COVER STORY RSBAC

Architecture of Rule Set Based Access Control (RSBAC) Security Architecture

inux security holes typically occur Integrating multiple security models simultaneously in the kernel and in Server programs and S bit tools. LThe best approach would be to detailed logs of any access:The free Rule Set Based Access Control avoid mistakes and update programs immediately if a bug occurs. This is not (RSBAC) security System offers customized protection for a wide range always possible, the next best thing is to of requirements. BY AMON OTT restrict potential damage, and this is where access control systems such as RSBAC come into play [1]. If an attacker exploits the security holes in servers or s bit tools, access to the system should be restricted to a minimum. In this case, even a successful compromise will cause only limited damage, and protective mechanisms can be implemented directly in the operating system kernel. The standard Linux kernel prevents access to various resources such as files, directories or system configurations, but unfortunately the standard mechanisms are fraught with weaknesses: •Poor granularity Ro

• Discretionary access control visipix.com nald Raefle , • An all-powerful root user Linux access controls only offer the standard privileges read, write and execute; additionally they only allow distinct privileges to be defined for the owner of a file, the members of a group and all others. Restrictions typically do account used to run that process. kernel a while back, allow a program not apply to the root user. The Thus, an attacker, if fortunate, can launched by root to drop some granularity of these privileges is thus manipulate any files belonging to the privileges, but this is left up to the insufficient for many tasks. compromised account with the gained program itself. access privileges. Linux Privileges – not enough The all-powerful system administrator, Architectural Requirements The owner of a file can do what she root, is the most dangerous of the issues The main aim for the developers of pleases with that file, this is commonly mentioned so far. Many activities RSBAC was to produce a flexible and referred to as DAC, or discretionary are restricted to the root user, from effective access control system as an access control. If an attacker has administrative tasks to simple actions. add-on for existing Linux mechanisms. compromised a process, the attacker’s Thus most service are originally To achieve this goal, the system must activities assume the privileges of the launched with root privileges and have fulfill a number of requirements: superuser access to the whole system, It must provide the underlying Amon Ott is a self-employed com- without ever actually needing these platform to allow the developer to puter scientist and the author of extensive privileges. program access control models quickly the RSBAC system.

HOR What is worse is the fact that many and simply. This permits a clear T His mainstay is bespoke develop- services need to be run with root distinction between components that ment and Linux firewalls,preferably privileges (or to be able to assume root make decisions, and components that with RSBAC. He is also working on privileges at any time) to allow them to enforce them. his doctorate,which he hopes to THE AU change to any user account. The POSIX The enforcement components act complete shortly. capabilities introduced to the Linux independently of the components that

