Implementing Trusted Extensions Kevin Mayo

CTO

Global Government

Sun Microsystems

What is Solaris Trusted Extensions?

• An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects

• A set of additional software packages added to a standard Solaris 10 system.

• A set of label-aware services which implement multilevel security

• A secure design to meet the Government set of security standards

Digital Certificates Everywhere

Secure Execution*

User Rights Management

Process Rights Management

Cryptographic Framework

IPFilter

Kerberos Single Sign On

Secure By Default

Solaris 10 Security

Secure S10 Foundation

* Coming in future update

Network Protection • IP Filter firewall

> Sun supported stateful firewall

> Allows selective access to ports based on IP addr.

> Compatible/manageable like open source IPF

• TCP Wrappers

> Limit access to TCP/UDP service by domain name

• Limiting Networking Services

> Reduced Networking MetaCluster – Ultra small Solaris

> Generic Limited Networking Service Profile

> Will be enhanced in Solaris 10 update to include better 'out-of-the-box' security, full function desktop and no exposed network svcs

Cryptographic Framework

● Extensible cryptographic interfaces.

> A common kernel and user-land framework for providing and using cryptographic functionality.

> A common interface for cryptographic functions whether completed in hardware or software.

> Extensible framework for vendors to provide custom functionality.

● By default, supports major algorithms.

> Encryption: AES, RC4, DES, 3DES, RSA

> Hashing: MD5, SHA-1

> MAC: DES MAC, MD5 HMAC, SHA-1 HMAC

> Optimized for both SPARC, Intel and AMD

Remote Access and Auditing

• Solaris Secure Shell

> Standards-based encrypted remote access

• Kerberos Single Sign On

> Standards-based enterprise single sign on

> Optional encryption of NFSv3 and NFSv4 file shares

• IPSec/IKE

> Transparently encrypted communications

• Auditing of activities

> Audit records for all activities track users and roles

> Output in XML format for parsing and analyzing

> Centralized auditing and per-container audits

User Access and Rights

• User Rights Management

> Roles defined with specific commands and authorizations they can perform

> Users associated with roles. All audit logs record specific user and what role they were in at the time

> Roles and non-logins can be used for system services

• Password Management

> New password capabilities prevent easily guessed or re-used passwords and provide account lockout

> Pluggable Authentication Modules for expansion

Zones Example

• Highly secure

• Invisible to each other

• Very efficient

• No performance penalty

• Separated file systems

• 8,000 per OS instance

• Resource mgmt globally and per container

File Integrity and Secure Execution

• BART – Basic Audit and Reporting Tool

> Checksums compared periodically against known good list of files that customer generates

> Can be used with Sun-supplied Fingerprint Database

• Solaris Secure Execution*

> Almost all applications are signed in Solaris 10

> Sys-admins can manually verify them today

> Future update will verify integrity at load time

>Customers can sign their own files, or 3rd party

>Can customize EXACTLY which apps can be run on whole system, preventing ANY unauthorized app from running

