SELinux
“Applications that Enforce System Security”
[These are comments to the paper titled, "From Trusted to Secure: Building and Executing Applications That Enforce System Security" available at USENIX ATC'07.]
The paper deals with the issue of differences between security enforcement on the operating system level and within applications. It describes a mechanism through which security labels of a MAC mechanism from the OS can be communicated to the application; the application provides assurance that it enforces the security policies within its logic; the output of information from the application is also communicated to the OS MAC mechanism to ensure that these outputs get the correct labels.
Things to notice:
- The architecture relies on security typed languages (Jif to be specific) to ensure that no illegal information flow can occur within the application
- The architecture provides an interface through which OS policies can be communicated to and from the application
- It provides a mechanism which provides assurance that the policies of the OS are being implemented correctly and
- It uses a high level policy to describe “declassifiers” — interfaces which are allowed to move information from high level of security to a lower level.
I found the last point of particular importance because it explained to me exactly what PRIMA meant by ‘interfaces which convert data of low integrity to high integrity’.
Another important point to note is that the information flow analysis to and from the application is not static (as in Jif - which uses compile time checks only, as far as I know) but dynamic in that the lattice of principals is created at runtime (meaning that mappings of labels to and from the OS would occur at runtime thus depending on the OS policy at runtime).
The developer does not have to know these mappings either. They are defined in a separate high-level policy so that they can be defined by the system administrator on the target machine.
The concept of mappings is particularly clarified through Figure 6 and the fifth paragraph in Section 4.3. The policy within the application allows pub -> siic -> sec. pub is mapped to security level s0 of the OS and sec to s1. Information can thus flow from s0 to s1 (but only if this is allowed by the OS!). The Jif Runtime takes care of this sort of information flow.
Future directions of my interest:
- policy compliance analysis between application policy and OS policy.
- declassifier generalization (although the authors themselves have pointed out a few works in this direction).
- issues of attestation of the architecture. (I believe this is not so straightforward due to the inter-linkages between different modules of the architecture, but then, attestation is never easy anyway.)
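To make the mapping idea in the post concrete, here is an added toy model (my own code, not the paper's and not the Jif or SELinux runtime). Application labels form the lattice pub -> siic -> sec; each is mapped to an OS sensitivity level; a flow is permitted only when both the application lattice and the OS policy (known only at runtime) allow it; a downward flow is permitted only through a registered declassifier. The names RuntimePolicy, check_flow and output_label, the mapping siic -> s0, the OS allow list and the declassifier name release_summary are all assumptions for this example; only pub -> s0 and sec -> s1 come from the post.

```python
"""Toy model of application-label to OS-label mapping with runtime checks.
Added example, not the paper's code. Everything except pub->s0 and sec->s1
is a constructed assumption for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Application lattice, lowest to highest (labels from the post).
APP_ORDER = ["pub", "siic", "sec"]

# Application label -> OS sensitivity level. pub->s0 and sec->s1 are from the
# post; siic->s0 is a constructed choice for this example.
APP_TO_OS: Dict[str, str] = {"pub": "s0", "siic": "s0", "sec": "s1"}


def app_allows(src: str, dst: str) -> bool:
    """Upward (or equal) flow in the application lattice."""
    return APP_ORDER.index(src) <= APP_ORDER.index(dst)


def output_label(app_label: str) -> str:
    """OS label the runtime attaches to data the application writes out."""
    return APP_TO_OS[app_label]


@dataclass
class RuntimePolicy:
    """The part that is only known at runtime on the target machine (assumed name)."""
    # OS-side allowed transitions between sensitivity levels (constructed).
    os_flows: Set[Tuple[str, str]]
    # Declassifier name -> (from_label, to_label) it is allowed to bridge.
    declassifiers: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def os_allows(self, src_level: str, dst_level: str) -> bool:
        return src_level == dst_level or (src_level, dst_level) in self.os_flows

    def check_flow(self, src: str, dst: str, via: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for moving data labelled src to dst.

        via names the declassifier used for the flow, if any.
        """
        if app_allows(src, dst):
            s, d = APP_TO_OS[src], APP_TO_OS[dst]
            if not self.os_allows(s, d):
                return False, f"app lattice permits {src}->{dst} but OS denies {s}->{d}"
            return True, f"{src}->{dst} permitted (OS {s}->{d})"
        # Downward flow: only a declassifier registered for this exact pair.
        if via is not None and self.declassifiers.get(via) == (src, dst):
            return True, f"{src}->{dst} declassified through {via}"
        return False, f"{src}->{dst} is a downward flow with no declassifier"


def demo() -> None:
    """Same application policy under two constructed OS policies."""
    lenient = RuntimePolicy(os_flows={("s0", "s1")},
                            declassifiers={"release_summary": ("sec", "pub")})
    strict = RuntimePolicy(os_flows=set())
    for pol_name, pol in (("lenient", lenient), ("strict", strict)):
        for src, dst, via in (("pub", "sec", None), ("sec", "pub", None),
                              ("sec", "pub", "release_summary")):
            ok, why = pol.check_flow(src, dst, via)
            print(f"[{pol_name}] {'ALLOW' if ok else 'DENY '} {why}")


if __name__ == "__main__":
    demo()
```

The point of running the same application policy against two OS policies is that the application's own lattice never decides on its own: the same pub -> sec flow is allowed under one OS policy and denied under the other, which is what "only if this is allowed by the OS" means in practice.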
Needs of network for MAC
After the comparison of trendy MAC enhancements, I have been figuring out the general needs of a network for MAC. We have three places where MAC can be and is enforced:
- In Application: Where flow control of the application is controlled by labeling the data of the application. Current research is limited to MLS because it's simple, and because the security-typed languages are not mature enough to handle the granularity. I have seen two frameworks at this level which make use of these languages. One of them has been partially integrated with SELinux by using the application layer API to selinuxfs. I am curious why they are so interested in JAVA! There is no C extension.
- On Application Layer: This is achieved for applications that do not use TCP/IP directly. They use RPCs, so the common network controls cannot handle them properly. The reason is that port to application mapping is done by the portmapper daemon. Thus the RPC headers carry the security contexts. Such applications are NFS and NIS.
- At TCP/IP Layer: Here the ports are labeled for the associated applications on both sides. In a hostile environment this would not prove useful, so encryption would also be required. This is achieved by IPSEC associations being labeled. I am not fully satisfied by the mechanisms at this level because at one extreme we have lack of security and on the other hand manageability issues.
LDAP is on the todo list but nothing is currently being done about it up to my knowledge. The todo list also wants more granularity and an API at the TCP/IP layer.
Policy distribution, being a great issue, has no solid solutions yet. The only possibility up till now is a translation server, which would provide an equivalence mechanism for internode security contexts. But this has been left as an idea and no progress is being made. IPSEC associations were provided only for subjects, but currently they are working on providing object support, though the work is hidden yet. They are thinking of CIFS support as well. Ephemeral ports can be handled with the standard SELinux API for applications.
The biggest problem with distributed policy is the type enforcement, which is part of the security model/context. Leaving it out would be a solution but will affect things greatly because code bindings will be lost, which will result in loss of integrity control. The context has three main models: user identity, role and TE. If one is lost it will affect the others because they are tied together to help each other. I am figuring out how much effect will be made. At the same time integrity can be measured with IMA and the like. I would like comments on what you people think about the differences in the integrity model of TE and IMA.
If anyone can come up with other ideas of network needs, please brainstorm so I can figure out the requirements. There are others which I haven't mentioned because they are trusted applications by SELinux. I find a gap over here because trusting applications is not a good idea. Information flows can work here. More on this when I get a solid insight on them.
What do you guys think should be my next target? Amin is sorting out how to integrate his study with all this. So give ideas of possibilities. Any of you who thinks their work can have relevance, please share your findings so that we can be more useful to each other.
Some new selinux ideas
I have come across some talks about enabling SELinux to achieve resource utilization using RBAC. This sounds like a good research area. Do we have anyone to handle this?
For SHAZ KHAN!
here are links…
http://www.linux.com/articles/59932
http://www.bastille-linux.org/
http://mimirsecure.blogspot.com/
http://www.osnews.com/subthread.php?news_id=15784&comment_id=160864
http://www.linux.com/articles/58789
Please read each link very closely… some details are very hidden… needs some effort…
will post more.
amin.
Loadable Policy Module
I have been through the architecture of the loadable policy module. It's really nice. Now I am learning how to handle it and write policies accordingly. I am going through the 2005 NSA technical document containing configuration of SELinux policies. I hope it helps.
Currently I need to know where the text form of the policy lies, if any. And if it isn't there, how do I make one? Per package or per module is easy and I know it, but what about base? Then how do I make a policy for corenetwork? And I am not getting any messages in permissive mode! There is a solution, but this should be by default!
Mr. MMA, what do you suggest?
IMA info required
Salams, today we had a comprehensive talk about SELinux, trusted computing and formal methods. It was a good get-together and we need to have these on a regular basis.
Secondly, Mr. MMA discussed his experience related to IMA usage side by side with SELinux. He will share his experience with us. This will benefit me and Mr. TAT.
I am expecting the code snippets and know-how of the process that Mr. MMA used on this blog or on our mailing group. This is required soon!
Thirdly, we can utilize this blog for a lot of communication. I request group members to post their updates regarding their specific topic, and this will benefit all of us. Apart from this, we can share other things off the topic that we come across for knowledge sharing. If someone is feeling shy regarding their ideas, that they might be stolen, we have our mailing group which is always there! This keeps everyone motivated and it makes the tough get going, if you understand what I mean. It promotes the competitive psyche and everyone will work hard then.
The Practical Part Starts Now
As soon as I am over with Recluze, I am going to start working with IPSec and SELinux now that my literature survey is complete (I think so). Next I plan to get some help from Mr. MMA to let me in on his findings regarding how to stack IMA on SELinux.
I personally think using the TPM's PCRs will be another good thing instead of IMA, because IMA has more than I need. But according to Mr. MMA it's very problematic. Sir, have you tried to copy the technique IMA uses to address PCRs?
Side by side, I am trying to understand the functionality of Tresys' Policy Management Server and the module support it provides for policies, because I am looking forward to incorporating it for a distributed MAC implementation.
One thing that confuses me (this is for Mr. TAT and Mr. MMA): can we skip DAC if we use MAC? Is MAC's use enough for OS requirements?
If we could just have a few more people we could start adjusting applications for MAC implementations! It's also a good idea for BSc/BCS projects. We could also move towards LDAP, NIS, etc.
Distributed Selinux
This is what I had in mind!
But there is still lots of room for work! This is especially for Mr. MMA.
SELinux Internals
I am studying how SELinux is implemented in the kernel. This obviously enables me to know how LSM is also spread out in the kernel. I have not yet started out with LXR and IMA because IMA is a patch and not source code! Well, a patch can be viewed as a text document, but I did not find any source code. Does this mean I am stupid? Actually the patch has all the code laid in the open so I don't know what to do.
I have also downloaded TrouSerS, which is source code. I can give it a try as well. I can try the TPM emulator as well! For the time being I am concentrating on the SELinux internal architecture implementation as an LSM.
Mr. MMA, have you gone through Leveraging of IPSEC for distributing of SELinux? I have a strong feeling that it's going to be of good use. It is also part of the Linux kernel since kernel 2.6.16.