[5] Web HTTP [6] / / [7] Linux OS TOMOYO Linux OS DAC: Discretionary Access Control MAC: Mandatory Access Control 2 [8] DAC ident

Size: px

Start display at page:

Download "[5] Web HTTP [6] / / [7] Linux OS TOMOYO Linux OS DAC: Discretionary Access Control MAC: Mandatory Access Control 2 [8] DAC ident"

ときかつもと
7 years ago
Views:

1 1,2, 1,a) , Linux TOMOYO Linux TOMOYO Linux SELinux Mandatory Access Control Method Based on Application Execution State Toshiharu Harada 1,2, 1,a) Tetsuo Handa 3 Masaki Hashimoto 1 Hidehiko Tanaka 1 Received: December 2, 2011, Accepted: June 1, 2012 Abstract: Existing access control methods grant access requests based on the combinations of applications as subject and files as objects. Therefore intents of applications and the possible effects caused by granting the access requests have not been taken into consideration. In this paper, we propose a new access control method based on application history and intents. With our access control method, system administrators can reduce the risks caused by malicious access attempts and wrong operations. In this paper, the concept and implementation design will be explained as well as the brief evaluation report of TOMOYO Linux, our implementation of the new access control method to Linux. Keywords: Mandatory Access control, Labeled Security, TOMOYO Linux, SELinux 1. 1 Institute of Information Security, Yokohama, Kanagawa , Japan 2 NTT NTT DATA CORPORATION, Koto, Tokyo , Japan 3 NTT NTT DATA INTELLILINK CORPORATION, Tokyo, , Japan 1 NTT Presently with NTT DATA INTELLILINK CORPORA- TION a) dgs085101@iisec.ac.jp [3], [4] c 2012 Information Processing Society of Japan 2130

2 [5] Web HTTP [6] / / [7] Linux OS TOMOYO Linux OS DAC: Discretionary Access Control MAC: Mandatory Access Control 2 [8] DAC identity-based access control MAC MAC rule-based access control MAC 1983 TCSEC Trusted Computing Systems Evaluation Criteria [9] MAC Labeled Security TCSEC MAC MAC 2006 MAC pathname-based MAC *1 Linux SELinux [10], [11], [12] SMACK [13] TOMOYO Linux [1], [2] AppArmor [14] 4 MAC SELinux SMACK MAC TOMOYO Linux AppArmor MAC Subject Object *1 c 2012 Information Processing Society of Japan 2131

3 OS Linux execve OS MAC Linux seccomp [15] FreeBSD Capsicum [16] seccomp prctl(pr_set_seccomp, 1); read() write() exit() sigreturn() 4 seccomp Capsicum seccomp Capsicum 2.2 DAC DAC [17] MAC DAC MAC MAC 2 1 Web Apache.htaccess Web index.txt MAC.htaccess index.txt Web Apache *2 2 SSH /usr/sbin/sshd -o Banner /etc/shadow /etc/shadow 1 2 MAC 2 Apache sshd 2.3 *2 Fedora15 /var/www/html.htaccess c 2012 Information Processing Society of Japan 2132

4 SSH (i) (ii) ( iii ) (i) (ii) Linux SSH Web Apache CGI 1 Linux 1 Fedora 15 *3 3 /bin/bash 1 3 /sbin/init Linux /bin/bash 3 1 /etc/rc.d/init.d/sshd sshd /bin/bash 2 /sbin/agetty /bin/login /bin/bash 3 2 /bin/bash su switch user /bin/bash Linux 3 /bin/bash SSH *3 c 2012 Information Processing Society of Japan 2133

5 Table 1 1 Linux Examples of program execution history (Linux). 1 SSH bash /sbin/init /etc/rc.d/init.d/sshd /usr/sbin/sshd /usr/sbin/sshd /bin/bash 2 bash /sbin/init /sbin/agetty /bin/login /bin/bash 3 su bash /sbin/init /sbin/agetty /bin/login /bin/bash /bin/su /bin/bash 3.2 /etc/nologin.htaccess MAC MAC 4. Linux TOMOYO Linux TOMOYO Linux Linux MAC TOMOYO Linux Linux TOMOYO Linux TOMOYO Linux SourceForge.jp *4 Linux TOMOYO Linux 4.1 Linux id TOMOYO Linux *4 c 2012 Information Processing Society of Japan 2134

