Kernel Recipes 2013 – Samir Bellabes
Linux Security Modules
SELinux, AppArmor & Tomoyo
trough security models
-
Kernel Rec...
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
● Formal models for computer security
● Specify functional ...
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
● LOMAC : Low Water-Mark Mandatory Access Control - 2000
● ...
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
security
integrity
authentication
IMA
keys
availability
con...
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
access control objectssubject
policy
What is MAC ?
Kernel Recipes 2013 – Samir Bellabes
Previously on KR Season 1
access control objectssubject
policy
What is MAC ?
Attribut...
Kernel Recipes 2013 – Samir Bellabes
Summary
Kernel Recipes 2013 – Samir Bellabes
Summary
● Model for SELinux
– History & discuss
● Model for AppArmor
– History & disc...
Kernel Recipes 2013 – Samir Bellabes
Access Control: timetable
SELinux proposed by NSA
Hooks mechanism
2001
hooks upstream...
Kernel Recipes 2013 – Samir Bellabes
SELinux
Kernel Recipes 2013 – Samir Bellabes
Model for SELinux : history
● NSA was the original developer
● Implementation of the ...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : the Flask architecture
● Flask architecture simply implements MAC
● P...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : the Flask architecture
● Security policy over process and objects
● T...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : TE – type enforcement
● SAT : Secure Ada Target, 1st implementation, ...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : TE – type enforcement
● obj3, obj1 and obj2 are in the same type “foo...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : type enforcement
● “So it's all about classification ?”
– I think so,...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : RBAC
● RBAC : Role Based Access Control
● Attaching roles on users, a...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : MLS
● It's about security levels
● SELinux implements Bell-Lapadula m...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : MLS
● It's about security levels
● SELinux implements Bell-Lapadula m...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : MLS
● It's about security levels
● SELinux implements Bell-Lapadula m...
Kernel Recipes 2013 – Samir Bellabes
SELinux model : MLS
● It's about security levels
● SELinux implements Bell-Lapadula m...
Kernel Recipes 2013 – Samir Bellabes
SELinux : booting
● Booting / quit is a real deal : assure reliability on security is...
Kernel Recipes 2013 – Samir Bellabes
AppArmor
Kernel Recipes 2013 – Samir Bellabes
Model for AppArmor : history
● Originally from 1998
● Upstream in 2.6.36
Kernel Recipes 2013 – Samir Bellabes
AppArmor model : type enforcement
● A modified domain type enforcement (again) : Prof...
Kernel Recipes 2013 – Samir Bellabes
Tomoyo
Kernel Recipes 2013 – Samir Bellabes
Tomoyo model : type enforcement
● Process are attached a single domain
● If a process...
Kernel Recipes 2013 – Samir Bellabes
Tomoyo model : domain → path-named
● Starting with domain <kernel>
● Domain for /sbin...
Kernel Recipes 2013 – Samir Bellabes
Tomoyo model : type enforcement
● Process are attached a single domain
● If a process...
Kernel Recipes 2013 – Samir Bellabes
Model for Tomoyo : history
● As far as I remember : Fighting
● Revive “void *security...
Kernel Recipes 2013 – Samir Bellabes
Summary of Linux Security Summit 2013
Kernel Recipes 2013 – Samir Bellabes
Summary of LSS 2013
● Update on all security modules.
● Security mechanisms : ASLR, a...
Kernel Recipes 2013 – Samir Bellabes
Using LSM hooks for
“information flow”
Kernel Recipes 2013 – Samir Bellabes
Using LSM hooks for
“information flow”
Entering #no_bullshit zone
Thanks Gandi for sp...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● It's all about state machine and transitions
State 0
...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● It's all about state machine and transitions
State 0
...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
because ghosts are among us !
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● Let's take a memory buffer
● There are lots of functi...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● Let's take a memory buffer
● There are lots of functi...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● Ghosts ?
window window window
Doors
pick-locking anyo...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● Ghosts ?
window window window
Doors
pick-locking anyo...
Kernel Recipes 2013 – Samir Bellabes
Information flow with hooks ?
● But it's possible to catch incoherent status of cours...
