ioctl command whitelisting in SELinux - kernsec.org/files/lss2015/vanderstoep.pdf

Page 1

ioctl command whitelisting in SELinux
Jeff Vander Stoep, 08/21/2015
Page 2

Acknowledgements
Stephen Smalley
Nick Kralevich
Dan Cashman
Mark Salyzyn
Paul Moore
Rom Lemarchand
Page 3

ioctl(2)
NAME: int ioctl(int fd, unsigned long request, ...);
CONFORMING TO: No single standard. Arguments, returns, and semantics of ioctl() vary according to the device driver in question (the call is used as a catch-all for operations that don't cleanly fit the UNIX stream I/O model).
Page 4

ioctl command
Layout of the 32-bit command word (generic encoding from asm-generic/ioctl.h):
■ Dir: 2 bits (bits 31-30)
■ Size: 14 bits (bits 29-16)
■ Type: 8 bits (bits 15-8)
■ Number: 8 bits (bits 7-0)
Page 5

Motivation
■ Protect user privacy: limit access to persistent device identifiers.
○ E.g. the MAC address can be used by apps to fingerprint a device, used to create in-app DRM, licensing, etc.
■ Protect the kernel: reduce attack surface.
○ Limit access to driver I/O, e.g. GPU.
○ Limit leaking of information, e.g. kernel pointers.
Page 6

"[...] the security of an SELinux system depends primarily on the correctness of the kernel and its security-policy configuration."
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
Page 7

Some numbers
Kernel crash analysis: ~500 kernel crashes across multiple types of devices
~45% of crashes happened in a system call
~15% of crashes happened in an ioctl call
Page 8

Linux Security Module
Diagram: a user-mode process (user space) issues a system call (kernel space); the call passes the DAC check, then the LSM hook, which returns access granted or denied. LSM implementations: SELinux, AppArmor, Smack, ...
Page 9

Why use SELinux?
Page 10

SELinux and system operations
■ chown
■ kill
■ setuid
■ ipc_lock
■ mmap
■ DAC override
■ mknod
■ ...
Example: chown is mediated through capable(CAP_CHOWN), which SELinux hooks.
Page 11

SELinux and ioctls
● Benign functionality
○ driver version
○ socket type
○ ...
● Dangerous functionality
○ debugging capabilities
○ read/write/execute to physical memory
○ privacy sensitive data
○ information leaks
Page 12

Constraints
■ Performance:
○ many ioctls are performance sensitive, e.g. network and graphics
○ thousands of ioctl calls per second; ~150000 ioctl calls during device boot
■ Targeted whitelisting
○ support existing policy
■ Optimize for ioctls with a large command set
○ small command sets are adequately protected by the existing ioctl permission
Page 13

SELinux Architecture
Diagram: as on page 8, expanded inside the LSM hook: SELinux hooks → cache lookup (AVC) → policy lookup on a cache miss → access granted or denied.
Page 14

Architecture
■ Only examine ioctl type and number. Size and direction are considered to be arguments.
○ allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
○ auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
■ Use information regarding ioctl distribution to create a constant permission check time
○ Commands are grouped by type, so cache commands by type
(Command layout repeated from page 4: Dir 2 bits, Size 14 bits, Type 8 bits, Number 8 bits)
Page 15

Extended Permissions
■ Provide additional permissions in the Access Vector Cache (AVC).
○ In increments of 256 bits
The field added to the AVC entry (the + line is the addition):
struct avc_entry {
    u32 ssid;
    u32 tsid;
    u16 tclass;
    struct av_decision avd;
+   struct avc_xperms_node *xp_node;
};
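As an added example (not code from the slides, nor from the SELinux or Android sources), the C program below decodes an ioctl command word into the four fields of page 4 and checks it against a whitelist keyed only on type and number, the design described on page 14, using one 256-bit bitmap per type as page 15 describes. The command constants are the real Linux values; the whitelist contents, the `app_socket_policy`/`check_app_socket` helpers and the 16-entry table size are constructed for illustration.

```c
/* Added example, not code from the slides or the SELinux/Android sources:
 * decode an ioctl command and evaluate an extended-permission (xperm)
 * style whitelist that keys on type and number only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic command layout from include/uapi/asm-generic/ioctl.h
 * (a few architectures size the fields differently). */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)      /* 8  */
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)  /* 16 */
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)  /* 30 */

/* Same packing _IOC() uses, so encoded test commands can be built here. */
#define IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << IOC_DIRSHIFT) | ((uint32_t)(size) << IOC_SIZESHIFT) | \
     ((uint32_t)(type) << IOC_TYPESHIFT) | ((uint32_t)(nr) << IOC_NRSHIFT))

struct ioctl_fields { unsigned dir, size, type, nr; };

struct ioctl_fields ioctl_decode(uint32_t cmd)
{
    struct ioctl_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & ((1u << IOC_DIRBITS)  - 1);
    f.size = (cmd >> IOC_SIZESHIFT) & ((1u << IOC_SIZEBITS) - 1);
    f.type = (cmd >> IOC_TYPESHIFT) & ((1u << IOC_TYPEBITS) - 1);
    f.nr   = (cmd >> IOC_NRSHIFT)   & ((1u << IOC_NRBITS)   - 1);
    return f;
}

/* One 256-bit bitmap of allowed numbers per type byte: 8 x 32 bits. */
#define XPERM_WORDS 8
#define MAX_DRIVERS 16   /* constructed table size for the example */
struct xperm_driver { uint8_t type; uint32_t perms[XPERM_WORDS]; };
struct xperm_policy { struct xperm_driver drivers[MAX_DRIVERS]; int ndrivers; };

/* Record "allowxperm ... ioctl cmd": only type and number are kept,
 * the size and direction bits of cmd are discarded as arguments. */
static void xperm_allow(struct xperm_policy *p, uint32_t cmd)
{
    struct ioctl_fields f = ioctl_decode(cmd);
    struct xperm_driver *d = NULL;
    for (int i = 0; i < p->ndrivers; i++)
        if (p->drivers[i].type == f.type) { d = &p->drivers[i]; break; }
    if (d == NULL) {
        if (p->ndrivers == MAX_DRIVERS) return;
        d = &p->drivers[p->ndrivers++];
        memset(d, 0, sizeof *d);
        d->type = (uint8_t)f.type;
    }
    d->perms[f.nr / 32] |= 1u << (f.nr % 32);
}

/* Permission check: find the type's bitmap, test one bit. The cost does not
 * grow with the number of whitelisted commands; a type with no bitmap is denied. */
int xperm_check(const struct xperm_policy *p, uint32_t cmd)
{
    struct ioctl_fields f = ioctl_decode(cmd);
    for (int i = 0; i < p->ndrivers; i++)
        if (p->drivers[i].type == f.type)
            return (int)((p->drivers[i].perms[f.nr / 32] >> (f.nr % 32)) & 1u);
    return 0;
}

/* Real command values from linux/sockios.h and asm-generic/ioctls.h. */
#define SIOCGIFMTU    0x8921u   /* get interface MTU          (type 0x89, nr 0x21) */
#define SIOCGIFHWADDR 0x8927u   /* get interface MAC address  (type 0x89, nr 0x27) */
#define FIONREAD      0x541Bu   /* bytes available to read    (type 'T',  nr 0x1B) */

/* Constructed whitelist in the spirit of the page 18 case study: an app socket
 * may query the MTU and readable bytes but not the MAC address. In policy
 * language (placeholders as on page 14), not the real Android policy:
 *   allowxperm <source> <target>:<class> ioctl { SIOCGIFMTU FIONREAD }; */
struct xperm_policy app_socket_policy(void)
{
    struct xperm_policy p;
    memset(&p, 0, sizeof p);
    xperm_allow(&p, SIOCGIFMTU);
    xperm_allow(&p, FIONREAD);
    return p;
}

int check_app_socket(uint32_t cmd)
{
    struct xperm_policy p = app_socket_policy();
    return xperm_check(&p, cmd);
}

int main(void)
{
    /* Last entry: SIOCGIFMTU re-encoded with direction and size bits set.
     * It decodes to the same type/number and gets the same decision. */
    uint32_t cmds[] = { SIOCGIFMTU, SIOCGIFHWADDR, FIONREAD, IOC(2, 0x89, 0x21, 40) };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        struct ioctl_fields f = ioctl_decode(cmds[i]);
        printf("cmd 0x%08x dir=%u size=%-3u type=0x%02x nr=0x%02x -> %s\n",
               cmds[i], f.dir, f.size, f.type, f.nr,
               check_app_socket(cmds[i]) ? "allowed" : "denied");
    }
    return 0;
}
```

The legacy socket ioctls (SIOCGIF*) carry no direction or size bits, so their type and number are the whole key; the re-encoded entry in main shows that a command with the same type/number but different size/direction reaches the same decision, which is exactly why the size and direction must be treated as arguments rather than as part of the identity.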
Page 16

Boot performance: 150000 ioctl calls (chart)
Page 17

Individual ioctl calls (chart)
Page 18

Case Study
Blocking third party app access to MAC address
Page 19

Fuzzing the GPU
Page 20

Questions?