[5] Web HTTP [6] [7] Linux OS TOMOYO Linux OS 2.1 (DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identi

Size: px

Start display at page:

Download "[5] Web HTTP [6] [7] 2 3 4 Linux OS TOMOYO Linux 5 6 7 2. OS 2.1 (DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identi"

うまじにいだ
7 years ago
Views:

1 1,2,a) 3,b) 1,c) 1,d) , Linux TOMOYO Linux[1][2] Mandatory Access Control Method Based on Application Execution State Toshiharu Harada 1,2,a) Tetsuo Handa 3,b) Masaki Hashimoto 1,c) Hidehiko Tanaka 1,d) Received: December 2, 2011, Accepted: June 4, 2012 Abstract: Existing access control methods grant access requests based on the combinations of applications as subject and files as objects. Therefore intents of applications and the possible effects caused by granting the access requests have not been taken into consideration. In this paper, we propose a new access control method based on application history and intents. With our access control method, system administrators can reduce the risks caused by malicious access attempts and wrong operations. In this paper, the concept and implementation design will be explained as well as the brief evaluation report of TOMOYO Linux, our implementation of the new access control method to Linux INSTITUTE of INFORMATION SECURITY 2 NTT NTT DATA CORPORATION 3 NTT NTT DATA INTELLILINK CORPORATION a) dgs085101@iisec.ac.jp b) penguin-kernel@i-love.sakura.ne.jp c) hashimoto@iisec.ac.jp d) tanaka@iisec.ac.jp [3][4] c 2012 Information Processing Society of Japan 1

as objects. Therefore intents of applications and the possible effects caused by granting the access requests have not been taken into consideration.

2 [5] Web HTTP [6] [7] Linux OS TOMOYO Linux OS 2.1 (DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identity-based access control) MAC MAC (rule-based access control) MAC 1983 TCSEC (Trusted Computing Systems Evaluation Criteria)[9] MAC(Labeled Security) TCSEC MAC MAC 2006 MAC(pathname-based MAC) *1 Linux SELinux[10][11][12] SMACK[13], TOMOYO Linux, AppArmor[14] 4 MAC SELinux SMACK MAC TOMOYO Linux AppArmor MAC Subject Object *1 c 2012 Information Processing Society of Japan 2

control) MAC 1983 TCSEC (Trusted Computing Systems Evaluation Criteria)[9] MAC(Labeled Security) TCSEC MAC MAC 2006 MAC(pathname-based MAC)

3 OS Linux execve OS MAC Linux seccomp[15], FreeBSD Capsicum[16] seccomp prctl(pr_set_seccomp, 1); read(), write(), exit(), sigreturn() 4 seccomp Capsicum seccomp Capsicum 2.2 DAC DAC [17] MAC DAC MAC MAC Web Apache.htaccess Web index.txt MAC.htaccess index.txt Web Apache *2 SSH /usr/sbin/sshd -o Banner /etc/shadow /etc/shadow MAC Apache sshd *2 Fedora15 /var/www/html.htaccess c 2012 Information Processing Society of Japan 3

htaccess Web index.txt MAC.htaccess index.

4 SSH ( i ) ( ii ) ( iii ) (i)(ii) Linux SSH Web Apache CGI 1 Linux Fedora 15 *3 3 /bin/bash 1 3 /sbin/init Linux /bin/bash 3 1 /etc/rc.d/init.d/sshd sshd /bin/bash 2 /sbin/agetty /bin/login /bin/bash 3 2 /bin/bash su(switch user) /bin/bash Linux 3 /bin/bash SSH 3.2 *3 c 2012 Information Processing Society of Japan 4

5 Table 1 1 (Linux) Examples of Program Execution History (Linux). 1 SSH bash /sbin/init /etc/rc.d/init.d/sshd /usr/sbin/sshd /usr/sbin/sshd /bin/bash 2 bash /sbin/init /sbin/agetty /bin/login /bin/bash 3 su bash /sbin/init /sbin/agetty /bin/login /bin/bash /bin/su /bin/bash /etc/nologin,.htaccess MAC MAC 4. Linux TOMOYO Linux TOMOYO Linux Linux MAC TOMOYO Linux Linux TOMOYO Linux TOMOYO Linux SourceForge.jp *4 Linux TOMOYO Linux 4.1 Linux id TOMOYO Linux 1 /bin/bash *4 c 2012 Information Processing Society of Japan 5

/bin/login /bin/bash /bin/su /bin/bash /etc/nologin,.htaccess MAC MAC 4.

