Complete Mediation: Knowing Where to Hook 'em
Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA

Complete Mediation: Knowing Where to Hook 'em
Joshua Schiffman
Systems and Internet Infrastructure Security (SIIS) Laboratory, Page 1

Classic Question(s)
• What is a reference monitor?
• What guarantees does it provide?
  ‣ Tamper-proof
  ‣ Simple enough to verify
  ‣ Complete mediation
• What kind of policies can be enforced?

Protection
• What objects in an OS need protection?
  ‣ Data files
  ‣ Programs
  ‣ Devices
• How can we protect them?
  ‣ Who do we permit / allow

Security in Linux
• Linux Security Modules (LSM)
  ‣ Reference monitor (policy)
  ‣ Hooks (interface)
• Clean separation of policy and kernel code
  ‣ Modular
  ‣ Extensible
• What LSMs exist?

Hooks
• Hooks provide the upcalls to the security module
  ‣ Mediate authorization of sensitive operations
• We need complete mediation to be sure the reference monitor is not circumvented
• How can we be sure the hooks are everywhere we need them?

Verification
• Vali
  ‣ Path inconsistencies
• CQUAL
  ‣ Taint analysis
  ‣ Requires set of conceptual operations on resource
• Can we do better than verifying?

Automagic
• Hook placement is a largely manual process
  ‣ Verification tools show hooks are missing
• We would like to place these hooks automatically
  ‣ Correctly
  ‣ Completely
• Placement Criteria?
  ‣ Conceptual Operations
  ‣ Code that invokes those operations

Conceptual Operations
• Functions that query the policy DB before permitting security sensitive operations
• What are they?
  ‣ Encoded in the policy implementation (Hook functions)
  ‣ SELinux uses the Access Vector
  ‣ Form a Call Graph of hooks
• Recursion?
• What about arbitrary LSMs?

Kernel Analysis
• Where are the hooks needed?
  ‣ Where kernel functions perform Conceptual Operations
• How do we know what ops a function uses?
• Idioms
  ‣ Requires domain knowledge of the code
  ‣ Manual again…

Idioms
• How can we map the operation(s) to the functions?
• Try to minimize the false positives
  ‣ An iterative process
• False negatives rely on code experience
[Figure: diagram with the labels "Conceptual Operation", "False Positive", "False Negative"]

Limitations
• Other than Idioms?
• Finer granularity?
• Not all operations are analyzed
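The following is an added example, not code from the slides or from the Linux LSM framework: a toy user-space model in C of the mediation structure the Hooks, Conceptual Operations and Kernel Analysis slides describe. A hook table (`security_ops`) is the kernel's upcall interface into the security module; the module's policy is an access-vector bitmask indexed by subject and object labels; "kernel" entry points (`kern_read`, `kern_write`, `kern_truncate`) perform conceptual operations on an object. The entry-point table records, by hand, which conceptual operation each function performs (the "idiom" mapping), and `count_unmediated` drives every entry point as a subject the policy denies entirely, flagging any path that performs its operation without the corresponding hook firing. All names, labels and policy values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Conceptual operations a kernel function can perform on a protected object. */
enum op { OP_READ = 0, OP_WRITE, OP_EXEC, OP_COUNT };
/* Security labels carried by subjects and objects (constructed). */
enum label { LBL_GUEST = 0, LBL_USER, LBL_ADMIN, LBL_COUNT };

struct subject { const char *name; enum label label; };
struct object  { const char *name; enum label label; int data; };

/* Policy DB in the style of an access vector: for each (subject label, object label)
 * a bitmask of permitted ops. GUEST may do nothing; ADMIN may do everything. */
static const unsigned av[LBL_COUNT][LBL_COUNT] = {
    /* object label:   GUEST          USER                                ADMIN */
    [LBL_GUEST] = {    0,             0,                                  0 },
    [LBL_USER]  = {    1u << OP_READ, (1u << OP_READ) | (1u << OP_WRITE), 1u << OP_READ },
    [LBL_ADMIN] = {    7u,            7u,                                 7u },
};

/* Hook table: the kernel's upcall interface. The module fills it in; kernel code
 * never consults the policy DB directly. */
struct security_ops {
    int (*object_permission)(const struct subject *s, const struct object *o, enum op op);
};

/* The security module's hook function: 0 = allow, -1 = deny (EACCES). */
static int mod_object_permission(const struct subject *s, const struct object *o, enum op op)
{
    return (av[s->label][o->label] & (1u << op)) ? 0 : -1;
}
static struct security_ops security_ops = { mod_object_permission };

/* Instrumentation: how many times the hook fired per op since the last reset. */
static int hook_fired[OP_COUNT];

/* Kernel-side wrapper that every mediated entry point is supposed to call. */
static int security_object_permission(const struct subject *s, const struct object *o, enum op op)
{
    hook_fired[op]++;
    return security_ops.object_permission(s, o, op);
}

/* Kernel entry points that perform conceptual operations. */
int kern_read(const struct subject *s, const struct object *o, int *out)
{
    if (security_object_permission(s, o, OP_READ)) return -1;
    *out = o->data;
    return 0;
}
int kern_write(const struct subject *s, struct object *o, int v)
{
    if (security_object_permission(s, o, OP_WRITE)) return -1;
    o->data = v;
    return 0;
}
/* A second path that performs the WRITE operation (idiom: it stores to o->data)
 * but was never given a hook: the kind of gap the Verification slide is about. */
int kern_truncate(const struct subject *s, struct object *o)
{
    (void)s;
    o->data = 0;
    return 0;
}

/* Idiom mapping, written by hand: each entry point and the op it performs. */
typedef int (*probe_fn)(const struct subject *, struct object *);
static int probe_read(const struct subject *s, struct object *o) { int v; return kern_read(s, o, &v); }
static int probe_write(const struct subject *s, struct object *o) { return kern_write(s, o, 42); }
static int probe_truncate(const struct subject *s, struct object *o) { return kern_truncate(s, o); }
static const struct { const char *name; enum op performs; probe_fn call; } entry_points[] = {
    { "kern_read",     OP_READ,  probe_read },
    { "kern_write",    OP_WRITE, probe_write },
    { "kern_truncate", OP_WRITE, probe_truncate },
};

/* Mediation check: run every entry point as a fully denied subject against an
 * admin-labelled object. A mediated path fires the hook for the op it performs,
 * is refused, and leaves the object untouched; anything else is unmediated.
 * Returns the number of unmediated entry points. */
int count_unmediated(void)
{
    const struct subject guest = { "guest", LBL_GUEST };
    int unmediated = 0;
    for (size_t i = 0; i < sizeof entry_points / sizeof entry_points[0]; i++) {
        struct object o = { "secret", LBL_ADMIN, 7 };
        memset(hook_fired, 0, sizeof hook_fired);
        int rc = entry_points[i].call(&guest, &o);
        int hooked = hook_fired[entry_points[i].performs] > 0;
        if (!hooked || rc == 0 || o.data != 7) {
            printf("UNMEDIATED: %s performs op %d (hook fired=%d, rc=%d)\n",
                   entry_points[i].name, (int)entry_points[i].performs, hooked, rc);
            unmediated++;
        }
    }
    return unmediated;
}

int main(void)
{
    const struct subject alice = { "alice", LBL_USER };
    struct object doc = { "doc", LBL_USER, 1 };
    int v = 0;
    int rc = kern_read(&alice, &doc, &v);
    printf("alice read doc: rc=%d value=%d\n", rc, v);
    printf("alice write doc: rc=%d\n", kern_write(&alice, &doc, 5));
    printf("unmediated entry points: %d\n", count_unmediated());
    return 0;
}
```

The probe is a runtime check in the spirit of Vali rather than a static one: it only covers the entry points listed in the idiom table, so a function nobody mapped to a conceptual operation (a false negative, in the slides' terms) is never exercised. That is exactly why the slides note that false negatives depend on code experience, and why automatic placement needs the operation-to-code mapping first.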