Transcript: Slide 1

From Trusted to Secure:
Building and Executing Applications that
Enforce System Security
Boniface Hicks, Sandra Rueda, Trent Jaeger,
and Patrick McDaniel
Presented by: panmeng
Outline
Background & Problem
Architecture
Implementation
Current secure OSes
Security Enhanced (SE) Linux, Trusted Solaris and TrustedBSD
Mandatory access control (MAC)
Multi-level security (MLS)
MAC + MLS
[Figure: MLS lattice with levels Top secret (S4), Secret (S3), Confidential (S2), Classified (S1), Unclassified (S0); flow is permitted only upward: no read-up, no write-down]
Label
OS resource: object (file, socket, etc.)
Application: subject
Label format:
[user : role : type : MLS level range]
Example: logrotate
File labeled:
system_u : object_r : user_t : s4
Logrotate labeled:
system_u : system_r : logrotate_t : s0-s1
If logrotate tries to access this file, the LSM will stop it.
[Figure: logrotate (s0-s1) attempts to access the file (s4); the LSM stops the access]
log_file labeled:
system_u : object_r : var_log_t : s1
config_file labeled:
system_u : object_r : config_t : s0
Logrotate labeled:
system_u : system_r : logrotate_t : s0-s1
Now if logrotate reads the log file (s1) and writes the configuration file (s0), the system will not stop it.
But this really leaks secrets stored in the log file into the publicly readable configuration file.
[Figure: the LSM permits logrotate (s0-s1) to read the log file (s1) and permits it to write the config file (s0); the resulting "virtual write" flow from s1 to s0 violates the policy]
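To make the gap between per-operation MAC enforcement and in-application flow tracking concrete, here is an added Python model; it is not code from the paper, the slides or SELinux. Label.parse handles the user:role:type:level[-level] form used on the slides, lsm_permits applies the simplified no-read-up / no-write-down rules one access at a time (the OS view), and FlowTracker is a hypothetical tracker that remembers the highest level of data the program has read so far and flags the "virtual write" when that data is written to a lower-level object. The labels in logrotate_scenario are the ones from the two slides above.

```python
"""Added example: toy model of the logrotate scenario (constructed, not project code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEVELS = ["s0", "s1", "s2", "s3", "s4"]   # Unclassified (s0) ... Top secret (s4)


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass(frozen=True)
class Label:
    user: str
    role: str
    type: str
    low: str    # the single level of an object, or the low end of a subject's range
    high: str   # equal to low for objects

    @classmethod
    def parse(cls, text: str) -> "Label":
        # Accepts the slide spelling "system_u : system_r : logrotate_t : s0-s1"
        parts = [p.strip() for p in text.split(":")]
        if len(parts) != 4:
            raise ValueError(f"expected user:role:type:mls, got {text!r}")
        user, role, typ, mls = parts
        low, _, high = mls.partition("-")
        high = high or low
        if low not in LEVELS or high not in LEVELS or rank(low) > rank(high):
            raise ValueError(f"bad MLS range {mls!r}")
        return cls(user, role, typ, low, high)


def lsm_permits(subject: Label, obj: Label, op: str) -> bool:
    """Per-operation MAC decision as the OS makes it: one access, no history."""
    if op == "read":
        return rank(obj.low) <= rank(subject.high)   # no read-up
    if op == "write":
        return rank(obj.low) >= rank(subject.low)    # no write-down
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class FlowTracker:
    """Hypothetical in-application tracker: remembers the highest level read so far
    and refuses to write that data to a lower-level object."""
    subject: Label
    data_level: Optional[str] = None
    events: List[Tuple[str, str, str]] = field(default_factory=list)

    def access(self, obj: Label, op: str) -> str:
        target = f"{obj.type}:{obj.low}"
        if not lsm_permits(self.subject, obj, op):
            self.events.append(("denied", op, target))
            return "denied"
        if op == "read":
            if self.data_level is None or rank(obj.low) > rank(self.data_level):
                self.data_level = obj.low
        elif self.data_level is not None and rank(self.data_level) > rank(obj.low):
            # The OS permitted this write, but it carries data read at a higher level.
            self.events.append(("leak", op, target))
            return "leak"
        self.events.append(("permitted", op, target))
        return "permitted"


def logrotate_scenario() -> List[str]:
    """Replays the two slide examples with the labels given there."""
    logrotate = Label.parse("system_u : system_r : logrotate_t : s0-s1")
    secret_file = Label.parse("system_u : object_r : user_t : s4")
    log_file = Label.parse("system_u : object_r : var_log_t : s1")
    config_file = Label.parse("system_u : object_r : config_t : s0")
    tracker = FlowTracker(logrotate)
    return [
        tracker.access(secret_file, "read"),    # stopped by the LSM (read-up)
        tracker.access(log_file, "read"),       # permitted; tracker now holds s1 data
        tracker.access(config_file, "write"),   # permitted by the LSM, flagged as a leak here
    ]


if __name__ == "__main__":
    print(logrotate_scenario())
```

The third result is the whole point of the paper: the LSM answers "permitted" because the s0 write is within logrotate's s0-s1 range, and only a component that knows what the process has already read can see that s1 data is about to land in an s0 file.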
Reason
The MAC OS only handles the security policy outside the application, not within the application.
It enforces security only at the granularity of application inputs and outputs.
Motivation
Let the application handle the labels internally.
Give the application not only the MLS range, but also awareness of the flow direction.
Outline
Background & Problem
Architecture
Implementation
Two requirements
Need a way to get/put labels from the OS to the application.
Need a mechanism to make sure the policy of the application complies with that of the OS.
How can we pass operating system resources along with their labels into an application?
How can we pass application data along with their labels out into the operating system?
How can we be sure that the application will faithfully enforce the operating system's policy on these labels?
Solution
1. Extend the OS API to export resource labels.
2. Use a security-typed language (Jif). Extend its runtime class to get labels from the OS and to set its own labels in the application.
3. The security-typed language's automated type analysis can ensure that no leakage can occur through implicit or explicit flows; this is checked when compiling.
4. A compliance analyzer checks that the policy in the application does not violate that of the OS.
Process steps
0) Initial state
The OS must have a MAC policy implementing some information flow security goals.
1) Program secure application
An application developer provides the bytecode for a security-typed application along with a policy template that can be specialized by the user for a particular operating system configuration (Jif/Pol).
2) Specialize application policy
The policy is customized for different users running on different systems.
3) Invoke service
Invoke an operating system service to check the application for compliance with operating system security goals before running the application.
Outline
Background & Problem
Architecture
Implementation
SELinux
Jif/Pol
SIESTA (the Service for Inspecting and Executing Security-Typed Applications)
First, extend the runtime infrastructure of the Jif compiler with an interface to the SELinux kernel 2.6.16 for getting and setting SELinux security contexts on network sockets and files.
Second, construct the Service for Inspecting and Executing Security-Typed Applications (SIESTA). This includes a system daemon along with an interface that can be run by the user; both were written in C. It also includes a policy compliance checker, which was written in XSB Prolog.
Third, use this infrastructure to build and test two demonstrative applications: logrotate and JPmail.
All possible flows for logrotate
[Figure: allowed flows for logrotate; var_log_t:s2, var_log_t:s1 and xserver_log_t:s1 flow to logP, and configP flows to config_t:s0]
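The compliance check (step 4 of the solution, step 3 of the process) applied to the flow figure above, as an added Python example; the paper's own checker is written in XSB Prolog and this is not it. OS labels are abbreviated to type:level, logP and configP are taken from the figure as application-side nodes, and the extra edges logP -> var_log_t:s2 (a compliant write back into the log area) and logP -> configP (the leaking application policy) are constructed for illustration. The check computes every OS-labeled output reachable from each OS-labeled input through the application policy and reports the pairs the OS MLS ordering forbids.

```python
"""Added example: compliance analysis of an application flow policy against OS MLS (constructed)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LEVELS = ["s0", "s1", "s2", "s3", "s4"]


def level_of(label: str) -> int:
    # OS labels are abbreviated here as "type:level", e.g. "var_log_t:s1" (assumption)
    return LEVELS.index(label.rsplit(":", 1)[1])


def os_permits_flow(src: str, dst: str) -> bool:
    """OS policy: information may flow only to an equal or higher MLS level."""
    return level_of(src) <= level_of(dst)


def reachable(edges: Dict[str, Set[str]], start: str) -> Set[str]:
    """Nodes reachable from start through the application's declared flows."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def check_compliance(flows: Iterable[Tuple[str, str]],
                     os_labels: Set[str]) -> List[Tuple[str, str]]:
    """Return every (input label, output label) pair that the application policy
    lets data traverse but the OS policy forbids; an empty list means compliant."""
    edges: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in flows:
        edges[src].add(dst)
    violations: List[Tuple[str, str]] = []
    for src in sorted(os_labels):
        for dst in sorted(reachable(edges, src)):
            if dst in os_labels and not os_permits_flow(src, dst):
                violations.append((src, dst))
    return violations


# Constructed from the figure: OS-labeled resources logrotate touches.
OS_LABELS = {"var_log_t:s2", "var_log_t:s1", "xserver_log_t:s1", "config_t:s0"}

# Application policy as drawn: logs flow into logP, configP flows out to the config file,
# plus a constructed compliant edge letting logP write rotated logs at s2.
BASE_FLOWS = [
    ("var_log_t:s2", "logP"),
    ("var_log_t:s1", "logP"),
    ("xserver_log_t:s1", "logP"),
    ("logP", "var_log_t:s2"),
    ("configP", "config_t:s0"),
]

# A hypothetical mis-specialized policy that also lets log data reach configP.
LEAKY_FLOWS = BASE_FLOWS + [("logP", "configP")]


if __name__ == "__main__":
    print("base policy violations: ", check_compliance(BASE_FLOWS, OS_LABELS))
    print("leaky policy violations:", check_compliance(LEAKY_FLOWS, OS_LABELS))
```

Only the transitive closure matters: the single edge logP -> configP is harmless in isolation, but it joins three s1/s2 inputs to an s0 output, and that is the kind of composed flow a per-operation LSM check never sees.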
Conclusion
Provides a way to monitor flow within the application.
Security-typed languages are not mature.
For each application, a flow policy must be written: heavy work.
Thanks