Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1
Systems and Internet Infrastructure Security
Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park PA
Complete Mediation: Knowing Where to Hook ‘em
Joshua Schiffman
Classic Question(s)
• What is a reference monitor?
• What guarantees does it provide?
‣ Tamper-proof
‣ Simple enough to verify
‣ Complete mediation
• What kind of policies can be enforced?
Protection
• What objects in an OS need protection?
‣ Data files
‣ Programs
‣ Devices
• How can we protect them?
‣ Who do we permit / allow
Security in Linux
• Linux Security Modules (LSM)
‣ Reference monitor (policy)
‣ Hooks (interface)
• Clean separation of policy and kernel code
‣ Modular
‣ Extensible
• What LSMs exist?
Hooks
• Hooks provide the upcalls to the security module
‣ Mediate authorization of sensitive operations
• We need complete mediation to be sure the reference monitor is not circumvented
• How can we be sure the hooks are everywhere we need them?
Verification
• Vali
‣ Path inconsistencies
• CQUAL
‣ Taint analysis
‣ Requires set of conceptual operations on resource
• Can we do better than verifying?
Automagic
• Hook placement is a largely manual process
‣ Verification tools show hooks are missing
• We would like to place these hooks automatically
‣ Correctly
‣ Completely
• Placement Criteria?
‣ Conceptual Operations
‣ Code that invokes those operations
Conceptual Operations
• Functions that query the policy DB before permitting security sensitive operations
• What are they?
‣ Encoded in the policy implementation (Hook functions)
‣ SELinux uses the Access Vector
‣ Form a Call Graph of hooks
• Recursion?
• What about arbitrary LSMs?
Kernel Analysis
• Where are the hooks needed?
‣ Where kernel functions perform Conceptual Operations
• How do we know what ops a function uses?
• Idioms
‣ Requires domain knowledge of the code
• Manual again…
Idioms
• How can we map the operation(s) to the functions?
• Try to minimize the false positives
‣ An iterative process
• False negatives rely on code experience
[Figure: diagram with the labels False Positive, False Negative, Conceptual Operation]
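The procedure sketched on the Hooks, Conceptual Operations, Kernel Analysis and Idioms slides can be run end to end on a toy model. What follows is an added example written for this page, not code from the slides or from the SIIS lab's tools (Vali, CQUAL); every function name, call edge, statement and idiom in it is constructed, and the `avc:<class>:<perm>` leaves stand in for an access-vector check. It walks the policy's hook call graph to recover each hook's conceptual operations (terminating on the recursive helper the slides ask about), maps kernel functions to operations with regex idioms, and then reports system-call entry paths that reach an operation without first passing a hook that authorizes it. Running it with a draft idiom and a tightened one shows the false positive the Idioms slide warns about being removed while the genuinely missing hook stays reported.

```python
"""Toy static analysis of authorization-hook placement.  Added example, not from
the slides: every function name, call edge, statement and idiom is constructed,
and an "avc:<class>:<perm>" leaf stands in for an access-vector check."""
import re

# --- 1. Conceptual operations, recovered from the policy implementation -------
# Call graph of the hook functions and their helpers (constructed).  A leaf
# "avc:<class>:<perm>" models a query of the policy DB for that pair.
POLICY_CALL_GRAPH = {
    "hook_file_permission": ["file_has_perm"],
    "hook_inode_setattr":   ["inode_has_perm", "avc:file:setattr"],
    "hook_socket_bind":     ["socket_has_perm"],
    "file_has_perm":        ["inode_has_perm", "avc:file:read"],
    "inode_has_perm":       ["avc:file:getattr"],
    "socket_has_perm":      ["sock_helper"],
    "sock_helper":          ["socket_has_perm", "avc:socket:bind"],  # recursion
}

def conceptual_ops(func, graph=POLICY_CALL_GRAPH):
    """(class, perm) pairs reachable from func.  The 'seen' set makes the walk
    terminate even though socket_has_perm and sock_helper call each other."""
    ops, seen, stack = set(), set(), [func]
    while stack:
        f = stack.pop()
        if f in seen:
            continue
        seen.add(f)
        if f.startswith("avc:"):
            _, cls, perm = f.split(":")
            ops.add((cls, perm))
        else:
            stack.extend(graph.get(f, []))
    return ops

# --- 2. Kernel side: which functions perform which operations? ----------------
# Constructed kernel functions: (callees in call order, statements in the body).
KERNEL = {
    "sys_read":      (["hook_file_permission", "do_read"], []),
    "do_read":       ([], ["copy_to_user(buf, page_address(page), n)"]),
    "sys_truncate":  (["hook_inode_setattr", "do_truncate"], []),
    "sys_ftruncate": (["do_truncate"], []),            # hook forgotten here
    "do_truncate":   ([], ["inode->i_size = length"]),
    "sys_stat":      (["do_stat"], []),
    "do_stat":       ([], ['printk("size=%lld", inode->i_size)']),
}
ENTRY_POINTS = [f for f in KERNEL if f.startswith("sys_")]

# Idioms: a regex over a statement means "this function performs this op".
# The draft matches any mention of i_size; the tuned one only a write to it.
IDIOMS_DRAFT = [(re.compile(r"i_size"), ("file", "setattr")),
                (re.compile(r"page_address"), ("file", "read"))]
IDIOMS_TUNED = [(re.compile(r"->i_size\s*="), ("file", "setattr")),
                (re.compile(r"page_address"), ("file", "read"))]

def ops_performed(func, idioms):
    """Conceptual operations a kernel function performs, by idiom matching."""
    _, stmts = KERNEL.get(func, ([], []))
    return {op for s in stmts for rx, op in idioms if rx.search(s)}

# --- 3. Mediation check: is every operation preceded by a hook on its path? ---
def missing_hooks(idioms):
    """Return (entry, func, op) triples where a path from a system-call entry
    reaches func performing op without an earlier hook that authorizes op.
    Hooks seen earlier on the path (including inside callees) count as covering
    everything after them; statement order within a body is not modelled."""
    findings = set()

    def walk(func, path, covered):
        if func in path:                       # cycle guard for kernel recursion
            return covered
        path = path + [func]
        if func in POLICY_CALL_GRAPH:          # reached a hook: its ops are mediated
            return covered | conceptual_ops(func)
        for op in ops_performed(func, idioms) - covered:
            findings.add((path[0], func, op))
        for callee in KERNEL.get(func, ([], []))[0]:
            covered = walk(callee, path, covered)
        return covered

    for entry in ENTRY_POINTS:
        walk(entry, [], frozenset())
    return findings

if __name__ == "__main__":
    for label, idioms in (("draft", IDIOMS_DRAFT), ("tuned", IDIOMS_TUNED)):
        print(label, "idioms -> missing hooks:", sorted(missing_hooks(idioms)))
```

With the draft idiom the analysis flags both `sys_ftruncate` (a real gap: `do_truncate` writes `i_size` with no hook on the path) and `sys_stat` (a false positive: `do_stat` only prints `i_size`); tightening the idiom to an assignment keeps the first finding and drops the second, which is the iteration the Idioms slide describes. Nothing here finds false negatives: an operation for which no idiom was written stays invisible, which is why the slides fall back on code experience for those.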
Limitations
• Other than Idioms?
• Finer granularity?
• Not all operations are analyzed