Encrypted File Systems • Loopback-based

> One physical file on disk, contents encrypted

> Mounted as file system via loopback

> No application modification required

> Works with NFS & local file sharing

> Early update of Solaris 10

• ZFS Module for Encryption

> ZFS offers modular structure for enhancements

> Would encrypt a full ZFS file system on disk

> No application modification required

> All other aspects of management preserved

> Sometime after ZFS is released in Solaris update

Solaris 10 Privileges “contract_event” Request reliable delivery of events “contract_observer” Observe contract events for other users "cpc_cpu” Access to per-CPU perf counters "dtrace_kernel" DTrace kernel tracing "dtrace_proc" DTrace process-level tracing "dtrace_user" DTrace user-level tracing "file_chown" Change file's owner/group IDs "file_chown_self" Give away (chown) files "file_dac_execute" Override file's execute perms "file_dac_read" Override file's read perms "file_dac_search" Override dir's search perms "file_dac_write" Override (non-root) file's write perms "file_link_any" Create hard links to diff uid files "file_owner" Non-owner can do misc owner ops "file_setid" Set uid/gid (non-root) to diff id "ipc_dac_read" Override read on IPC, Shared Mem perms "ipc_dac_write" Override write on IPC, Shared Mem perms "ipc_owner" Override set perms/owner on IPC "net_icmpaccess" Send/Receive ICMP packets "net_privaddr" Bind to privilege port (<1023+extras) "net_rawaccess” Raw access to IP "proc_audit” Generate audit records "proc_chroot” Change root (chroot) "proc_clock_highres" Allow use of hi-res timers "proc_exec" Allow use of execve() "proc_fork" Allow use of fork*() calls "proc_info" Examine /proc of other processes

"proc_lock_memory" Lock pages in physical memory "proc_owner" See/modify other process states "proc_priocntl" Increase priority/sched class "proc_session" Signal/trace other session process "proc_setid" Set process UID "proc_taskid" Assign new task ID “proc_zone” Signal/trace processes in other zones “sys_acct” Manage accounting system (acct) “sys_admin System admin tasks (node/domain name) "sys_audit" Control audit system "sys_config" Manage swap "sys_devices" Override device restricts (exclusive) "sys_ipc_config" Increase IPC queue "sys_linkdir" Link/unlink directories "sys_mount" Filesystem admin (mount,quota) "sys_net_config" Config net interfaces,routes,stack "sys_nfs" Bind NFS ports and use syscalls "sys_res_config" Admin processor sets, res pools "sys_resource" Modify res limits (rlimit) "sys_suser_compat" 3rd party modules use of suser "sys_time" Change system time Interesting Some interesting privileges Basic Non-root privileges Removed Not available in Zones

Kerberos and Secure Shell ● Kerberos Enhancements

● MIT Kerberos 1.3.2 Refresh

● KDC Incremental Propagation

● Migration Tools

● Kerberized network clients (telnet, rcmds, etc.)

● Interoperability Fixes

● Secure Shell Enhancements

● OpenSSH 3.6p2 Refresh

● GSS-API Support

● Keyboard “Break” Sequence Support

● X11 Forwarding “on” by default

● ARCfour, AES CTR mode Encryption Support

● /etc/default/login Synchronization

● SSH2 Rekeying, Service Side Keepalives, etc...

Auditing

• Solaris Auditing > Updated to support output to SYSLOG

Oct 29 01:52:56 lennox audit: [ID 225229 audit.notice] su ok session 3285174027 by root as root:root from lennox text success for user sys

> Updated to support translation to XML (praudit -x) <record version="2" event="su" host="lennox" iso8601="2004-10-29 01:52:56.862 -04:00">

<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="234" sid="3285174027" tid="0 0 lennox"/>

<text>success for user sys</text>

<return errval="success" retval="0"/>

</record>

• What do I need to know? > SYSLOG is not a guaranteed protocol

> Subset of audited events can be sent via SYSLOG

> Using SYSLOG events can be sent off-host.

> Beta XML Audit Parser available (unsupported)

Access Management • Account Access

> Users versus Roles

>Leverage 'roles' for service and shared accounts!

> Non-Login versus Locked Accounts

>New passwd(1) options to manage

> Account Lockout (Global or per-User)

>“Three strikes” requires administrator to unlock.

• File system Object Access

> Unix Permissions and ACLs

>Same as previous Solaris releases

> New mount option - “noexec”

>Useful for file systems containing only data.

User Rights Management

• Decompose superuser into less powerful roles based on job requirements.

• Assign rights to roles; and roles to users.

• Audit user actions.

• In Solaris 8, 9, 10

• In Trusted Solaris & Trusted Extensions

• Centralized mgmt.

R R

U U U

Rights

S

User/Password Management

• Password Complexity Checks

> Login Name, White Space

> Minimum Alpha, Non-Alpha, Upper, Lower, (Consecutive) Repeats, Special, Digits, etc.

