From Trusted to Secure: Building and Executing Applications that Enforce System Security
DESCRIPTION
From Trusted to Secure: Building and Executing Applications that Enforce System Security. Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel. Presented by: panmeng. Outline: Background & Problem; Architecture; Implementation. Current security OS.
TRANSCRIPT
From Trusted to Secure: Building and Executing Applications that Enforce System Security
Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel
Presented by: panmeng
Outline
Background & Problem
Architecture
Implementation
Current secure operating systems
Security-Enhanced Linux (SELinux), Trusted Solaris and TrustedBSD
Mandatory access control (MAC) with multi-level security (MLS)
MAC+MLS
Top secret (S4)
Secret (S3)
Confidential (S2)
Classified (S1)
Unclassified (S0)
Flow permitted only from a lower level to a higher one: no read-up, no write-down.
Label
OS resource: object (file, socket, etc.)
Application: subject
Label:
[user : role : type : MLS level range]
Example: logrotate
File labeled: system_u:object_r:user_t:s4
Logrotate labeled: system_u:system_r:logrotate_t:s0-s1
If logrotate tries to access this file, the LSM (SELinux) stops it: s4 is above logrotate's clearance of s1.
[Diagram: logrotate (s0-s1) attempts to access the file (s4); the LSM stops the access.]
log_file labeled: system_u:object_r:var_log_t:s1
config_file labeled: system_u:object_r:config_t:s0
Logrotate labeled: system_u:system_r:logrotate_t:s0-s1
Now if logrotate reads the log file (s1) and then writes the configuration file (s0), the system will not stop it: each access on its own lies within logrotate's range.
But this can leak secrets stored in the log file into the publicly readable configuration file, an s1 to s0 flow that the MLS policy forbids.
[Diagram: logrotate (s0-s1) reads the log file (s1) and writes the config file (s0); the LSM permits both accesses, but the resulting virtual write flow from s1 to s0 violates the policy.]
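The two logrotate slides above, put into code as an added example (this is not code from the slides or from the paper's Jif/SELinux implementation). It parses the slides' security contexts in the user:role:type:level[-level] format, applies the per-access MLS decision the LSM makes, and then tracks the flows the program itself creates between the objects it touched. The simplified MLS rules (read: object level within the subject's clearance; write: object level within the subject's range) are the ones the slides assume; real SELinux MLS constraints are stricter by default. On a live SELinux system the same context strings come from `os.getxattr(path, "security.selinux")` and `/proc/self/attr/current`; here they are embedded as constants copied from the slides.

```python
"""Per-access MAC/MLS checks versus the end-to-end flow an application creates.
Added example; contexts are the ones printed on the slides."""

from dataclasses import dataclass

LEVELS = ["s0", "s1", "s2", "s3", "s4"]        # lattice from the MAC+MLS slide


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: str
    high: str


def parse_context(ctx):
    """'system_u:system_r:logrotate_t:s0-s1' -> Context(..., low='s0', high='s1').
    Objects carry a single level, stored here as low == high."""
    user, role, type_, mls = ctx.split(":")
    low, _, high = mls.partition("-")
    high = high or low
    if low not in LEVELS or high not in LEVELS or LEVELS.index(low) > LEVELS.index(high):
        raise ValueError(f"bad MLS range in {ctx!r}")
    return Context(user, role, type_, low, high)


def rank(level):
    return LEVELS.index(level)


def flow_allowed(src, dst):
    """MLS: information may only flow up the lattice (no write-down, no read-up)."""
    return rank(src) <= rank(dst)


def lsm_allows(subject, op, obj):
    """The per-access decision the kernel makes for one read or write."""
    if op == "read":        # no read-up: object must be dominated by the clearance
        return rank(obj.low) <= rank(subject.high)
    if op == "write":       # no write-down: object must lie within the subject's range
        return rank(subject.low) <= rank(obj.low) <= rank(subject.high)
    raise ValueError(op)


def trace(subject, accesses):
    """Run the per-access checks in program order.  For every permitted write,
    record a leak for each earlier permitted read whose level may not flow to
    the written object (a conservative, label-level view of the program).
    accesses: list of (op, name, Context)."""
    decisions, reads, leaks = [], [], []
    for op, name, obj in accesses:
        ok = lsm_allows(subject, op, obj)
        decisions.append((op, name, ok))
        if not ok:
            continue
        if op == "read":
            reads.append((name, obj))
        else:
            for src_name, src in reads:
                if not flow_allowed(src.low, obj.low):
                    leaks.append((src_name, src.low, name, obj.low))
    return decisions, leaks


# Contexts copied from the slides.
LOGROTATE = parse_context("system_u:system_r:logrotate_t:s0-s1")
TOP_FILE = parse_context("system_u:object_r:user_t:s4")
LOG_FILE = parse_context("system_u:object_r:var_log_t:s1")
CONFIG_FILE = parse_context("system_u:object_r:config_t:s0")

LOG_THEN_CONFIG = [("read", "log_file", LOG_FILE), ("write", "config_file", CONFIG_FILE)]


def demo():
    """First slide: the read of the s4 file is denied.  Second slide: both
    accesses are permitted, yet the program moves s1 data into an s0 file."""
    denied = not lsm_allows(LOGROTATE, "read", TOP_FILE)
    decisions, leaks = trace(LOGROTATE, LOG_THEN_CONFIG)
    return denied, decisions, leaks


if __name__ == "__main__":
    denied, decisions, leaks = demo()
    print("read of the s4 file denied:", denied)
    for op, name, ok in decisions:
        print(f"{op:5} {name:12} -> {'permit' if ok else 'deny'}")
    for src, sl, dst, dl in leaks:
        print(f"LEAK: {src}:{sl} -> {dst}:{dl} although every access was permitted")
```

The point of `trace` is that no per-access monitor, however strict, sees the second entry: the kernel judges each system call against a fixed range, while the leak is a property of the sequence of calls and of what the program did with the data in between.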
Reason
The MAC OS enforces the security policy only outside the application, not within it.
It enforces security only at the granularity of application inputs and outputs.
Motivation
Let the application handle the labels internally.
Give the application not only the MLS range but also awareness of the direction in which data flows.
Outline
Background & Problem
Architecture
Implementation
Two requirements
Need a way to get labels from the OS into the application and to put them back.
Need a mechanism to make sure the application's policy complies with that of the OS.
How can we pass operating system resources along with their labels into an application?
How can we pass application data along with their labels out into the operating system?
How can we be sure that the application will faithfully enforce the operating system’s policy on these labels?
Solution
1. Extend the OS API to export resource labels.
2. Use a security-typed language (Jif). Extend its runtime classes to get labels from the OS and to set its own labels within the application.
3. The security-typed language's automated type analysis ensures at compile time that no leakage can occur through explicit or implicit flows.
4. A compliance analyzer checks that the policy in the application does not violate that of the OS.
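Step 3 in miniature, as an added example (not the slides' code and not Jif itself): a toy of the compile-time check a security-typed language performs. Every variable carries a label from the MLS lattice, and an assignment type-checks only if both the label of the assigned expression and the label of the enclosing control context (the program-counter label, pc) flow into the target variable's label. Rejecting on the data label catches explicit flows; rejecting on pc catches implicit flows through branches. Jif additionally has principals, declassification and labelled method signatures, all omitted here; the variable names and program shapes are constructed for the example.

```python
"""Toy information-flow type checker: explicit and implicit flows.
Added example; a deliberately small subset of what Jif checks."""

LEVELS = ["s0", "s1", "s2", "s3", "s4"]


def leq(a, b):
    """a may flow to b iff a is at or below b in the lattice."""
    return LEVELS.index(a) <= LEVELS.index(b)


def join(a, b):
    """Least upper bound of two labels."""
    return b if leq(a, b) else a


class FlowError(Exception):
    pass


# Tiny AST.  Expressions: a variable name (str), an int literal (label s0),
# or ("op", e1, e2) for any binary operator.  Statements:
#   ("assign", var, expr)
#   ("if", cond_expr, [then statements], [else statements])

def expr_label(expr, env):
    if isinstance(expr, int):
        return LEVELS[0]                      # a literal reveals nothing
    if isinstance(expr, str):
        return env[expr]
    _, e1, e2 = expr
    return join(expr_label(e1, env), expr_label(e2, env))


def check_stmt(stmt, env, pc):
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        data, target = expr_label(expr, env), env[var]
        if not leq(data, target):
            raise FlowError(f"explicit flow: {data} data assigned to {var}:{target}")
        if not leq(pc, target):
            raise FlowError(f"implicit flow: {var}:{target} assigned inside a branch on {pc} data")
    elif kind == "if":
        _, cond, then_branch, else_branch = stmt
        branch_pc = join(pc, expr_label(cond, env))   # which branch runs reveals cond
        for s in then_branch + else_branch:
            check_stmt(s, env, branch_pc)
    else:
        raise ValueError(f"unknown statement {kind}")


def check_program(stmts, env):
    """Return None if the program type-checks, else the rejection message."""
    try:
        for s in stmts:
            check_stmt(s, env, LEVELS[0])
    except FlowError as e:
        return str(e)
    return None


# Variables modelled on the logrotate scenario: log data at s1, config data at s0.
ENV = {"log_line": "s1", "rotated_line": "s1", "config_out": "s0", "error_count": "s0"}

SAFE = [("assign", "rotated_line", "log_line"),                 # s1 -> s1
        ("if", ("op", "error_count", 0),                       # branch on s0 data,
               [("assign", "config_out", 1)], [])]             # write s0: fine
EXPLICIT_LEAK = [("assign", "config_out", "log_line")]         # s1 -> s0
IMPLICIT_LEAK = [("if", ("op", "log_line", 0),                 # branch on s1 data,
                        [("assign", "error_count", 1)], [])]   # write s0: leaks one bit

if __name__ == "__main__":
    for name, prog in [("safe", SAFE), ("explicit", EXPLICIT_LEAK), ("implicit", IMPLICIT_LEAK)]:
        print(name, "->", check_program(prog, ENV) or "accepted")
```

The implicit case is the one a runtime monitor cannot catch: the rejected program never copies `log_line` anywhere, it only branches on it, yet the value written to `error_count` depends on s1 data. Tracking pc through every branch is what lets the compiler reject it before the program runs.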
Process steps
0) Initial state: the OS must have a MAC policy implementing some information-flow security goals.
1) Program the secure application: an application developer provides the bytecode for a security-typed application along with a policy template that the user can specialize for a particular operating-system configuration (Jif/Pol).
2) Specialize the application policy: customize it for different users running on different systems.
3) Invoke the service: invoke an operating-system service that checks the application for compliance with the OS security goals before running it.
Outline
Background & Problem
Architecture
Implementation
SELinux
Jif/Pol
SIESTA (the Service for Inspecting and Executing Security-Typed Applications)
First, extend the runtime infrastructure of the Jif compiler with an interface to SELinux (Linux kernel 2.6.16) for getting and setting SELinux security contexts on network sockets and files.
Second, construct the Service for Inspecting and Executing Security-Typed Applications (SIESTA). This includes a system daemon along with an interface that the user can run; both are written in C. It also includes a policy compliance checker written in XSB Prolog.
Third, use this infrastructure to build and test two demonstration applications: logrotate and JPmail.
All possible flows for logrotate
[Diagram: config_t:s0 maps to the application principal configP; xserver_log_t:s1, var_log_t:s1 and var_log_t:s2 map to logP; arrows mark the flows allowed between them.]
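The compliance check behind the diagram above and behind step 3 of the process, as an added example. This is not the slides' code and not SIESTA's own checker (which is written in XSB Prolog); it shows the check SIESTA makes before it runs a security-typed application: every flow the application's policy permits between its principals must be a flow the OS policy permits between the OS labels mapped onto those principals. The OS labels are the ones on the slide; the principal mappings and the application flow rules are assumptions made for the example, and the OS policy is reduced to the MLS lattice (real SELinux policy adds type-enforcement rules, which a checker would consult in the same way).

```python
"""Application-policy versus OS-policy compliance check.
Added example; label names come from the slide, policies are assumed."""

LEVELS = ["s0", "s1", "s2", "s3", "s4"]


def os_allows(src_level, dst_level):
    """MLS lattice: information may only flow upward."""
    return LEVELS.index(src_level) <= LEVELS.index(dst_level)


def app_allowed_flows(app_flows, principals):
    """Flows an application policy permits: the declared pairs, every
    principal to itself, and the transitive closure of both."""
    allowed = set(app_flows) | {(p, p) for p in principals}
    grown = True
    while grown:
        grown = False
        for a, b in list(allowed):
            for c, d in list(allowed):
                if b == c and (a, d) not in allowed:
                    allowed.add((a, d))
                    grown = True
    return allowed


def check_compliance(os_labels, label_to_principal, app_flows):
    """os_labels: OS label -> MLS level.  label_to_principal: OS label ->
    application principal.  app_flows: (src_principal, dst_principal) pairs
    the application policy allows.  Returns the sorted list of
    (src_principal, src_label, dst_principal, dst_label) for every
    application-allowed flow the OS forbids; an empty list means compliant."""
    allowed = app_allowed_flows(app_flows, set(label_to_principal.values()))
    violations = []
    for src_label, src_p in label_to_principal.items():
        for dst_label, dst_p in label_to_principal.items():
            if (src_p, dst_p) in allowed and not os_allows(os_labels[src_label], os_labels[dst_label]):
                violations.append((src_p, src_label, dst_p, dst_label))
    return sorted(violations)


# OS labels from the slide (type:level) with their MLS levels.
OS_LABELS = {"config_t:s0": "s0", "xserver_log_t:s1": "s1",
             "var_log_t:s1": "s1", "var_log_t:s2": "s2"}

# Assumed policy 1: one principal for all logs.  configP may flow to logP
# (rotation settings influence the logs), never the reverse.
COARSE_MAP = {"config_t:s0": "configP", "xserver_log_t:s1": "logP",
              "var_log_t:s1": "logP", "var_log_t:s2": "logP"}
COARSE_FLOWS = {("configP", "logP")}

# Assumed policy 2: a separate principal for the s2 log, ordered above logP.
FINE_MAP = {**COARSE_MAP, "var_log_t:s2": "logHighP"}
FINE_FLOWS = {("configP", "logP"), ("logP", "logHighP")}   # configP -> logHighP by transitivity

# Assumed policy 3: the leak from the earlier slide written into the app policy.
LEAKY_FLOWS = {("configP", "logP"), ("logP", "configP")}

if __name__ == "__main__":
    for name, mapping, flows in [("coarse", COARSE_MAP, COARSE_FLOWS),
                                 ("fine", FINE_MAP, FINE_FLOWS),
                                 ("leaky", COARSE_MAP, LEAKY_FLOWS)]:
        v = check_compliance(OS_LABELS, mapping, flows)
        print(f"{name}: {'compliant' if not v else 'REJECT'} {v}")
```

Two things the run shows. The "leaky" policy is rejected for the obvious reason, a logP to configP flow that is s1 to s0 in OS terms. The "coarse" policy is rejected for a subtler one: mapping s1 and s2 logs onto the same principal lets the application copy var_log_t:s2 data into an s1 log, because a principal may always flow to itself. Giving the s2 log its own principal, as the "fine" policy does, is what makes the application policy compliant.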
Conclusion
Provides a way to monitor flows within the application.
Security-typed languages are not yet mature.
Each application needs its own flow policy, which is heavy work.
Thanks