6 1 Fig. 1 Defining program execution history. 1 /bin/bash Linux 1 Linux /bin/bash /bin/date Linux UNIX OS fork() execve() 1 /bin/bash fork() execve() /bin/date /bin/date /bin/bash execve() TOMOYO Linux TOMOYO Linux <kernel> <kernel> <kernel> Linux /sbin/init <kernel> /sbin/init /bin/bash <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash 1 1 TOMOYO Linux 2 Fedora 15 TOMOYO Linux c 2012 Information Processing Society of Japan 2135

7 2 Fedora 15 Fig. 2 Domain transition example (Fedora 15). 4.2 Linux i 4.3 MAC [18], [19] 2.6 Linux Linux Security Modules [20] LSM LSM LSM LSM TOMOYO Linux LSM 4.4 TOMOYO Linux TOMOYO Linux c 2012 Information Processing Society of Japan 2136

8 2 Table 2 TOMOYO Linux TOMOYO Linux wild card patterns. \* / 0 \@ /. 0 \? / 1 \$ 1 10 \ \X 1 16 \x 16 1 \A 1 \a 1 \- /\{dir\}/ 1 dir/ file rename execute /tmp ID Web TOMOYO Linux 2 TOMOYO Linux 2 file rename 2 TOMOYO Linux Web * TOMOYO Linux *5 index.html <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd /usr/bin/passwd <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd /usr/bin/passwd TOMOYO Linux 3 1 /sbin/init /sbin/agetty /bin/login /bin/bash passwd 3 /usr/bin/passwd exec.argv[0] passwd exec.argv[] exec.argc=1 TOMOYO Linux /usr/bin/passwd 4 10 /bin/bash 4 3 /usr/bin/passwd /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd passwd /etc/shadow /etc/nshadow /etc/shadow ID ID c 2012 Information Processing Society of Japan 2137

9 1 <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash 2 3 file execute /usr/bin/passwd exec.realpath="/usr/bin/passwd" exec.argv[0]="passwd" 4 file read/write /dev/tty 5 file read /etc/passwd 6 file read /etc/profile 7 file read /home/harada/.bash_profile 8 file read /home/harada/.bashrc 9 file read /etc/bashrc 10 file write /dev/null 3 /bin/bash Fig. 3 Policy of /bin/bash domain. 1 <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd 2 3 file read /etc/passwd 4 file read /etc/shadow 5 file write /etc/.pwd.lock 6 file read /dev/urandom 7 file create /etc/nshadow file write /etc/nshadow 9 file chown/chgrp /etc/nshadow 0 10 file chmod /etc/nshadow file rename /etc/nshadow /etc/shadow 4 /usr/bin/passwd Fig. 4 Policy of /usr/bin/passwd domain. MAC (i) file rename /etc/mtab.tmp /etc/mtab /etc/mtab.tmp /etc/mtab file create /var/lock/subsys/crond 0644 /var/lock/subsys/crond 0644 file chmod /dev/mem 0644 /dev/mem 0644 file execute /bin/ls /bin/ls (ii) =!= file symlink /dev/cdrom symlink.target="hdc" hdc /dev/cdrom file execute /bin/bash task.uid= ID /bin/bash file read /tmp/file001.tmp task.uid=path1.uid ID /tmp/file001.tmp ID file execute /usr/bin/ssh exec.realpath= "/usr/bin/ssh" exec.argv[0]="ssh" ssh /usr/bin/ssh /usr/bin/ssh file execute /bin/bash exec.realpath= "/bin/bash" exec.argv[0]="-bash" task.uid!=0 task.euid!=0 -bash /bin/bash ID ID c 2012 Information Processing Society of Japan 2138

10 0 root /bin/bash 4.5 TOMOYO Linux /etc/ccs/domain_policy.conf root emacs TOMOYO Linux emacs / TOMOYO Linux CUI Character User Interface 2 TOMOYO Linux Web * TOMOYO Linux *7 TOMOYO Linux disabled learning permissive enforcing 4 3 TOMOYO Linux (i) learning (ii) *6 *7 3 TOMOYO Linux Table 3 TOMOYO Linux mode. disabled learning permissive enforcing ( iii ) permissive (iv) enforcing enforcing Web 2 c 2012 Information Processing Society of Japan 2139

11 4.5.3 enforcing TOMOYO Linux TOMOYO Linux OS /etc/ccs/domain_policy.conf MAC TOMOYO Linux MAC MAC MAC 5. TOMOYO Linux 5.1 (i) (ii) MAC ( iii ) MAC SELinux 4 (iv) Role-Based Access Control Role-Based Access Control Model [21] RBAC Identity-Based Access Control Model 3 /bin/su /bin/su [22] ID ID root root ID ID 5.2 MAC SELinux 2007 TOMOYO Linux SELinux Web [23] SELinux *8 *8 c 2012 Information Processing Society of Japan 2140