Kernel Recipes 2013 – Samir Bellabes
Exiting #no_bullshit zone
Kernel Recipes 2013 – Samir Bellabes
What's next ? Security at KR season 3 ?..
● what are “technical mechanism” for securi...
Kernel Recipes 2013 – Samir Bellabes
Linux Security Modules
-
Thanks hupstream for this event !
Kernel Recipes 2013
Upcoming SlideShare
Loading in...5
×

Kernel Recipes 2013 - Linux Security Modules: different formal concepts

1,195

Published on

This conference proposes to browse the differences between the models that make up the security modules of Linux kernels.

An introduction to implementation will be presented in order to understand how to develop a security module.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,195
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
43
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Kernel Recipes 2013 - Linux Security Modules: different formal concepts

  1. 1. Kernel Recipes 2013 – Samir Bellabes Linux Security Modules SELinux, AppArmor & Tomoyo trough security models - Kernel Recipes 2013
  2. 2. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1
  3. 3. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1 ● Formal models for computer security ● Specify functional & assurance requirements → CC ● Implementation ● Testing → CC CC = Common Criteria
  4. 4. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1 ● LOMAC : Low Water-Mark Mandatory Access Control - 2000 ● Bell-La Padula (BLP) – 1973 ● object-capability - 1981 ● Take-grant - 1977 ● Biba – 1977 ● Access control Matrix – 1971 ● ..
  5. 5. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1 security integrity authentication IMA keys availability confidentiality auditcrypto accounting non repudiation Shared properties
  6. 6. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1 access control objectssubject policy What is MAC ?
  7. 7. Kernel Recipes 2013 – Samir Bellabes Previously on KR Season 1 access control objectssubject policy What is MAC ? Attributes are applied They are differents
  8. 8. Kernel Recipes 2013 – Samir Bellabes Summary
  9. 9. Kernel Recipes 2013 – Samir Bellabes Summary ● Model for SELinux – History & discuss ● Model for AppArmor – History & discuss ● Model for Tomoyo – History & discuss ● Summary of the Linux Security Summit 2013 meeting ● Discuss about using LSM hooks for “information flow”
  10. 10. Kernel Recipes 2013 – Samir Bellabes Access Control: timetable SELinux proposed by NSA Hooks mechanism 2001 hooks upstream 2003 removing LSM ? 2006 tomoyo 2009 → AppArmor 2010 → smack 2008 → Stacking / chaining : 2004 → .. RBAC 92/96 LOMAC 2000 PaX 2000 → Linux 2.2 : 99 Linux 2.6 : 03 Linux 2.0 : 96 Linux 2.4 : 01 Take Grant 77 Biba 77 Access Control Matrix 71 Object capablity 81 OrBAC 2003 TCSEC Orange book 85 RSBAC 98 TMAC 98 ABAC 2003 RBAC : Role TMAC : team RSBAC : rule set LOMAC : low OrBAC : organise ABAC : attribute MAC/DAC 60/70 Bell-LP 73 SELinux 2003 →
  11. 11. Kernel Recipes 2013 – Samir Bellabes SELinux
  12. 12. Kernel Recipes 2013 – Samir Bellabes Model for SELinux : history ● NSA was the original developer ● Implementation of the operating system security architecture called Flask ● In the 2.5.x series, LSM framework was developed,so SELinux was ported for 2.6.0 ● Flask : Flux Advanced Security Kernel
  13. 13. Kernel Recipes 2013 – Samir Bellabes SELinux model : the Flask architecture ● Flask architecture simply implements MAC ● Principle of “least privilege” ● Objects and subjects are related to security attributes inside a “security context” ● Dealing with security context is not easy, so we can refer to it with a SID : security identifier, a kind or pointer, reference to the context. Exemple : it's working well for persistent objects ● A security decision can be made with {SID(subject), SID(object)}. ● Two kind of decisions exist : – Labeling decision : obj/sub transition → creating new file from directory – Access decision : check permissions for operations using Access Vector Cache (AVC) : access vector gives decisions for all permissions for a object, or directly on the server policy