• Password History (0 – 26 passwords)

• Banned Password List (Dictionary)

• What do I need to understand?

> Complexity checks apply to everyone - but 'root'

> Password history is 'files' only.

> Password aging is 'files', NIS+ and LDAP only.

Solaris Secure Execution

• Verifies integrity of the executable portion of almost all applications, drivers, modules

• Customers can sign their own or 3rd party applications – no changes needed

• Manual verification in Solaris 10 03/05 > $ elfsign verify -e /usr/bin/login

> elfsign: verification of /usr/bin/login passed.

• Automatic run-time verification in update

> User selectable rules for checking

> Prevents modified or unsigned code from running

> Customized systems can now be signed and secured

Solaris System Auditing

• Audits all system events

• Records actual userid and what role and application issued which system calls, command line or data access

• Captures complete command line and environment variables for later analysis

• Audit compliance is required by Common Criteria Controlled Access Protection Profile

• Same audit system used in Solaris 8, 9, 10

> Solaris 9 & 10 offer XML output & selective filtering of system read-only activities

> Solaris 10 offers syslog channel for audit logs

Who Needs more?

The World is Changing!

What TX is NOT

• It is NOT Trusted Solaris 8 ported to Solaris 10

> It will NOT run Trusted Solaris 8 applications

• It is NOT a new operating system nor a new kernel

> Works with all Solaris patches

> Patches for TX added pkgs through normal patch site

• It does not have additional “commercial” security features over and about standard Solaris

• It is NOT limited to SPARC processors

> Runs on SPARC, x86, x64

• Closed and proprietary

Adds labeled security to Solaris 10

Multi-level networking, printing

Multi-level GUI

Leverages User & Process RM

Uses Containers

Compatible with all Solaris apps

Target of CAPP, RBACPP, LSPP @ EAL 4+

Trusted Extensions

Multi-Level Labeled Security

Trusted Extensions in a Nutshell

• Every object has a label associated with it

> Files, windows, printers, devices, network packets, network interfaces, processes, etc...

• Accessing or sharing data is controlled by the objects' label relationship to each other

> Lower label objects do not see higher label objects

• Administrators utilize Roles for duty separation

> Security admin, user admin, backup, restore, etc...

• Programs/processes are granted privileges rather than full superuser access

• Strong independent certification of security

Goals and Benefits

• Runs all Solaris applications

> It's still Solaris, with Containers

> It's still Solaris, just with extended security policy

> It's still Solaris, same kernel

> It's still Solaris, all Solaris patches work

• Runs all infrastructure software

> Backup, Web, middle-ware, dev tools, etc.

> Database, file systems, devices/drivers, etc.

• Preserve and transition

> CDE User interface, single and multi-level JDS/GNOME

> Solaris Mgmt. Cnsle with LDAP naming service

What are Label-Aware Services?

• Services which are trusted to protect multilevel information according to predefined policy

• Trusted Extensions Label-aware service include:

> Labeled Desktops

> Labeled Printing

> Labeled Networking

> Labeled Filesystems

> Label Configuration and Translation

> System Management Tools

> Device Allocation

Mandatory Access Control and Security Labels

Non-hierarchical Commercial

Hierarchy

• Users cleared at multiple security levels can work on them simultaneously

• Compartmentalization of information is possible with Security labels and MAC thus facilitating server virtualization

Solaris 10 or Trusted Extensions

Exec Mgmt

VP & above

Directors

All Employees

Trusted Extens.

Internet Top Secret

Secret

Confidential

Unclassified

Trusted Extens.

Government Hierarchy

Net Inc. Music Online

Daisy's Florists

Strong Enforcement!

