%include "default.mgp"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Running NSA SE Linux on a PDA

	What is SE Linux?
	LSM
	Problems with DAC and benefits of MAC
	Compatibility
	Work that needs to be done
	Q/A

	http://www.coker.com.au/selinux/
	http://www.nsa.gov/selinux/index.html

%center
Russell Coker
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What is SE Linux?

	A system for MAC based on LSM
	Uses features of role-based and domain-type access control
	Tracks user identity through all operations (su, role and domain transition) and uses it to limit the available roles
	Removes the power of root: I gave away the root password to a server on the Internet and no-one could do any damage
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

LSM - Linux Security Modules

	Framework for security enhancements to Linux
	Restrictive controls only
	SE Linux is based on LSM and the patch is distributed from http://lsm.immunix.org/
	The current version of LSM (2.4.x kernels) has its own system call interface and SE Linux has many system calls chained from this.
	The new version has no system calls and is more portable to different architectures as a result.
	The new version is in the 2.6.0 test tree
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What is wrong with DAC?
	Programs have full control over the access given to files they create
	Therefore there is no protection against malicious software or "social engineering"
	Example: trick a user into running a program; it can listen on a TCP port that's not firewalled, accept remote logins and allow full control of their account
	When program A runs program B both run with the same UID, so both programs MUST have access to every file either of them needs, with the exception of SUID programs (in which case program B gets full access but program A doesn't)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Other Problems of "Unix Security"

	Too coarse-grained (root vs non-root gives a boolean security model for many cases)
	Consequently many system programs are forced to run with full administrative access
	BIND needs access to port 53 and gets access to write any file in the system as well!
	BIND9 mitigates this problem through use of capabilities (bind port 53, then drop privilege), but does not solve it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What does MAC provide?
	Strong separation of security domains
	Fine-grained control over resources
	Ability for the user to run suspect programs in a different domain
	Domain transitions, so that to run a program you don't need to have access to the files it uses (and it does not have to get access to all your files)
	Root is no longer always all-powerful
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Domain Type Access Control (1/2)

	Every process has a domain, every object has a type
	The domain is changed at process execution, either automatically through policy or through code in "login" type programs
	Different domains have different access rights; no domain is necessarily a superset of other domains
	The user can re-authenticate at any time to change domains, or the domain can be changed automatically by process execution according to policy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Domain Type Access Control (2/2)

	Each object (file, network port/interface, etc) has a type
	Policy rules determine what access every domain has to each type
	Policy rules control interaction between domains (signals, pipes, etc)
	Having one domain would give the same result as a non-SE system; the more domains, the more detailed the control you have over security (and the more work to set it up)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Role Based Access Control

	Each role has a list of domains that may exist in it
	The role is set at login time; the newrole program may also be used to change roles (comparable to an su operation)
	A role doesn't change often (unlike the domain, which regularly changes automatically without the user noticing)
	The role determines which domains are valid
	The user can only change roles by re-authenticating with newrole or run_init in the current utility programs
	The extent of role use is optional; it is not used much in my iPaQ policy
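%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: a domain transition in policy language

This slide is an added example and is not part of the original deck, the iPaQ policy or the NSA example policy. It shows, in the SE Linux policy language (checkpolicy syntax of the 2.4 era), how the pieces from the DAC, domain-type and role slides fit together: an identity is granted a role, the role lists the domains a process may run in, a user domain user_t is allowed to execute ping and the process is switched automatically to ping_t, ping_t gets the raw socket access that user_t never has, ping_t gets no access to the user's files, and user_t is forbidden from accepting incoming TCP connections, which blocks the "trojan accepts remote logins" case from the DAC slide. The type, domain and role names, the identity "russell" and the exact permission sets are assumptions chosen for illustration; the statements, object classes and permissions are those of the policy language.

```selinux
# Added illustrative policy fragment; all names are assumptions and do not
# come from the iPaQ policy or the NSA example policy.
attribute domain;
attribute file_type;

# Domains (process types) and object types
type user_t, domain;
type ping_t, domain;
type user_home_t, file_type;
type ping_exec_t, file_type;

# Identity -> roles -> domains.  A role lists the domains that may exist in
# it; an identity lists the roles it may hold.  Nothing lets user_r run in
# a domain not listed here.
role user_r types { user_t ping_t };
user user_u roles user_r;
user russell roles user_r;

# The user domain has full access to its own home files ...
allow user_t user_home_t:dir { read search getattr write add_name remove_name };
allow user_t user_home_t:file { create read write getattr setattr unlink };

# ... but may never accept incoming connections, so a trojan run in user_t
# cannot offer a back-door login.  neverallow makes checkpolicy reject any
# allow rule elsewhere in the policy that would grant this.
neverallow user_t self:tcp_socket { listen accept };

# Domain transition on exec: user_t may execute ping_exec_t, a process may go
# from user_t to ping_t, ping_exec_t is a valid entry point for ping_t, and
# type_transition makes the switch happen without the user noticing.
allow user_t ping_exec_t:file { read getattr execute };
allow user_t ping_t:process transition;
allow ping_t ping_exec_t:file entrypoint;
type_transition user_t ping_exec_t:process ping_t;

# Plumbing across the transition: the new domain may keep using the caller's
# open file descriptors and may deliver SIGCHLD back to the caller.
allow ping_t user_t:fd use;
allow ping_t user_t:process sigchld;

# Only ping_t gets CAP_NET_RAW and raw sockets.  No rule gives user_t either,
# and no rule gives ping_t any access to user_home_t, so the transition
# raises network privilege without exposing the user's files: the caller does
# not need the target's rights and the target does not get the caller's.
allow ping_t self:capability net_raw;
allow ping_t self:rawip_socket { create read write setopt getopt };
```

A real policy would add the rules ping needs to run at all (its terminal, shared libraries, /etc/resolv.conf and so on); the fragment deliberately stops at the access decisions the slides talk about. With such a policy loaded and the ping binary labelled ping_exec_t, running ping from a shell in user_t yields a process in ping_t, and a process in user_t that tries to listen on a socket is refused no matter which port the firewall leaves open.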
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Identities

	Identity is usually the Unix account name when the details of an account have been compiled into the policy, or user_u otherwise (a login program issue that can be changed in the libraries)
	Identity controls the available roles, which control the available domains
%image "contexts.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Porting to the ARM CPU

	The most difficult work involved porting the code for the execve_secure() system call, which calls architecture-specific functions and thus forces all calling code to be partly architecture-specific up until sys_security().
	The NSA now supports an ARM port, but it is based on kernel 2.4.19 while the latest i386 version is at 2.4.21.
	The 2.6 version of LSM (and the new version of SE Linux which is based on it) should run on ARM without any special effort, provided that the file system in use supports extended attributes (xattr). I have not investigated this yet.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Why would you want SE Linux on a PDA?

	In corporate deployments PDAs are almost impossible to upgrade
	PDAs have good networking options (802.11b, Bluetooth and IrDA) and are often used in hostile environments
	Often a handheld device is in the possession of an untrusted user who has almost unlimited access to try to break the security
	PDAs almost never have firewalls to protect them
	SE Linux provides significant benefits if you want machines to run without security patches in hostile environments for a long time
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Policy for the PDA

	At the time I wrote my paper for OLS the largest iPaQ had 64M of RAM. Since then a 128M iPaQ has been released.
	SE Linux in my tests seems to take about 1.3M of non-swappable kernel memory; this is a significant portion of the system's resources on a 64M machine which has no swap!
	On a machine with 128M of RAM it is less of a problem.
	The kernel memory used is largely dependent on the policy size: a smaller policy means less memory use.
	Since I did the memory analysis I have reduced the policy size by removing redundancy, but I expect to add more features to make it a similar size.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Work that needs to be done

	Needs to be ported to more CPUs (2.6.0 should solve this)
	Policy needs to be optimised for PDAs to remove some unnecessary policy to save space
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Q/A

	I have a SE Linux play machine online. See my web site for the details.
	Articles on SE Linux by Faye and me are in the August issue of Linux Journal

Russell Coker
	http://www.coker.com.au/	Links to everything
	http://www.coker.com.au/selinux/	SE Linux Debian packages etc
	http://www.coker.com.au/russell/	My home page