An Overview Rick Anderson Pat Demko

1 SE Linux: An Overview
Rick Anderson, Pat Demko

2 Origins
NSA research
Security enhanced Linux kernel
Implements Mandatory Access Control policies
  RBAC
  Type Enforcement
  Multi-level security

3 How the “Bomb was Dropped”
In January 2001 the NSA introduces a “Security-Enhanced version” of the Linux 2.2 kernel.
Open source code was introduced along with design documentation!!!
THE NSA DOES NOT DO THIS!!!
“It’s like the Pope inviting everyone over to his place to watch a soccer game and have a few beers” (Secure Electronics Transactions)

4 What were the goals??
Not to be focused on just Crypto
Incorporate Crypto with MAC policies
Increase policy flexibilities
Separation of enforcement from policy decisions
They want a crypto policy that is flexible, just like the system security policy is.
Crypto isn’t always required, so let’s be flexible
Look at the security context.

5 Architecture Overview
Not the standard, rather, it is included in the standard. (IBM.com)
The Flask architecture
Security policy is in a separate component of the OS
  Known as the Security Server
Hybrid of Type Enforcement, RBAC and multilevel security (MLS)

6 Flask Architecture

7 Security Server
Provides a SID only for LEGAL:
  User
  Role
  Type
  MLS range
“Legal” established by security policy configuration

8 Object Managers
Consult SS to get an access decision
Based on a pair of labels
  Subject and object labels
  Object’s class
Define a mechanism for assigning labels to their objects.
No policy-specific logic in object managers.

9 SID Updates
Runtime changes in security policy
SS updates SID mapping by canceling SIDs that are no longer authorized
Permanent integer SID (PSID) is put with a file and mapped to a security label.
Flask labels and controls file descriptions.
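
The security server, object manager and SID cancellation described in slides 7 to 9, modelled as an added Python example (not code from the presentation or from SELinux). Class, function, context and type names are assumptions made for illustration, and the access check uses only the type pair and object class.

```python
# Added illustration: toy model of a Flask-style security server (SS).
# Contexts, types and rules below are constructed, not real SELinux policy.
from itertools import count

class SecurityServer:
    def __init__(self, policy):
        self._next, self._by_sid, self._by_ctx = count(1), {}, {}
        self.load_policy(policy)

    def load_policy(self, policy):
        """Install a policy; cancel SIDs whose context is no longer legal."""
        self.policy = policy
        for sid, ctx in list(self._by_sid.items()):
            if not self._legal(ctx):
                del self._by_sid[sid], self._by_ctx[ctx]

    def _legal(self, ctx):
        user, role, typ, mls = ctx
        p = self.policy
        return (role in p["user_roles"].get(user, ())
                and typ in p["role_types"].get(role, ())
                and mls in p["mls_ranges"])

    def context_to_sid(self, ctx):
        """Hand out a SID only for a legal (user, role, type, MLS range)."""
        if not self._legal(ctx):
            raise ValueError(f"illegal security context: {ctx}")
        if ctx not in self._by_ctx:
            sid = next(self._next)
            self._by_ctx[ctx], self._by_sid[sid] = sid, ctx
        return self._by_ctx[ctx]

    def compute_av(self, ssid, tsid, tclass):
        """Permissions for (subject SID, object SID, object class)."""
        if ssid not in self._by_sid or tsid not in self._by_sid:
            return frozenset()  # cancelled or unknown SID: deny
        stype, ttype = self._by_sid[ssid][2], self._by_sid[tsid][2]
        return frozenset(self.policy["allow"].get((stype, ttype, tclass), ()))

def has_perm(ss, ssid, tsid, tclass, perm):
    """Object-manager side: no policy logic, only a query to the SS."""
    return perm in ss.compute_av(ssid, tsid, tclass)

POLICY = {  # constructed sample policy
    "user_roles": {"alice": {"user_r"}, "system_u": {"system_r", "object_r"}},
    "role_types": {"user_r": {"user_t"}, "system_r": {"httpd_t"},
                   "object_r": {"web_content_t", "shadow_t"}},
    "mls_ranges": {"s0"},
    "allow": {("httpd_t", "web_content_t", "file"): {"read", "getattr"}},
}
```

A type pair with no matching allow rule yields an empty permission set, so the object manager denies by default, and a SID cancelled by a policy reload loses all access.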

10 Privileges
When a program is executed, privileges can change
Permissions could be removed from dangerous programs
Roles, Roles, Roles!!!!

11 The Many faces of SID
Associated with a file
Used in creation of a file
  This is different for when file is in use!
Lets us check the access to a file’s parent directory
Type/Domain distinction??? NOPE
  A domain is a type…but is associated with a process
  So, you can separate permissions for a process

12 Roles
Defined in the configuration
Each process has a role associated with it
  System_r role
  User_r role

13 Summary
Policy configuration goals:
  Control raw access to data
  Protect integrity of kernel and software
  Protecting a process from running malicious code
  Confining damages
  Protect Admin role from entry without authentication

14 Final Remarks
What is not expressly permitted is FORBIDDEN!!
Exactly what we want in a security system: No Gray areas

15 Sources
http://www.nsa.gov/selinux