Multilevel Architecture • Layered

architecture implements:

> mandatory access control

> hierarchical labels

> principle of least privilege

> trusted path

> role-based access

SPARC, x86 or x64 Hardware

Solaris Kernel

Multilevel Desktop Services

(Global Zone)

Local or Sun Ray display

Need-to-know

(local zone)

Internal Use (local zone)

Public (local zone)

Trusted Extensions Implementation

• Each zone has a label

> Labels are implied by process zone IDs

> Processes are isolated by label (and zone ID)

> Files in a zone assume that zone's label

• Global zone is unique

> Parent of all other zones

> Exempt from all labeling policies

>No user processes—just TCB

>Trusted path attribute is applied implicitly

> Provides services to other zones

• Common naming service to all zones

• Device allocation on a per-zone / per-label basis

Filesystem MAC policies • Labels derived from a filesystem owner's label

• Mount policy is always enforced

> No reading-up

> Read-write mounts require label equality in labeled zones

> Reading-down

> Read-only mounts require dominance by client

> Can be restricted via zone's limit set and network label range

> Writing-up

> Cannot write-up to regular files

> Limited write-up to label-aware services (via TCP and doors)

> Writing-down

> Restricted to privileged label-aware global zone services

NFS Support for Zones

• NFS clients:

> Each zone has its own automounter

> Kernel enforces MAC policy for NFS mounts

• NFS servers:

> Global zone administrators a share table per zone

> Kernel enforces MAC policy for NFS requests

• The global zone administrator can export filesystems from labeled zones

> Each export must be a single-level filesystem

> Zone's label automatically applied to each export

Networking: Option 1: Per-Zone IP addresses

• Each zone has a unique IP address

• Network Interface may be virtualized to share a single hardware NIC or use multiple NICs

Solaris Kernel

Multilevel Desktop Services

(Global Zone)

Need-to-know

Internal Use Public

1.2.3.10 1.2.4.10 1.2.5.10 1.2.6.10

Option 2: All-Zone IP addresses • All zones share

a single address

• Shared network Interface may be physical or logical

• Both per-zone and all-zone assignment strategies can be used concurrently

Solaris Kernel

Multilevel Desktop Services

(Global Zone)

Need-to-know

Internal Use Public

1.2.3.4 1.2.3.4 1.2.3.4 1.2.3.4

1.2.6.10

Multi-Level Desktop

• Trusted CDE standard

> Similar to Trusted Solaris 8

> Included in initial Common Criteria Evaluation

• Java Desktop System (GNOME)

> Single Level desktop

>Full accessibility requirements

>More modern look-and-feel to customers

> Multi-level desktop

>Included in initial release

>Test as part of the Common Criteria LSPP

Multilevel Session ● An authorized user can work at multiple sessions

concurrently.

● The user can be authorized to do cut-and-paste operations.

Security Policy Enforced

● System queries for upgrade/downgrade of information

● Seeing data isn't enough to allow you to change or move it

Trusted Java Desktop System

Trusted Java Desktop System Details Workplace switcher

Task switcher

Trusted stripe and Trusted Path menu

Trusted Extensions Privileges file_downgrade_sl file downgrade label file_upgrade_sl file upgrade label net_bindmlp bind to a multilevel port net_mac_aware required for NFS read-down sys_trans_label translate non-dominated labels win_colormap load custom pseudo-colors win_config set X server defaults win_dac_read read another user's X resources win_dac_write modify another user's X resources win_devices set keyboard and pointer policies win_dga write to framebuffer win_downgrade_sl downgrade label of X resources win_fontpath install custom fonts win_mac_read read hon-dominated X resources win_mac_write modify dominated X resources win_selection bypass trusted selection manager win_upgrade_sl upgrade label of X resources

The privilege limit set for zones will be configurable

Any of these privileges may be assigned to zones

Benefits of Trusted Extensions • Leveraging Solaris functionality:

> Process & User Rights Management, auditing, zones

> Make use of existing Solaris kernel enhancements

• Elimination of patch redundancy:

> All Solaris patches apply, hence available sooner

> No lag in hardware platform availability

• Extend Solaris Application Guarantee

• Full hardware and software support

> File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)

> Processors (SPARC, x86, AMD64)

> Infrastructure (Cluster, Grid, Directory, etc.)

