
In this chapter, I have explored concurrency vulnerabilities in system-call interposition security extensions, arguing that correctness with respect to concurrency is critical to access control and audit. I demonstrated that several wrapper systems suffer from common classes of concurrency vulnerabilities allowing privilege escalation and intrusion detection bypass.

These vulnerabilities derive from the fundamental architectural separation of the wrapper from native kernel synchronisation strategies – the same structural separation that leads to an appealing but deceptive similarity to an idealised reference monitor. I also demonstrated that many deployed mitigation solutions suffer from vulnerabilities, as well as semantic and performance degradations, and that architectural solutions require much tighter integration of security with the kernel.

While the problems described here are technical in nature, they are also structural. Perhaps more fundamentally, these structural problems reflect a lack of OS vendor involvement in security extensibility. In the next chapter, I consider approaches by which OS vendors can directly support the needs of security extension authors. Such facilities have also proven valuable to OS vendors themselves, as they attempt to adapt their operating system products for changes in security requirements.

Chapter 3

The MAC Framework: extensible kernel access control

This chapter describes the TrustedBSD MAC Framework, a kernel access control extension framework for the FreeBSD and Mac OS X operating systems. The MAC Framework formalises the relationship between kernel subsystems and the policy extensions that will control them. An explicit facility for pluggable access control policy extension brings a number of benefits:

1. Pluggable policy necessitates separation of policy from enforcement, as enforcement is scattered throughout the kernel. This introduces the structure of a reference monitor, offering assurance benefits.

2. The cost of maintaining multiple versions of an operating system with different access control features is reduced, making it easier to develop and maintain “trusted” variants of commodity systems, as well as to specialise OS policy for appliances, embedded devices, and smart phones.

3. Vendors of third-party systems, such as anti-virus systems, intrusion detection systems, and hardening policies, can more easily write and maintain security extensions. A well-defined interface reduces dependence on OS implementation details, and offers a “contract” for semantics such as concurrency.

4. Access control research and technology transfer is facilitated.

The MAC Framework fulfils these goals: OS vendor and third-party security extensions can be compiled into the kernel, loaded at boot time, or if permitted by the semantics of a policy, even dynamically loaded and unloaded at runtime. The framework supports a variety of access control policies, from historic information flow policies such as Biba [18] and MLS [15], rule-based labelled models such as Type Enforcement [22], to UNIX-centric hardening policies that augment, rather than supplement, existing access controls. It also provides common infrastructure needed by many policies, such as security labelling for system subjects and objects, and policy-agnostic system calls and utilities for managing security labels. When multiple policies are loaded simultaneously, the results are deterministically composed in a useful way.¹

The argument for kernel access control extensibility is similar to the arguments made for other forms of kernel extension such as the Virtual File System (VFS) and device drivers: an initial investment to create the framework pays dividends by making code more modular, factors out common infrastructure, and facilitates customisation. For example, VFS allows the same OS APIs to access files across different file system types (such as NFS, which motivated the introduction of VFS [115]). Device driver frameworks reduce code duplication, allow new device support to be added without significant OS changes, and reduce the opportunity for errors by imposing a uniform structure. Likewise, an access control extension model enables access control localisation, or the adaptation of a kernel’s access control policy for a specific environment.

The MAC Framework’s design directly addresses the concurrency vulnerabilities described in Chapter 2 by integrating access control extensions with the kernel’s synchronisation model. This approach avoids multiple evaluations of arguments (syntactic or semantic), and allows policy modules atomic access to kernel structures, avoiding broad classes of time-of-check-to-time-of-use vulnerabilities endemic in system call wrappers. The starting point for this chapter was a paper presented at the Third DARPA Information Survivability Conference and Exposition (DISCEX III) in 2003, which presented the design, implementation, and evaluation of the MAC Framework as a research technology [143]. The chapter, however, describes the framework as a production technology as shipped in late 2009, and reframes its arguments and explanation in light of a further six years of research, development, and technology transfer experience. Collaborating with companies developing products based on the MAC Framework has been a central part of my PhD research into extensible access control. Significant parts of this chapter, and all of the following chapter, build on that experience:
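To make the design point concrete, here is an added toy model (not code from the MAC Framework or from this thesis) in which the policy entry point runs inside the kernel's own operation path: the argument is copied in once, the object lock is held across both the policy check and the operation, and the loaded policies are composed by a simple conjunction (an assumed rule for this model), so there is no second evaluation of the argument for a racing thread to exploit. The names sys_write_object, mac_check_write, mac_policy_register, biba_check_write and the locked field are hypothetical.

```c
#include <errno.h>
#include <string.h>
#define MAX_POLICIES 4

struct label { int integrity; };   /* policy-managed label on the object */
struct cred  { int integrity; };   /* subject credential */
struct kobject {                   /* kernel-resident object */
    int locked;                    /* stand-in for a kernel lock */
    struct label label;
    char data[32];
};
/* Policy entry point: receives kernel copies only, with the object locked. */
typedef int (*check_write_fn)(struct cred *, struct kobject *, const char *);
static check_write_fn policies[MAX_POLICIES];
static int npolicies;

/* Hypothetical registration of a policy module's write-check entry point. */
int mac_policy_register(check_write_fn fn) {
    if (npolicies == MAX_POLICIES) return -1;
    policies[npolicies++] = fn;
    return 0;
}

/* Composition (assumed rule): every loaded policy must permit; first denial wins. */
static int mac_check_write(struct cred *c, struct kobject *o, const char *kbuf) {
    for (int i = 0; i < npolicies; i++) {
        int err = policies[i](c, o, kbuf);
        if (err != 0) return err;
    }
    return 0;
}

/* Modelled system call: copy the user buffer in once, lock the object, run the
 * checks and the operation on that same kernel copy, then unlock. */
int sys_write_object(struct cred *c, struct kobject *o, const char *ubuf) {
    char kbuf[32];
    strncpy(kbuf, ubuf, sizeof(kbuf) - 1);   /* stands in for copyin() */
    kbuf[sizeof(kbuf) - 1] = '\0';
    o->locked = 1;
    int err = mac_check_write(c, o, kbuf);
    if (err == 0) memcpy(o->data, kbuf, sizeof(kbuf));
    o->locked = 0;
    return err;
}

/* Example policy module: Biba integrity "no write up" on the kernel copy. */
int biba_check_write(struct cred *c, struct kobject *o, const char *kbuf) {
    (void)kbuf;
    return (c->integrity < o->label.integrity) ? EACCES : 0;
}
```

Contrast this with a wrapper, which would inspect the user buffer before the kernel copied it in a second time.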

• Extensive real-world feedback from deployment to millions of devices has led to non-trivial refinements of approach, especially with respect to allowing policy authors control of performance versus functionality tradeoffs. DTrace probes are an example of new infrastructure added during my PhD to ease policy profiling, debugging and framework validation.

• The transition to non-experimental status, and being compiled into the default FreeBSD kernel, required adaptation to increasingly parallel CPU designs, but also overcoming concerns with binary compatibility that are key to commodity system upgrade paths, much of this considered as part of my PhD.

¹ Earlier MAC Framework designs supported configurable meta-policies for composition, but a static, predictable, and useful composition has proven adequate in practice. Neumann provides a detailed analysis of the interactions between composability and security in his CHATS final report [95].

• Aspects of the MAC Framework design have been substantially revised in order to meet new requirements brought to light by the development of new classes of policy in unanticipated environments – for example, the addition of privilege management discussed in Chapter 4, also performed as part of this PhD.

This chapter begins with a brief history of the MAC Framework. It then presents the motivations and design principles for the framework, the implementation of the framework and the Biba policy module, performance evaluation of the framework, and a consideration of related research. In Chapter 4, we will explore in more detail changes in the framework’s design made during its evolution from a DARPA research prototype to a widely used product, focusing on specific products and their real-world use of the framework.