Date: Mon, 17 Jul 2017 22:42:33 +0200 From: Martin Beran <martin@mber.cz> To: freebsd-hackers@freebsd.org Subject: mac_sofi: a proof of concept MAC module Message-ID: <c12f4b21-ca87-c958-349d-475d51d61d88@mber.cz>
next in thread | raw e-mail | index | archive | help
Hello, I created an initial proof-of-concept implementation of a new Mandatory Access Control kernel module. It is called SOFI (Subjects and Objects with Floating Integrity). Source code is at https://github.com/martin-beran/mac_sofi. It is written and tested on FreeBSD 10.3, but it should be usable on newer releases too. The SOFI security model combines access control by ACLs and capabilities with automatic modification of process and data integrity according to data flow. Each subject (usually a process that executes an operation, for example, a system call) and object (a target of the operation, for example, a file being accessed) has its integrity value, which is a set of atomic integrity attributes. A subject or an object can be either a reader or a writer for a particular operation, depending on the direction of information flow between them. First, the subject's integrity is compared to the object's ACL in order to decide whether the operation should be allowed or denied. If allowed, the reader's integrity (subject in read, object in write) is modified to the lower bound (intersection) of reader's and writers's integrities. Then the operation is performed. The main idea is that accessing low-integrity data (a file downloaded from an untrusted source) makes a process untrusted and prevents its further access to high-integrity data (reading a file with personal information or changing an executable file). To be practical, integrity reduction of readers can be controlled by a testing function, which can prevent removing some integrity attributes from a reader. For example, a downloaded installation image file is assigned a low integrity. But if a checker program, which has high integrity, reads the file and verifies its digital signature, the program's integrity is not degraded, so it can pass the image to an installer as high-integrity data. There is also an integrity granting function, which can add some integrity attributes from a writer to a reader. It is essentially similar to the set-uid bit on executables. More technical description of the SOFI algorithm is contained in the mac_sofi.h header file. The implementation is an initial proof-of-concept. It demonstrates basic principles of the SOFI model, but only file open, access check, read, and write operations, as well as MAC label manipulation entry points of the MAC framework are implemented. The internal data structures are inefficient due to my unfortunate initial decision to combine a fixed-size integrity and some variable-size data into a single MAC label structure. It is my first attempt to create a nontrivial kernel module, so I expect bugs related to locking and memory management. There are also many open correctness-related questions, especially regarding memory-mapped data, multithreading, and blocking read operations. I would appreciate any comments on both the SOFI model and on my implementation. -- Martin Beran
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c12f4b21-ca87-c958-349d-475d51d61d88>