SlideShare a Scribd company logo

Directions in SELinux Networking

J
James Morris

The document discusses directions for improving SELinux networking capabilities. It outlines ideas such as using Netfilter/iptables for IP packet controls instead of the current implementation, leveraging IPsec to label security associations rather than individual packets, extending SELinux policy to the distributed environment, and developing mechanisms for distributing and synchronizing policy across security realms. Long term trends toward high assurance distributed computing are also noted.

TechnologyNews & Politics
1 of 15
Download to read offline
Directions in SELinux Networking Linux Kernel Networking Summit Montréal, Canada July 2005 James Morris <jmorris@redhat.com>
SELinux ● SELinux provides fine­grained, flexible MAC. ● Subjects and objects are labeled with security  contexts, policy determines interactions. ● Type Enforcement (TE) model provides an  expressive abstraction of security classes and  their interactions.
Current Status ● SELinux provides broad coverage across the  kernel (140 hooks). ● All socketcalls are mediated, provides high level  control over local networking. ● Protocol specific controls for Netlink, Unix, some  IP (name_bind, name_connect, rudimentary  packet filter).
Networking Directions ● Performance of IP network controls needs to be  improved. ● Hit by per­packet lookups for security context of  port and IP addresses. ● IBM did some work on an RCU cache, needs  further investigation. ● May be replacing IP packet hooks anyway.
Netfilter/iptables ● Possibly replace existing IP packet controls with  Netfilter/iptables integration (selipt). ● More flexible & expressive, makes use of  conntrack, matches, targets etc. ● Need receiving socket: current code uses  ipt_owner patch. ● Better to use socket hook work from Patrick  McHardy.
Distributed MAC ● MAC is currently limited to the local machine. ● Historically used with Multi­Level Security  (MLS). ● Typically, each packet is labeled via IP options  (CIPSO, FIPS­188). ● Selopt implemented, dropped for upstream  merge.
Leveraging IPsec ● Trent Jaeger's implicit labeling work (IBM). ● Label SAs instead of packets. ● Draws on previous Flask work. ● Not MLS or even SELinux specific. ● Utilizes IPsec services: confidentiality;  authentication; negotiation; automation.
Leveraging IPsec II ● Hooks into xfrm subsystem. ● IPsec policies are labeled: only authorized  policies may be used, controlled via SELinux. ● SA labels must match (existing SA or triggered  negotiation with IKE). ● Matching packets considered labeled. ● Policy for unlabeled packets (e.g. ISAKMP).
Leveraging IPsec III ● Useful for MLS networking, suitable for LSPP  (B1) and beyond. ● Not compatible with IP options schemes. ● More generally useful for extending SELinux  across the network. ● Control communication between processes on  different systems.
Networked Filesystems ● NSA developed support for NFSv3. ● Future is NFSv4 with named attributes. ● SMB desired by some parties. ● Cluster Filesystems (some OCFS2 work).
Remote Attestation ● Use of TPM and associated hardware to  cryptographically verify system from boot. ● IBM Integrity Measurement Architecture (IMA). ● Requires protocol which queries TPM with  nonce; TPM signs measurement list and nonce. ● SELinux policy could be used to require that the  remote system is attested before some other  communication.
Cryptographic Policy ● SELinux policy could be extended to express  more general cryptographic policy. ● e.g. foo_t file must be stored with X encryption,  and only transmitted by local admin_t to remote  admin_t on trusted hosts with Y encryption and Z  authentication on the wire. ● May also require use of specific crypto device or  software.
Distributed Policy ● Mechanism for distributing and synchronizing  policy within a security realm may be useful  when using distributed MAC.
Longer Term ● General trend toward increasingly high assurance  distributed computing. ● Inter­realm communication.  Establishing trust  between different “domains of interpretation” is  very difficult. ● SE aware firewalling, complicated by Ipsec.
Resources ● SELinux Enhanced IPTables http://people.redhat.com/jmorris/selinux/selipt/ ● “Architecture of SELinux Network Access Controls” http://www.selinux­symposium.org/2005/presentations/session2/2­2­morris.pdf ● “Leveraging IPSec for network access control for SELinux” http://www.selinux­symposium.org/2005/presentations/session2/2­3­jaeger.pdf ● Full IBM research report on the above (and more generalized). Not yet published ● Ajaya Chitturi's Flask Thesis http://www.cs.utah.edu/flux/papers/ajay­thesis­abs.html

Recommended

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
James Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
James Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
James Morris
 

Recommended

Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
James Morris
 
Adding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFSAdding Extended Attribute Support to NFS
Adding Extended Attribute Support to NFS
James Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
James Morris
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
 