Benefits?

Assurance + Mainstream Unix

What is Common Criteria EAL?

● CC Evaluation Assurance Levels (EAL)

● EAL1 Functionally Tested

● EAL2 Structurally Tested

● EAL3 Methodically Tested and Verified

● EAL4 Methodically Designed, Tested and Verified

● EAL5 Semi-formally Designed and Tested

● EAL6 Semi-formally Verified Design and Tested

● EAL7 Formally Verified Design and Tested

● These are used to measure how well a protection profile has been tested

Common Criteria Certifications • Targets include : SPARC, x86/x64 based systems, full

networking, LDAP naming service, full GUI

• Solaris 10 3/05:

> CAPP, RBACPP @ EAL 4+

> Completed in December 2006

• Solaris 10 11/06:

> CAPP, RBACPP, LSPP @ EAL 4+

> Officially “In evaluation” as of June 2006

> Expected to complete by Summer 2007

• US-based upcoming requirements

> Basic, Single-Level Medium, Multilevel Medium

Some Common Customer Problems

• Allowing access to the coalition network from the national network, but not vice versa

• Erect a “Chinese wall” between investment and brokerage departments

• Prevent accidental disclosure of confidential information

• Data assurance – guarantee that a service does what it claims to do

• Meeting privacy laws e.g. healthcare

A Smarter Solution!

Desktop consolidation - SNAP

• Desktop consolidation

> Permits access to those networks for which the user is cleared or do not need to know about

> Denies transferring information from one network to the other, unless the user is authorised to upgrade or downgrade information

> Provides concurrent access to different classifications

• Based on configuration

> Can be used to prevent accidental disclosure (relabeling requires confirmation)

> Provides access to only those networks for which the user is cleared (Chinese wall)

Desktop Consolidation

Secure Net

Apps 1,2,3

Secure Net

Apps 1,2,3

Secure Net

Apps 1,2,3

Secure Net

Apps 1,2,3

Office #1

Office #1

Office #1

Secure Net A-Z

on One Terminal

RDP (or other protocol) server

RDP (or...) client on Sun Ray

Session Server

Web-browsing

• Allow web-access from one network to other networks, but not vice versa

• This can be done using a firewall, a well-configured “regular” Solaris with a web proxy, or some variation on this theme

• Using Trusted Extensions

> in high-assurance environments to improve confidence

> In any environment to provide additional controls (protect against misconfiguration)

Web-browsing

• Label-configuration has the different networks “disjoint”, so TX will permit no communication between them

National

network

Coalition Network 1

Coalition Network 2

Coalition Network 3

TX

Web-publishing

• In the same environment the customer wants to be able to publish documents to web-servers on the coalition networks

NATIONAL NETWORK

C1

C2

C3

Web-publishing

• Scripted (and thus easily updated)

> Document retrieval

> Document validation

> Document publishing

• Coded (but generic, so reusable)

> The communication code in the global zone daemon

> The relabeling and application invocation is scripted, so easily extended (but only by an admin, as it exists in the global zone which is inaccessible to “regular” users)

• Work in progress (but will be built this fiscal year)

Desktop sessions

TX

NATIONAL NETWORK

C1

C2

C3

> Users start an X server (e.g. Exceed) on their PC,

> They use Secure Shell to log-in on the TX system

> Once authenticated they get access to a text-based menu that allows them to select a “destination” host

TX as A Trusted Router

TX Trusted Router

Architecture Level 1

App Server

Browser CIPSO Port 80

RESTRICTED Zone

Proxy Server listening

on an MLP

PUBLIC

Browser

INTERNAL

NEEDTOKNOW

Browser

RESTRICTED

Browser

CIPSO

Port 80

CIPSO

CIPSO

Port 80

Port 80

Proxy Server

(Reverse) Port 8080

Proxy Filter gets

client label from TX

and adds to http header

Servlets get label

from http header

using getHeader()

