no read-up.
Label
OS resource: object (file, socket, etc.)
Application: subject
Label format: [user : role : type : MLS level range]
Example: logrotate
File labeled: system_u:object_r:user_t:s4
logrotate labeled: system_u:system_r:logrotate_t:s0-s1
If logrotate tries to access this file, the LSM (SELinux) stops it: the file sits at s4, above logrotate's clearance of s1.
(Figure: logrotate (s0-s1) attempts to access the file (s4); the LSM stops the access.)
log_file labeled: system_u:object_r:var_log_t:s1
config_file labeled: system_u:object_r:config_t:s0
logrotate labeled: system_u:system_r:logrotate_t:s0-s1
Now if logrotate reads the log file (s1) and writes the configuration file (s0), the system does not stop it: each access, judged on its own, lies within logrotate's range.
But this leaks secrets stored in the log file into the publicly readable configuration file. The OS never sees the write-down, because it happens inside the process.
(Figure: logrotate (s0-s1) reads the log file (s1), LSM permits; it writes the config file (s0), LSM permits; the resulting virtual write flow s1 -> s0 violates no write-down.)
Reason
The MAC OS enforces the security policy only outside the application, not within it.
Security is enforced only at the granularity of application inputs and outputs; how data moves between those inputs and outputs inside the process is invisible to the OS.
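The two logrotate slides, worked through in code as an added illustration (this is not code from the paper, from SELinux or from the Jif runtime). The per-access rules for a ranged subject (read anything its clearance dominates, write only inside its range) are a deliberate simplification of SELinux's MLS constraints and an assumption here; the object names and the `state_file` label are constructed. The point it shows is that the OS-side checks pass for both accesses while a check that follows the data through the process catches the write-down.

```python
"""Per-access MAC decisions vs. a flow-sensitive check, on the logrotate example.

Added illustration, not the paper's code.  The MLS rules below are a
simplified assumption, not the exact SELinux mlsconstrain rules.
"""
from dataclasses import dataclass, field


def level(s: str) -> int:
    """Sensitivity 'sN' -> N (higher number = more sensitive)."""
    assert s.startswith("s") and s[1:].isdigit(), s
    return int(s[1:])


@dataclass(frozen=True)
class Obj:
    name: str
    context: str  # e.g. "system_u:object_r:var_log_t:s1"

    @property
    def lvl(self) -> int:
        return level(self.context.split(":")[3])


@dataclass
class Subj:
    name: str
    context: str  # e.g. "system_u:system_r:logrotate_t:s0-s1"

    @property
    def low_high(self):
        lo, _, hi = self.context.split(":")[3].partition("-")
        return level(lo), level(hi or lo)


# Assumed per-access rules: read what the clearance (high) dominates, write
# only inside the range.  Each access is judged on its own, as the LSM does.
def os_permits_read(s: Subj, o: Obj) -> bool:
    _, hi = s.low_high
    return o.lvl <= hi


def os_permits_write(s: Subj, o: Obj) -> bool:
    lo, hi = s.low_high
    return lo <= o.lvl <= hi


@dataclass
class FlowTracker:
    """Follows the most sensitive level read so far; a write must dominate it."""
    subj: Subj
    tainted_to: int = -1
    os_decisions: list = field(default_factory=list)

    def read(self, o: Obj) -> None:
        ok = os_permits_read(self.subj, o)
        self.os_decisions.append(("read", o.name, ok))
        if not ok:
            raise PermissionError(f"LSM denies read of {o.name}")
        self.tainted_to = max(self.tainted_to, o.lvl)

    def write(self, o: Obj) -> bool:
        ok = os_permits_write(self.subj, o)
        self.os_decisions.append(("write", o.name, ok))
        if not ok:
            raise PermissionError(f"LSM denies write of {o.name}")
        # The OS permitted the write, but the data held by the process may be
        # more sensitive than the target: this is the virtual s1 -> s0 flow.
        return self.tainted_to <= o.lvl


def run_logrotate(log: Obj, out: Obj):
    """Read `log`, then write `out`; return (OS decisions, flow check verdict)."""
    lr = Subj("logrotate", "system_u:system_r:logrotate_t:s0-s1")
    t = FlowTracker(lr)
    t.read(log)
    return t.os_decisions, t.write(out)


LOG_S1 = Obj("log_file", "system_u:object_r:var_log_t:s1")
CONF_S0 = Obj("config_file", "system_u:object_r:config_t:s0")
STATE_S1 = Obj("state_file", "system_u:object_r:var_log_t:s1")  # constructed
USER_S4 = Obj("user_file", "system_u:object_r:user_t:s4")

if __name__ == "__main__":
    for target in (CONF_S0, STATE_S1):
        decisions, ok = run_logrotate(LOG_S1, target)
        print(decisions, "flow check:", "permit" if ok else "VIOLATION")
```

Running it prints that both OS decisions for the first pair are `True` while the flow check reports a violation; writing the same data to an s1 target passes both.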
Motivation
Let the application handle the labels internally.
Give the application not only its MLS range but also awareness of the direction in which data flows.
Architecture
Two requirements
Need a way to get labels from the OS into the application and to put them back.
Need a mechanism to make sure the application's policy complies with that of the OS.
How can we pass operating system resources along with their labels into an application?
How can we pass application data along with its labels out into the operating system?
How can we be sure that the application will faithfully enforce the operating system's policy on these labels?
Solution
1. Extend the OS API to export resource labels.
2. Use a security-typed language (Jif). Extend its runtime classes to get labels from the OS and to set its own labels inside the application.
3. The security-typed language's automated type analysis ensures at compile time that no leakage can occur through explicit or implicit flows.
4. A compliance analyzer checks that the policy in the application does not violate that of the OS.
Process steps
0) Initial state: the OS must have a MAC policy implementing some information-flow security goals.
1) Program a secure application: an application developer provides the bytecode for a security-typed application along with a policy template that can be specialized by the user for a particular operating system configuration (Jif/Pol).
2) Specialize the application policy: it is customized for different users running on different systems.
3) Invoke the service: invoke an operating system service to check the application for compliance with the operating system's security goals before running the application.
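Steps 1 to 3 as a small end-to-end model, added here as an example and not the paper's Jif/Pol or XSB Prolog code: a developer template with symbolic principals, a user specialization binding them to SELinux labels, and a compliance check that every flow the application policy allows is also allowed by the OS information-flow goal. The template format, the principal names `configP` and `logP`, and the BLP-style "flow only upward" rule standing in for the OS policy are all assumptions; the label bindings are constructed.

```python
"""Toy policy-compliance check in the spirit of step 3.

Added illustration, not the paper's compliance checker.  The template format,
the principals and the OS flow rule are assumptions.
"""
from itertools import product


def level(ctx: str) -> int:
    """Sensitivity of an SELinux context 'type:sN' or 'user:role:type:sN'."""
    return int(ctx.rsplit(":", 1)[1][1:])


def os_allows_flow(src_ctx: str, dst_ctx: str) -> bool:
    """Assumed OS information-flow goal: data may move to a label that
    dominates its own sensitivity, never downward (no write-down)."""
    return level(src_ctx) <= level(dst_ctx)


# Step 1: the developer ships bytecode plus a policy template.  Principals are
# symbolic; a flow (p, q) says data labelled for p may reach q.
TEMPLATE = {
    "principals": ["configP", "logP"],
    "flows": [("configP", "logP")],  # configuration may steer log handling
    "bindings": {"configP": None, "logP": None},  # filled in at step 2
}


def specialize(template: dict, bindings: dict) -> dict:
    """Step 2: the user binds each principal to the SELinux labels it stands
    for on this system.  Every principal must be bound."""
    missing = [p for p in template["principals"] if p not in bindings]
    if missing:
        raise ValueError(f"unbound principals: {missing}")
    bound = {p: frozenset(bindings[p]) for p in template["principals"]}
    return {**template, "bindings": bound}


def check_compliance(policy: dict) -> list:
    """Step 3: list every (principal flow, OS label pair) the application
    would permit but the OS forbids.  An empty list means compliant."""
    violations = []
    for p, q in policy["flows"]:
        for a, b in product(policy["bindings"][p], policy["bindings"][q]):
            if not os_allows_flow(a, b):
                violations.append(((p, q), (a, b)))
    return violations


# Constructed specialization: config at s0 flows into s1 logs only.
GOOD = specialize(TEMPLATE, {
    "configP": ["config_t:s0"],
    "logP": ["var_log_t:s1", "xserver_log_t:s1"],
})

# Constructed non-compliant specialization: a flow back from logs into the
# config principal, with an s2 log bound in.  Reading s1/s2 logs and writing
# an s0 config is exactly the leak of the motivating example.
BAD = specialize(
    {**TEMPLATE, "flows": TEMPLATE["flows"] + [("logP", "configP")]},
    {"configP": ["config_t:s0"], "logP": ["var_log_t:s1", "var_log_t:s2"]},
)

if __name__ == "__main__":
    print("good:", check_compliance(GOOD))
    print("bad :", check_compliance(BAD))
```

The check is deliberately conservative: a principal bound to several OS labels must be allowed to flow for every pair, because the application's type system treats all of that principal's data alike.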
Implementation
SELinux, Jif/Pol, SIESTA (the Service for Inspecting and Executing Security-Typed Applications)
First, extend the runtime infrastructure of the Jif compiler with an interface to SELinux (kernel 2.6.16) for getting and setting SELinux security contexts on network sockets and files.
Second, construct the Service for Inspecting and Executing Security-Typed Applications (SIESTA). This includes a system daemon along with an interface that can be run by the user; both were written in C. It also includes a policy compliance checker written in XSB Prolog.
Third, use this infrastructure to build and test two demonstrative applications: logrotate and JPmail.
All possible flows for logrotate
(Figure: flow graph between the application principals configP and logP and the OS labels config_t:s0, xserver_log_t:s1, var_log_t:s1 and var_log_t:s2; arrows mark the flows allowed.)
Conclusion
Provides a way to monitor information flow within an application.
Security-typed languages are not yet mature.
Each application needs its own flow policy, which is heavy work.
Thanks