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 TokyoMandatory Access Control Networking Update - Netonf 2006 Tokyo
Mandatory Access Control Networking Update - Netonf 2006 Tokyo
James Morris
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
Kernel TLV
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
pankaj009
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
Information Technology
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core Systems
Davidlohr Bueso
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
Michael Boman
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
Kaiwan Billimoria
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
Amr Ali
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
Lubomir Rintel
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
Michael Boelen
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
Unix Security
Unix SecurityUnix Security
Unix Security
replay21
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
Sandeep Patil
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 

More Related Content

What's hot

Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
Kernel TLV
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
 
Linux Security
Linux SecurityLinux Security
Linux Security
nayakslideshare
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
pankaj009
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
Information Technology
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core Systems
Davidlohr Bueso
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
Michael Boman
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
Kaiwan Billimoria
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
Amr Ali
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
Lubomir Rintel
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
Michael Boelen
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
Rene Cunningham
 
Unix Security
Unix SecurityUnix Security
Unix Security
replay21
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
 

What's hot (20)

Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Linux security
Linux securityLinux security
Linux security
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Futex Scaling for Multi-core Systems
Futex Scaling for Multi-core SystemsFutex Scaling for Multi-core Systems
Futex Scaling for Multi-core Systems
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
SELinux Basic Usage
SELinux Basic UsageSELinux Basic Usage
SELinux Basic Usage
 

Similar to Directions in SELinux Networking

IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
Sandeep Patil
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
James Morris
 
운영체제론 Ch22
운영체제론 Ch22운영체제론 Ch22
운영체제론 Ch22
Jongmyoung Kim
 
Security issues in FPGA based systems.
Security issues in FPGA based systems.Security issues in FPGA based systems.
Security issues in FPGA based systems.
Rajeev Verma
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
Abdullah Deeb
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
KishoreTs3
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
karthikvcyber
 
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
Rambus
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
ICT PRISTINE
 
Chapter 8 Presentaion
Chapter 8 PresentaionChapter 8 Presentaion
Chapter 8 Presentaion
Amy McMullin
 
Understanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionUnderstanding senetas layer 2 encryption
Understanding senetas layer 2 encryption
Senetas
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peter
ICT PRISTINE
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
Joseph Holbrook, Chief Learning Officer (CLO)
 
9781305094352 ppt ch08
9781305094352 ppt ch089781305094352 ppt ch08
9781305094352 ppt ch08
Amy McMullin
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of building
Chuck Speicher
 
下午1 intel yang, elton_mee_go-arch-update-final
下午1 intel yang, elton_mee_go-arch-update-final下午1 intel yang, elton_mee_go-arch-update-final
下午1 intel yang, elton_mee_go-arch-update-final
csdnmobile
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt
Sabreen Irfana
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
ADVA
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
Shawn Wells
 

Similar to Directions in SELinux Networking (20)

IBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and RestIBM Spectrum Scale Secure- Secure Data in Motion and Rest
IBM Spectrum Scale Secure- Secure Data in Motion and Rest
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
운영체제론 Ch22
운영체제론 Ch22운영체제론 Ch22
운영체제론 Ch22
 
Security issues in FPGA based systems.
Security issues in FPGA based systems.Security issues in FPGA based systems.
Security issues in FPGA based systems.
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
 
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit ...
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 
Chapter 8 Presentaion
Chapter 8 PresentaionChapter 8 Presentaion
Chapter 8 Presentaion
 
Understanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionUnderstanding senetas layer 2 encryption
Understanding senetas layer 2 encryption
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peter
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
 
9781305094352 ppt ch08
9781305094352 ppt ch089781305094352 ppt ch08
9781305094352 ppt ch08
 
Sfa community of practice a natural way of building
Sfa community of practice a natural way of buildingSfa community of practice a natural way of building
Sfa community of practice a natural way of building
 
下午1 intel yang, elton_mee_go-arch-update-final
下午1 intel yang, elton_mee_go-arch-update-final下午1 intel yang, elton_mee_go-arch-update-final
下午1 intel yang, elton_mee_go-arch-update-final
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 

More from James Morris

sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
James Morris
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
James Morris
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
James Morris
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008
James Morris
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
James Morris
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
James Morris
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007
James Morris
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
James Morris
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
James Morris
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
James Morris
 

More from James Morris (10)

sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
OLPC Networking Overview
OLPC Networking OverviewOLPC Networking Overview
OLPC Networking Overview
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008SELinux Project Overview - Linux Foundation Japan Symposium 2008
SELinux Project Overview - Linux Foundation Japan Symposium 2008
 
Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004Kernel Security for 2.8 - Kernel Summit 2004
Kernel Security for 2.8 - Kernel Summit 2004
 
