Uncovering SE Linux, Part 1: A first in-depth look at the SE Linux code
Larry Loeb (larryloeb@prodigy.net), author, Secure Electronic Transactions. March 2001
The US National Security Agency has recently, and quite unusually, released a security-enhanced version of Linux, source code and all, to the open source community. This developerWorks exclusive explores this unexpected development: what it means, what impact it will have, and how the SE Linux architecture works.
It is completely unexpected, and little short of astonishing. The "new" National Security Agency has released a security-enhanced version of the Linux 2.2 kernel (called SE Linux) to the open source community. Not only that, it has also provided background papers on the research and the methods used to determine whether SE Linux is really secure.
If you have followed the field of cryptography in recent years, I can assure you that this move by the NSA is like the Pope walking down from his balcony in Rome, working alongside the people, sharing a few loaves and fishes, and then inviting everyone back to his residence to watch the football game and drink some beer. It is something nobody ever imagined, yet the NSA really has handed over the source code and the security mechanisms behind it. Until now, the NSA has been the very embodiment of 50 years of Cold War paranoia ("If you knew what we know, you would agree with us"). Watching it contribute code like some eager student is enough to make you think the Cold War has finally lost its grip.
And yet they seem to have pulled it off. The distributed .tgz file contains no mysterious Trojan horse, and it does not read the data on your hard disk and ship it all back to Fort Meade. There is no way to hide a back door in code that is posted for anyone to comment on or analyze. The NSA does need a secure OS for its own work, and it appears to have plans to use SE Linux internally. Reportedly, combined with a commercial product called NetTop, the NSA will use computers running SE Linux to replace some physically separated computers (that is, the "air gap" approach to operational security, in which physically separate systems are partitioned into different security levels) (see Resources).
So what are they thinking? The SE Linux authors have a very clear idea of what they set out to do. When asked whether the SE Linux team was auditing the security of current Linux disk encryption, Peter Loscocco (SE Linux author and the NSA's current SE Linux project leader) answered:
"No. The goals of the project are very specific. We set out to integrate a flexible mandatory access control architecture into Linux. We are not trying to find and correct bugs, or to analyze security components (such as Crypto FS) in order to improve their design. That is not to say those activities are not useful or needed to improve Linux security. It is just not what we set out to do. Linux security will be improved by the security features added in SE Linux."
"From the perspective of this project, our interest in cryptography is really in applying the same policy flexibility that we studied for the mechanism that integrates the MAC policy, where the enforcement and the policy decision are kept separate. In other words, we would like to see a flexible policy for the use of cryptography, just like the system security policy. We would like to be able to decide which cryptographic mechanism to use, and even whether cryptography is needed at all, according to security context."
"I think these ideas should be explored in the implementation of both file systems and networking. Of course, defining a complete cryptographic API first would make the idea more feasible. Doing this for file encryption is still something we hope to attempt later, but there is no plan [to do it]. However, we do have definite plans in the networking area, building on our earlier work. We will integrate IKE and IPsec with the existing MAC policy. Since that work has actually started, we will have more to say about it."
"In addition, the goal of our project is not to improve or guarantee existing cryptography. What we are interested in is providing the system support needed to use, to some extent, any cryptography that the mandatory access control policy supports. The details of the cryptography should be independent of that support, or as independent as possible."
SE Linux Security Architecture: Overview
So, how does SE Linux work? First, don't expect a finished distribution. The authors have stated that SE Linux is the result of research into what the standard should be, not an attempt to be that standard itself. The idea behind SE Linux is that the authors want to see mandatory access control in the Linux kernel. Many implementation details need to be addressed before it can be used in the real world (or written against). Fortunately, Linux has a history of vendors who take care of such things; I hope to see a Red Hat SE Linux some day.
The overall security architecture is called Flask, designed by the NSA with the assistance of the University of Utah and Secure Computing Corporation. In the Flask architecture, the security policy logic is encapsulated in a component that is separate from the rest of the operating system, and a general interface is used to obtain security policy decisions. This separate component is called the security server, even though it is just a kernel subsystem. The SE Linux implementation of the security server defines a hybrid security policy consisting of Type Enforcement (TE), Role-Based Access Control (RBAC), and optionally Multi-Level Security (MLS), the model widely used in military security. The policy is compiled by a separate program called checkpolicy, and the compiled file, /ss_policy, is read by the security server at boot time. This means the security policy can be different at every system boot. The policy can even be changed while the system is running, through the security_load_policy interface (as long as the policy is configured to permit such changes).
Flask has two policy-independent data types for security labels: the security context and the security identifier. A security context is a variable-length string representing a security label. A security identifier (SID) is an integer that the security server maps to a security context. The SID serves as a simple handle for the actual context, and it can only be interpreted by the security server. Flask performs the actual enforcement through object managers. They handle SIDs and security contexts but do not interpret the contents of a security context, so a change to the context format should not require any change to the object managers.
Figure 1. Source: The Flask Security Architecture: System Support for Diverse Security Policies, by Ray Spencer (Secure Computing Corporation), Stephen Smalley and Peter Loscocco (National Security Agency), and Mike Hibler, David Andersen and Jay Lepreau (University of Utah). (See Resources.)
The security server issues SIDs only for security contexts that are a legal combination of user, role, type, and an optional MLS range. "Legal" is defined by the security policy configuration (described later in this article).
In general, an object manager queries the security server for an access decision based on a pair of labels (subject and object) and an object class. The class is an integer identifying what kind of object is involved (for example, a regular file, a directory, a process, a UNIX domain socket, or a TCP socket). The permissions in an access vector are defined by the security policy for the services that the object and its object manager support. Access vector permissions are interpreted relative to the class, because different kinds of objects provide different services: the bit that represents the 'unlink' permission for a file in an access vector is the same bit that represents the 'connect' permission for a socket. Vectors can be cached in the access vector cache (AVC), or stored with the object, so that the object manager is not swamped by decision requests. An object manager must also define a mechanism for assigning labels to its objects; the control policy for the services it provides must likewise be defined and implemented by the manager; and the manager must define the handler routines that are called when the policy changes. Throughout, the object manager treats an object's security context as an opaque string, so that no policy-specific logic is merged into the object manager.
Figure 2. Source: The Flask Security Architecture: System Support for Diverse Security Policies, by Ray Spencer (Secure Computing Corporation), Stephen Smalley and Peter Loscocco (National Security Agency), and Mike Hibler, David Andersen and Jay Lepreau (University of Utah). (See Resources.)
A security policy can change at run time. When that happens, the security server updates the SID mapping by invalidating any SIDs that are no longer authorized, and resets the AVC.
Figure 3. Source: The Flask Security Architecture: System Support for Diverse Security Policies, by Ray Spencer (Secure Computing Corporation), Stephen Smalley and Peter Loscocco (National Security Agency), and Mike Hibler, David Andersen and Jay Lepreau (University of Utah). (See Resources.)
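The pieces described so far (the SID/context mapping, class-relative access vectors, the AVC on the object manager side, and the policy reload just described) fit together in a small model, given here as an added illustration in Python. It is not code from SE Linux or from the Flask paper: the class table, the shape of the policy dictionary, and the user, role and type names are assumptions made for the example. It shows the two things a reader most often gets wrong: the same bit position means "unlink" for a file and "connect" for a socket, so an access vector is meaningless without its class; and a cached decision survives only until the policy is reloaded.

```python
"""Model of the Flask decision path: context <-> SID mapping, class-relative
access vectors, the access vector cache (AVC), and a runtime policy reload.
Added illustration in Python, not SE Linux kernel code. The class table,
policy dictionary, and the user/role/type names are hypothetical."""
from itertools import count

# Each class numbers its permissions from bit 0, so one bit position means
# different things in different classes: bit 0 is "unlink" for a file and
# "connect" for a tcp_socket.
CLASSES = {
    "file":       ["unlink", "read", "write", "execute"],
    "tcp_socket": ["connect", "accept", "read", "write"],
}

def perm_bit(tclass, perm):
    return 1 << CLASSES[tclass].index(perm)

class SecurityServer:
    """The only component that interprets a security context string."""
    def __init__(self, policy):
        self.policy = policy      # {"roles": {role: {types}}, "allow": {...}}
        self.sids = {}            # SID -> "user:role:type"
        self.contexts = {}        # "user:role:type" -> SID
        self.next_sid = count(1)
        self.avcs = []            # caches to flush on policy change

    def _legal(self, ctx):
        # A context gets a SID only if the policy lets its role carry its type.
        role, type_ = ctx.split(":")[1:3]
        return type_ in self.policy["roles"].get(role, ())

    def context_to_sid(self, ctx):
        if ctx not in self.contexts:
            if not self._legal(ctx):
                raise ValueError("illegal security context: " + ctx)
            sid = next(self.next_sid)
            self.sids[sid], self.contexts[ctx] = ctx, sid
        return self.contexts[ctx]

    def compute_av(self, ssid, tsid, tclass):
        """Access vector for (subject SID, object SID, class); no rule = 0."""
        stype = self.sids[ssid].split(":")[2]
        ttype = self.sids[tsid].split(":")[2]
        av = 0
        for perm in self.policy["allow"].get((stype, ttype, tclass), ()):
            av |= perm_bit(tclass, perm)
        return av

    def load_policy(self, policy):
        """Runtime policy change: drop SIDs that are no longer legal and
        reset every AVC so that stale decisions cannot be reused."""
        self.policy = policy
        for sid, ctx in list(self.sids.items()):
            if not self._legal(ctx):
                del self.sids[sid], self.contexts[ctx]
        for avc in self.avcs:
            avc.reset()

class AVC:
    """Object-manager side cache; it handles SIDs and never parses a context."""
    def __init__(self, server):
        self.server, self.cache, self.misses = server, {}, 0
        server.avcs.append(self)

    def reset(self):
        self.cache.clear()

    def has_perm(self, ssid, tsid, tclass, perm):
        key = (ssid, tsid, tclass)
        if key not in self.cache:
            self.cache[key] = self.server.compute_av(ssid, tsid, tclass)
            self.misses += 1
        return bool(self.cache[key] & perm_bit(tclass, perm))

def demo():
    policy = {  # constructed, hypothetical policy
        "roles": {"user_r": {"user_t"}, "object_r": {"user_home_t"},
                  "system_r": {"httpd_t"}},
        "allow": {("user_t", "user_home_t", "file"): {"read", "write", "unlink"},
                  ("user_t", "httpd_t", "tcp_socket"): {"connect"}},
    }
    ss = SecurityServer(policy)
    avc = AVC(ss)
    proc = ss.context_to_sid("alice:user_r:user_t")
    home = ss.context_to_sid("alice:object_r:user_home_t")
    httpd = ss.context_to_sid("system_u:system_r:httpd_t")
    out = {"unlink_home": avc.has_perm(proc, home, "file", "unlink"),
           "connect_httpd": avc.has_perm(proc, httpd, "tcp_socket", "connect"),
           # same bit position as "connect", but class file: no rule, denied
           "unlink_httpd_as_file": avc.has_perm(proc, httpd, "file", "unlink")}
    # Three distinct (ssid, tsid, class) keys so far; a fourth query on a
    # cached key must not reach the security server.
    out["cached_hit"] = avc.has_perm(proc, home, "file", "read") and avc.misses == 3
    # Reload a policy that withdraws unlink and no longer defines httpd_t.
    ss.load_policy({"roles": {"user_r": {"user_t"}, "object_r": {"user_home_t"}},
                    "allow": {("user_t", "user_home_t", "file"): {"read", "write"}}})
    out["unlink_after_reload"] = avc.has_perm(proc, home, "file", "unlink")
    out["httpd_sid_invalidated"] = httpd not in ss.sids
    return out
```

Note that the AVC never looks inside a context: it keys on SIDs and the class, and the only code that parses the "user:role:type" string is the security server, which is exactly the separation the architecture is built around.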
Files are a special instance of an object class. A new file inherits the type of its parent directory. A persistent integer SID (PSID) is associated with each file, and the PSID is in turn mapped to a security label through tables kept in a reserved area of the partition. These tables (a separate object/PSID map and PSID/security label map) are loaded into memory when the file system is mounted. When a new security label is applied to a file, the tables are updated in memory (and on disk). Because the object/PSID map is keyed by inode, it keeps track of a file even after the file has been renamed, and even when the file system is mounted remotely.
Figure 4. Source: The Flask Security Architecture: System Support for Diverse Security Policies, by Ray Spencer (Secure Computing Corporation), Stephen Smalley and Peter Loscocco (National Security Agency), and Mike Hibler, David Andersen and Jay Lepreau (University of Utah). (See Resources.)
Flask also labels and controls open file descriptions. The label of a file description is the SID of the process that created it, which is distinct from the label of the file itself. Even if a process has permission to use an open file description it inherits, that description may refer to a file the process is not allowed to access. Such a process must have the permissions associated with the file's own label to access the file. Flask also controls every object affected by a file or directory service: in addition to checking access to the file's parent directory, there are permissions on the individual file itself for the various operations.
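The two mechanisms just described, persistent labels that follow an inode through a rename and survive a remount, and a descriptor label that is checked separately from the file label, are shown together in the following added example. It is an illustration written for this article in Python, not SE Linux code; the on-disk table layout, the rule table, and the type names (sysadm_t, user_t, secret_t and so on) are assumptions. The scenario at the end is the one the text warns about: a user_t process inherits a descriptor that a sysadm_t process opened on a secret_t file, is allowed to use the descriptor, and is still denied the read because it has no rule on the file's label.

```python
"""Model of persistent file labels (inode -> PSID -> context) and of the
separate label carried by an open file description. Added illustration in
Python, not SE Linux code. The rule table, types and paths are hypothetical."""

# Hypothetical TE rules: (subject type, object type, class) -> permissions.
ALLOW = {
    ("sysadm_t", "secret_t", "file"): {"read"},
    ("sysadm_t", "sysadm_t", "fd"): {"use"},
    ("user_t", "sysadm_t", "fd"): {"use"},      # may use an inherited descriptor
    ("user_t", "user_home_t", "file"): {"read", "write"},  # but nothing on secret_t
}

def allowed(stype, ttype, tclass, perm):
    return perm in ALLOW.get((stype, ttype, tclass), ())

class LabeledFS:
    """A mounted file system. 'disk' holds the on-disk tables; they are copied
    into memory at mount time and every label change is written through."""
    def __init__(self, disk):
        self.disk = disk
        self.names = dict(disk["names"])                      # path -> inode
        self.psid_of_inode = dict(disk["psid_of_inode"])      # object/PSID map
        self.context_of_psid = dict(disk["context_of_psid"])  # PSID/label map
        self.next_inode = max(self.names.values()) + 1

    def context_of(self, path):
        return self.context_of_psid[self.psid_of_inode[self.names[path]]]

    def type_of(self, path):
        return self.context_of(path).split(":")[2]

    def _psid_for(self, ctx):
        for psid, c in self.context_of_psid.items():
            if c == ctx:
                return psid
        psid = max(self.context_of_psid) + 1
        self.context_of_psid[psid] = self.disk["context_of_psid"][psid] = ctx
        return psid

    def _set_label(self, inode, ctx):
        psid = self._psid_for(ctx)
        self.psid_of_inode[inode] = self.disk["psid_of_inode"][inode] = psid

    def create(self, path):
        """A new file inherits the label of its parent directory."""
        parent = path.rsplit("/", 1)[0] or "/"
        inode, self.next_inode = self.next_inode, self.next_inode + 1
        self.names[path] = self.disk["names"][path] = inode
        self._set_label(inode, self.context_of(parent))

    def relabel(self, path, ctx):
        self._set_label(self.names[path], ctx)

    def rename(self, old, new):
        # Only the name table changes; the label is keyed by inode and follows.
        self.names[new] = self.disk["names"][new] = self.names.pop(old)
        del self.disk["names"][old]

class OpenFile:
    """An open file description, labeled with the type of the creating process."""
    def __init__(self, fs, path, creator_type):
        self.fs, self.path, self.label = fs, path, creator_type

def read(proc_type, fd):
    """Using the descriptor and reading the file are two separate checks."""
    if not allowed(proc_type, fd.label, "fd", "use"):
        return "denied: fd"
    if not allowed(proc_type, fd.fs.type_of(fd.path), "file", "read"):
        return "denied: file"
    return "ok"

def demo():
    disk = {  # constructed on-disk state of a small partition
        "names": {"/": 1, "/home": 2, "/etc/secret": 3},
        "psid_of_inode": {1: 1, 2: 2, 3: 3},
        "context_of_psid": {1: "system_u:object_r:root_t",
                            2: "system_u:object_r:user_home_t",
                            3: "system_u:object_r:secret_t"},
    }
    fs = LabeledFS(disk)
    fs.create("/home/notes")
    out = {"inherited": fs.type_of("/home/notes")}
    fs.rename("/home/notes", "/home/moved")
    out["after_rename"] = fs.type_of("/home/moved")
    fs.relabel("/home/moved", "system_u:object_r:secret_t")
    out["after_remount"] = LabeledFS(disk).type_of("/home/moved")  # from disk
    fd = OpenFile(fs, "/etc/secret", "sysadm_t")  # opened by an admin process
    out["admin_read"] = read("sysadm_t", fd)
    out["user_read_inherited_fd"] = read("user_t", fd)  # fd ok, file denied
    return out
```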
In Flask, sockets serve as communication endpoints and are by default labeled with the SID of the creating process. The security policy can control the connection between a client and a server through permissions on both sides (here, connectto and acceptfrom). It can also restrict a particular process's use of port numbers and pathnames.
Messages carry the label of the sending socket and a separate message label, which by default is also the sending socket's label. SE Linux cannot pass these message labels across the network.
Security Policy Configuration
Flask blurs the traditional distinction between types and domains found in TE schemes. In Flask, a domain is simply a type that is associated with a process. The same type can be associated with both processes and objects. Every process has a domain associated with it, and every object has a type, which may or may not be a domain.
The security policy configuration defines the Type Enforcement domains and types. The configuration specifies the accesses permitted to each domain and the interactions between domains. It also specifies automatic transitions between domains when files of a particular type are executed. This means particular programs can be automatically placed in their own domains. Automatic domain transitions appear to be used mainly to put system daemons into their own domains during system initialization, and to change privileges when a particular program is executed. One use is to add privileges for trusted programs, such as newrole, which changes roles. Another is to limit the damage caused by a leaky web browser by removing permissions from potentially hazardous programs (such as Netscape).
Roles are also defined in the configuration. Every process has a role associated with it: system processes run in the system_r role, while users may be in user_r or sysadm_r. The configuration also enumerates the domains each role may enter. Suppose a user runs a program called "foobar". By executing it, the user is moved into the user_foobar_t domain. That domain may hold only a small subset of the permissions of the user_t domain the user was originally logged in to.
The goals of the security policy configuration include controlling raw access, protecting the integrity of the kernel and system software, preventing privileged processes from executing dangerous code, and limiting the damage caused by flaws in privileged processes. Another important goal is to protect the administrator role (and domain) from being entered without authentication. This is done by requiring the "login" program (together with the associated authorization processes) to perform the transition into the administrator role and domain; only it may actually do so.
The actual configuration is written with macros, which the m4 macro processor expands.
This code listing shows how SE Linux uses the macro language to define the rules for the rlogin_t domain.
That's all there is to it. Anything not explicitly allowed is prohibited. There is no gray area, and it is very strict; if you think about it, that is exactly what you expect from a security system. Remember, though, that in addition to the domain-specific rules there is a set of rules in policy/domains/every.te that applies to every domain. Such "global" rules can be used to grant a minimum of privilege, with only the permissions each individual domain actually needs added on top.
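The whole configuration section, domains and types, roles bounding which domains a process may enter, automatic transitions on exec, the login-only path into the administrator role, and default deny with a few global rules shared by every domain, is reduced to a single model below. It is an added example in Python, not SE Linux code and not its m4 policy sources; every type, role and program name (foobar_exec_t, user_foobar_t, login_t, lib_t, shadow_t) and the rule tables are assumptions chosen to mirror the text. The "foobar" walk-through from above is carried out: a user_t process executes foobar_exec_t, lands in user_foobar_t, and finds it can read but no longer write its home directory, while the global rule still lets it read shared libraries.

```python
"""Model of the policy configuration: TE domains and types, roles that bound
which domains a process may enter, automatic domain transitions on exec,
and default deny with a few global rules shared by every domain. Added
illustration in Python, not SE Linux code or its m4 policy sources. All type,
role and program names and all rules are hypothetical."""

# Rules every domain gets (what every.te provides), hypothetical.
GLOBAL_ALLOW = {("lib_t", "file"): {"read", "execute"}}

# Domain-specific rules: domain -> {(object type, class): permissions}.
DOMAIN_ALLOW = {
    "user_t": {("user_home_t", "file"): {"read", "write"},
               ("foobar_exec_t", "file"): {"execute"},
               ("user_foobar_t", "process"): {"transition"}},
    "user_foobar_t": {("user_home_t", "file"): {"read"}},  # reduced subset
    "login_t": {("sysadm_t", "process"): {"transition"},
                ("user_t", "process"): {"transition"}},
    "sysadm_t": {("shadow_t", "file"): {"read", "write"}},
}
# Automatic transitions: (current domain, type of executed file) -> new domain.
TRANSITIONS = {("user_t", "foobar_exec_t"): "user_foobar_t"}
# Domains each role may enter, and which role changes are permitted at all.
ROLES = {"system_r": {"login_t"}, "user_r": {"user_t", "user_foobar_t"},
         "sysadm_r": {"sysadm_t"}}
ROLE_ALLOW = {("system_r", "user_r"), ("system_r", "sysadm_r")}

def allowed(domain, ttype, tclass, perm):
    """Default deny: only an explicit global or per-domain rule grants access."""
    perms = set(GLOBAL_ALLOW.get((ttype, tclass), ()))
    perms |= DOMAIN_ALLOW.get(domain, {}).get((ttype, tclass), set())
    return perm in perms

class Process:
    def __init__(self, user, role, domain):
        self.user, self.role, self.domain = user, role, domain

def execve(proc, file_type):
    """Exec may move the process to a new domain, but only one its role allows."""
    if not allowed(proc.domain, file_type, "file", "execute"):
        return "denied: execute"
    new = TRANSITIONS.get((proc.domain, file_type), proc.domain)
    if new != proc.domain:
        if new not in ROLES[proc.role]:
            return "denied: role"
        if not allowed(proc.domain, new, "process", "transition"):
            return "denied: transition"
        proc.domain = new
    return "ok"

def set_context(proc, new_role, new_domain):
    """Explicit role and domain change, as login does after authenticating."""
    if (proc.role, new_role) not in ROLE_ALLOW:
        return "denied: role change"
    if new_domain not in ROLES[new_role]:
        return "denied: domain not in role"
    if not allowed(proc.domain, new_domain, "process", "transition"):
        return "denied: transition"
    proc.role, proc.domain = new_role, new_domain
    return "ok"

def demo():
    out = {}
    login = Process("system_u", "system_r", "login_t")
    out["login_to_sysadm"] = set_context(login, "sysadm_r", "sysadm_t")
    alice = Process("alice", "user_r", "user_t")
    out["user_to_sysadm"] = set_context(alice, "sysadm_r", "sysadm_t")
    out["exec_foobar"] = execve(alice, "foobar_exec_t")
    out["domain_after_exec"] = alice.domain
    out["foobar_write_home"] = allowed(alice.domain, "user_home_t", "file", "write")
    out["foobar_read_home"] = allowed(alice.domain, "user_home_t", "file", "read")
    out["foobar_read_lib"] = allowed(alice.domain, "lib_t", "file", "read")
    out["foobar_read_shadow"] = allowed(alice.domain, "shadow_t", "file", "read")
    return out
```

The role check in execve and set_context is what keeps a user from reaching sysadm_t by any path: even a transition rule from user_t to sysadm_t would be useless unless user_r were also listed as allowed to enter that domain, and only login_t, running in system_r, is given the role change.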
In Part 2 of this series, we will look at some more of the original SE Linux code. We will discuss how security_av is computed, and how some of the other SE Linux security features are invoked. Part 2 is where we get into the details.
Resources
Reports say the NSA will replace some physically separated computers with SE Linux machines combined with a commercial product called NetTop.
Stephen Smalley's paper Flask: Flux Advanced Security Kernel is the source of Figures 1 through 4 in this article.
The National Security Agency's own perspective on Security-Enhanced Linux.
The SE Linux documentation covers the design and implementation of the kernel security mechanisms, as well as the details of the security policy configuration.
The source code, available from the NSA site.
About the author: Larry Loeb was an editor of, or contributor to, many of the "dead tree" computer magazines of the last century. He has published a book on SET, the Secure Electronic Transactions protocol developed by Visa and MasterCard. You can reach him at larryloeb@prodigy.net; he usually answers.