36 February 2003 www.linux-magazine.com RSBAC COVER STORY

decision facility of the ADF. This Subject function requests individual decisions 1 from all active decision modules. The modules read attributes from data Access 6 request If access is denied: error message (and cancel) Linux Kernel structures (4) and reach a decision: 3 Request decision 7 Notify permitted, not defined, or denied. AEF ADF The central function collates the 5 Answer: Granted or not granted RC individual decisions, and returns a 0 Confirm collective decision (5). The ADF is 2 AUTH q read 9 restrictive in this respect; if a single System values Update Access ACL module returns a negative reply, the ADF 4 8 , will deny access. Actions are only System values Data structures Access to data structures permitted if all the modules agree that they should be permitted. Object In the case of a negative decision, the system call is halted and returns an Figure 1: A subject’s access to an object is monitored by the Access Enforcement Facility (AEF).The Access access error to the process (6). In the Decision Facility (ADF) decides whether to permit or deny access case of positive decisions, the AEF forks to the system call itself. If the call is make decisions. New decision models of access types (request types) that are successful, the AEF sends a message to can use the underlying infrastructure. applied to the object types. this effect to the ADF (7). A large number of tried and trusted Table 2 lists a selection of access types, The central messaging function of the security models exist for various tasks, some of which are used in our practical ADF is responsible for passing the and combinations of these models example later. The entire list is available message to the appropriate module sometimes make sense, depending on in the documentation from [1]. The basic functions. The module functions retrieve the situation. The underlying frame- building blocks of the RSBAC systems the current attributes from the data work should thus support multiple are shown in Figure 1. The enforcement structures (8), update them (9) and security models simultaneously and in- component, or Access Control Enforce- confirm that the call has been completed dependently, allowing the administrator ment Facility, AEF, mainly comprises correctly (10). to choose the most suitable model for enhancements of existing system If a new object was created by the current assignment. No matter what functions. the system call, the message from model is in use, activities and any These enhancements require the the AEF to the ADF will contain the decisions taken need to be logged, and decision making element, or Access type and ID for the new object. The the logs must be protected from Control Decision Facility, ADF, to decision modules then create the attempted manipulation. reach a decision before any access, and attributes of the object. After confirming, The original RSBAC system designed so possible compromise is permitted. the system function passes the requested fulfills nearly all these criteria. Over the If the ADF refuses access, the AEF will course of the last five years the range of return an “access denied” error to Table 1: Target Types functions and monitored objects has the subject. The decision facility and Name Description increased dramatically, allowing RSBAC the data structures used are mostly FILE Also includes special device and to monitor networks. The main elements independent of the kernel version. Only UNIX network files if they are of the original have been tested during AEF requires one or two changes to handled as files this time and the developers see no existing kernel functions. This DIR Directory reason to revise them. component was produced by enhancing FIFO Pipe with name entry in file system existing syscalls. SYMLINK Symbolic link Inner Values IPCInter Process Communication object We need to explain a few terms, in order Components co-operating on System V basis to describe the internal architecture, so Access control involves a number of SCD System Control Data – global bear with us. From the access control steps. The subject (the process) calls a system settings and objects such perspective a subject attempts to invoke system function to request access to an as host names or time a specific type of access to an object. On object (1). An extension of this function USER User object mainly serves the purpose of managing attribute a Linux system, the following occurs: a (the AEF) reads some system values, assignments process (the subject) attempts to read such as the process ID, the type, and PROCESS Process object for receiving signals (access type) a file (object). ID of the target object (2), before calling or reading process statuses The various object types are cate- the decision facility, ADF; and handing NETDEV Network device gorized by target type on an RSBAC on the information it has collected and NETTEMP Network template system (see Table 1 for an overview). the type of access (3). The request is NETOBJ Network object – normally sockets RSBAC also distinguishes a large number originally addressed to the central

www.linux-magazine.com February 2003 37 COVER STORY RSBAC

Figure 2: Admins can use network templates to assign access privileges to Figure 3:The main administration menu provides the RSBAC user with a network address and port ranges. In our example, the ports on all the hosts straightforward configuration interface, with simple control over all of the in the IP network 192.168.200.0/24 have been selected Decision Module functions data (11) and control back to the a “CREATE” request for the target specific structures provide storage invoking process. directory, creates the file and informs facilities in this case. the decision facility of the new object. The data storage component takes care A Practical Example Otherwise a “TRUNCATE” request is of the thankless task of list management, A practical example is useful to our issued for the file, the open function thus reducing the load on the data understanding of the theoretical path. truncates the file to zero, and reports the storage components; this involves When a process wants to open a file success of the operation. disk storage, SMP locking (for multi- for read and write access, it uses After this preparatory work, the syscall processor systems), and similar tasks. “sys_open()” with appropriate para- generates a “READ_WRITE_OPEN” It stores the majority of this data in meters. The parameters might specify request and opens the file. The ADF a generic list system that allows any that “sys_open()” should create the file if learns that the file has been opened number of generic one or two-tiered it does not already exist, or possibly and updates the file’s attributes. This list systems (lists of sublists), with truncates the file to zero length if the file provides the process with a descriptor so indices and data fields of any size to be exists. that the process can go on running. easily registered. If the ADF rejects one of the following The decision facilities register their decisive questions, the system call Data Storage Structures lists on RSBAC initialization or when terminates and issues an “access denied” As already mentioned, so-called binding a file system. Only a few of the message. The first thing “sys_open()” attributes, which are assigned to every lists are implemented differently due to needs to do, is to resolve the filename, user, process, and object are the basis specific conditions. to discover the inode. for each access decision. Attribute An auxiliary function, whose RSBAC management is the task of the general Persistent Data extension sends a “SEARCH” request to data storage facilities. Additional model If necessary generic lists can provide the ADF for every folder touched, takes specific data, such as groups or access persistent data storage, that is the data care of this. If the file does not exist, the matrixes that cannot be organized within stored in the lists will survive a reboot or extension of the open function generates generic structures, also exist. Model deregistration. To achieve this, the

