Mandatory Access Control for Linux Clustered Servers
Miroslaw Zakrzewski Open Systems Lab Ericsson Research 8400 Decarie Blvd Town of Mont Royal, Quebec Canada H4P 2N2 [email protected]
Abstract may introduce degradation in the performance, an increase in administration, and some annoy- In today’s world, the use of computers and net- ance for the user. works is growing and the vision of a single We are implementing cluster-aware access infrastructure for voice and data is becoming control mechanisms in the Linux kernel. We a reality. However, with different technolo- expect that our work will help position Linux gies and services using the same networking as a secure operating system for clustered infrastructure, the realization of this vision re- servers. quires higher levels of security to be imple- mented in computer systems. Current secu- rity solutions do not address all of the security 1 Introduction challenges facing today’s computer systems, including clustered platforms, in one compre- hensive and coherent fashion. The security of computing systems could be enforced on different levels of the computing This paper presents the previous work done in environment such as hardware, operating sys- the area of access control and then focus on tem, application and network level. The pri- new mechanisms for clustered Linux servers mary subject from the security prospective is as part of the research project at the Ericsson the operating system level, being a fundamen- Open Systems Lab. In this paper, we address tal piece of the security of every computer sys- the design and implementation of a framework tem, and a critical point of failure for the entire for the mandatory access control in the dis- system. Currently implemented security mech- tributed security infrastructure (DSI). The on- anisms of operating systems are based on user going work is mainly based on the Flask archi- privileges and are inadequate to protect against tecture and the Linux Security Module (LSM) the various kinds of attacks in today’s com- framework with a focus on Linux clustered plex environments. To address these problems, servers. The paper also addresses the effects security in operating systems has long been a of the cluster security on the performance of well-researched topic, which formulated vari- the distributed system, since enforcing security ous security models and policies. Ottawa Linux Symposium 2002 619
Various research results have shown that There exist many security solutions for clus- mandatory security provided by the operat- tered servers ranging from external solutions, ing system is essential for the security of the such as firewalls, to internal solutions such as whole system [3]; furthermore, they proved integrity checking software. However, there is that mandatory access control mechanisms are no solution dedicated for clusters. The most very efficient in supporting complex relation- commonly used security approach is to pack- ships between different entities in the comput- age several existing solutions. Nevertheless, ing environment. the integration and management of these dif- ferent packages is very complex, and often re- Several attempts were made to reach a very se- sults in the absence of interoperability between cure platform. For instance, The FLASK ar- different security mechanisms. Additional dif- chitecture [5,12] (on which SE Linux [17] is ficulties are also raised when integrating these based) was created as an attempt to serve as many packages, such as the ease of system a generic architecture for the mandatory ac- maintenance and upgrade, and the difficulty of cess control. An important design goal was keeping up with numerous security patches and to provide flexible support for security poli- upgrades. cies. The FLASK architecture achieved the goal by separating the security policy from the Carrier class clusters have very tight re- enforcement mechanism and by having secu- strictions on performance and response time. rity checks transparent to the applications. An- Therefore, much pressure is put on the system other attempt from SE Linux was to prototype designer while designing security solutions. In the access control in the Linux kernel. fact, many security solutions cannot be used due to their high resource consumption. However, the existing solutions, including Flask and SE Linux, do not address the access In a distributed environment, subjects and re- control in distributed environments. One such sources can be located anywhere on the net- environment is computer cluster. In our con- work so the relations between them are more text, a cluster is defined as a collection of inter- complex. connected stand-alone computers working to- gether to solve a problem as a single computer. In this paper, we present the preliminary results The cluster can appear as a single system to developing the Linux security module (LSM) users and applications. Since from the logical that links all the nodes of the cluster in a trans- point of view we can see a cluster as a single parent fashion; the Linux security module is entity, we should apply this definition to the also referred to as the distributed security mod- cluster security as well and treat the subjects ule. The security module enforces the secu- and resources as if they were located on one rity checking on a node between subjects and virtual machine. resources belonging to the same or different nodes of the cluster. The distributed security Even though new security approaches, such as module is a part of the distributed security in- FLASK, address the problem of mandatory ac- frastructure (DSI) and cannot be used without cess control between subjects and resources it. The DSI decides about the security policy belonging to the same processing node, they and defines mechanisms that control the mod- are still missing the mandatory, finer-grained ule. In the next section, a brief description of security checks between the subjects and re- the distribution security infrastructure is intro- sources belonging to different nodes. duced. Ottawa Linux Symposium 2002 620
Secondary� Node 1� Node 2� Node 3� Security Context� Primary � Repository� Security Policy� Key Repository� Security � Proc123� Proc978� Proc222� Server Node� Security Context� Security Manager� Key Management�
SS� SM� SM� SM�
Kernel�
Auditing � Access Control � Authentication � Integrity � Secure Communication Channel� Service� Service� Service� Service�
Inside the Cluster� Data Traffic� �
SS�Security Server� Figure 2: DSI Services Security � and� Security Manager� O&M/IDS� SM� Authenticated�
Outside the Cluster� Encrypted � Communications� � eration and management, and intrusion detec- tion systems from outside the cluster. It is the Figure 1: Distributed Architecture of DSI central security authority for all the security components in the system. It is responsible for the distributed security policy. It also de- 2 Distributed Security Infrastruc- fines the dynamic security environment of the ture whole cluster by broadcasting changes in the distributed policy to all security managers.
