The Simplified Mandatory Access Control Kernel - PowerPoint PPT Presentation
Title:
The Simplified Mandatory Access Control Kernel
Description:
Dap. Med. SEAsia. Pop. Access Rule Specification /etc/smack/accesses. Subject Object [ rwxa] ... Dap Med r. Dap. Med. SEAsia. Messaging. Informant Reporter w ... – PowerPoint PPT presentation
Number of Views:141
Avg rating:3.0/5.0
Title: The Simplified Mandatory Access Control Kernel
1
The Simplified Mandatory Access Control Kernel
- Casey Schaufler
- January 2008
2
Casey Schaufler
- Ported Unix Version 6 to 32bit
- Started Development of TSOL
- Architect of Trusted Irix
- B1, CAPP, LSPP evaluated
- US NSAs Trusix Group
- POSIX P1003.1e/2c
- TSIG
3
Todays Talk
- Mandatory Access Control (MAC)
- What MAC is good for
- How Smack implements MAC
- What Smack is good for
- Details of Smack
4
Mandatory Access Control
- Concepts
- Subject is an active entity
- Object is a passive entity
- Access is an operation preformed on an object by
a subject
5
Mandatory Access Control
- Principles
- User has no say in it
- Based on system controlled attributes
6
Mandatory Access Control
- Jargon
- MAC
- Label
- Bell LaPadula
- Multilevel Security
- CIPSO
7
Mandatory Access Control
8
MAC Implementations
- Bell LaPadula Sensitivity
- Multics, Unix
- Type Enforcement
- SELinux
- Pathname Controls
- AppArmor, TOMOYO
9
Uses of MAC Systems
- Security Checkbox
- Sharing an expensive machine
- Disjoint sets of users
- BL Catagories
- Hierarchical use of shared data
- BL Levels
10
Where Did Smack Come From?
- Traditionally
- Label relationships hard coded
- Names map to label values
- MythtoryTopSecret,Skeeve,Ahz,Chumly
- Level4,Catagories17,49,113
- Users only use names
- Why use anything but names?
11
Smack Label Mechanism
- Labels and label names are the same
- No implicit relationship between labels
- List of explicit access relationships
- Every subject gets a label
- Every object gets a label
- Objects get creating Subjects label
12
Subjects Access Objects
- lstat() reads a file objects attributes
- kill() writes to a process object
- send() writes to a process object
- bind() is uninteresting
13
System Labels
- _ floor
- hat
- star
- Objects Only
- Any single special character
_
14
User Labels
Dap
SEAsia
_
15
Explicit Access Rules
- Dap SEAsia r
- Med Pop w
Dap
SEAsia
Pop
Med
16
Access Rule Specification
- /etc/smack/accesses
- Subject Object rwxa
- /smack/load
- Strict fixed format
- /sbin/smackload
- Writes to /smack/load
17
Bell LaPadula Levels
- Secret more sensitive than Unclass
- TopSecret more sensitive than Secret
- Secret Unclass rx
- TopSecret Secret rx
- TopSecret Unclass rx
- All relationships must be specified
18
Bell LaPadula Categories
- Categories Skeeve and Ahz
- Labels
- Skeeve,Ahz
- Skeeve
- Ahz
- Skeeve,Ahz Skeeve rx
- Skeeve,Ahz Ahz rx
19
Biba Integrity
- Floor is highest integrity
- Hat is lowest Integrity
20
Ring of Vigilance
- SEAsia Dap r
- Med SEAsia r
- Dap Med r
Dap
SEAsia
Med
21
Messaging
- Informant Reporter w
- Reporter Editor w
- Editor Reporter w
22
Time of Day
- At 1700
- WorkerBee Game x
- At 0800
- WorkerBee Game
23
Implementation
- Label Scheme
- Access Checks
- File Systems
- Networking
- The LSM
- Audit
24
Label Scheme
- Labels are short text strings
- Compared for equality
- Stored in a list
- secid
- Optional CIPSO value
- Never forgotten
25
Access Checks
- Rules written to /smack/load
- Hard Coded Labels
- Subject and object equal
- Find the subject/object pair
- Check the request against the rule
26
File Systems
- Use xattrs if supported
- Hard coded behavior
- smackfs, pipefs, sockfs, procfs, devpts
- Superblock values
- File system root
- File system default
- File system floor and hat
- Not yet implemented
27
Networking Model
- Sender writes to receiver
- Sender is subject, receiver is object
- Socket, packet not policy components
- William Janet w
- Allows a UDP packet
- Janet William r
- Does not allow a UDP Packet
28
Packet Labeling
- Unlabeled packets get ambient label
- CIPSO option on every local packet
- CIPSO value from the label list
- Set via /smack/cipso
- CIPSO direct mapping
- Level 250
- Label copied into category bits
- Same CIPSO as SELinux
29
The LSM
- Provides a restrictive interface
- Evolved in step with SELinux
- Imperfectly defined
- Networking
- Audit
- USB
- Module Stacking
30
Programming interfaces
- getxattr(), setxattr()
- SMACK64
- /proc/ltpidgt/attr/current
31
Socket Interfaces
- Socket Attributes
- fgetxattr(), fsetxattr()
- SMACK64.IPIN
- SMACK64.IPOUT
- Packet Attributes
- SO_PEERSEC
- TCP
- SCM_SECURITY
- UDP
32
Administrative Interfaces
- /smack/load
- /smack/cipso
- /smack/doi
- /smack/direct
- /smack/nltype
33
What Have You Learned?
- Smack is a modern implementation of old school
Mandatory Access Control with the mistakes
omitted. - Smack is designed for simplicity
- Smack is designed as a kernel mechanism
34
Special Thank You
- Paul Moore Network interfaces
- Ahmed S. Darwish Work on smackfs
- And a host of reviewers, including
- Stephen Smalley, Seth Arnold,
- Joshua Brindle, Al Viro,
- James Morris, Kyle Moffett,
- Pavel Machek
35
Contact Information
- http//schaufler-ca.com
- casey_at_schaufler-ca.com
- rancidfat_at_yahoo.com