12 NPO OS WG OS Web TOMOYO Linux Apache Web Web CGI CGI Apache TOMOYO Linux Linux * 9,* TOMOYO Linux UNIX LMBench [24] LMBench OS TOMOYO Linux TOMOYO Linux TOMOYO Linux LMBench *9 *10 4 Table 4 Benchmark envrionment. specification/version CPU Core 2 Duo T GHz Memory 2GB OS Ubuntu x86 64 Kernel TOMOYO Linux 1.8.3p5 Benchmark tool LMBench 3.0-a9 LMBench 4 LMBench Web * 11 TOMOYO Linux 5 TOMOYO Linux Func. LMBench Base TOMOYO Linux µsec TOMOYO TOMOYO Linux MAC µsec Diff TOMOYO Base µsec Overhead Overhead = TOMOYO Base Base 100 Overhead 100 TOMOYO Linux 100% 2 5 TOMOYO Linux ±5%TOMOYO Linux LMBench 6 stat open/close signal handler 50%0K File Create 60% 10K File Create 18.49% 10 KB write TOMOYO fork fork exec 5%fork+/bin/sh -c /bin/sh exec *11 c 2012 Information Processing Society of Japan 2141

13 5 LMBench Table 5 Result of LMBench (not hooked). Func. Base (µsec) TOMOYO (µsec) Diff (µsec) Overhead (%) null syscall null I/O Select on 100 tcp fd s Signal handler installation p/0K ctxsw p/16K ctxsw p/64K ctxsw p/16K ctxsw p/64K ctxsw p/16K ctxsw p/64K ctxsw Pipe AF UNIX Mmap Page Fault Select on 100 fd s LMBench Table 6 Result of LMBench (hooked by TOMOYO). Func. Base (µsec) TOMOYO (µsec) Diff (µsec) Overhead (%) Simple stat Simple open/close Signal handler overhead Process fork+exit Process fork+execve Process fork+/bin/sh -c UDP RPC/UDP TCP RPC/TCP TCP/IP connection cost K File Create K File Delete K File Create K File Delete exec 2 LSM MAC OS LSM Performance Monitor LSMPMON [25] LSMPMON execve 2 c 2012 Information Processing Society of Japan 2142

14 2 100,000 /tmp/reexec /tmp/reexec 5 2 TOMOYO Linux TOMOYO Linux µsec 5 10, ,000 /dev/null 10,000 open /dev/null open 6 1 TOMOYO Linux TOMOYO Linux µsec 6 5 Fig. 5 Performace delay due to domain number increase. 6 Fig. 6 Performace delay due to ACL number increase. 10, Linux TOMOYO Linux 2, MAC (i) MAC MAC MAC (ii) DAC ( iii ) TCSEC 1983 MAC c 2012 Information Processing Society of Japan 2143

15 6.1.2 AppArmor TOMOYO Linux AppArmor MAC (i) TOMOYO Linux AppArmor AppArmor AppArmor * 12 TOMOYO Linux AppArmor (ii) AppArmor TOMOYO Linux TOMOYO Linux AppArmor Web ( iii ) AppArmor TOMOYO Linux AppArmor TOMOYO Linux RBAC \ * November/ html.git \ Context-aware Access Control CAAC: Context-aware Access Control Baldauf A survey on context-aware systems [26] Context-aware system CAAC context Web context [27] CAAC context CAAC CAAC Salvia [28] Salvia 2 OS LAN ESSID 6.2 [29] (i) c 2012 Information Processing Society of Japan 2144

16 OS /bin/sh MAC (ii) Linux ( iii ) 6.3 execve() execve() Web Apache CGI Common Gateway Interface CGI execve() CGI mod_perl execve() Apache execve() CGI MAC 7. Linux TOMOYO Linux TOMOYO Linux MAC TOMOYO Linux c 2012 Information Processing Society of Japan 2145