2.1 DSI Characteristics Security managers enforce security at each node of the cluster. They are responsible for As part of a carrier class Linux cluster, DSI [6] locally enforcing changes in the security en- must comply with carrier class requirements vironment. Security managers only exchange such as reliability, scalability, and high avail- security information with the security server. ability. Furthermore, DSI supports the follow- ing requirements: coherent framework, pro- The secure communication channel provides cess level approach, pre-emptive security, dy- encrypted and authenticated communications namic security policy, transparent key manage- between the security agents. All communica- ment, and minimal impact on performance. tions between the security server and the out- side of the cluster take place through the secure communication channel. 2.2 DSI Architecture The DSI architecture at each node is based on DSI has two types of components: the man- a set of loosely coupled services (Figure 2). agement components and service components. Each service, upon its creation, sends a pres- DSI management components define a thin ence announcement to the local security man- layer of components that includes a security ager, which registers these services and pro- server, security managers, and a security com- vides their access mechanisms to the internal munication channel (Figure1). The service modules. components define a flexible layer, which can be modified or updated by adding, replacing, There are two types of services: security ser- or removing services according to the needs. vices (access control, authentication, integra- tion, auditing) and security service providers The security server is the central point of man- (for example secure key management) that run agement in DSI, the entry point for secure op- at user level and provide services to security Ottawa Linux Symposium 2002 621 managers. Subject� Access Request� 3 Cluster Access Control Access Control� Decision = function(Subject,Resource)� 3.1 General Discussion
In general, the Access Control Service (ACS) Resource� can be seen as a layer (software, hardware) that � enforces the security policy as a two-parameter function. It relies on the notions of subject (or Figure 3: Access Control access request initiator), resource (or target), environment, decision, and enforcement. properly authenticated. One of the important A subject could be a program or process and a characteristics of the access control for clus- resource can be a file or a communication re- ters is that it allows verifying the access control source. The same process can be a subject in privileges even when subjects and resources one access control operation and a resource in are located on different nodes in the cluster. another. The ACS that runs on the cluster processors is An access control could be interpreted as a ma- comprised of two parts: trix where one axis is the list of all possible subjects and the other is the list of all possible resources. The entries in the matrix define the 1. A kernel-space part: This part is respon- permissions. Even for reasonable-sized sys- sible for implementing both the enforce- tems the matrix gets complicated, very fast so ment and the decision-making tasks of there is a need to reduce its complexity. In access control. These two responsibili- order to do this, the term class is introduced. ties are separated. The kernel-space part Class groups the subjects and resources, which maintains an internal representation of the have the same permission and create only one information upon which it bases its de- entry for them in the matrix. cisions. This information (security pol- icy) is supplied by the security server and When a Subject tries to access a Resource (Fig- stored in the local memory for fast access ure 3), the access request is intercepted by the (hash table). On Linux, the kernel-space access control layer and based on the subject’s part is implemented as a Linux Security rights, the access either is granted or not. The Module (LSM). access control of an operation system is usually added in the system call layer (Linux). This is 2. A user-space part: This part has many ideal for the operating system because it makes responsibilities. It takes the informa- the access control transparent for the applica- tion from the Distributed Security Policy tions, and more secure because it’s located in and from the Security Context Repository, one of the lowest software layers, in addition combines them together, and feeds them it’s fast because it’s embedded into the opera- to the kernel space part in an easily us- tion system. able form. It also takes care of propagat- ing back alarms from the kernel space part The ACS assumes that the subjects have been to the security manger, which will feed Ottawa Linux Symposium 2002 622
them to the Auditing and Logging Service and if necessary propagate to the security server through SCC. CLUSTER� S� Both parts, kernel-space and user-space, are Node� started and monitored by the local Security S� Manager (SM) on each node. The SM also in- R� troduces them to other services and subsystems R� R� of the DSI infrastructure with which they need to interact. � The ACS aims to provide fine-grained access control (at the system call level). It respects Figure 4: Cluster Access Control the minimization principles of least privilege to limit the propagation and damage caused by eventual security breaches. As such, it pro- the cluster vides defense in depth. • Cluster Remote Access: Both subject and The ACS that is running on a processor must resource are located on different nodes in- make as little assumptions as possible about side the same cluster other processors, including whether they have been compromised. For that reason, an ACS • Cluster Outside Access: Subject is located instance is always the one making access de- on a node inside cluster and resource is cisions about resources that are local to its outside the cluster or Subject is located processor. For the initial design of the ACS, outside the cluster and resource on a node only grant/deny decision will be considered. inside the cluster. Other more involved decisions would involve • No Cluster Access: Both subject and re- rate limiting and total usage limiting. Actions source are outside the cluster other than access control decision, such as in- terposition and active reactions, are not imple- mented either. The above classification allows us to reduce the complexity of the cluster access control 3.2 Cluster Access Types by classifying the various access approaches. First, we analyze the Cluster Local Access and The distributed environments allow that the ac- next we will move to the Cluster Remote Ac- tors of ACS (subject and resource) can be lo- cess. The Cluster Outside Access and No Clus- cated anywhere in the cyber space. ter Access are out of the scope of this paper.
