Mandatory Access
Control Systems
CSE497b - Spring 2007
Introduction Computer and Network Security
Professor Jaeger
Mandatory Access Control
• System-Defined Policy
– Fixed Set of Subject and Object Labels
– Fixed Permission Assignments
– Fixed Label Assignments: (e.g., file to object label)
       O1   O2    O3
  S1   R    R W   R W
  S2   N    R     R W
MAC and Systems
• What is necessary to be a system that enforces MAC policies?
– Specify: MAC Policy Model
– Enforce: Reference Monitor
– Transitions: Changes of privilege must be controlled
• Plus, others
– Management: Policy development tools
– Services: MAC-aware services
– Applications: Work with MAC limitations
• What do these systems look like?
Multics
• Multiplexed Information and Computing Service
– Project started as a timesharing system in 1965 -- Used until 2000
– Research project that led to a commercial product
• Invented a number of important OS features
– Segmented and Virtual Memory
– Shared Memory Multiprocessor
– Online Reconfiguration
Multics Security Features
• Also, a number of security features were pioneered
– First Multilevel Secure (MLS) system
– Isolation based on segments and rings
– Ring crossing mechanisms to protect integrity
– Guard-like functions for integrity protection (Gatekeepers)
– One-way encrypted passwords
– Covert channel defenses
– And software assurance techniques...
• But, function over security
Protection Rings
• Successively less-privileged “domains”
What do rings mean?
• What’s in a ring?
– Processes, with the code that they can access
– Data they can access directly
• Execute in ring i
– Process runs with rights of ring i
– Data in rings >= i can be accessed
– Any procedure may be accessible
• Ring-crossings (generalized)
– If process calls procedure in a different ring
– Traps to kernel to authorize transition
– If authorized, process runs the new procedure in the new ring
Multics Ring Interpretation
• Kernel resides in ring 0
• Process runs in a ring r
– Access based on current ring
• Process accesses data segments
– Each data segment has an access bracket: (a1, a2)
• a1 <= a2
– Describes read and write access
• r is the current ring
• r <= a1: access permitted
• a1 < r <= a2: r permitted; w denied
• a2 < r: all access denied
Multics Ring Interpretation (cont'd)
• Also different procedure segments
– with call brackets: (c1, c2)
• c1 <= c2
– and access brackets (a1, a2)
– Rights to execute code in a new procedure segment
• (1) r < a1: access permitted with ring-crossing fault
• (2) a1 <= r <= a2 = c1: access permitted and no fault
• (3) a2 < r <= c2: access permitted through a valid gate
• (4) c2 < r: access denied
• What’s it mean?
– case 1: ring-crossing fault changes procedure’s ring
• increases from r to a1
– case 2: keep same ring number
Examples
• Process in ring 3 accesses data segment
– access bracket: (2, 4)
– What operations can be performed?
• Process in ring 5 accesses same data segment
– What operations can be performed?
• Process in ring 5 accesses procedure segment
– access bracket (2, 4)
– call bracket (4, 6)
– Can call be made?
– Can new procedure segment access the data segment above?
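The two preceding slides state the data-segment and procedure-segment rules and then pose three questions without answering them. The following Python model is an added example, not Multics code or part of the lecture: it encodes exactly the bracket rules listed above and evaluates the Examples slide with them. Two things in it are assumptions rather than page content: the `has_gate` flag stands in for "access permitted through a valid gate" in case (3), and the ring in which the callee runs after a gate call (which the slides leave unstated) is taken to be a2, the inner edge of the call bracket, which is how Multics gates behave. The answer to the last question on the slide depends on that assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the Multics ring rules from the slides (not Multics code).

@dataclass(frozen=True)
class DataSegment:
    a1: int  # access bracket lower bound (more privileged ring)
    a2: int  # access bracket upper bound (less privileged ring), a1 <= a2

@dataclass(frozen=True)
class ProcedureSegment:
    a1: int         # access bracket (a1, a2)
    a2: int
    c2: int         # call bracket is (c1, c2) with c1 = a2, as on the slide
    has_gate: bool  # ASSUMPTION: whether the entry point being called is a valid gate

def data_access(r: int, seg: DataSegment) -> frozenset:
    """Rights a process running in ring r has on a data segment."""
    if seg.a1 > seg.a2:
        raise ValueError("access bracket must satisfy a1 <= a2")
    if r <= seg.a1:
        return frozenset({"read", "write"})  # r <= a1: all access permitted
    if r <= seg.a2:
        return frozenset({"read"})           # a1 < r <= a2: read permitted, write denied
    return frozenset()                       # a2 < r: all access denied

def procedure_call(r: int, seg: ProcedureSegment) -> Tuple[int, bool, Optional[int]]:
    """Evaluate a call from ring r into a procedure segment.

    Returns (case, permitted, ring the callee runs in); the ring is None when denied.
    Case 3 leaves the resulting ring unspecified on the slide; this model ASSUMES
    the callee runs in ring a2 (Multics' gate behaviour).
    """
    if not (seg.a1 <= seg.a2 <= seg.c2):
        raise ValueError("brackets must satisfy a1 <= a2 = c1 <= c2")
    if r < seg.a1:
        return (1, True, seg.a1)      # ring-crossing fault: ring increases from r to a1
    if r <= seg.a2:
        return (2, True, r)           # inside the access bracket: same ring, no fault
    if r <= seg.c2:
        if seg.has_gate:
            return (3, True, seg.a2)  # inside the call bracket via a valid gate (assumed ring a2)
        return (3, False, None)       # inside the call bracket but not through a gate: denied
    return (4, False, None)           # c2 < r: access denied

def worked_examples() -> dict:
    """The three questions on the 'Examples' slide."""
    data = DataSegment(2, 4)
    proc = ProcedureSegment(a1=2, a2=4, c2=6, has_gate=True)
    _, call_ok, callee_ring = procedure_call(5, proc)
    return {
        "ring3_on_data": data_access(3, data),           # read only
        "ring5_on_data": data_access(5, data),           # nothing: 4 < 5
        "ring5_calls_proc": call_ok,                     # yes, through the gate
        "callee_on_data": data_access(callee_ring, data) if call_ok else frozenset(),
    }

if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(name, sorted(value) if isinstance(value, frozenset) else value)
```

Running it answers the slide: a ring-3 process may only read the (2, 4) segment, a ring-5 process gets nothing, the ring-5 call lands in case (3) and succeeds only through a gate, and the callee (running in ring 4 under the stated assumption) can read but not write the same data segment.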
Multics Community
Secure Operating Systems
• Provably Secure OS (PSOS)
• GEMSOS
• KeyKOS and EROS (capability systems)
• IX (Secure UNIX variant)
• Trusted Solaris
• Trusted IRIX (SGI)
• Trusted Mach
• Distributed Trusted Mach
• XTS-400 and STOP (BAE Systems)
• Flask (Microkernel based system)
MAC in Linux
• In 2000, Linus authorized the development of a reference monitor for Linux
– So, he didn’t have to choose a single security approach
• Linux Security Modules framework was born
– LSM defines an interface for reference monitoring modules
– Anybody could build an LSM!
• Introduced in Linux 2.6
– Version built for BSD
Linux Security Modules Approach
• Linux Security Modules framework
• What security function and how does implementation satisfy it?
[Figure: LSM architecture -- system interface entry points lead to security-sensitive operations; each operation calls an access hook, and the hooks ask the policy monitor "Authorize request?"]
SELinux
• LSM + much more
[Figure: SELinux architecture -- Linux kernel with the SELinux LSM and SELinuxfs; system processes and SELinux-aware services in user space; SELinux bootstrap: (1) load policy, (2) authenticate]
SELinux uses Type Enforcement
• MAC Policy
– Subjects and Objects Labeled
• Access Matrix Policy
– Processes with subject label
– Can access object of object label
– If operations in matrix cell allow
• Focus: Least Privilege
– Integrity bias
O1 O2 O3
S1 Y Y N
S2 N Y N
SELinux Execute Transitions
• Run the privileged passwd program
• Simplified view -- takes 4 policy rules to do this
[Figure: user process (user_t) forks a user process (user_t), which execs passwd and becomes a root process (passwd_t)]
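The type-enforcement slide describes an access matrix over subject and object labels, and the execute-transition slide says that moving from user_t into passwd_t takes four policy rules. The following Python checker is an added example written for this lecture, not SELinux code and not SELinux's policy language. The slides name only user_t and passwd_t; `passwd_exec_t`, `shadow_t` and `bin_t` are the usual SELinux type names for the passwd binary, the shadow file and ordinary binaries, but they are assumptions here. The transition logic follows the standard SELinux requirements for a domain transition: the source domain may execute the file, the source domain may transition to the target domain, the target domain has the file as an entry point, and a type_transition rule makes the new domain the default on exec.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed toy model of type enforcement (not SELinux code). Type names
# other than user_t and passwd_t are assumptions, not taken from the slides.

class TEPolicy:
    """Access matrix keyed by (subject type, object type, class) -> permissions."""

    def __init__(self) -> None:
        self.allow: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
        self.type_transition: Dict[Tuple[str, str], str] = {}

    def add_allow(self, src: str, tgt: str, cls: str, perms: Set[str]) -> None:
        # allow src tgt:cls { perms }
        self.allow[(src, tgt, cls)] |= set(perms)

    def add_type_transition(self, src: str, exec_type: str, new_domain: str) -> None:
        # type_transition src exec_type:process new_domain
        self.type_transition[(src, exec_type)] = new_domain

    def check(self, src: str, tgt: str, cls: str, perm: str) -> bool:
        # Mandatory: anything not in a matrix cell is denied (least privilege bias).
        return perm in self.allow.get((src, tgt, cls), set())

    def exec_domain(self, domain: str, exec_type: str) -> Optional[str]:
        """Domain a process labelled `domain` ends up in after exec'ing a file
        labelled `exec_type`; None if the exec is denied."""
        if not self.check(domain, exec_type, "file", "execute"):
            return None                      # rule 1: may execute the file at all
        new_domain = self.type_transition.get((domain, exec_type), domain)
        if new_domain == domain:
            return domain                    # no transition rule: keep the label
        if not self.check(domain, new_domain, "process", "transition"):
            return None                      # rule 2: may change to the new domain
        if not self.check(new_domain, exec_type, "file", "entrypoint"):
            return None                      # rule 3: the file is an entry point of it
        return new_domain                    # rule 4 (type_transition) chose new_domain

def passwd_policy() -> TEPolicy:
    """The four rules behind the slide's user_t -> passwd_t transition, in this model."""
    p = TEPolicy()
    p.add_allow("user_t", "passwd_exec_t", "file", {"execute"})
    p.add_allow("user_t", "passwd_t", "process", {"transition"})
    p.add_allow("passwd_t", "passwd_exec_t", "file", {"entrypoint"})
    p.add_type_transition("user_t", "passwd_exec_t", "passwd_t")
    # Only passwd_t, never user_t, may touch the shadow file (assumed type shadow_t).
    p.add_allow("passwd_t", "shadow_t", "file", {"read", "write"})
    return p

def demo() -> dict:
    """Check the privileged program, then show what a missing rule does."""
    p = passwd_policy()
    incomplete = passwd_policy()
    incomplete.allow.pop(("passwd_t", "passwd_exec_t", "file"))  # drop the entrypoint rule
    return {
        "user_writes_shadow": p.check("user_t", "shadow_t", "file", "write"),
        "exec_passwd": p.exec_domain("user_t", "passwd_exec_t"),
        "passwd_writes_shadow": p.check("passwd_t", "shadow_t", "file", "write"),
        "exec_without_entrypoint": incomplete.exec_domain("user_t", "passwd_exec_t"),
        "exec_unlabeled_binary": p.exec_domain("user_t", "bin_t"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the extra checks in `demo` is the "Transitions" bullet from the MAC Systems slide: the privilege change is only granted when every one of the four rules is present, so removing the entrypoint rule alone makes the exec fail rather than silently running passwd with user_t's rights, and a binary with no transition rule at all keeps the caller's label.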
MAC Systems
• Policy
– Define a fixed access policy (mandatory access control)
– Multics MLS and ring policies; SELinux TE
• Enforcement
– Use a reference monitor (remember the guarantees required)
– Multics kernel; Linux LSM (SELinux)
• Transitions
– Enable controlled transition between privilege levels
– Complexity most due to limiting transitions
Assurance
• We want to know
– Security model we are enforcing (Security Function)
– That it enforces this model correctly (Assurance)
• Suppose
– We have a system that enforces Bell-LaPadula
– What should a system do that enforces BLP?
– How do we know that the implementation is correct?
• Assurance
Rainbow Series
• Trusted Computer Systems Evaluation Criteria
• From 1983-1999
– A variety of documents to help build secure systems
– Password Management
– Audit
– Configuration Management
• Orange Book (1985)
– Defined 6 classes of security systems
• Function that the class provides
• Requirements for verifying that implementation met the class
– Requirements fall into a number of categories
Orange Book Classes
• C1 and C2
– Discretionary protection
• Authentication, audit for discretionary access
• Testing and documentation
– C2 is the most common class for commercial products
• B1, B2, and B3
– Labeled security protection:
• Multi-level security (Bell-LaPadula)
• More testing and more documentation
– B1: MLS on some objects; B2: MLS on all
• B2 also introduces covert channel protections and config mgmt
– B3 more software engineering documentation
• A1: Verified protection
Common Criteria
• Started 1993 by US, Canada, and European Countries
• Attempt to identify a set of common criteria to evaluate information security
– V1.0 1996, V2.0 1998, ISO Standard 15408 1999
– A set of evaluation techniques used to vet technologies
– … and tell which ones were good and bad (more or less).
– This allows consumers of goods and services to know if the security advertised is as good as is claimed
Common Criteria
• Separate
– Protection Profile
– Assurance Level
[Figure: Protection Profile, Security Target, EAL1 … EAL7]
• Protection Profile: This is really just the set of requirements for the class of products of this type (e.g., firewalls)
• Security Target: This is the definition of what and how the TOE (target of evaluation) meets a set of security requirements
EAL Levels
• EAL1: Functionally Tested
– Breathing
• EAL2: Structurally Tested
– High-level design
• EAL3: Methodically Tested and Checked
– High-level design motivates testing
• EAL4: Methodically Designed, Tested, and Reviewed
– Low-level design and vulnerability analysis
• EAL5: Semi-formally Designed and Tested
– Rigorous development using (semi-)formal models
Common Criteria and Linux
• Linux is assured to:
– EAL4 for Controlled Access Protection Profile
• Discretionary access control with a low-level system design
• With LSM and SELinux (MLS)
– EAL4 for Labeled Security Protection Profile
– Done September 6, 2006
• Challenges
– Upstream all code
• Assure a mainline Linux kernel
– Enable applications
• E.g., Polymorphic file system
– Package into distribution
Take Away
• Assurance of security enforcement requires
– Security Function
• So we know what is being enforced
– Justification for Function
• So we know that it is being enforced
• Assurance really aims for MAC policies
– Fixed policies
• So we know what accesses are enforced
– Reference monitor
• So we know the enforcement is comprehensive
– Transitions