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 TokyoBetter IPSec Security Association Resolution - Netconf 2006 Tokyo
Better IPSec Security Association Resolution - Netconf 2006 Tokyo
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007
 
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
How and Why You Should Become a Kernel Hacker - FOSS.IN/2007
 
SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005SELinux Kernel Internals and Architecture - FOSS.IN/2005
SELinux Kernel Internals and Architecture - FOSS.IN/2005
 
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
Anatomy of Fedora Kiosk Mode (FOSS.MY/2008)
 

Recently uploaded

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 

Recently uploaded (20)

Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 

Directions in SELinux Networking

  • 1. Directions in SELinux Networking Linux Kernel Networking Summit Montréal, Canada July 2005 James Morris <jmorris@redhat.com>
  • 2. SELinux ● SELinux provides fine­grained, flexible MAC. ● Subjects and objects are labeled with security  contexts, policy determines interactions. ● Type Enforcement (TE) model provides an  expressive abstraction of security classes and  their interactions.
  • 3. Current Status ● SELinux provides broad coverage across the  kernel (140 hooks). ● All socketcalls are mediated, provides high level  control over local networking. ● Protocol specific controls for Netlink, Unix, some  IP (name_bind, name_connect, rudimentary  packet filter).
  • 4. Networking Directions ● Performance of IP network controls needs to be  improved. ● Hit by per­packet lookups for security context of  port and IP addresses. ● IBM did some work on an RCU cache, needs  further investigation. ● May be replacing IP packet hooks anyway.
  • 5. Netfilter/iptables ● Possibly replace existing IP packet controls with  Netfilter/iptables integration (selipt). ● More flexible & expressive, makes use of  conntrack, matches, targets etc. ● Need receiving socket: current code uses  ipt_owner patch. ● Better to use socket hook work from Patrick  McHardy.
  • 6. Distributed MAC ● MAC is currently limited to the local machine. ● Historically used with Multi­Level Security  (MLS). ● Typically, each packet is labeled via IP options  (CIPSO, FIPS­188). ● Selopt implemented, dropped for upstream  merge.
  • 7. Leveraging IPsec ● Trent Jaeger's implicit labeling work (IBM). ● Label SAs instead of packets. ● Draws on previous Flask work. ● Not MLS or even SELinux specific. ● Utilizes IPsec services: confidentiality;  authentication; negotiation; automation.
  • 8. Leveraging IPsec II ● Hooks into xfrm subsystem. ● IPsec policies are labeled: only authorized  policies may be used, controlled via SELinux. ● SA labels must match (existing SA or triggered  negotiation with IKE). ● Matching packets considered labeled. ● Policy for unlabeled packets (e.g. ISAKMP).
  • 9. Leveraging IPsec III ● Useful for MLS networking, suitable for LSPP  (B1) and beyond. ● Not compatible with IP options schemes. ● More generally useful for extending SELinux  across the network. ● Control communication between processes on  different systems.
  • 10. Networked Filesystems ● NSA developed support for NFSv3. ● Future is NFSv4 with named attributes. ● SMB desired by some parties. ● Cluster Filesystems (some OCFS2 work).
  • 11. Remote Attestation ● Use of TPM and associated hardware to  cryptographically verify system from boot. ● IBM Integrity Measurement Architecture (IMA). ● Requires protocol which queries TPM with  nonce; TPM signs measurement list and nonce. ● SELinux policy could be used to require that the  remote system is attested before some other  communication.
  • 12. Cryptographic Policy ● SELinux policy could be extended to express  more general cryptographic policy. ● e.g. foo_t file must be stored with X encryption,  and only transmitted by local admin_t to remote  admin_t on trusted hosts with Y encryption and Z  authentication on the wire. ● May also require use of specific crypto device or  software.
  • 13. Distributed Policy ● Mechanism for distributing and synchronizing  policy within a security realm may be useful  when using distributed MAC.
  • 14. Longer Term ● General trend toward increasingly high assurance  distributed computing. ● Inter­realm communication.  Establishing trust  between different “domains of interpretation” is  very difficult. ● SE aware firewalling, complicated by Ipsec.
  • 15. Resources ● SELinux Enhanced IPTables http://people.redhat.com/jmorris/selinux/selipt/ ● “Architecture of SELinux Network Access Controls” http://www.selinux­symposium.org/2005/presentations/session2/2­2­morris.pdf ● “Leveraging IPSec for network access control for SELinux” http://www.selinux­symposium.org/2005/presentations/session2/2­3­jaeger.pdf ● Full IBM research report on the above (and more generalized). Not yet published ● Ajaya Chitturi's Flask Thesis http://www.cs.utah.edu/flux/papers/ajay­thesis­abs.html