The Simplified Mandatory Access Control Kernel
DESCRIPTION
Transcript of the slides "The Simplified Mandatory Access Control Kernel", presented by Casey Schaufler in January 2008.
The Simplified Mandatory Access Control Kernel
Casey Schaufler
January 2008
Casey Schaufler
• Ported Unix Version 6 to 32bit
• Started Development of TSOL
• Architect of Trusted Irix– B1, CAPP, LSPP evaluated
• US NSA’s Trusix Group
• POSIX P1003.1e/2c
• TSIG
Today’s Talk
• Mandatory Access Control (MAC)
• What MAC is good for
• How Smack implements MAC
• What Smack is good for
• Details of Smack
Mandatory Access Control
• Concepts
– Subject is an active entity
– Object is a passive entity
– Access is an operation performed on an object by a subject
Mandatory Access Control
• Principles
– User has no say in it
– Based on system controlled attributes
Mandatory Access Control
• Jargon
– MAC
– Label
– Bell & LaPadula
– Multilevel Security
– CIPSO
Mandatory Access Control
MAC Implementations
• Bell & LaPadula Sensitivity
– Multics, Unix
• Type Enforcement
– SELinux
• Pathname Controls
– AppArmor, TOMOYO
Uses of MAC Systems
• Security Checkbox
• Sharing an expensive machine
• Disjoint sets of users
– B&L Categories
• Hierarchical use of shared data
– B&L Levels
Where Did Smack Come From?
• Traditionally
– Label relationships hard coded
– Names map to label values
• Mythtory: TopSecret,Skeeve,Ahz,Chumly
• Level=4, Categories=17,49,113
– Users only use names
• Why use anything but names?
Smack Label Mechanism
• Labels and label names are the same
• No implicit relationship between labels
• List of explicit access relationships
• Every subject gets a label
• Every object gets a label
• Objects get creating Subject’s label
Subjects Access Objects
• lstat() reads a file object’s attributes
• kill() writes to a process object
• send() writes to a process object
• bind() is uninteresting
System Labels
• _ floor
• ^ hat
• * star
– Objects Only
• Any single special character
[Diagram: the system labels _, * and ^]
User Labels
[Diagram: the system labels _, * and ^ beside the user labels Dap and SEAsia]
Explicit Access Rules
• Dap SEAsia r
• Med Pop w
[Diagram: the labels Dap, Med, SEAsia and Pop]
Access Rule Specification
• /etc/smack/accesses
– Subject Object [-rwxa]
• /smack/load
– Strict fixed format
• /sbin/smackload
– Writes to /smack/load
Bell & LaPadula Levels
• Secret more sensitive than Unclass
• TopSecret more sensitive than Secret
• Secret Unclass rx
• TopSecret Secret rx
• TopSecret Unclass rx
• All relationships must be specified
Bell & LaPadula Categories
• Categories Skeeve and Ahz
• Labels:
– “Skeeve,Ahz”
– “Skeeve”
– “Ahz”
• Skeeve,Ahz Skeeve rx
• Skeeve,Ahz Ahz rx
Biba Integrity
• Floor is highest integrity
• Hat is lowest Integrity
Ring of Vigilance
• SEAsia Dap r
• Med SEAsia r
• Dap Med r
[Diagram: the labels Dap, Med and SEAsia]
Messaging
• Informant Reporter w
• Reporter Editor w
• Editor Reporter w
Time of Day
• At 17:00
– WorkerBee Game x
• At 08:00
– WorkerBee Game -
Implementation
• Label Scheme
• Access Checks
• File Systems
• Networking
• The LSM
• Audit
Label Scheme
• Labels are short text strings
• Compared for equality
• Stored in a list
– secid
– Optional CIPSO value
– Never forgotten
Access Checks
• Rules written to /smack/load
• Hard Coded Labels
• Subject and object equal
• Find the subject/object pair
• Check the request against the rule
File Systems
• Use xattrs if supported
• Hard coded behavior
– smackfs, pipefs, sockfs, procfs, devpts
• Superblock values
– File system root
– File system default
– File system floor and hat
• Not yet implemented
Networking Model
• Sender writes to receiver
– Sender is subject, receiver is object
• Socket, packet not policy components
• William Janet w
– Allows a UDP packet
• Janet William r
– Does not allow a UDP packet
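The check described on the Access Checks slide, the rule format from Access Rule Specification, the Time of Day rewrite and the UDP example above, modelled together as an added Python example (not code from the talk or from the Smack kernel): `load_rules` parses `Subject Object [-rwxa]` lines, `smack_access` applies the hard-coded labels, the equal-label case and then the explicit subject/object pair. The built-in meanings of `_`, `^` and `*` are assumed from the kernel's Smack documentation rather than stated on the slides, and the rule text is constructed from the slides' own examples.

```python
STAR, FLOOR, HAT = "*", "_", "^"   # the three system labels from the slides

def load_rules(text, rules=None):
    """Parse '/etc/smack/accesses' lines: Subject Object [-rwxa].
    Loading a rule for a pair that already has one replaces it, which is
    how the Time of Day slide withdraws access again at 08:00."""
    rules = {} if rules is None else rules
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        subject, obj, access = parts
        rules[(subject, obj)] = set(access) - {"-"}   # "-" means no access
    return rules

def smack_access(rules, subject, obj, request):
    """True only if every mode in 'request' (letters from rwxa) is allowed.
    Built-in label rules follow the kernel's Smack docs (assumed, not on the slides)."""
    want = set(request)
    if subject == STAR:                        # star subjects are denied everything
        return False
    if obj == STAR or subject == obj:          # star objects; equal labels
        return True
    if subject == HAT and want <= {"r", "x"}:  # hat may read/execute anything
        return True
    if obj == FLOOR and want <= {"r", "x"}:    # floor may be read by anything
        return True
    return want <= rules.get((subject, obj), set())   # explicit rule, else deny

def udp_allowed(rules, sender, receiver):
    """Sender writes to receiver: a packet needs a 'w' rule sender -> receiver."""
    return smack_access(rules, sender, receiver, "w")

# Constructed rule set, copied from the slides' own examples.
TALK_RULES = load_rules("""
Dap SEAsia r
Med Pop w
Secret Unclass rx
TopSecret Secret rx
TopSecret Unclass rx
William Janet w
""")

def time_of_day():
    """The Time of Day slide: x at 17:00, then the same pair rewritten to '-'."""
    rules = load_rules("WorkerBee Game x")
    at_17 = smack_access(rules, "WorkerBee", "Game", "x")
    load_rules("WorkerBee Game -", rules)
    return at_17, smack_access(rules, "WorkerBee", "Game", "x")
```

Note that `SEAsia Dap r` is not implied by `Dap SEAsia r`: with no implicit relationships between labels, the reverse direction stays denied until a rule is loaded for it.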
Packet Labeling
• Unlabeled packets get ambient label
• CIPSO option on every local packet
• CIPSO value from the label list
– Set via /smack/cipso
• CIPSO direct mapping
– Level 250
– Label copied into category bits
• Same CIPSO as SELinux
The LSM
• Provides a restrictive interface
• Evolved in step with SELinux
• Imperfectly defined
– Networking
– Audit
– USB
• Module Stacking
Programming interfaces
• getxattr(), setxattr()
– SMACK64
• /proc/<pid>/attr/current
Socket Interfaces
• Socket Attributes
– fgetxattr(), fsetxattr()
– SMACK64.IPIN
– SMACK64.IPOUT
• Packet Attributes
– SO_PEERSEC
• TCP
– SCM_SECURITY
• UDP
Administrative Interfaces
• /smack/load
• /smack/cipso
• /smack/doi
• /smack/direct
• /smack/nltype
What Have You Learned?
• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.
• Smack is designed for simplicity
• Smack is designed as a kernel mechanism
Special Thank You
• Paul Moore – Network interfaces
• Ahmed S. Darwish – Work on smackfs
• And a host of reviewers, including
– Stephen Smalley, Seth Arnold,
– Joshua Brindle, Al Viro,
– James Morris, Kyle Moffett,
– Pavel Machek