  14. 14. Kernel Recipes 2013 – Samir Bellabes SELinux model : the Flask architecture ● Security policy over process and objects ● True innovation : splitting the technical architecture from the policy (not only a modularity) ● Demonstration by implementing : – Type enforcement (TE) 1980-1985 – Role Based Access Control (RBAC) 1992-1996 – Multi Level Security (MLS)
  15. 15. Kernel Recipes 2013 – Samir Bellabes SELinux model : TE – type enforcement ● SAT : Secure Ada Target, 1st implementation, late 1980s ● Labels (security informations) on subjects and objects ● security context with labels on subjects → “domain label” (DTE) ● security context with labels on objects → “type label” (DTE) ● class exist for using objects directly: – Same type, but different class → can manage the situation ● TE uses role for users, not domain. – credentials mechanism → b6dff3 : separate task security context from task_struct, so no more true label on subject ● TE enables the labeling decisions and the access decisions
  16. 16. Kernel Recipes 2013 – Samir Bellabes SELinux model : TE – type enforcement ● obj3, obj1 and obj2 are in the same type “foo_t” obj2 obj1 obj3 S1 S0 obj0 foo_t bar_t
  17. 17. Kernel Recipes 2013 – Samir Bellabes SELinux model : type enforcement ● “So it's all about classification ?” – I think so, but it is not really a shared idea..
  18. 18. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles
  19. 19. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles USER
  20. 20. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles USER R0 R1 R2
  21. 21. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles USER R0 R1 R2 bar_t snafu_t ack_t truc_t foo_t
  22. 22. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles USER R0 R1 R2 foo_t bar_t snafu_t ack_t truc_t obj2 obj1 obj0
  23. 23. Kernel Recipes 2013 – Samir Bellabes SELinux model : RBAC ● RBAC : Role Based Access Control ● Attaching roles on users, attaching permissions on roles USER R0 R1 R2 foo_t bar_t snafu_t ack_t truc_t obj2 obj1 obj0 USER+ Role transition
  24. 24. Kernel Recipes 2013 – Samir Bellabes SELinux model : MLS ● It's about security levels ● SELinux implements Bell-Lapadula model
  25. 25. Kernel Recipes 2013 – Samir Bellabes SELinux model : MLS ● It's about security levels ● SELinux implements Bell-Lapadula model secret top secret confidential unclassified Transition states are managed time
  26. 26. Kernel Recipes 2013 – Samir Bellabes SELinux model : MLS ● It's about security levels ● SELinux implements Bell-Lapadula model time secret top secret confidential unclassified Transition states are managed Read-down : Security(subject) > Security(object) write-up: Security(subject) < Security(object)
  27. 27. Kernel Recipes 2013 – Samir Bellabes SELinux model : MLS ● It's about security levels ● SELinux implements Bell-Lapadula model time secret top secret confidential unclassified Transition states are managed Read-down : Security(subject) > Security(object) write-up: Security(subject) < Security(object) Opposite is Biba for integrity
  28. 28. Kernel Recipes 2013 – Samir Bellabes SELinux : booting ● Booting / quit is a real deal : assure reliability on security is hard (embedded, ...). ● start_kernel() ● security_init() ● Initial SID (1) ● Initialize AVC, selinuxfs ● Set enforcing mode from config ● (some stuff called relabeling) ● Start /sbin/init with label context
  29. 29. Kernel Recipes 2013 – Samir Bellabes AppArmor
  30. 30. Kernel Recipes 2013 – Samir Bellabes Model for AppArmor : history ● Originally from 1998 ● Upstream in 2.6.36
  31. 31. Kernel Recipes 2013 – Samir Bellabes AppArmor model : type enforcement ● A modified domain type enforcement (again) : Profile is the domain type – Normally subject ↔ objects ↔ permissions (type enforcement) – But profile A = { (obj0, perm0), (obj1, perm1), .. } – Profiles are stored in database ● Using information labels on objects (void *security) until creds patches (2.6.29) ● For files, AppArmor is using path-name as information, no label (dealing with mount point) (called implicit labeling) ● Using a technical mean called “deriving implicit types” ..