6 Linux 1 Linux /bin/bash /bin/date Linux UNIX OS fork() execve() 1 /bin/bash fork() execve() /bin/date /bin/date /bin/bash execve() TOMOYO Linux TOMOYO Linux <kernel> <kernel> <kernel> Linux /sbin/init <kernel> /sbin/init /bin/bash <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash TOMOYO Linux 2 Fedora 15 TOMOYO Linux 4.2 Linux i 4.3 MAC [18][19] 2.6 Linux Linux Security Modules[20] LSM LSM c 2012 Information Processing Society of Japan 6

2 TOMOYO Linux TOMOYO Linux <kernel> <kernel> <kernel> Linux /sbin/init <kernel> /sbin/init /bin/bash <kernel>

7 1 Fig. 1 Defining Program Execution History. 2 (Fedora 15) Fig. 2 Domain Transition Example (Fedora 15). c 2012 Information Processing Society of Japan 7

8 LSM LSM TOMOYO Linux LSM 4.4 TOMOYO Linux TOMOYO Linux file rename, execute /tmp ID Web TOMOYO Linux 2 TOMOYO Linux 2 file rename 2 TOMOYO Linux Web *5 *5 policy-specification/index.html 2 TOMOYO Linux Table 2 TOMOYO Linux wild card patterns. \* / 0 \@ /. 0 \? / 1 \$ 1 10 \ \X 1 16 \x 16 1 \A 1 \a 1 \- /\{dir\}/ 1 dir/ TOMOYO Linux <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash) /usr/bin/passwd /usr/bin/passwd <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd /usr/bin/passwd TOMOYO Linux 3 1 /sbin/init /sbin/agetty /bin/login /bin/bash passwd 3 /usr/bin/passwd exec.argv[0] passwd exec.argv[] exec.argc=1 TOMOYO Linux c 2012 Information Processing Society of Japan 8

4.1 TOMOYO Linux <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash) /usr/bin/passwd /usr/bin/passwd <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd

9 1 <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash 2 3 file execute /usr/bin/passwd exec.realpath="/usr/bin/passwd" exec.argv[0]="passwd" 4 file read/write /dev/tty 5 file read /etc/passwd 6 file read /etc/profile 7 file read /home/harada/.bash_profile 8 file read /home/harada/.bashrc 9 file read /etc/bashrc 10 file write /dev/null 3 /bin/bash Fig. 3 Policy of /bin/bash Domain. /usr/bin/passwd 4 10 /bin/bash 4 3 /usr/bin/passwd /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd passwd /etc/shadow /etc/nshadow /etc/shadow ID ID MAC ( i ) file rename /etc/mtab.tmp /etc/mtab /etc/mtab.tmp /etc/mtab file create /var/lock/subsys/crond 0644 /var/lock/subsys/crond 0644 file chmod /dev/mem 0644 /dev/mem 0644 file execute /bin/ls /bin/ls ( ii ) =!= file symlink /dev/cdrom symlink.target="hdc" hdc /dev/cdrom file execute /bin/bash task.uid= ID /bin/bash file read /tmp/file001.tmp task.uid=path1.uid ID /tmp/file001.tmp ID file execute /usr/bin/ssh exec.realpath="/usr/bin/ssh" exec.argv[0]="ssh" ssh /usr/bin/ssh /usr/bin/ssh file execute /bin/bash exec.realpath="/bin/bash" exec.argv[0]="-bash" task.uid!=0 task.euid!=0 -bash /bin/bash ID ID 0 root /bin/bash 4.5 TOMOYO Linux /etc/ccs/domain_policy.conf c 2012 Information Processing Society of Japan 9

bashrc 9 file read /etc/bashrc 10 file write /dev/null 3 /bin/bash Fig. 3 Policy of /bin/bash Domain.

