The Simplified Mandatory Access Control Kernel Casey Schaufler January 2008

Page 1

The Simplified Mandatory Access Control Kernel

Casey Schaufler

January 2008

Page 2

Casey Schaufler

• Ported Unix Version 6 to 32-bit

• Started Development of TSOL

• Architect of Trusted Irix
– B1, CAPP, LSPP evaluated

• US NSA’s Trusix Group

• POSIX P1003.1e/2c

• TSIG

Page 3

Today’s Talk

• Mandatory Access Control (MAC)

• What MAC is good for

• How Smack implements MAC

• What Smack is good for

• Details of Smack

Page 4

Mandatory Access Control

• Concepts
– Subject is an active entity
– Object is a passive entity
– Access is an operation performed on an object by a subject

Page 5

Mandatory Access Control

• Principles
– User has no say in it
– Based on system controlled attributes

Page 6

Mandatory Access Control

• Jargon
– MAC
– Label
– Bell & LaPadula
– Multilevel Security
– CIPSO

Page 7

Mandatory Access Control

Page 8

MAC Implementations

• Bell & LaPadula Sensitivity
– Multics, Unix

• Type Enforcement
– SELinux

• Pathname Controls
– AppArmor, TOMOYO

Page 9

Uses of MAC Systems

• Security Checkbox

• Sharing an expensive machine

• Disjoint sets of users
– B&L Categories

• Hierarchical use of shared data
– B&L Levels

Page 10

Where Did Smack Come From?

• Traditionally
– Label relationships hard coded
– Names map to label values
  • Mythtory: TopSecret, Skeeve, Ahz, Chumly
  • Level=4, Categories=17,49,113
– Users only use names

• Why use anything but names?

Page 11

Smack Label Mechanism

• Labels and label names are the same

• No implicit relationship between labels

• List of explicit access relationships

• Every subject gets a label

• Every object gets a label

• Objects get creating Subject’s label

Page 12

Subjects Access Objects

• lstat() reads a file object’s attributes

• kill() writes to a process object

• send() writes to a process object

• bind() is uninteresting

Page 13

System Labels

• _ floor

• ^ hat

• * star
– Objects Only

• Any single special character

[Diagram: the three system labels _, * and ^]

Page 14

User Labels

[Diagram: the system labels _, * and ^ alongside the user labels Dap and SEAsia]

Page 15

Explicit Access Rules

• Dap SEAsia r

• Med Pop w

[Diagram: the labels Dap, Med, SEAsia and Pop with the two rules drawn as arrows]

Page 16

Access Rule Specification

• /etc/smack/accesses
– Subject Object [-rwxa]

• /smack/load
– Strict fixed format

• /sbin/smackload
– Writes to /smack/load

Page 17

Bell & LaPadula Levels

• Secret more sensitive than Unclass

• TopSecret more sensitive than Secret

• Secret Unclass rx

• TopSecret Secret rx

• TopSecret Unclass rx

• All relationships must be specified

Page 18

Bell & LaPadula Categories

• Categories Skeeve and Ahz

• Labels:
– “Skeeve,Ahz”
– “Skeeve”
– “Ahz”

• Skeeve,Ahz Skeeve rx

• Skeeve,Ahz Ahz rx

Page 19

Biba Integrity

• Floor is highest integrity

• Hat is lowest integrity

Page 20

Ring of Vigilance

• SEAsia Dap r

• Med SEAsia r

• Dap Med r

[Diagram: the labels Dap, Med and SEAsia with the three read rules drawn as a ring]

Page 21

Messaging

• Informant Reporter w

• Reporter Editor w

• Editor Reporter w

Page 22

Time of Day

• At 17:00
– WorkerBee Game x

• At 08:00
– WorkerBee Game -

Page 23

Implementation

• Label Scheme

• Access Checks

• File Systems

• Networking

• The LSM

• Audit

Page 24

Label Scheme

• Labels are short text strings

• Compared for equality

• Stored in a list
– secid
– Optional CIPSO value
– Never forgotten

Page 25

Access Checks

• Rules written to /smack/load

• Hard Coded Labels

• Subject and object equal

• Find the subject/object pair

• Check the request against the rule
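The rule format of slide 16, the example rule sets of slides 17 to 22 and the check order of this slide, worked through as an added toy model (written for this transcript, not code from the Smack kernel module or /sbin/smackload); the rule file below is constructed from the slides, and the meaning given to the _, ^ and * labels is an assumption taken from Smack's documentation:

```python
# Toy model of Smack's explicit-rule access check, written for this transcript;
# it is not code from the Smack kernel module or from /sbin/smackload. Labels
# are plain strings compared for equality; nothing is implied between labels.

FLOOR, HAT, STAR = "_", "^", "*"   # the system labels of slide 13
READ_LIKE = {"r", "x"}             # what the floor/hat shortcuts grant

# Constructed rule file in /etc/smack/accesses format "Subject Object [-rwxa]",
# collected from the B&L, ring of vigilance, messaging and networking slides.
RULES_TEXT = """
TopSecret Secret    rx
TopSecret Unclass   rx
Secret    Unclass   rx
SEAsia    Dap       r
Med       SEAsia    r
Dap       Med       r
Informant Reporter  w
Reporter  Editor    w
Editor    Reporter  w
William   Janet     w
Janet     William   r
WorkerBee Game      x
"""

def load_rule(rules, line):
    """Install one rule; a later rule for the same pair replaces the earlier one."""
    subject, obj, mode = line.split()
    rules[(subject, obj)] = set(mode) - {"-"}   # "-" means no access at all

def parse_rules(text):
    rules = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            load_rule(rules, line)
    return rules

def allowed(rules, subject, obj, request):
    """Decision order of slide 25: hard-coded labels, subject == object,
    then the explicit rule for the pair. The meaning of _, ^ and * follows
    Smack's documentation and is an assumption of this model."""
    want = set(request)
    if subject == STAR:          # a star subject can access nothing
        return False
    if obj == STAR:              # a star object is open to every subject
        return True
    if subject == obj:           # same label: any access
        return True
    if want <= READ_LIKE and (obj == FLOOR or subject == HAT):
        return True              # floor objects / hat subjects: r and x only
    return want <= rules.get((subject, obj), set())
```

Note that Dap may read Med and Med may read SEAsia, yet Dap cannot read SEAsia: the ring of vigilance works precisely because no relationship is ever inferred.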

Page 26

File Systems

• Use xattrs if supported

• Hard coded behavior
– smackfs, pipefs, sockfs, procfs, devpts

• Superblock values
– File system root
– File system default
– File system floor and hat

• Not yet implemented

Page 27

Networking Model

• Sender writes to receiver
– Sender is subject, receiver is object

• Socket, packet not policy components

• William Janet w
– Allows a UDP packet

• Janet William r
– Does not allow a UDP packet

Page 28

Packet Labeling

• Unlabeled packets get ambient label

• CIPSO option on every local packet

• CIPSO value from the label list
– Set via /smack/cipso

• CIPSO direct mapping
– Level 250
– Label copied into category bits

• Same CIPSO as SELinux

Page 29

The LSM

• Provides a restrictive interface

• Evolved in step with SELinux

• Imperfectly defined
– Networking
– Audit
– USB

• Module Stacking

Page 30

Programming interfaces

• getxattr(), setxattr()
– SMACK64

• /proc/<pid>/attr/current

Page 31

Socket Interfaces

• Socket Attributes
– fgetxattr(), fsetxattr()
– SMACK64.IPIN
– SMACK64.IPOUT

• Packet Attributes
– SO_PEERSEC

• TCP
– SCM_SECURITY

• UDP

Page 32

Administrative Interfaces

• /smack/load

• /smack/cipso

• /smack/doi

• /smack/direct

• /smack/nltype

Page 33

What Have You Learned?

• Smack is a modern implementation of old school Mandatory Access Control with the mistakes omitted.

• Smack is designed for simplicity

• Smack is designed as a kernel mechanism

Page 34

Special Thank You

• Paul Moore – Network interfaces

• Ahmed S. Darwish – Work on smackfs

• And a host of reviewers, including
– Stephen Smalley, Seth Arnold,
– Joshua Brindle, Al Viro,
– James Morris, Kyle Moffett,
– Pavel Machek

Page 35

Contact Information

• http://schaufler-ca.com

[email protected]

[email protected]