Transcript 幻灯片 1
From Trusted to Secure:
Building and Executing Applications that
Enforce System Security
Boniface Hicks, Sandra Rueda, Trent Jaeger,
and Patrick McDaniel
present by: panmeng
Outline
Background & Problem
Architecture
Implementation
Current security OS
Security Enhanced (SE)Linux,Trusted
Solaris and TrustedBSD
Mandatory access controls (MAC)
multi-level security (MLS)
MAC+MLS
no read-up
Flow permitted
Top secret(S4)
Secret(S3)
Confidential(S2)
Classified(S1)
Unclassified(S0)
no write-down
Label
OS resource----Object (file, socket, etc.)
Application----Subject
Label:
[user: role: type: MLS level range]
Example-Logrotate
File labeled:
system_u : object_r : user_t : s4
Logrotate labeled:
system_u : system_r : logrotate_t : s0-s1
If logrotate accesses this file, LSM will
stop it.
File:s4
access
Stop
Logrotate:s0
LSM
log_file labeled:
system_u : object_r : var_log_t : s1
config_file labeled:
system_u : object_r : config_t : s0
Logrotate labeled:
system_u : system_r : logrotate_t : s0-s1
Now if logrotate read log file(s1), write configuration
file(s0), system will not stop it.
But this really leak secrets stored in the log file to the
publicly readable configuration file.
Virtual write flow
Violate
Log File:s1
Config File:s0
permit
LSM
read
permit
write
Logrotate:s0-s1
Reason
The MAC OS just handles the security
police outside the application, not within
the application.
Enforce security only at the granularity of
application inputs and outputs.
motivation
Let the application to handle the labels
internal.
Give the application not only the MSL
range, but also the sensibility to the flow
direction.
Outline
Background & Problem
Architecture
Implementation
Two requirement
Need a way to get/put labels from the OS
to the application.
Need a mechanism to make sure the
policy of the application is compliance with
that of the OS.
How can we pass operating system resources
along with their labels into an application?
How can we pass application data along with
their labels out into the operating system?
How can we be sure that the application will
faithfully enforce the operating system’s policy
on these labels?
solution
1. Extend OS API to export resource labels.
2. Use security-typed language (Jif). Extend its
runtime class to get labels from OS, and set its
own labels in the application.
3.security-typed language’s automated type
analysis can ensure no leakage can occur
through implicit or explicit flows when compiling.
4. A compliance analyzer to check whether the
policy in the application does not violate that in
the OS.
Process steps
0) Initial state
The OS must have a MAC policy implementing some information flow
security goals.
1) Program secure application
An application developer provides the bytecode for a security-typed
application along with a policy template that can be specialized by the user
for a particular operating system configuration. (Jif/Pol).
2) Specialize application policy
customized for different users running on different systems.
3) Invoke service
invoke an operating system service to check the application for compliance
with operating system security goals before running the application.
Outline
Background & Problem
Architecture
Implementation
SELinux
Jif/Pol
SIESTA(The Service for Inspecting and
Executing Security-Typed Applications)
First, extend the Runtime infrastructure of
the Jif compiler with an interface to
SELinux kernel 2.6.16 for getting and
setting SELinux security contexts on
network sockets and files.
Second, constructed the Service for
Inspecting and Executing Security-Typed
Applications (SIESTA). This includes a
system daemon along with an interface
that can be run by the user; both were
written in C. It also includes a policy
compliance checker which was written
written in XSB Prolog.
Thirdly, utilize this infrastructure to build
and test two demonstrative applications:
logrotate and JPmail.
All possible flow for logrotate
var_log_t:s2
var_log_t:s1
logP
Flow allowed
configP
config_t:s0
xserver_log_t:s1
Conclusion
Provide a way to monitor flow within
application.
Security typed language is not mature.
For each application, there is a flow
policy.—heavy work.
Thanks