10 1 <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd 2 3 file read /etc/passwd 4 file read /etc/shadow 5 file write /etc/.pwd.lock 6 file read /dev/urandom 7 file create /etc/nshadow file write /etc/nshadow 9 file chown/chgrp /etc/nshadow 0 10 file chmod /etc/nshadow file rename /etc/nshadow /etc/shadow 4 /usr/bin/passwd Fig. 4 Policy of /usr/bin/passwd Domain. root emacs TOMOYO Linux emacs / TOMOYO Linux CUI (Character User Interface) 2 TOMOYO Linux Web * TOMOYO Linux *7 TOMOYO Linux disabled, learning, permissive, enforcing 4 3 TOMOYO Linux *6 html *7 3 TOMOYO Linux Table 3 TOMOYO Linux mode. disabled learning permissive enforcing ( i ) learning ( ii ) ( iii )permissive ( iv )enforcing enforcing c 2012 Information Processing Society of Japan 10

/usr/bin/passwd Fig. 4 Policy of /usr/bin/passwd Domain. root emacs TOMOYO Linux emacs / TOMOYO Linux CUI (Character User Interface) 2 TOMOYO Linux Web *6 4.5.

11 Web enforcing TO- MOYO Linux TOMOYO Linux OS /etc/ccs/domain_policy.conf MAC TOMOYO Linux MAC MAC MAC 5. TOMOYO Linux 5.1 ( i ) ( ii ) MAC ( iii ) MAC SELinux 4 ( iv )Role-Based Access Control Role-Based Access Control Model[21] (RBAC) Identity-Based Access Control Model 3 /bin/su /bin/su [22] ID ID root Linux/UNIX root ID ID c 2012 Information Processing Society of Japan 11

1 ( i ) ( ii ) MAC ( iii ) MAC SELinux 4 ( iv )Role-Based Access Control Role-Based Access

12 5.2 MAC SELinux 2007 TOMOYO Linux SELinux Web [23]. SELinux * NPO OS WG OS Web TOMOYO Linux Apache Web Web CGI CGI Apache TOMOYO Linux Linux *8 * 9 * TOMOYO Linux UNIX LMBench[24] LMBench OS TOMOYO Linux TOMOYO Linux TOMOYO Linux LMBench LMBench 4 LMBench Web * 11 TOMOYO Linux 5 TOMOYO Linux 6 5, 6 Func. LMBench Base TOMOYO Linux (µsec)tomoyo TOMOYO Linux MAC (µsec)diff TOMOYO Base (µsec)overhead Overhead = T OMOY O Base Base 100 Overhead 100 TOMOYO Linux 100% 2 5 TOMOYO Linux ±5%TO- MOYO Linux LMBench *9 *10 *11 c 2012 Information Processing Society of Japan 12

LMBench Base TOMOYO Linux (µsec)tomoyo TOMOYO Linux MAC (µsec)diff TOMOYO Base (µsec)overhead Overhead = T OMOY O Base Base 100 Overhead 100 TOMOYO Linux 100% 2 5

13 5 LMBench Table 5 Result of LMBench (not hooked). Func. Base (µsec) TOMOYO (µsec) Diff (µsec) Overhead (%) null syscall null I/O Select on 100 tcp fd s Signal handler installation p/0K ctxsw p/16K ctxsw p/64K ctxsw p/16K ctxsw p/64K ctxsw p/16K ctxsw p/64K ctxsw Pipe AF UNIX Mmap Page Fault Select on 100 fd s LMBench Table 6 Result of LMBench (hooked by TOMOYO). Func. Base (µsec) TOMOYO (µsec) Diff (µsec) Overhead (%) Simple stat Simple open/close Signal handler overhead Process fork+exit Process fork+execve Process fork+/bin/sh -c UDP RPC/UDP TCP RPC/TCP TCP/IP connection cost K File Create K File Delete K File Create K File Delete c 2012 Information Processing Society of Japan 13

5-3.81 8p/64K ctxsw 14.035 14.095 0.1 0.43 16p/16K ctxsw 12.185 12.04-0.1-1.19 16p/64K ctxsw 14.135 14.225 0.1 0.64 Pipe 38.3 36.73-1.6-4.10 AF UNIX 24.47 24.28-0.2-0.78 Mmap 2341.55 2375.1 33.5 1.43 Page Fault 2.