  32. 32. Kernel Recipes 2013 – Samir Bellabes Tomoyo
  33. 33. Kernel Recipes 2013 – Samir Bellabes Tomoyo model : type enforcement ● Process are attached a single domain ● If a process exec a program, divide or transit the domain ● Operations granularity on objects are “read/write/execute”
  34. 34. Kernel Recipes 2013 – Samir Bellabes Tomoyo model : domain → path-named ● Starting with domain <kernel> ● Domain for /sbin/init is <kernel>/sbin/init/ ● Exemple : – <kernel>/sbin/init/etc/rc.d/service – <kernel>/usr/sbin/sshd/bin/bash ● There are some exceptions (restarting services no more <kernel>/..)
  35. 35. Kernel Recipes 2013 – Samir Bellabes Tomoyo model : type enforcement ● Process are attached a single domain ● If a process exec a program, divide or transit the domain ● Operations granularity on objects are “read/write/execute” exec obj0 obj1 obj0 obj2 Permission on domain Not process
  36. 36. Kernel Recipes 2013 – Samir Bellabes Model for Tomoyo : history ● As far as I remember : Fighting ● Revive “void *security” : b6dff3 ● Hook for network : post_accept ● Merging ● ..
  37. 37. Kernel Recipes 2013 – Samir Bellabes Summary of Linux Security Summit 2013
  38. 38. Kernel Recipes 2013 – Samir Bellabes Summary of LSS 2013 ● Update on all security modules. ● Security mechanisms : ASLR, anti-patterns : using PaX plugins for gcc (!), using Coccinelle (!!!!), ● Stacking (agaaaaain..) but now it's called multiple concurrent security models ● technical papers for embedded ● http://kernsec.org/wiki/index.php/Linux_Security_Summit_2013
  39. 39. Kernel Recipes 2013 – Samir Bellabes Using LSM hooks for “information flow”
  40. 40. Kernel Recipes 2013 – Samir Bellabes Using LSM hooks for “information flow” Entering #no_bullshit zone Thanks Gandi for sponsoring Kernel Recipes
  41. 41. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● It's all about state machine and transitions State 0 S1 socket() S2 bind() S1S1 S3 connect()
  42. 42. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● It's all about state machine and transitions State 0 S1 socket() S2 bind() S1S1 S3 connect() How can we build this interesting kind of graphs ? Why not using LSM hooks as “borders” ?
  43. 43. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? because ghosts are among us !
  44. 44. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● Let's take a memory buffer ● There are lots of functions which can modify m – write(m,..), mmap(m,..), str*(m,..) ● Let's say you can actually don't miss a function which can modify m and you can put a trap (hook) inside all this functions. ● So now you can have the graph ..
  45. 45. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● Let's take a memory buffer ● There are lots of functions which can modify m – write(m,..), mmap(m,..), str*(m,..) ● Let's say you can actually don't miss a function which can modify m and you can put a trap (hook) inside all this functions. ● So now you can have the graph .. ● What about m[10] = 0; ?? ● How can you hook this operation ?
  46. 46. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● Ghosts ? window window window Doors pick-locking anyone? backdoor
  47. 47. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● Ghosts ? window window window Doors pick-locking anyone? backdoor I'm a ghost, I can cross walls.. Where is the hook ?
  48. 48. Kernel Recipes 2013 – Samir Bellabes Information flow with hooks ? ● But it's possible to catch incoherent status of course – Before there was 3 users inside, now there is 4 users. ● The incoherence will appears by keeping label informations on objects, and between two hooks.
  49. 49. Kernel Recipes 2013 – Samir Bellabes Exiting #no_bullshit zone
  50. 50. Kernel Recipes 2013 – Samir Bellabes What's next ? Security at KR season 3 ?.. ● what are “technical mechanism” for security implementation ? ● It's called “hardened kernel” → ASLR, PaX, PIE/SSP, RELRO, toolchain, … → KR Season 3 ?
  51. 51. Kernel Recipes 2013 – Samir Bellabes Linux Security Modules - Thanks hupstream for this event ! Kernel Recipes 2013
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×