Mandatory Access Control for Carrier-Grade Linux Clusters (as part - - PowerPoint PPT Presentation



SLIDE 1

Rev PA1 2002-05-22 1

Ericsson Canada

Mandatory Access Control for Carrier-Grade Linux Clusters

(as part of the DSI project)

Miroslaw.Zakrzewski@Ericsson.ca Ericsson Research Canada Open System Lab Montréal – Canada http://www.risq.ericsson.ca

SLIDE 2

The purpose of the presentation is to explain the ongoing implementation of a Distributed Security Module that provides Mandatory Access Control within a Linux Cluster.

SLIDE 3

Outline

  • Introduction
  • DSI Characteristics
  • Access Control - General Architecture
  • Distributed Security Module
  • Security Distribution in DSM
  • Demo Architecture (Local and Remote Access)
  • Challenges
SLIDE 4

Introduction (1/5)

Figure: a Subject issues an Access Request for a Resource; Access Control answers with Decision = function(Subject, Resource).

SLIDE 5

Introduction (2/5)

  • Discretionary Access Control
    – Ordinary users are involved in the security policy definition
    – Access decisions are based on user identity and ownership
    – Two categories of users:
      – completely trusted administrators (root)
      – completely untrusted ordinary users

SLIDE 6

Introduction (3/5)

  • Mandatory Access Control
    – Policy definition and assignment of security attributes are controlled by a system security administrator
    – Access decisions are based on labels that contain a variety of security-relevant information (every subject and object in the system is labelled)

SLIDE 7

Introduction (4/5)

  • Cluster: a collection of interconnected stand-alone computers working together to solve a problem as a single computing entity

SLIDE 8

Introduction (5/5)

  • Access Control and Clusters

Figure: a CLUSTER of Nodes, each hosting subjects (S) and resources (R); a subject on one node may access a resource on another.
SLIDE 9

Cluster Access Types

  • Cluster Local Access
    – subject and resource on the same node inside the cluster
  • Cluster Remote Access
    – subject and resource on different nodes inside the cluster
  • Cluster Outside Access
    – subject inside the cluster, resource outside the cluster
    – subject outside the cluster, resource inside the cluster
  • No Cluster Access
    – both subject and resource outside the cluster

SLIDE 10

DSI Characteristics

(please see paper on DSI)

  • Process Level Approach
    – Controlling a single process
  • Pre-emptive Security
    – Run-time changes of security attributes
    – Security can be modified without stopping the system
  • Minimal Impact
    – Performance
    – Transparency
  • Distributed
    – Clusters

SLIDE 11

Access Control – General Architecture (1/2)

Figure: a Security Server serves the nodes SnID1, SnID2, ... SnIDx. On a node, Subject 1 and Subject 2 (processes) access resources (a File and communication endpoints); every subject and resource carries a SID, and a message leaving the node carries the pair (SnID, SID).

SLIDE 12

Access Control – General Architecture (2/2)

Figure: in User Mode, the Security Manager (SM) reads the Distributed Security Policy (DSP), converts it to the DSP Internal Representation (DIR) and loads it into the kernel. In Kernel Mode, the LSM module DSIlsmACS.o performs Access Control on the path from the System Calls Interface to the objects a Process requests.

Legend: SM Security Manager; DSP Distributed Security Policy; LSM Linux Security Module; DIR DSP Internal Representation

SLIDE 13

Distributed Security Module

  • DSM is implemented in Kernel Space.
    – Performance
    – Transparency
  • DSM uses the LSM Framework (please see the paper on LSM).
    – Pre-emptive security
    – Process Level Approach
  • DSM uses IP Options.
    – Distribution

SLIDE 14

Linux Security Module Framework (LSM)

(Used by Distributed Security Module)

  • Patch to the Linux Kernel by WireX (based on the NSA prototype)
  • Security Hooks: points in the kernel that allow control of nearly every system operation
    – 140 hooks
    – 29 classes
  • Flexible:
    – Easy to add user-defined security implementations
  • Function pointers, in programming terms
SLIDE 15

LSM Installation for Kernel 2.4.17

http://lsm.immunix.org

Get the lsm-full-2002_01_15 patch for kernel 2.4.17, then:

gunzip lsm-full-2002_01_15-2.4.17.patch.gz
cd /usr/src/linux
patch -p1 < /home/lmcmzak/lsm-full-2002_01_15-2.4.17.patch

and rebuild the kernel.

SLIDE 16

LSM Framework

  • New Code
    – the security/ directory and include/linux/security.h
  • New Globals

struct security_operations *security_ops;      /* pointer to all security operations in the kernel */
struct security_operations dummy_security_ops; /* set of dummy functions */

SLIDE 17

LSM Framework

  • Functions to register and unregister security operations with the kernel

int register_security (struct security_operations *ops);
int unregister_security (struct security_operations *ops);
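The registration mechanism of slides 16 and 17 in a form that can be compiled and run in user space. This is an added example written for this page, not DSM's code and not the LSM patch itself: the hook set is reduced to two hooks (the 2.4 patch had about 140), the "strict" module is invented for illustration, and the error codes follow what the slides' globals and function signatures suggest.

```c
/* Added example, not DSM's or the LSM patch's code: a user-space model of the
 * registration mechanism the slides describe. The kernel calls hooks through
 * a global security_ops pointer that starts out at a set of permissive dummy
 * functions; register_security swaps in a module's table, unregister_security
 * restores the dummies. The two hooks and the "strict" module are chosen for
 * illustration only. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define MAY_WRITE 2     /* permission mask bits, as in <linux/fs.h> */
#define MAY_READ  4

struct security_operations {
    const char *name;
    int (*task_create)(unsigned long clone_flags);
    int (*inode_permission)(const char *path, int mask);
};

/* dummy hooks: allow everything, which is what an unmodified kernel does */
static int dummy_task_create(unsigned long clone_flags) { (void)clone_flags; return 0; }
static int dummy_inode_permission(const char *path, int mask) { (void)path; (void)mask; return 0; }

struct security_operations dummy_security_ops = { "dummy", dummy_task_create, dummy_inode_permission };
struct security_operations *security_ops = &dummy_security_ops;

/* only one primary module may be registered; hooks a module leaves NULL are
 * filled with the dummies so every call site can dereference unconditionally */
int register_security(struct security_operations *ops)
{
    if (security_ops != &dummy_security_ops) return -EAGAIN;
    if (!ops->task_create)      ops->task_create = dummy_task_create;
    if (!ops->inode_permission) ops->inode_permission = dummy_inode_permission;
    security_ops = ops;
    return 0;
}

int unregister_security(struct security_operations *ops)
{
    if (security_ops != ops) return -EINVAL;
    security_ops = &dummy_security_ops;
    return 0;
}

/* the kernel side of a hook: one indirect call at the check point */
int security_task_create(unsigned long clone_flags) { return security_ops->task_create(clone_flags); }
int security_inode_permission(const char *path, int mask) { return security_ops->inode_permission(path, mask); }

/* a minimal module: forbid writes under /etc, leave task creation to the dummy */
static int strict_inode_permission(const char *path, int mask)
{
    if ((mask & MAY_WRITE) && strncmp(path, "/etc/", 5) == 0) return -EACCES;
    return 0;
}
struct security_operations strict_ops = { "strict", NULL, strict_inode_permission };
```

The point the example makes is the one the slide calls "function pointers in terms of programming": a check point in the kernel costs one indirect call whether or not a module is loaded, and a module that only cares about some hooks still gets a complete table.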

SLIDE 18

Linux Access Control

Figure: Linux access control without LSM: a Subject (Process) in User Mode issues a System Call; the System Calls Interface in Kernel Mode decides on access to the Object (File).

SLIDE 19

Linux Access Control and LSM Framework

Figure: with the LSM framework, the System Calls Interface makes a Function Call into the loaded module (here the Dummy Module) before the Subject (Process) in User Mode is granted access to the Object (File) in Kernel Mode.

SLIDE 20

Linux Access Control and DSM

Figure: with DSM loaded, the System Calls Interface makes a Function Call into the Distributed Security Module, which decides

A = f(SSec, TSec, Class)

where SSec is the security label of the Subject (Process), TSec the label of the Object (File) and Class the kind of access requested.

SLIDE 21

Labels in DSM

  – Objects attached to Linux structures
  – Example: the task label (an object attached to the task structure struct task_struct in <linux/sched.h>)

struct task_struct {
    ...
    void *security;
    ...
};

SLIDE 22

Task Security Label Format in DSM

typedef struct {
    int sid;
    ...
    void *task;
} task_security_t;

SLIDE 23

Task Label in relation to task structure in DSM

Figure: struct task_struct sits in the task's 8 KB kernel stack block; its security pointer refers to a task_security_t, whose task field points back at the task_struct.

SLIDE 24

Task Label Attachment in DSM

  • All running tasks are labelled when the security module is loaded (sid is set to a default value)
  • After the security module is loaded, tasks are labelled using security hooks (a two-step process):
    – Fork: sid of the parent
    – Exec: sid can be modified based on the sid stored in the image (the SID is embedded in the ELF format)
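The two-step labelling just described, as an added user-space model written for this page (it is not DSM's code). It keeps a task_struct with a void *security pointer and a task_security_t with a back pointer, as on slides 21 to 23, and shows the three paths: labelling of tasks already running at module load, fork inheriting the parent's sid, and exec taking a sid from the image. The value of DEFAULT_SID, the size of the SID space (MAX_SID), the fixed-size task table and the exec_image descriptor standing in for the SID embedded in an ELF image are all assumptions made for the example.

```c
/* Added example, not DSM's code: a user-space model of DSM task labelling.
 * task_struct.security points at a task_security_t; tasks alive at module
 * load get a default sid, fork copies the parent's sid, and exec may replace
 * it with the sid carried by the image. DEFAULT_SID, MAX_SID, the static task
 * table and the exec_image descriptor are assumptions made for this example. */
#include <stddef.h>

#define DEFAULT_SID 1      /* assumed default for tasks labelled at module load */
#define MAX_SID     8      /* assumed size of the SID space */
#define NO_SID      (-1)
#define MAX_TASKS   16

struct task_struct {
    int   pid;
    void *security;        /* -> task_security_t, as on the slide */
};

typedef struct {
    int sid;
    struct task_struct *task;   /* back pointer from the label to its task */
} task_security_t;

/* hypothetical image descriptor; DSM reads the SID out of the ELF image itself */
struct exec_image {
    const char *name;
    int embedded_sid;      /* NO_SID when the image carries no label */
};

static struct task_struct tasks[MAX_TASKS];
static task_security_t    labels[MAX_TASKS];
static int                ntasks;

static struct task_struct *alloc_task(int pid)
{
    if (ntasks >= MAX_TASKS) return NULL;
    tasks[ntasks].pid = pid;
    tasks[ntasks].security = NULL;
    return &tasks[ntasks++];
}

static void attach_label(struct task_struct *t, int sid)
{
    task_security_t *l = &labels[t - tasks];
    l->sid = sid;
    l->task = t;
    t->security = l;
}

struct task_struct *dsm_find(int pid)
{
    for (int i = 0; i < ntasks; i++)
        if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}

int dsm_task_sid(const struct task_struct *t)
{
    return (t && t->security) ? ((const task_security_t *)t->security)->sid : NO_SID;
}

/* module load: every task already running gets the default label */
struct task_struct *dsm_boot_task(int pid)
{
    struct task_struct *t = alloc_task(pid);
    if (t) attach_label(t, DEFAULT_SID);
    return t;
}

/* fork hook: the child starts with the parent's sid */
struct task_struct *dsm_fork(struct task_struct *parent, int pid)
{
    if (!parent || !parent->security) return NULL;
    struct task_struct *child = alloc_task(pid);
    if (child) attach_label(child, dsm_task_sid(parent));
    return child;
}

/* exec hook: a labelled image changes the sid; an out-of-range label is refused
 * rather than silently clamped, since the label decides every later check */
int dsm_exec(struct task_struct *t, const struct exec_image *img)
{
    if (!t || !t->security) return -1;
    if (img->embedded_sid == NO_SID) return 0;          /* unlabelled image: keep the sid */
    if (img->embedded_sid < 0 || img->embedded_sid >= MAX_SID) return -1;
    ((task_security_t *)t->security)->sid = img->embedded_sid;
    return 0;
}
```

Note the order of the two steps: a process that execs a labelled image keeps that sid across later forks, so a server started from a labelled image hands its label to every worker it spawns, while a shell that execs an unlabelled binary keeps whatever label the shell had.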

SLIDE 25

Security System Calls in DSM

  • Set Node ID
  • Change Task SID
  • Set Policy
  • Check Alarms
SLIDE 26

Security Distribution

  • Security information transfer
    – IP level (first)
    – IP header modification
    – Kernel hooks for IP traffic handling
    – Security information (SID, SnID) transferred as an option in the IP header
    – Implementation based on the Selopt implementation for SELinux by James Morris
  • IP Options
    – Commercial Internet Protocol Security Option (CIPSO)
    – Federal Information Processing Standard (FIPS) 188

SLIDE 27

Security Distribution

  • Network Labels
    – Labels used when performing remote access (subject and resource on different nodes)
    – The Security Node ID (SnID) and Security ID (SID) of the subject are added to the IP message
    – On the receiving side these two values are extracted and used to build the Network Security ID (NSID): NSID = Function(SnID, SID)
    – The NSID is used as a local label for access control decisions

SLIDE 28

Security Distribution

  • Network Buffer Label
    – Socket Buffer (<linux/skbuff.h>): the object that contains network packets in the kernel

struct sk_buff {
    ...
    void *lsm_security;
    ...
};

SLIDE 29

Network Labels

  • sk_buff Security Label Format

typedef struct {
    int sid;
    ...
    struct sk_buff *sk_buff;
} sk_buff_security_t;

SLIDE 30

Network Labels

  • sk_buff Security Label Attachment (sending side)
    – The Security ID of the sk_buff is taken from the Security ID of the sending socket
    – The Security Node ID is set up by the security server and is global in the LSM module

SLIDE 31

Network Labels

  • Security Information in the Network Message
    – The message is modified at the IP layer (adding options)
    – The Security Node ID is taken from the LSM module and attached to the message
    – The Security ID is taken from the sk_buff Security Label and attached to the message

SLIDE 32

Network Labels

  • sk_buff Security Label Attachment (receiving side)
    – Extract the Security Node ID (SnID) and Security ID (SID) from the incoming message
    – Convert the (SnID, SID) pair to a Network Security ID (NSID, written NID on the original slide) based on the conversion table: NSID = Fun(SnID, SID)
    – The NSID is treated as a local label (local access control)
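The network-label path of slides 27 and 30 to 32, together with the local decision A = f(SSec, TSec, Class) of slide 20, as one added user-space model written for this page. It is not DSM's code and not the selopt patch DSM was based on. The sender appends an option carrying (SnID, SID) to an IPv4 option list; the receiver walks the option list, maps the pair to an NSID through a conversion table and asks the policy whether that NSID may reach the target socket. The option layout (one type byte, one length byte, two 16-bit big-endian fields), the option type number, the contents of the conversion table and the policy rules are all assumptions made for the example; the deck gives none of them. The parser checks every length byte against the buffer before trusting it, which is the check a practitioner would want given that slide 36 lists "buffer overflow" among the test results.

```c
/* Added example, not DSM's code and not the selopt patch it was based on: a
 * user-space model of the network-label path. The sender appends an IP option
 * carrying (SnID, SID); the receiver parses it with bounds checks, maps the
 * pair to an NSID through a conversion table and makes the local decision
 * A = f(SSec, TSec, Class). Option layout, option type number, conversion
 * table and policy rules are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>

#define DSM_OPT_TYPE  0x9e   /* assumed option number, chosen for the example */
#define DSM_OPT_LEN   6      /* type, length, SnID (2 bytes), SID (2 bytes) */
#define IP_MAX_OPTLEN 40     /* an IPv4 header carries at most 40 bytes of options */
#define NSID_UNKNOWN  0      /* pair not in the table: no rule will ever match it */

enum { CLASS_SOCKET = 1, CLASS_FILE = 2 };

/* sending side: append the option; returns the new option length or -1 */
int dsm_add_ip_option(uint8_t *opts, size_t optlen, uint16_t snid, uint16_t sid)
{
    if (optlen + DSM_OPT_LEN > IP_MAX_OPTLEN) return -1;
    opts[optlen + 0] = DSM_OPT_TYPE;
    opts[optlen + 1] = DSM_OPT_LEN;
    opts[optlen + 2] = (uint8_t)(snid >> 8); opts[optlen + 3] = (uint8_t)snid;
    opts[optlen + 4] = (uint8_t)(sid >> 8);  opts[optlen + 5] = (uint8_t)sid;
    return (int)(optlen + DSM_OPT_LEN);
}

/* receiving side: walk the option list. Every length byte is checked against
 * the buffer before it is used, because it comes from an untrusted packet.
 * Returns 0 with the pair filled in, 1 if no DSM option is present, -1 if malformed. */
int dsm_parse_ip_options(const uint8_t *opts, size_t optlen, uint16_t *snid, uint16_t *sid)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == 0) break;              /* IPOPT_END */
        if (type == 1) { i++; continue; }  /* IPOPT_NOOP has no length byte */
        if (i + 1 >= optlen) return -1;
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return -1;
        if (type == DSM_OPT_TYPE) {
            if (len != DSM_OPT_LEN) return -1;
            *snid = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
            *sid  = (uint16_t)((opts[i + 4] << 8) | opts[i + 5]);
            return 0;
        }
        i += len;
    }
    return 1;
}

/* conversion table NSID = Fun(SnID, SID); in DSM this comes from the policy loader */
struct nsid_entry { uint16_t snid, sid, nsid; };
static const struct nsid_entry nsid_table[] = {
    { 1, 3, 10 },   /* sid 3 on node 1 is known on this node as NSID 10 */
    { 1, 4, 11 },
    { 2, 3, 12 },
};

uint16_t dsm_nsid(uint16_t snid, uint16_t sid)
{
    for (size_t k = 0; k < sizeof nsid_table / sizeof nsid_table[0]; k++)
        if (nsid_table[k].snid == snid && nsid_table[k].sid == sid) return nsid_table[k].nsid;
    return NSID_UNKNOWN;
}

/* local decision A = f(SSec, TSec, Class): allow only what a rule permits */
struct policy_rule { uint16_t ssid, tsid; int cls; };
static const struct policy_rule policy[] = {
    { 10, 5, CLASS_SOCKET },   /* NSID 10 may reach a socket labelled 5 */
    { 12, 5, CLASS_SOCKET },
};

int dsm_access_allowed(uint16_t ssid, uint16_t tsid, int cls)
{
    for (size_t k = 0; k < sizeof policy / sizeof policy[0]; k++)
        if (policy[k].ssid == ssid && policy[k].tsid == tsid && policy[k].cls == cls) return 1;
    return 0;
}

/* receiving-side check point: unlabelled or malformed messages are denied */
int dsm_check_incoming(const uint8_t *opts, size_t optlen, uint16_t server_sid)
{
    uint16_t snid, sid;
    if (dsm_parse_ip_options(opts, optlen, &snid, &sid) != 0) return 0;
    return dsm_access_allowed(dsm_nsid(snid, sid), server_sid, CLASS_SOCKET);
}

/* the whole path on one host: the sender labels the message, the receiver decides */
int dsm_roundtrip(uint16_t snid, uint16_t sid, uint16_t server_sid)
{
    uint8_t opts[IP_MAX_OPTLEN] = { 1 };   /* a leading NOOP, as padded option lists have */
    int n = dsm_add_ip_option(opts, 1, snid, sid);
    return n < 0 ? 0 : dsm_check_incoming(opts, (size_t)n, server_sid);
}
```

Two design choices matter here. Unknown (SnID, SID) pairs map to NSID_UNKNOWN, which no rule names, so a message from a node or label the receiver has never been told about is denied rather than granted a default; and the receiver trusts nothing in the option except after bounds checks, since the label is carried in clear in the IP header (slide 39 lists "security information protection" as ongoing work, and until that exists a peer could forge the pair).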

SLIDE 33

Demo Architecture

Figure: two nodes, SnID1 and SnID2, each with its own Hardware, a Shell and resources (a Socket and a Device); the Client (HTTP Client) on one node accesses the Server (HTTP Server) on the other.

SLIDE 34

Remote Access Control - Demo (sending side)

Figure: on node SnIDx, three Shells (Process Start; SnID and Policy Loader; Alarm) and the Client (HTTP Client) each carry a SID. Security Check Points on the sending side: Process Create (resource: Inode) and Socket Create / Socket Connect / Socket Send (resources: Socket, sk_buff). The outgoing sk_buff carries the pair (SnIDx, SID).

SLIDE 35

Remote Access Control - Demo (receiving side)

Figure: on node SnIDy, the Server (HTTP Server) and the same three Shells (Process Start; SnID and Policy Loader; Alarm) each carry a SID. Security Check Points on the receiving side: Process Create (resource: Inode) and Socket Create / Socket Listen / Socket Accept (resource: Socket). The incoming sk_buff carries (SnIDx, SID); the check point decides based on SSID (the server socket's SID) and NSID, where NSID = Fun(SnIDx, SID).

SLIDE 36

Challenges: Performance testing

  • Test Types
    – UDP Local Access (Send Message)
    – UDP Remote Access (Loopback)
  • Results
    – Performance with IP packet modification
    – Performance without IP packet modification
    – Buffer overflow

SLIDE 37

Performance Test Results (1/2)

  • Performance with IP packet modification (all numbers are in microseconds)

Test                              Linux 2.4.17   Linux 2.4.17 with DSM   % Overhead
UDP Local Access (Send Message)   16.388         19.7                    +20%
UDP Remote Access (Loopback)      133.44         173.88                  +30%

SLIDE 38

Performance Test Results (2/2)

  • Performance without IP packet modification (all numbers are in microseconds)

Test                              Linux 2.4.17   Linux 2.4.17 with DSM   % Overhead
UDP Local Access (Send Message)   16.388         17.084                  +4.2%
UDP Remote Access (Loopback)      133.44         140.64                  +5.4%

SLIDE 39

Ongoing work

  • Performance optimization
  • Server resource access on behalf of a client
  • Security information protection
  • Security information transfer at lower levels of the protocol stack
  • Test the new cluster security against different types of attacks
  • Investigate the impact of the security information on resources outside the cluster

SLIDE 40

References

All references are available from the paper.

SLIDE 41

DEMO

SLIDE 42

Questions?

http://www.risq.ericsson.ca

Miroslaw Zakrzewski
Ericsson Research – Corporate Unit
Ericsson Canada Inc.
8400 Decarie Blvd
Town of Mount Royal, Quebec H4P 2N2
Phone: 1.514.345.7900 x6458
Fax: 1.514.345.6105
Email: Miroslaw.Zakrzewski@Ericsson.ca