14 4 Table 4 Benchmark Envrionment. specification/version CPU Core 2 Duo T GHz Memory 2GB OS Ubuntu x86 64 Kernel TOMOYO Linux 1.8.3p5 Benchmark tool LMBench 3.0-a9 6 stat, open/close, signal handler 50%0K File Create 60% 10K File Create 18.49% 10KB write TOMOYO fork fork exec 5%fork+/bin/sh -c /bin/sh exec exec 2 LSM MAC OS LSM Performance Monitor (LSMPMON)[25] LSMPMON execve /tmp/reexec /tmp/reexec 5 delay (microseconds) 0.4 "bench1.dat" number of domains (logscale) 5 Fig. 5 Performace delay due to domain number increase. 2 TOMOYO Linux TOMOYO Linux µsec /dev/null open /dev/null open 6 1 TOMOYO Linux TOMOYO Linux µsec Linux TOMOYO Linux 2000 c 2012 Information Processing Society of Japan 14

49% 10KB write TOMOYO fork fork exec 5%fork+/bin/sh -c /bin/sh exec exec 2 LSM MAC OS LSM Performance Monitor (LSMPMON)[25] LSMPMON 5.3.

15 delay (microseconds) 1.6 "bench2.dat" number of acl definitions (logscale) 6 Fig. 6 Performace delay due to ACL number increase MAC ( i ) MAC MAC MAC ( ii ) DAC ( iii ) TCSEC 1983 MAC AppArmor TOMOYO Linux AppArmor MAC ( i ) TOMOYO Linux AppArmor AppArmor AppArmor * 12 TOMOYO Linux AppArmor ( ii ) AppArmor TOMOYO Linux TOMOYO Linux AppArmor Web ( iii )AppArmor TOMOYO Linux AppArmor TOMOYO Linux RBAC \ * November/ html c 2012 Information Processing Society of Japan 15

$2011 11 AppArmor * 12 TOMOYO Linux AppArmor ( ii ) AppArmor TOMOYO Linux TOMOYO Linux AppArmor Web ( iii )AppArmor TOMOYO Linux AppArmor TOMOYO Linux RBAC \$

16 .git \ Context-aware Access Control, (CAAC: Context-aware Access Control). Matthias Baldauf A survey on context-aware systems [26] Context-aware system CAAC context Web context [27] CAAC context CAAC CAAC Salvia[28] Salvia 2 OS LAN (ESSID) 6.2 [29] ( i ) OS /bin/sh MAC ( ii ) Linux ( iii ) 6.3 execve() execve() c 2012 Information Processing Society of Japan 16

Web context [27] CAAC context CAAC CAAC Salvia[28] Salvia 2 OS LAN (ESSID) 6.

17 Web Apache CGI (Common Gateway Interface) CGI execve() CGI mod_perl execve() Apache execve() CGI MAC 7. Linux TOMOYO Linux TOMOYO Linux MAC TOMOYO Linux TOMOYO Linux [1] TOMOYO Linux pp (2009). [2] Linux : 4 TOMOYO Linux Vol. 51, No. 10, pp (2010). [3] Peterson, D. S., Bishop, M. and Pandey, R.: Flexible Containment Mechanism for Executing Untrsted Code, 11th USENIX Security Symposium, pp (2002). [4] Vol. 20, No. 4, pp (2003). [5] Goldberg, I., Wagner, D., Thomas, R. and Brewer, E.: A secure environment for untrusted helper applications confining the Wily Hacker, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography-Volume 6, USENIX Association, pp. 1 1 (1996). [6] Barth, A., Jackson, C., Reis, C. and Team, T.: The security architecture of the Chromium browser (2008). [7] Loscocco, P. A., Smalley, S. D., Muckerbauer, P. A., Taylor, R. C., Turner, S. J. and Farrell, J. F.: The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, 21st National Information Systems Security Conference, Vol. 10, No. 2, pp (1989). [8] Bishop, M.: Computer Security: Art and Science [9] Tcsec, D.: Trusted computer system evaluation criteria, DoD STD, Vol. 83 (1983). [10] Peter Loscocco, N.: Integrating flexible support for security policies into the Linux operating system, Proceedings of the FREENIX Track 2001 USENIX annual technical conference, June 25-30, 2001, Boston, Massachusetts, USA, Citeseer, p. 29 (2001). [11] Loscocco, P. A. and Smalley, S. D.: Meeting Critical Security Objectives with Security-Enhanced Linux, Ottawa Linux Symposium (2001). [12] Smalley, S.: Configuring the SELinux policy, NAI Laboratories (2005). [13] Schaufler, C.: Smack in embedded computing, Proceedings of the 10th Linux Symposium (2008). [14] Cowan, C., Beattie, S., Kroah-Hartman, G., Pu, C., Wagle, P. and Gligor, V.: Subdomain: Parsimonious server c 2012 Information Processing Society of Japan 17