Architecture Level 2 - HTML

JClientLabelFilter

JFileLabelFilter

JfilePEPFilter

(XACML)

JLabelhtml

PDPservice

(XACML)

JAX-RPC (Soap)

Client http

Static HTML

File

Obtains remote connection label

(direct or from http header)

Obtains HTML file label

(NEEDTOKNOW)

WSDL

policy.xml

Architecture Level 2 - Tearline

JClientLabelFilter

JLabelxml

(JAXP)

XALAN PEP Function

(XCML)

JAX-RPC

Client http

XML File

Obtains remote connection label

Apply XSLT to

XML file,

generates HTML

XSLT File

WSDL

XSD File

PDPservice

(XACML)

Under Development Web Service Example - [public]

Web Service Example - [confidential]

Web Service Example - [restricted]

Note level of detail

not available at

[public]

Other Large Network Architectures

SIMA – Secure Delivery of eGovernment Services

Mobile users

SUN Rays Personal Computer

Portal Server

Applications Sun eGov Applications

SSL over IPSEC

SSL + VoIP over IPSEC

SSL

Mobile phone

Internet SSL over IPSEC

SSL over IPSEC

SSL

Wireless

Large Government Networks

Recap

• Solaris with Trusted Extensions is

> Just another configuration of Solaris 10

> But one which has some extra policy enforcement capabilities (and courtesy of these is being evaluated against stricter Common Criteria protection profiles)

> Traditionally used as a desktop system, with Trusted CDE or Trusted JDS as a desktop environment

> Equally usable for a “suspenders-and-a-belt” approach to servers in any environment

> Where you can make a nice web proxy server, an application-access-controlling gateway, or a controlled publishing system (and much more) out of it...

Other References

• Other articles, url's:

> Desktop System Streamlines Analysis Work, SIGNAL, Henry S. Kenyon http://www.afcea.org/signal/articles/anmviewer.asp?a=427&z=39

> USS Mt. Whitney exercise

http://www.jfcom.mil/newslink/storyarchive/2004/pa062104.htm

> JEDI page describing DoDIIS Trusted Workstation (DTW) https://extranet.if.afrl.af.mil/jedi/

> Super-Secure Systems Gain in Private Sector, Investor's Business Daily, 10/12/04; Donna Howell http://www.investors.com/editorial/tech01.asp?v=10/12

References

• Desktop System Streamlines Analysis Work, SIGNAL, Henry S. Kenyon http://www.afcea.org/signal/articles/anmviewer.asp?a=427&z=39

• USS Mt. Whitney exercise

http://www.jfcom.mil/newslink/storyarchive/2004/pa062104.htm

• JEDI page describing DoDIIS Trusted Workstation (DTW) > https://extranet.if.afrl.af.mil/jedi/

> http://www.rl/tech/programs/afdi

• Super-Secure Systems Gain in Private Sector, Investor's Business Daily, 10/12/04; Donna Howell http://www.investors.com/editorial/tech01.asp?v=10/12

Related Information • Sun Security Home Page

– http://www.sun.com/security

• Solaris Patches & Finger Print Database – http://sunsolve.sun.com/

• Sun Security Coordination Team – http://sunsolve.sun.com/security

• Sun BluePrints for Security – http://www.sun.com/blueprints

● Developing a Security Policy

● Trust Modelling for Security Arch. Development

● Building Secure n-Tier Environments

● How Hackers Do It: Tricks, Tips and Techniques

Related Service Information

• Sun Consulting Security Services – http://www.sun.com/service/sunps/security

• Sun Education Security Services – http://suned.sun.com/US/catalog

• Sun Support Services > http://www.sun.com/service/support

• Network and Security Products – http://www.humanfirewall.org

kevin.mayo@sun.com