Secure Operating Systems
Lesson D: SELinux (PowerPoint presentation transcript)
![Page 1: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/1.jpg)
Secure Operating Systems
Lesson D: SELinux
![Page 2: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/2.jpg)
Where are we?
- We just studied Linux security features… but it appears we can go one better: SELinux
![Page 3: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/3.jpg)
SELinux: History
- Developed by the NSA, and open sourced in 2000
- Basically, it’s not as exciting as it sounds – it leverages LSM (Linux Security Modules) to provide MAC (mandatory access control)
![Page 4: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/4.jpg)
Linux Security Modules
- If you were designing changes to add security to the Linux kernel, what design paradigm would you pick, and why?
- Pluggable modules – double-edged:
  - Great for adding flexible security
  - Horrible, as they allow rootkits easy access to the kernel
![Page 5: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/5.jpg)
Components
- The SELinux Reference Monitor
- Trusted services for administration
- General trusted services
![Page 6: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/6.jpg)
The Reference Monitor
- Doesn’t just apply to users and files – can include sockets etc.
- Uses LSM hooks to determine authorization
- Example: file access – the kernel (ultimately) decides based on the inode
- Subject, object, operation model (who, where, what, kind of…)
![Page 7: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/7.jpg)
Context/relationship (diagram): a User holds Role 1 and Role 2; Role 1 maps to Contexts A, B and C, and Role 2 maps to Contexts D and E.
![Page 8: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/8.jpg)
Type Enforcement
- The combination of TE and MLS is powerful in SELinux…
- Rule: allow <subject> <object> : <obj class> <ops>
- Rule: allow user_t bin_t : file { execute getattr };
- Means: a process with a domain of user_t can execute, and get the attributes of, a file with a type of bin_t
- SELinux is a default-deny environment
- TE is VERY powerful… perhaps we should do a class on it?
![Page 9: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/9.jpg)
Labels
- All of the above relies on labels (like user_t)
- Can define labels for files based on location
- Labels are inherited from parents (i.e. a file gets its label from its parent directory)
- Can create rules that override default labeling using type_transition rules
![Page 10: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/10.jpg)
SELinux – Transition state
- Can change label at execution time
- Better than setuid:
  - Transition to a specified label, not a whole user (e.g. setuid root)
  - Limits who/what can execute our transition (anyone can call a setuid root program; not true for SELinux)
- Reminiscent of Multics (hello Hilary) ring bracketing, but much finer grained
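The Type Enforcement, Labels and Transition slides above describe one mechanism from three angles: allow rules answer subject/object/class/operation questions under default deny, labels are inherited from the parent directory unless a type_transition overrides them, and executing a file can move a process into a different domain. The toy reference monitor below is an added example, not code from the lecture: it parses rules in the slide's own syntax and answers those questions. The policy text, the type names other than user_t and bin_t (passwd_exec_t, passwd_t, shadow_t, tmp_t, user_tmp_t, user_home_t), and the denial-message format are constructed for illustration; real SELinux additionally checks entrypoint and transition permissions, roles, users and MLS constraints, which this model omits.

```python
"""Toy reference monitor for SELinux-style type enforcement (constructed example).

Parses allow and type_transition rules in the slide's notation and answers
access questions with default-deny semantics. Not the SELinux implementation.
"""
import re

# Constructed sample policy; only user_t and bin_t come from the slides.
SAMPLE_POLICY = """
allow user_t bin_t : file { execute getattr };
allow user_t user_home_t : file { read write getattr };
allow user_t passwd_exec_t : file { execute getattr };
allow passwd_t shadow_t : file { read write };
type_transition user_t passwd_exec_t : process passwd_t;
type_transition user_t tmp_t : file user_tmp_t;
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;$")
TRANS_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")


class Policy:
    """Subject / object / class / operation lookup; anything not allowed is denied."""

    def __init__(self, text):
        self.allow = {}        # (subject, object, class) -> set of permitted ops
        self.transition = {}   # (subject, object, class) -> resulting type
        self.denials = []      # audit trail of every refused request
        for raw in text.strip().splitlines():
            line = raw.strip()
            if not line:
                continue
            if m := ALLOW_RE.match(line):
                subj, obj, cls, ops = m.groups()
                self.allow.setdefault((subj, obj, cls), set()).update(ops.split())
            elif m := TRANS_RE.match(line):
                subj, obj, cls, new_type = m.groups()
                self.transition[(subj, obj, cls)] = new_type
            else:
                raise ValueError(f"unparsed rule: {line}")

    def check(self, subject, obj, cls, op):
        """True only if an allow rule grants op; default deny otherwise."""
        if op in self.allow.get((subject, obj, cls), set()):
            return True
        # Record the refusal; the message shape loosely imitates an AVC audit
        # line and is constructed here, not the kernel's exact format.
        self.denials.append(
            f"avc: denied {{ {op} }} scontext={subject} tcontext={obj} tclass={cls}")
        return False

    def exec_domain(self, subject, file_type):
        """Domain a process of `subject` runs in after executing a `file_type` file.

        Simplified: execute permission on the file is required; a matching
        process type_transition selects the new domain, otherwise the process
        stays in its own domain. Returns None when execution is denied.
        """
        if not self.check(subject, file_type, "file", "execute"):
            return None
        return self.transition.get((subject, file_type, "process"), subject)

    def new_file_type(self, subject, parent_dir_type):
        """Label of a file `subject` creates in a directory labelled `parent_dir_type`:
        inherited from the parent unless a file type_transition overrides it."""
        return self.transition.get((subject, parent_dir_type, "file"), parent_dir_type)


if __name__ == "__main__":
    p = Policy(SAMPLE_POLICY)
    print(p.check("user_t", "bin_t", "file", "execute"))     # True: the slide's rule
    print(p.check("user_t", "shadow_t", "file", "read"))     # False: no rule, default deny
    print(p.exec_domain("user_t", "passwd_exec_t"))          # passwd_t: domain transition
    print(p.check("passwd_t", "shadow_t", "file", "write"))  # True, but only from passwd_t
    print(p.new_file_type("user_t", "tmp_t"))                # user_tmp_t: type_transition
    print(p.new_file_type("user_t", "user_home_t"))          # user_home_t: inherited
    print(*p.denials, sep="\n")
```

The point of the last two checks is the one the Transition slide makes about setuid: user_t never gains read or write on shadow_t itself; it only reaches passwd_t by executing a file labelled passwd_exec_t, and only because a type_transition rule names that exact pair. The denial list is what a defender would watch: every refused request is recorded with subject, object and class, which is the information needed to tell a policy gap from an attempted misuse.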
![Page 11: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/11.jpg)
Administration
- Yow… as you can imagine, this can be gnarly
- Can enforce least privilege for services – very handy!
- Typically, you don’t do this yourself; there are plenty of books on this topic!
- What happens to “root” under SELinux?
![Page 12: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/12.jpg)
SELinux Trusted Programs
- Some applications – like the X server – need to be customized to work properly in SELinux.
- Of course, there’s a bunch of trusted programs too (like passwd or init)
![Page 13: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/13.jpg)
Verification?
- Complete Mediation? Yes! Designed to mediate all access according to TE etc. Should mitigate TOCTOU
- Tamperproof? Modules run in Ring 0 (huh… didn’t we talk about this?)
- Verifiable? Kind of
![Page 14: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/14.jpg)
Things to Do
- Take a look at “Securing Android-Powered Mobile Devices Using SELinux”
- Easy read, lots of good information!
![Page 15: Secure Operating Systems](https://reader036.vdocuments.us/reader036/viewer/2022070500/568168b4550346895ddf8840/html5/thumbnails/15.jpg)
Questions & Comments
- What do you want to know?