Table 2: Request Types Name Object Types Description BIND NETDEV,NETOBJ Bind network addresses CLOSE FILE,DIR,FIFO,DEV,IPC,NETOBJ Close a file descriptor CONNECT NETOBJ Open connection to remote node CREATE DIR (where),IPC,NETTEMP,NETOBJ Create object DELETE FILE,DIR,FIFO,IPC,NETTEMP Delete object EXECUTE FILE Execute file NET_SHUTDOWN NETOBJ Close connection channel READ DIR,SYMLINK,IPC,NETTEMP Read from object (optionally FILE,FIFO,DEV,NETOBJ) READ_WRITE_OPEN FILE,FIFO,DEV,IPC Open for reading and writing RECEIVE NETOBJ Receive data from remote node SEARCH DIR,SYMLINK Name resolution SEND NETOBJ Send data to remote node Figure 4: RSBAC needs to be enabled in the Linux kernel. A configuration TRUNCATE FILE Change length of file menu is available for basic settings

38 February 2003 www.linux-magazine.com RSBAC COVER STORY

“rsbacd” kernel daemon periodically facilities to generate temporary entries or RSBAC will not store the attributes saves any lists tagged as changed in privileges. Persistent values are marked separately for each network end node, or special protected directories on the hard with a value of “0”. Generic lists are for each connection, but collectively in a disk, where they are read by the data implemented as double linked, sorted template. The end nodes of the network storage facility on re-registering the list. lists that allow you to register both (that is the source or target of data A registration parameter specifies what descriptive and comparative functions transmission) inherit their values from partition these files can be stored on to for optimized access. the most suitable template (that is the allow targeted binding of any of the file If a function of this type has not been template with the lowest descriptor). system objects. registered, simple “memcmp()” based This allows the ADF to reach a decision Modules can optionally supply a memory comparison is used. [2] provides for “CONNECT” type access by reference default value when registering a list. a more detailed description of the list to the template attributes of the source If a list element goes missing at a later management interfaces and parameters. or target address by simply looking up date, the data storage facility will also the template. supply this value. For optimization Rule Templates purposes, any persistent elements con- Network connections are fairly Administration taining default values are deleted. ephemeral in most cases; data packets Templates allow you to specify that a If a value changes, the data storage are often transmitted individually and specific user should only be allowed facility reinstates the element. In the independently. That makes it particularly access to the local network via the case of two-tiered lists, sublists are difficult to assign attributes to them, as Internet Protocol TCP, or that a browser generated or deleted as required. This administrative overheads would be can only access the HTTP proxy port procedure keeps the length of the lists to punitive. RSBAC provides network on your firewall. There is no need to a minimum and thus reduces the access templates for this task. They describe configure each individual connection. times needed. multiple network end nodes based on As RSBAC stores all of these settings Every list element is assigned a time various criteria, such as the protocol in the kernel or in protected files, limit when it is created or updated, and family, connection type, network administrative tasks mean initiating is removed once this period expires. This protocol or port number. Figure 2 shows system calls or accessing the “/proc” file characteristic is used by some decision an example of how they are defined. system. This allows the kernel to

