
    Approaches for Designing Flexible Mandatory System .ppt


Approaches for Designing Flexible Mandatory System Security Policies
Trent Jaeger
IBM Research
July 8, 2004

Linux 2.6 Has LSM and SELinux
  • Linux Security Modules Framework
      • Reference monitor interface w/i kernel
      • No problems with redundant parsing or races
      • Enforce mandatory access control (MAC)
      • Restricts discretionary permissions
  • Noteworthy LSM Features
      • Comprehensive MAC enforcement
      • 200+ hooks
      • Control access to 29 kernel data types
  • SELinux module
      • Supports comprehensive MAC
      • Enhanced Type Enforcement policy: roles, subject types, transitions, etc.
      • Large "example" policy (25,000+ permission assignments)
      • Requires customization to security target

Integrity
  [Figure. Labels: Subject, Perm; High Subject, Object Read; Low Subject, Object Write. Caption: Low Subject Can Modify Input To High]

SELinux & Integrity
  [Figure. Labels: Subject Type, Subject Attr, Attr Perm, Perm (shown twice)]

SELinux Integrity Problem
  [Figure. Labels: file_type read, sshd_tmp read, lastlog write, sysadm, sshd, logrotate, logfile read, setfiles, user_ssh rw, lastlog read, sshd_tmp rw, user_ssh rw, user, httpd admin, xdm. Legend: High Subject Type, Attr Perm, Perm, Low Subject Type, Conflict]

Integrity Models
  • Biba Integrity
      • No high integrity subject may depend on low integrity data/code
      • Implication: No information flow from low integrity to high
  • LOMAC
      • The integrity level of a subject is equal to lowest integrity input
      • Implication: same as Biba
  • Caernarvon
      • The integrity level of a subject or object is specified by a range
      • Implication: Subjects may depend on/modify a range of integrity levels
  • Clark-Wilson
      • Only high integrity Transformation Procedures modify high integrity data
      • Implication: Can read low integrity data if they can upgrade or discard only

Our Integrity Goal
  • Use flexible policy expression
      • SELinux's extended Type Enforcement policy
      • Defines all relevant policy decisions
  • Find integrity problems
      • Information flows that satisfy Biba are permitted
      • "Resolve" others: remove or manage (Clark-Wilson)
  • Compute information to assist in resolution
      • Find problems: Minimal cover set
      • Identify solutions: Resolutions
      • Determine solutions: Impact

Minimal Cover Set for Integrity Violations
  [Figure. Labels: Subject Type, Subject Attr, Attr Perm, Perm, Subject Type, Perm, Subject-Permission Assignment]

Minimal Cover Set
  [Figure. Same labels as on "SELinux Integrity Problem", with S-P Assign marked twice]

Integrity Resolutions
  • Remove Subject Type or Object Type
  • Reclassify Subject Type of Object Type
  • Change Subject Type-Permission assignment
      • Clark-Wilson reads: Allow reading of low integrity data that meet Clark-Wilson
      • No dependency read (move file)
  • Deny Object Access
      • Track low integrity writes per object
  • LOMAC Subject Type (sysadm)
      • Reduce integrity level of subject when reading low integrity data

Example Resolutions
  [Figure. Same labels as on "SELinux Integrity Problem", with S-P Assign marked twice]

Resolution Independence
  [Figure. Same labels as on "SELinux Integrity Problem", with S-P Assign marked twice and one X]

Resolution Impact
  • Basic resolution impact
      • Number of conflicts that result from a flow assignment or node
  • Real resolution impact
      • Number of conflicts that are eliminated by removal of an assignment or node
  • Changes on Extremes Have Bigger Impact
      • Subject Type, Object Type changes
      • Permission assignment is generally low impact

Policy Design Tool: Gokyo
  • Load entire SELinux example policy
  • Find Biba conflicts in SELinux policy
  • Display conflicts in terms of minimal cover set
  • Compute basic impacts for nodes and assignments
  • Enable expression of resolutions and re-evaluation
  • Resulting policies provide Clark-Wilson integrity
      • Assuming high integrity applications meet assurance requirements
      • Assuming sanitization either discards or upgrades low integrity data
  • Does not fix SELinux module to enforce resolutions

Gokyo Resolution
  [Figure. Same labels as on "SELinux Integrity Problem", with S-P Assign marked twice and five X marks]

Policy Design Results
  • 1 Biba constraint (no flow from low to high)
  • 36 TCB subject types (high integrity subjects)
  • 83 excluded subject types (low integrity)
  • All other subject types are assumed low
  • 4 object type excludes
  • 1 LOMAC sysadm
  • 18 denials
  • 83 sanitizations for 24 subject types

Other SELinux Policy Analysis Tools
  • Tresys
      • Apol - analyze an SE Linux policy (GUI).
      • SeAudit - analyze audit messages from SELinux (GUI).
      • SeCmds - analyze an SELinux policy and search/replace file contexts.
      • SeUser - GUI and command-line "user manager" for SELinux.
      • SePCuT - customize an SE Linux policy (GUI).
  • MITRE SLAT
      • Information flow policy expression
  • Hitachi SELinux/Aid
      • inspect, edit SELinux security policies and inspect log messages

Summary
  • Comprehensive security is complex
  • Security requirements should be simple
  • Clark-Wilson integrity with assumptions is achievable
  • Resolution requires tools to support decision-making
  • Modeling concepts enable focus
      • Minimal cover set
      • Resolution options
      • Resolution impact
      • And guide resolution process
  • SELinux policy model requires adjustments to achieve resolution

Summary (cont)
  • Research Results
      • ACM TISSEC journal: Access Control Spaces
      • USENIX Security Conference: Configure TCB policy
      • ACM SACMAT: Underlying graph properties for resolution
  • Working Tool
      • Gokyo analysis infrastructure
      • Lacks GUI
  • Analysis Tools for Security
  • Contact for more info

Resolution Issues
  • Low integrity side vs. High integrity side
      • Which is easier to address?
  • Big impact vs. Ease of understanding
      • Small, independent cases are easy
      • Small, cases with some overlap are not so hard
      • Extensive cases with overlap are difficult
      • Some assignments result in extensive overlap
  • How to apply graph theory?
      • Node weights based on basic or real impact?
      • Minimum cut across graph
      • Cost of making a change is the cost of the cut

Current Approach
  • Identify the minimal cover set for constraint conflicts
      • Subject-permission assignments
  • Compute the basic impact value of each cover assignment
      • Number of conflicts reachable
  • Compute number of subjects/objects impacted by cover assignment
      • Examine remove/reclassification or LOMAC semantics
  • Compute individual node and assignment impacts on demand
  • Apply permission resolutions
      • Sanitize or deny

LSM
  [Figure. Labels: System Interface, Entry Points, Module]

Achieving Security Goals
  • Large Number of Security Decisions
      • Comprehensive vs limited security
      • 150+ decisions points defined by LSM
  • Defining the Security Goal
      • Least Privilege
      • Confidentiality
      • Integrity
  • Security Goal Specification
      • Simply-stated goals are often too restrictive (e.g., no low integrity data dependencies)
      • Flexible languages enable complex goals, but too complex (e.g., access matrix)
  • Our Solution Aims: Comprehensive Integrity
      • Use simple model as target, but enable flexible fine tuning
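The conflict-finding and resolution loop from the "Our Integrity Goal", "Integrity Resolutions" and "Resolution Impact" slides, as an added Python example; it is not Gokyo code and not part of the original deck. The type names come from the slides, but the assignments, the high-integrity set and all function names are constructed for illustration, and only direct one-hop flows are checked, with no attribute hierarchy or minimal cover set.

```python
from collections import Counter

# Constructed sample. The type names appear on the slides; which subject type
# holds which permission, and the HIGH (TCB) set, are assumptions.
HIGH = {"sysadm", "sshd", "logrotate", "setfiles"}
ASSIGNMENTS = {
    ("sshd", "sshd_tmp", "read"), ("sshd", "user_ssh", "read"),
    ("sshd", "lastlog", "write"), ("sysadm", "user_ssh", "read"),
    ("sysadm", "logfile", "read"), ("logrotate", "logfile", "read"),
    ("user", "sshd_tmp", "write"), ("user", "user_ssh", "write"),
    ("xdm", "logfile", "write"), ("xdm", "lastlog", "read"),
}

def biba_conflicts(assignments, high, lomac=(), sanitized=()):
    """Pairs (low write, high read) on one object type: a low-to-high flow.

    Reads by LOMAC subject types (they drop to the level of their input) and
    reads marked as sanitized (Clark-Wilson upgrade or discard) are not
    counted as conflicts."""
    writes = [a for a in assignments if a[2] == "write" and a[0] not in high]
    reads = [a for a in assignments if a[2] == "read" and a[0] in high
             and a[0] not in lomac and a not in sanitized]
    return {(w, r) for w in writes for r in reads if w[1] == r[1]}

def basic_impact(conflicts):
    """Number of conflicts each assignment takes part in."""
    impact = Counter()
    for write, read in conflicts:
        impact[write] += 1
        impact[read] += 1
    return impact

def apply_removals(assignments, deny=(), exclude_objects=()):
    """Deny individual assignments and exclude whole object types."""
    return {a for a in assignments
            if a not in deny and a[1] not in exclude_objects}

def walk_through():
    """Apply one resolution of each kind; return remaining conflict counts."""
    counts = [len(biba_conflicts(ASSIGNMENTS, HIGH))]
    lomac = {"sysadm"}
    counts.append(len(biba_conflicts(ASSIGNMENTS, HIGH, lomac)))
    sanitized = {("sshd", "user_ssh", "read")}
    counts.append(len(biba_conflicts(ASSIGNMENTS, HIGH, lomac, sanitized)))
    policy = apply_removals(ASSIGNMENTS, deny={("xdm", "logfile", "write")})
    counts.append(len(biba_conflicts(policy, HIGH, lomac, sanitized)))
    policy = apply_removals(policy, exclude_objects={"sshd_tmp"})
    counts.append(len(biba_conflicts(policy, HIGH, lomac, sanitized)))
    return counts

if __name__ == "__main__":
    print(basic_impact(biba_conflicts(ASSIGNMENTS, HIGH)).most_common(3))
    print(walk_through())
```

In this one-hop model the basic and real impact of an assignment coincide; they diverge once flows are aggregated through attributes, which is where the deck's minimal cover set comes in.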