17 TOMOYO Linux [1] TOMOYO Linux pp (2009). [2] Linux 4 TOMOYO Linux Vol.51, No.10, pp (2010). [3] Peterson, D.S., Bishop, M. and Pandey, R.: Flexible Containment Mechanism for Executing Untrsted Code, 11th USENIX Security Symposium, pp (2002). [4] Vol.20, No.4, pp (2003). [5] Goldberg, I., Wagner, D., Thomas, R. and Brewer, E.: A secure environment for untrusted helper applications confining the Wily Hacker, Proc. 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography-Volume 6, USENIX Association, p.1 (1996). [6] Barth, A., Jackson, C., Reis, C. and Team, T.: The security architecture of the Chromium browser (2008). [7] Loscocco, P.A., Smalley, S.D., Muckerbauer, P.A., Taylor, R.C., Turner, S.J. and Farrell, J.F.: The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, 21st National Information Systems Security Conference, Vol.10, No.2, pp (1989). [8] Bishop, M.: Computer Security: Art and Science (2003). [9] Tcsec, D.: Trusted computer system evaluation criteria, DoD STD, Vol.83 (1983). [10] Loscocco, N.P.: Integrating flexible support for security policies into the Linux operating system, Proc. FREENIX Track 2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, Massachusetts, USA, Citeseer, p.29 (2001). [11] Loscocco, P.A. and Smalley, S.D.: Meeting Critical Security Objectives with Security-Enhanced Linux, Ottawa Linux Symposium (2001). [12] Smalley, S.: Configuring the SELinux policy, NAI Laboratories (2005). [13] Schaufler, C.: Smack in embedded computing, Proc. 10th Linux Symposium (2008). [14] Cowan, C., Beattie, S., Kroah-Hartman, G., Pu, C., Wagle, P. and Gligor, V.: Subdomain: Parsimonious server security, Proc. 14th USENIX Conference on System Administration, USENIX Association, pp (2000). [15] Winter, J.: Trusted computing building blocks for embedded linux-based ARM trustzone platforms, Proc. 3rd ACM Workshop on Scalable Trusted Computing, ACM, pp (2008). [16] Watson, R., Anderson, J., Laurie, B. and Kennaway, K.: Capsicum: practical capabilities for UNIX, USENIX Security (2010). [17] Ken, W.: Buffer Overflow Attacks and Their Countermeasures., Vol.19, No.1, pp (online), available from naid/ /en/ (accessed ). [18] Sandhu, R. and Samarati, P.: Access control: principle and practice, Communications Magazine, IEEE, Vol.32, No.9, pp (1994). [19] / SysGuard Vol.43, No.6, pp (2002). [20] Wright, C., Cowan, C., Smalley, S., Morris, J. and Kroah-Hartman, G.: Linux security modules: General security support for the Linux kernel (2003). [21] Sandhu, R., Coyne, E., Feinstein, H. and Youman, C.: Role-based access control models, Computer, Vol.29, No.2, pp (1996). [22] OS Vol.11, pp (2005) naid/ /. [23] (2003). [24] McVoy, L. and Staelin, C.: lmbench: Portable tools for performance analysis, Proc annual conference on USENIX Annual Technical Conference, Usenix Association, pp (1996). [25] LSM OS D Vol.J92-D, No.7, pp (2009). [26] Baldauf, M., Dustdar, S. and Rosenberg, F.: A survey on context-aware systems, International Journal of Ad Hoc and Ubiquitous Computing, Vol.2, No.4, pp (2007). [27] Truong, H. and Dustdar, S.: A survey on context-aware web service systems, International Journal of Web Information Systems, Vol.5, No.1, pp.5 31 (2009). [28] Suzuki, K., Ichiyanagi, Y., Mouri, K. and Okubo, E.: An Adaptive Data Protection Method based on Contexts of Data Access in Privacy-Aware Operating System Salvia (Operating System), Vol.47, No.3, pp.1 15 (online), available from (accessed ). [29] Vol.21, No.6, pp (2004). c 2012 Information Processing Society of Japan 2146

18 IEEE ACM 2001 NTT 2003 Linux IEEE ISS Parallel Inference Engine IEEE c 2012 Information Processing Society of Japan 2147

[5] Web HTTP [6] [7] 2 3 4 Linux OS TOMOYO Linux 5 6 7 2. OS 2.1 (DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identi

[5] Web HTTP [6] [7] 2 3 4 Linux OS TOMOYO Linux 5 6 7 2. OS 2.1 (DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identi 1,2,a) 3,b) 1,c) 1,d) 2011 12 2, 2012 6 4 Linux TOMOYO Linux[1][2] Mandatory Access Control Method Based on Application Execution State Toshiharu Harada 1,2,a) Tetsuo Handa 3,b) Masaki Hashimoto 1,c) Hidehiko