TOMOYO LINUX ON ANDROID
2009 at Taipei

October 27, 2009
(Toshiharu Harada)
(Tetsuo Handa)
NTT DATA CORPORATION
AGENDA


Part 1: Operating System Security Overview
Part 2: Demonstration
Q and A
DO YOU KNOW THIS?

[image] 28
[image] Controller of 28

[image] is very powerful
Has no intelligence
Operated by the controller

[image] is an ordinary boy (has no power)
He is the owner of the controller of 28
CONTROLLER

Can be used to control [image]
Communicates with [image] wirelessly (bluetooth?)
TOTAL SCENARIO

1. [image] loses his important controller
2. [image] is operated by bad guys
3. [image] takes back the controller
4. Goto line 1
OH MY GOD!
FAULT OF [image]?

No, not really
[image] is just a machine

[image] is responsible for keeping control of [image]

Like a driver is responsible for a car accident
EVER THOUGHT?

Your PC/embedded device is the same as [image]

It does not know what is good and what is bad
You, as the owner of the PC, have to administer it
  Separating accounts and using passwords
  Setting access modes for files and directories
UNFORTUNATELY

Those things are not sufficient
Because
1. Bugs can cause buffer overflows
2. It is possible to take over administrator privilege via
   buffer overflows
3. Administrator privilege means almighty
SO YOU NEED

Something to restrict (or limit) the administrator
privilege
  Windows VISTA introduced UAC
  Linux and other mainstream OSes are equipped with
  better access control mechanisms: SELinux,
  Smack and TOMOYO Linux
The green field is the
operating system space
A car is a process (program)
In a normal OS, the car can go
anywhere (can do anything)
If your car is stolen, your
damage is unlimited
WHY “UNLIMITED”?

The operating system does not know you
The operating system does not understand good
operations and bad operations
If one gets privilege, he is a God and can do anything
(format the drive, stop the service, set a
backdoor ...)
The whole idea is “limiting” the freedom
You have to be careful not to limit the proper usage
The ideal state is that the car can go to the places you
need, but cannot go anywhere else
YOUR ROLE

Like [image], SELinux and TOMOYO Linux can’t know
which operation is good and which is bad
You have to tell them as a set of conditions, which are
called “policy”
WHY IS IT DIFFICULT?

Because additional access control works deep
inside the operating system (in the Linux kernel)
The Linux kernel is not a very user-friendly world
  inode, file descriptor, lock …
  Policy is like an assembler language of computer
  security

[Diagram]
pathname : human
inode    : policy
EMBEDDED, TOO?

More and more devices are using Linux
  A rich set of software (TCP/IP, apache, samba …)
  Vulnerabilities are the same as on server machines
Embedded devices store personal information, so
security is more important
Embedded devices can physically cause harm
(remotely destroy/damage your possessions)
3 CHOICES


SELinux (fully-featured, most robust and reliable)
Smack (simplified version)
TOMOYO Linux (since 2.6.30)
SELINUX
Makes judgements by the combination of “labels” (security
context information)
You can see labels by executing “ls -Z”, “ps -Z” ...
TOMOYO LINUX
Has a feature called “policy learning mode”
It gathers information inside the kernel and shows it to you
TOMOYO Linux keeps track of every process
execution
Each process has its “history” and we call that
a “domain”
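A toy model of the two ideas on this slide, added here as an example and not TOMOYO's own code: the domain as a process's execution history, and learning mode recording accesses that enforcing mode then checks. Real TOMOYO keeps this state inside the kernel; the Android-style paths and the `Policy`/`workload` names are constructed for the example.

```python
# Added example, not TOMOYO's own code: a toy model of domains (a process's
# execution history) and of learning vs. enforcing mode. Paths are constructed.
LEARNING, ENFORCING = "learning", "enforcing"

class Policy:
    def __init__(self, mode=LEARNING):
        self.mode = mode
        self.rules = {}    # domain -> set of (operation, path)
        self.denied = []   # (domain, operation, path) rejected while enforcing

    def check(self, domain, op, path):
        allowed = self.rules.setdefault(domain, set())
        if (op, path) in allowed:
            return True
        if self.mode == LEARNING:      # learning mode records what it sees
            allowed.add((op, path))
            return True
        self.denied.append((domain, op, path))
        return False

    def execve(self, domain, path):
        # Execution is checked too; the child's domain is the parent's history
        # plus the newly executed program, e.g. "<kernel> /init /system/bin/sh".
        return f"{domain} {path}" if self.check(domain, "execute", path) else None

    def dump(self):
        # Render like a domain_policy file (allow_* keywords of 2.6.30-era TOMOYO)
        lines = []
        for domain in sorted(self.rules):
            lines.append(domain)
            lines += [f"allow_{op} {p}" for op, p in sorted(self.rules[domain])]
            lines.append("")
        return "\n".join(lines)

def workload(policy):
    """Constructed scenario: init starts a shell that reads a config and runs logcat."""
    sh = policy.execve(policy.execve("<kernel>", "/init"), "/system/bin/sh")
    ok_read = policy.check(sh, "read", "/data/app.conf")
    ok_exec = policy.execve(sh, "/system/bin/logcat") is not None
    return [("read", "/data/app.conf", ok_read),
            ("execute", "/system/bin/logcat", ok_exec)]

def learn_then_enforce():
    """Learn the workload, switch to enforcing, replay it; then try an unseen access."""
    policy = Policy(LEARNING)
    workload(policy)
    policy.mode = ENFORCING
    replay = workload(policy)
    novel = policy.check("<kernel> /init /system/bin/sh", "write", "/data/other_app/db")
    return policy, replay, novel
```

The shell and the logcat it starts end up in different domains, so a rule learned for one does not apply to the other; that per-history granularity is what the slide's “domain” buys you.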
DEMONSTRATION
TRADEMARKS
Linux is a trademark of Linus Torvalds in Japan and
other countries
TOMOYO is a trademark of NTT DATA
CORPORATION in Japan
http://www.slideshare.net/haradats/presentations