Based on their mutual location in the cluster 3.3 Distributed Access Control Architecture (Figure 4), and to reduce the complexity when analyzing access control, we can distinguish Finding an efficient solution to the cluster the following types of the access control: mandatory access control is a complex task. There are many factors involved in defining • Cluster Local Access: Both subject and the access rights because the subjects and re- resource are located on the same node in sources can be located on different nodes in the Ottawa Linux Symposium 2002 623
SnIDx� An important part of the distributed system is
Security� the network, which spans the nodes of the clus- Server� ter. To apply the access control functions in the cluster, there must be a way to pass the security SnID1� SnID2� parameters between the nodes in a transparent
Subject 1� Subject 2� fashion. In our research, we try to find the ap- (Process)� (Process)� SID� SID� propriate architecture for this problem as well.
SnID�, SID� Resource� Resource� Our prototype is based on a cluster of (Comm.)� (Comm.)�
Resource� SID� Linux machines and the implementation of the (File)� SID� SID� � mandatory access control will by exercised in the Linux kernel. By implementing the manda- Figure 5: Distributed Access Control tory access control inside the kernel, we can achieve security transparency in the system.
Another functionality of the access control is cluster. To simplify the relationships, we can to be able to generate alarms in case of intru- handle the access control in two levels: sion detection. When the security module de- tects the intrusion, an alarm notification will be 1. Local when subject and resource are lo- passed to the security manager and later to the cated on the same node, and security server. Based on the severity of the 2. Remote when subject and resource are lo- alarm, the security server will take an action. cated on different nodes. An example of the action will be a change of the security node ID, loading a new security policy, or declaring a node compromised and For local access control, the access rights are disconnecting it from the cluster. In the most the functions of the security IDs of the subject severe case, the security server may ask ACS (SSID) and the resource (TSID). This is based to block all accesses except the security path on the FLASK architecture: of the security manager. Access = Function (SSID, TSID)
The FLASK architecture can serve as a solu- 4 DSI Security Module tion for the single node processing. When the nodes are presented as a cluster, security solu- Our security enforcement software for Linux tions become more complicated. In this case, is built as a Linux module and works in the we extend the FLASK architecture to the clus- kernel space. We based our development on ter remote access model. One of the new pa- the Linux Security Module (LSM) infrastruc- rameters is the security node ID (SnID) (Fig- ture (security hooks) introduced in the Linux ure 5), which defines the node in terms of the kernel. security. Access rights are no more just the function of the subject and target security ID’s, LSM framework does not supply any addi- but as well, the function of the security node tional security in the Linux kernel. It only ID. provides the infrastructure to support the se- curity development as Linux modules. The Access = Function LSM kernel patch adds security fields to ker- (SSnID,SSID,TSnID,TSID) nel data structures and inserts calls (called Ottawa Linux Symposium 2002 624
hooks) at special points in the kernel code the security node ID is sent to the cluster node, to perform a module specific access con- all the security checks are disabled on this trol. LSM adds methods for registering and node. un-registering security modules, and a gen- eral security system call that allows the com- DSM takes security decisions based on the se- munication between user programs and the curity policy decided by the security server and LSM for security aware applications. Each the security identifiers (SID) assigned to each LSM hook is a function pointer in a global subject and resource. Security Identifiers are structure called security_ops. Because non-persistent and are meaningful only on the the hooks are embedded in the kernel and local node. The security server provides func- are called even before a security module tionality for converting a SID to its correspond- is installed, this structure is initialized to a ing security context. All the entities for which set of functions provided by a dummy se- security is being enforced are divided into se- curity module. These functions are just curity classes. A security class is a distinct type placeholders for more useful security mech- of resource with a distinct set of legal opera- anisms that can be loaded as a Linux mod- tions, for example, a process, a file, etc. register_security ule. A method is in- When a security decision must be taken, the troduced to allow a security module to set its security IDs of a subject and a resource are own security functions (to overlay the dummy extracted from their kernel representations and unregister_security functions). An will be used for the security access decision. method is used to return to the dummy func- For efficiency, the security policy is repre- tions. sented in the kernel memory. The LSM methods are organized into two cat- egories: 4.1 Labels