: Flexible Containment Mechanism for Executing Untrsted Code, 11th USENIX Security Symposium, pp. 207 225 (2002). [4] Vol. 20, No. 4, pp. 55 72 (2003). [5] Goldberg, I., Wagner, D., Thomas, R.

18 security, Proceedings of the 14th USENIX conference on System administration, USENIX Association, pp (2000). [15] Winter, J.: Trusted computing building blocks for embedded linux-based ARM trustzone platforms, Proceedings of the 3rd ACM workshop on Scalable trusted computing, ACM, pp (2008). [16] Watson, R., Anderson, J., Laurie, B. and Kennaway, K.: Capsicum: practical capabilities for UNIX, USENIX Security (2010). [17] Ken, W.: Buffer Overflow Attacks and Their Countermeasures., Vol. 19, No. 1, pp (online), available from ( ). [18] Sandhu, R. and Samarati, P.: Access control: principle and practice, Communications Magazine, IEEE, Vol. 32, No. 9, pp (1994). [19] / SysGuard Vol. 43, No. 6, pp (2002). [20] Wright, C., Cowan, C., Smalley, S., Morris, J. and Kroah-Hartman, G.: Linux security modules: General security support for the Linux kernel (2003). [21] Sandhu, R., Coyne, E., Feinstein, H. and Youman, C.: Role-based access control models, Computer, Vol. 29, No. 2, pp (1996). [22] OS Vol. 11, pp (2005). [23] (2003). [24] McVoy, L. and Staelin, C.: lmbench: Portable tools for performance analysis, Proceedings of the 1996 annual conference on USENIX Annual Technical Conference, Usenix Association, pp (1996). [25] LSM OS D Vol. J92-D, No. 7, pp (2009). [26] Baldauf, M., Dustdar, S. and Rosenberg, F.: A survey on context-aware systems, International Journal of Ad Hoc and Ubiquitous Computing, Vol. 2, No. 4, pp (2007). [27] Truong, H. and Dustdar, S.: A survey on context-aware web service systems, International Journal of Web Information Systems, Vol. 5, No. 1, pp (2009). [28] KAZUHISA, S., YOSHIMI, I., KOICHI, M. and EIJI, O.: An Adaptive Data Protection Method based on Contexts of Data Access in Privacy- Aware Operating System Salvia(Operating System),. Vol. 47, No. 3, pp (online), available from ( ). [29] Vol. 21, No. 6, pp (2004) NTT 2012 IEEE, ACM 2001 NTT NTT 2003 Linux IEEE ISS Parallel Inference Engine,, IEEE c 2012 Information Processing Society of Japan 18

, Anderson, J., Laurie, B. and Kennaway, K.: Capsicum: practical capabilities for UNIX, USENIX Security (2010). [17] Ken, W.: Buffer Overflow Attacks and Their Countermeasures., Vol. 19, No. 1, pp.

[5] Web HTTP [6] / / [7] Linux OS TOMOYO Linux OS DAC: Discretionary Access Control MAC: Mandatory Access Control 2 [8] DAC ident

[5] Web HTTP [6] / / [7] Linux OS TOMOYO Linux OS DAC: Discretionary Access Control MAC: Mandatory Access Control 2 [8] DAC ident 1,2, 1,a) 3 1 1 2011 12 2, 2012 6 1 Linux TOMOYO Linux TOMOYO Linux SELinux Mandatory Access Control Method Based on Application Execution State Toshiharu Harada 1,2, 1,a) Tetsuo Handa 3 Masaki Hashimoto