
Mandatory Access Control Method Based on Application Execution State

Toshiharu Harada 1,2,a)  Tetsuo Handa 3,b)  Masaki Hashimoto 1,c)  Hidehiko Tanaka 1,d)

Received: December 2, 2011, Accepted: June 4, 2012

Abstract: Existing access control methods grant access requests based on the combinations of applications as subjects and files as objects. Therefore the intents of applications and the possible effects caused by granting the access requests have not been taken into consideration. In this paper, we propose a new access control method based on application history and intents. With our access control method, system administrators can reduce the risks caused by malicious access attempts and wrong operations. The concept and implementation design are explained, together with a brief evaluation report of TOMOYO Linux, our implementation of the new access control method for Linux.

1.
Linux TOMOYO Linux [1][2] [3][4]

1 INSTITUTE of INFORMATION SECURITY
2 NTT DATA CORPORATION
3 NTT DATA INTELLILINK CORPORATION
a) dgs085101@iisec.ac.jp
b) penguin-kernel@i-love.sakura.ne.jp
c) hashimoto@iisec.ac.jp
d) tanaka@iisec.ac.jp

© 2012 Information Processing Society of Japan

[5] Web HTTP [6] [7] 2 3 4 Linux OS TOMOYO Linux 5 6 7

2.
OS

2.1
(DAC: Discretionary Access Control) (MAC: Mandatory Access Control) 2 [8] DAC (identity-based access control) MAC MAC (rule-based access control) MAC 1983 TCSEC (Trusted Computer System Evaluation Criteria) [9] MAC (Labeled Security) TCSEC MAC MAC 2006 MAC (pathname-based MAC) *1 Linux SELinux [10][11][12], SMACK [13], TOMOYO Linux, AppArmor [14] 4 MAC SELinux SMACK MAC TOMOYO Linux AppArmor MAC Subject Object

*1 http://lwn.net/articles/277833/

OS Linux execve OS MAC Linux seccomp [15], FreeBSD Capsicum [16] seccomp prctl(PR_SET_SECCOMP, 1); read(), write(), exit(), sigreturn() 4 seccomp Capsicum seccomp Capsicum

2.2
DAC DAC [17] MAC DAC MAC MAC Web Apache .htaccess Web index.txt MAC .htaccess index.txt Web Apache *2 SSH /usr/sbin/sshd -o Banner /etc/shadow /etc/shadow MAC Apache sshd

2.3
2.2

*2 Fedora 15 /var/www/html.htaccess

SSH ( i ) ( ii ) ( iii ) (i)(ii)

3.
2

3.1
Linux SSH Web Apache CGI 1 Linux Fedora 15 *3 3 /bin/bash 1 3 /sbin/init Linux /bin/bash 3 1 /etc/rc.d/init.d/sshd sshd /bin/bash 2 /sbin/agetty /bin/login /bin/bash 3 2 /bin/bash su (switch user) /bin/bash Linux 3 /bin/bash SSH

3.2

*3

Table 1 Examples of Program Execution History (Linux).

  1  SSH bash   /sbin/init -> /etc/rc.d/init.d/sshd -> /usr/sbin/sshd -> /usr/sbin/sshd -> /bin/bash
  2  bash       /sbin/init -> /sbin/agetty -> /bin/login -> /bin/bash
  3  su bash    /sbin/init -> /sbin/agetty -> /bin/login -> /bin/bash -> /bin/su -> /bin/bash

/etc/nologin, .htaccess MAC MAC

4.
Linux TOMOYO Linux TOMOYO Linux Linux MAC TOMOYO Linux Linux TOMOYO Linux 1.8.3 TOMOYO Linux SourceForge.jp *4 Linux 2.6.30 TOMOYO Linux

4.1
Linux id

4.1.1
TOMOYO Linux 1 /bin/bash

*4 http://tomoyo.sourceforge.jp/

Linux 1 Linux /bin/bash /bin/date Linux UNIX OS fork() execve() 1 /bin/bash fork() execve() /bin/date /bin/date /bin/bash execve()

4.1.2
TOMOYO Linux TOMOYO Linux <kernel> <kernel> <kernel> Linux /sbin/init <kernel> /sbin/init /bin/bash <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash TOMOYO Linux 2 Fedora 15 TOMOYO Linux

4.2
Linux i

4.3
MAC [18][19] 2.6 Linux Linux Security Modules [20] LSM LSM

Fig. 1 Defining Program Execution History.

Fig. 2 Domain Transition Example (Fedora 15).

LSM LSM TOMOYO Linux LSM

4.4
TOMOYO Linux TOMOYO Linux file rename, execute /tmp ID Web TOMOYO Linux 2 TOMOYO Linux 2 file rename 2 TOMOYO Linux Web *5

Table 2 TOMOYO Linux wild card patterns (descriptions as in the TOMOYO 1.8 policy specification, footnote *5).

  \*         zero or more characters other than "/"
  \@         zero or more characters other than "/" or "."
  \?         one character other than "/"
  \$         one or more decimal digits
  \+         one decimal digit
  \X         one or more hexadecimal digits
  \x         one hexadecimal digit
  \A         one or more alphabetic characters
  \a         one alphabetic character
  \-         subtraction operator
  /\{dir\}/  "/" followed by one or more repetitions of "dir/"

4.4.1
TOMOYO Linux <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd /usr/bin/passwd <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd /usr/bin/passwd TOMOYO Linux 3 1 /sbin/init /sbin/agetty /bin/login /bin/bash passwd 3 /usr/bin/passwd exec.argv[0] passwd exec.argv[] exec.argc=1 TOMOYO Linux

*5 http://tomoyo.sourceforge.jp/1.8/policy-specification/index.html

Fig. 3 Policy of /bin/bash Domain.

   1  <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash
   2
   3  file execute /usr/bin/passwd exec.realpath="/usr/bin/passwd" exec.argv[0]="passwd"
   4  file read/write /dev/tty
   5  file read /etc/passwd
   6  file read /etc/profile
   7  file read /home/harada/.bash_profile
   8  file read /home/harada/.bashrc
   9  file read /etc/bashrc
  10  file write /dev/null

/usr/bin/passwd 4 10 /bin/bash 4 3 /usr/bin/passwd /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd passwd /etc/shadow /etc/nshadow /etc/shadow 7 9 10 ID ID MAC

4.4.2
( i )
  file rename /etc/mtab.tmp /etc/mtab
  file create /var/lock/subsys/crond 0644
  file chmod /dev/mem 0644
  file execute /bin/ls
( ii ) = / !=
  file symlink /dev/cdrom symlink.target="hdc"
  file execute /bin/bash task.uid=500-1000
  file read /tmp/file001.tmp task.uid=path1.uid
  file execute /usr/bin/ssh exec.realpath="/usr/bin/ssh" exec.argv[0]="ssh"
  file execute /bin/bash exec.realpath="/bin/bash" exec.argv[0]="-bash" task.uid!=0 task.euid!=0
hdc /dev/cdrom ID 500 1000 /bin/bash ID /tmp/file001.tmp ID ssh /usr/bin/ssh /usr/bin/ssh -bash /bin/bash ID ID 0 root /bin/bash

4.5
TOMOYO Linux

4.5.1
/etc/ccs/domain_policy.conf

Fig. 4 Policy of /usr/bin/passwd Domain.

   1  <kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd
   2
   3  file read /etc/passwd
   4  file read /etc/shadow
   5  file write /etc/.pwd.lock
   6  file read /dev/urandom
   7  file create /etc/nshadow 0666
   8  file write /etc/nshadow
   9  file chown/chgrp /etc/nshadow 0
  10  file chmod /etc/nshadow 00
  11  file rename /etc/nshadow /etc/shadow

root emacs TOMOYO Linux emacs / TOMOYO Linux CUI (Character User Interface) 2 TOMOYO Linux Web *6

4.5.2
TOMOYO Linux *7 TOMOYO Linux disabled, learning, permissive, enforcing 4 3 TOMOYO Linux

Table 3 TOMOYO Linux mode.

  disabled
  learning
  permissive
  enforcing

( i ) learning ( ii ) ( iii ) permissive ( iv ) enforcing enforcing

*6 http://tomoyo.sourceforge.jp/1.8/man-pages/index.html
*7 http://tomoyo.sourceforge.jp/about.html
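As an added example (not the paper's code and not the TOMOYO kernel implementation), a small Python model of the domain policy of Figs. 3 and 4: a domain is the execution history, a permitted execve appends the executed path to it, and every request is checked only against that domain's entries and their exec.*/task.* conditions, so the bash domain cannot read /etc/shadow while its child passwd domain can. The policy text is transcribed from the two figures; the Table 2 wildcard patterns are left out by assumption.

```python
import re
# Constructed policy excerpt, transcribed from the paper's Fig. 3 (bash domain)
# and Fig. 4 (passwd domain). Table 2 wildcards are deliberately not supported.
DOMAIN_POLICY = """\
<kernel> /sbin/init /sbin/agetty /bin/login /bin/bash
file execute /usr/bin/passwd exec.realpath="/usr/bin/passwd" exec.argv[0]="passwd"
file read/write /dev/tty
file read /etc/passwd
file write /dev/null
<kernel> /sbin/init /sbin/agetty /bin/login /bin/bash /usr/bin/passwd
file read /etc/passwd
file read /etc/shadow
file create /etc/nshadow 0666
file rename /etc/nshadow /etc/shadow
"""
# A condition token: variable name, then = or !=, then a value (quotes optional).
COND_RE = re.compile(r'^([a-z0-9_]+(?:\.[a-z0-9_]+)?(?:\[\d+\])?)(!=|=)"?([^"]*)"?$')

def parse_policy(text):
    """Map each domain (an execution history) to its list of ACL entries."""
    policy, domain = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("<kernel>"):           # domain header line
            domain = line.strip()
            policy[domain] = []
            continue
        _, op, *rest = line.split()               # "file <op> <operands> [conds]"
        operands, conds = [], []
        for tok in rest:
            m = COND_RE.match(tok)
            (conds if m else operands).append(m.groups() if m else tok)
        policy[domain].append((op.split("/"), operands, conds))
    return policy

def cond_holds(ctx, name, rel, want):
    """Evaluate one condition against the request context (task.*, exec.*)."""
    have = str(ctx.get(name, ""))
    rng = re.fullmatch(r"(\d+)-(\d+)", want)       # numeric range lo-hi
    if rng:
        lo, hi = map(int, rng.groups())
        match = have.isdigit() and lo <= int(have) <= hi
    else:
        match = have == want
    return match if rel == "=" else not match

def check(policy, domain, op, operands, ctx=None):
    """True if `domain` holds an entry granting `op` on `operands` under `ctx`."""
    ctx = ctx or {}
    for ops, acl_operands, conds in policy.get(domain, []):
        if op in ops and acl_operands == list(operands) and all(
                cond_holds(ctx, *c) for c in conds):
            return True
    return False                                  # default deny (enforcing mode)

def execve(policy, domain, path, ctx):
    """Domain transition: a permitted execve appends `path` to the history."""
    if not check(policy, domain, "execute", [path], ctx):
        raise PermissionError(f"{domain} may not execute {path}")
    return f"{domain} {path}"
```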

Web 2

4.5.3
enforcing TOMOYO Linux TOMOYO Linux OS /etc/ccs/domain_policy.conf MAC TOMOYO Linux MAC MAC MAC

5.
TOMOYO Linux

5.1
( i ) ( ii ) MAC ( iii ) MAC SELinux 4 ( iv ) Role-Based Access Control Role-Based Access Control Model [21] (RBAC) Identity-Based Access Control Model 3 /bin/su /bin/su [22] ID ID root Linux/UNIX root ID ID

5.2
MAC SELinux 2007 TOMOYO Linux

5.2.1
SELinux Web [23]. SELinux *8

5.2.2
2007 NPO OS WG OS Web TOMOYO Linux Apache Web Web CGI CGI Apache TOMOYO Linux Linux *8 *9 *10

5.3
TOMOYO Linux

5.3.1
UNIX LMBench [24] LMBench OS TOMOYO Linux TOMOYO Linux TOMOYO Linux LMBench LMBench 4 LMBench Web *11 TOMOYO Linux 5 TOMOYO Linux 6 5, 6

Columns of Tables 5 and 6:
  Func.     LMBench function
  Base      without TOMOYO Linux (µsec)
  TOMOYO    with TOMOYO Linux MAC (µsec)
  Diff      TOMOYO - Base (µsec)
  Overhead  (TOMOYO - Base) / Base * 100 (%)

Overhead 100 TOMOYO Linux 100% 2 5 TOMOYO Linux ±5% TOMOYO Linux LMBench

*9 http://www.jnsa.org/result/2007/tech/secos/
*10
*11 http://www.bitmover.com/lmbench/

Table 5 Result of LMBench (not hooked).

  Func.                         Base (µsec)  TOMOYO (µsec)  Diff (µsec)  Overhead (%)
  null syscall                      0.274        0.269         0.0         -1.82
  null I/O                          0.4365       0.418         0.0         -4.24
  Select on 100 tcp fd's            7.0815       7.1455        0.1          0.90
  Signal handler installation       0.552        0.56          0.0          1.45
  2p/0K ctxsw                      10.97        10.665        -0.3         -2.78
  2p/16K ctxsw                     11.26        11.07         -0.2         -1.69
  2p/64K ctxsw                     14.21        14.39          0.2          1.27
  8p/16K ctxsw                     12.22        11.755        -0.5         -3.81
  8p/64K ctxsw                     14.035       14.095         0.1          0.43
  16p/16K ctxsw                    12.185       12.04         -0.1         -1.19
  16p/64K ctxsw                    14.135       14.225         0.1          0.64
  Pipe                             38.3         36.73         -1.6         -4.10
  AF UNIX                          24.47        24.28         -0.2         -0.78
  Mmap                           2341.55      2375.1          33.5          1.43
  Page Fault                        2.52829      2.58089       0.1          2.08
  Select on 100 fd's                3.254        3.35045       0.1          2.96

Table 6 Result of LMBench (hooked by TOMOYO).

  Func.                         Base (µsec)  TOMOYO (µsec)  Diff (µsec)  Overhead (%)
  Simple stat                       3.12         7.1145        4.0        128.03
  Simple open/close                 5.037        9.5065        4.5         88.73
  Signal handler overhead           3.8015       5.961         2.2         56.81
  Process fork+exit               300.35       301.7           1.3          0.45
  Process fork+execve            1001.95      1062.55         60.6          6.05
  Process fork+/bin/sh -c        2226.1       2551.2         325.1         14.60
  UDP                              54.65        69.91         15.3         27.92
  RPC/UDP                          61.565       80.615        19.1         30.94
  TCP                              58.04        57.3          -0.7         -1.27
  RPC/TCP                          72.64        71.36         -1.3         -1.76
  TCP/IP connection cost           65.8         72.4           6.6         10.03
  0K File Create                   25.32        41.035        15.7         62.07
  0K File Delete                   19.865       27.795         7.9         39.92
  10K File Create                  80.9         95.855        15.0         18.49
  10K File Delete                  41.075       50.33          9.3         22.53

Table 4 Benchmark Environment.

  CPU             Core 2 Duo T7200 2.0GHz
  Memory          2GB
  OS              Ubuntu 10.04 x86_64
  Kernel          2.6.32-39.86
  TOMOYO Linux    1.8.3p5
  Benchmark tool  LMBench 3.0-a9

6 stat, open/close, signal handler 50% 0K File Create 60% 10K File Create 18.49% 10KB write TOMOYO fork fork exec 5% fork+/bin/sh -c /bin/sh exec exec 2 LSM MAC OS LSM Performance Monitor (LSMPMON) [25] LSMPMON

5.3.2
execve 2 2 100000 /tmp/reexec /tmp/reexec 5

Fig. 5 Performance delay due to domain number increase. (x axis: number of domains, log scale, 1 to 100000; y axis: delay in microseconds, 0 to 0.4; data file "bench1.dat")

2 TOMOYO Linux TOMOYO Linux 0.00362µsec 5 10000 1 100000 /dev/null 10000 open /dev/null open 6 1 TOMOYO Linux TOMOYO Linux 0.0032µsec 6 10000 2005 Linux TOMOYO Linux 2000

Fig. 6 Performance delay due to ACL number increase. (x axis: number of acl definitions, log scale, 1 to 100000; y axis: delay in microseconds, 0 to 1.6; data file "bench2.dat")

5 6

6.
6.1
6.1.1
MAC ( i ) MAC MAC MAC ( ii ) DAC ( iii ) TCSEC 1983 MAC

6.1.2
AppArmor TOMOYO Linux 2005 11 AppArmor 2006 1 MAC ( i ) TOMOYO Linux AppArmor AppArmor 2011 11 AppArmor *12 TOMOYO Linux AppArmor ( ii ) AppArmor TOMOYO Linux TOMOYO Linux AppArmor Web ( iii ) AppArmor TOMOYO Linux AppArmor TOMOYO Linux RBAC \ .git \-

6.1.3
Context-aware Access Control (CAAC: Context-aware Access Control). Matthias Baldauf A survey on context-aware systems [26] Context-aware system CAAC context Web context [27] CAAC context CAAC CAAC Salvia [28] Salvia 2 OS LAN (ESSID)

6.2
[29] ( i ) OS /bin/sh MAC ( ii ) Linux ( iii )

6.3
execve() execve()

*12 https://lists.ubuntu.com/archives/apparmor/2011-November/001668.html

Web Apache CGI (Common Gateway Interface) CGI execve() CGI mod_perl execve() Apache execve() CGI MAC

7.
Linux TOMOYO Linux TOMOYO Linux MAC TOMOYO Linux TOMOYO Linux 2011 8

References
[1] TOMOYO Linux, pp. 101-110 (2009).
[2] Linux: 4 TOMOYO Linux, Vol. 51, No. 10, pp. 1276-1283 (2010).
[3] Peterson, D. S., Bishop, M. and Pandey, R.: Flexible Containment Mechanism for Executing Untrusted Code, 11th USENIX Security Symposium, pp. 207-225 (2002).
[4] Vol. 20, No. 4, pp. 55-72 (2003).
[5] Goldberg, I., Wagner, D., Thomas, R. and Brewer, E.: A secure environment for untrusted helper applications: confining the Wily Hacker, Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography, Volume 6, USENIX Association, pp. 1-1 (1996).
[6] Barth, A., Jackson, C., Reis, C. and Team, T.: The security architecture of the Chromium browser (2008).
[7] Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J. and Farrell, J. F.: The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, 21st National Information Systems Security Conference, Vol. 10, No. 2, pp. 303-314 (1989).
[8] Bishop, M.: Computer Security: Art and Science (2003).
[9] Tcsec, D.: Trusted computer system evaluation criteria, DoD 5200.28-STD, Vol. 83 (1983).
[10] Peter Loscocco, N.: Integrating flexible support for security policies into the Linux operating system, Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, Massachusetts, USA, Citeseer, p. 29 (2001).
[11] Loscocco, P. A. and Smalley, S. D.: Meeting Critical Security Objectives with Security-Enhanced Linux, Ottawa Linux Symposium (2001).
[12] Smalley, S.: Configuring the SELinux policy, NAI Laboratories (2005).
[13] Schaufler, C.: Smack in embedded computing, Proceedings of the 10th Linux Symposium (2008).
[14] Cowan, C., Beattie, S., Kroah-Hartman, G., Pu, C., Wagle, P. and Gligor, V.: SubDomain: Parsimonious server security, Proceedings of the 14th USENIX Conference on System Administration, USENIX Association, pp. 355-368 (2000).
[15] Winter, J.: Trusted computing building blocks for embedded Linux-based ARM TrustZone platforms, Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing, ACM, pp. 21-30 (2008).
[16] Watson, R., Anderson, J., Laurie, B. and Kennaway, K.: Capsicum: practical capabilities for UNIX, USENIX Security (2010).
[17] Ken, W.: Buffer Overflow Attacks and Their Countermeasures, Vol. 19, No. 1, pp. 49-63 (online), available from http://ci.nii.ac.jp/naid/110003744115/en/ (2002-01-15).
[18] Sandhu, R. and Samarati, P.: Access control: principle and practice, IEEE Communications Magazine, Vol. 32, No. 9, pp. 40-48 (1994).
[19] / SysGuard, Vol. 43, No. 6, pp. 1690-1701 (2002).
[20] Wright, C., Cowan, C., Smalley, S., Morris, J. and Kroah-Hartman, G.: Linux security modules: General security support for the Linux kernel (2003).
[21] Sandhu, R., Coyne, E., Feinstein, H. and Youman, C.: Role-based access control models, Computer, Vol. 29, No. 2, pp. 38-47 (1996).
[22] OS, Vol. 11, pp. 93-102, http://ci.nii.ac.jp/naid/110007117435/ (2005).
[23] (2003).
[24] McVoy, L. and Staelin, C.: lmbench: Portable tools for performance analysis, Proceedings of the 1996 USENIX Annual Technical Conference, USENIX Association, pp. 23-23 (1996).
[25] LSM OS, D, Vol. J92-D, No. 7, pp. 963-974 (2009).
[26] Baldauf, M., Dustdar, S. and Rosenberg, F.: A survey on context-aware systems, International Journal of Ad Hoc and Ubiquitous Computing, Vol. 2, No. 4, pp. 263-277 (2007).
[27] Truong, H. and Dustdar, S.: A survey on context-aware web service systems, International Journal of Web Information Systems, Vol. 5, No. 1, pp. 5-31 (2009).
[28] KAZUHISA, S., YOSHIMI, I., KOICHI, M. and EIJI, O.: An Adaptive Data Protection Method based on Contexts of Data Access in Privacy-Aware Operating System Salvia (Operating System), Vol. 47, No. 3, pp. 1-15 (online), available from http://ci.nii.ac.jp/naid/110004708857/en/ (2006-03-15).
[29] Vol. 21, No. 6, pp. 482-493 (2004).