advertisement COVER STORY RSBAC

designate users who are permitted to configuration of most modules, but is a system for the Linux kernel. Its change specific settings. And this is normal user like everyone else, apart clear and modular structure ensure RSBAC’s solution to the major issue of from that. that the authors could keep track the all-powerful root user: If the A support module called “AUTH” on development activities. RSBAC configuration files were stored in normal was introduced to help out with user ID has become quite popular in Europe files, users with write access to management, which is a critical issue. where the system is in widespread use. these files would then automatically “AUTH” allows you to define the user Conservative estimates suggest that have administrative privileges. RSBAC IDs that specific programs and processes RSBAC is in use on several hundred allows multiple administrators to have can assume. A process can only assume production systems. ■ different privileges. an ID that “AUTH” allows it to assume, any others are prohibited. Installation Self-Control A number of RSBAC administration Before you can install RSBAC,you first need With only a few exceptions, each tools are available. They facilitate many to download the sources from the home decision module is responsible for its administrative tasks and provide user page.They comprise three parts:a tar own attributes. Models with scientific interfaces for the RSBAC system calls. archive contains modules that are backgrounds, such as RC and ACL (see Menus provide for easier use – see independent of the kernel version. A version insert “Decision Modules in RSBAC”) in Figure 3 for an example of the main dependent kernel patch is additionally particular, support the delegation of “rsbac_menu” menu. RSBAC is probably required.There is also a tar archive with administrative tasks to multiple users. the oldest and – judged by its codebase administration tools.The RSBAC patch Root still has special rights in the default most extensive – free access control mainly comprises the initialization calls and adds system calls for AEF tasks. As an Decision Modules in RSBAC alternative,you can also download pre-com- piled kernel sources as a bzip2 tar archive. The current,stable RSBAC version 1.2.1 comprises the following decision modules and rules,some The kernels supplied by most distributions of which are used to implement more complex security models. have mostly been through wide ranging MAC – Mandatory Access Control,Bell-La Padula. modifications,and this often leads to issues. FC – Functional Control:This simple role model allows access to security information for security In this case,you may have to resort to the officers only and allows only administrators to access system information. original kernel,available from ftp://ftp. kernel.org/pub/linux/kernels or a mirror site. SIM – Security Information Modification:Only security officers are allowed to modify data tagged as security information. After expanding the tar archive in the main directory for your kernel sources,and apply- PM – Privacy Model:A data protection model devised by Simone Fischer-Hübner to implement ing the patches,follow normal procedure to European data protection guidelines. configure,compile and install the kernel. MS – Malware Scan:Checks files for malevolent software during read and execute access.Version The additional “Rule Set Based Access 1.2.1 contains only a scanner prototype, the pre-release version 1.2.2-pre1 uses a professional virus Control”menu shown in Figure 4 comprises protection software by F-Prot. Support for additional scanners is planned. a number of submenus with a wide range of FF – File Flags:Global attributes apply to files and directories,“execute_only”,“no_execute”, options,with help texts for each option. “read_only”,“append_only”,for example. Default values are OK for most applications. RC – Role Compatibility:This powerful role model was designed specifically with Linux servers in When you reboot, the “rsbac_auth_enable_ mind. It defines roles for users and programs,and types for all kinds of objects. Access privileges login”kernel parameter allows the login for each type can be specified for every role.The model also allows a schema for a strict delegation program to switch to any user ID in order of administrative tasks to multiple roles,and defines time limits for access and administrative to permit users to log on.The “rsbac_ privileges. softmode”parameter is useful for initial AUTH – Authentication Enforcement:This module governs “CHANGE_OWNER”requests tests,as it merely logs decisions without for processes and thus any “setuid()”calls. Processes and programs can only access user IDs enforcing them. specifically allowed to them. After successfully launching the system, ACL – Access Control Lists:An access control list is assigned for each object, to define the you can go on to expand the support tools permissible access types for various subjects. Subjects are defined as user IDs,RC roles,and ACL and follow the usual steps,“./configure groups. If an object does not have an entry for a specific subject,it will inherit the rights assigned && make && make install”to compile and to a superordinate object,for example a directory.An inherited rights mask is available to filter install them. If the RSBAC kernel sources inheritance,allowing any rights assigned to be filtered out for all subjects.The ACL model also are not available in “/usr/src/linux”,you defines superordinate default ACLs,individual group management for every user,and time limits might like to try the configure parameter for any rights and group memberships assigned. “--with-kerneldir”. CAP – Linux Capabilities:Allows you to assign minimum and maximum Linux capabilities (delegated root privileges) to any user and program.Thus server programs can run as normal user accounts,or root programs can be executed with restricted privileges. INFO JAIL – Process Jails:This module introduces a new system call “rsbac_jail()”,which is funda- [1] RSBAC home page:http://www.rsbac.org mentally an extension of the FreeBSD jail. Programs launched within the jail are captured in [2] Interface to the generic list system: a chroot environment with restricted administrative and network privileges. http://www.rsbac.org/lists.htm

40 February 2003 www.linux-magazine.com