• Hooks to handle the security fields As already mentioned, all the subjects and re- • Hooks to perform access control sources must be labeled. Since the security module can be loaded run-time, we distinguish two modes of subjects labeling. Before the We started the development with the kernel module is loaded there are no labels attached 2.4.17 [13] and the appropriate security patch to any subject or resource in the system. At (lsm-full-2002_01_15-2.4.17.patch the module initialization time, all the running [15]). The DSM module cannot act alone and tasks are scanned and the labels are attached to rely on the services supplied by DSI. DSM them. When a new process is created after the only enforces the access control but the policy security module is loaded, the security hooks is decided by the DSI security server. The are used to do the labeling. security server is responsible for giving the security policy to the security module. The Because Linux stores the process descriptor security server (SS) is responsible to supply and the Kernel Mode process stack in a sin- the security node ID to each node of the cluster gle 8KB memory area, we can use this fact and as well. Sending the security node ID to the avoid allocating memory for labeling the sub- node of the cluster means that the node is part jects (Figure 6). The other labels are attached of the cluster from the security point of view to the resources run-time, which implies that and it can start the security operation. Before the module checks if the label is there. If the Ottawa Linux Symposium 2002 625
NSID = Function (SnID, SID)
Kernel Stack� This function is specified by the security server in form of the conversion table. The receiving side looks up into the table by specifying SnID and SID and extract the Security Network ID. 8 Kb � Now the security network ID can be used as a task_security_t� block� task� local label to all the access controls. Struct�Task_�Struct� For instance, a client process tries to access a server’s process. The client node does not security� know what is the security of the server node, � so it can only perform access control checks based on the security attributes of the com- Figure 6: Task Label munications resources (sockets, network inter- face). The server node can perform access con- trol checks based on the security attributes of label is not attached, a new label will be cre- the client process, the source node, and the ated. server process. When a process attempts to ac- cept a connection or receive a packet, if the pol- icy prohibits the server process from receiving 4.2 Network Labels data from the client process, the connection or the packet is dropped and alarm is generated. Because the access in the cluster can be per- formed from a subject located on one node to 4.3 Implementation status the resource located on another, there is a need to control such accesses as well. We are in the process of building the work- When a process on one node makes an access ing prototype of the cluster security infrastruc- to a resource on another node, first the local ac- ture. The kernel module has been implemented cess to the communications resources (socket, where the subjects (tasks) have been labeled. network interface) is checked. When the lo- The local access to the communication objects cal access is granted then the message can be (sockets) has been implemented and we are sent to the remote location. In order to iden- currently working on the remote access imple- tify the sending subject, the Security Node ID mentation. (security node identifier) and the Security ID of the subject (security subject identifier) are In the current implementation, the security in- added to the message. For the purpose of this formation is added to the IP message after the exercise, we use the IP protocol for the security IP header as an option. There is no imple- information transfer. A new option is added mentation of the interface to other parts of after the IP header based on the hooks in the the distributed security architecture. The ac- IP protocol stack. On the receiving side, these tions of the security server are simulated by the two information (Security Node ID and Secu- user mode programs (load policy, load secu- rity SID) are extracted (based on the hooks in rity node ID). The alarms generated by the dis- the IP stack) and are used to build the network tributed security module are sent to the special security ID (NSID). user mode program as well. The current imple- Ottawa Linux Symposium 2002 626 mentation is not optimized for the performance calls. The test was performed 5 times and the and it is built in order to check the overall logic average was calculated. Later the average time of the cluster security. of the single loop (fork, wait) was calculated. UDP Local Access Testing 5 Performance Challenges The UDP Local Access test measures the time needed by a process to send a UDP message. Enforcing security does not come free; there This test sends 500,000 UDP messages in a is always a performance price to pay. At the loop. The test was performed 5 times and the same time, an over secured system is almost average was calculated. Later the average time unusable; therefore the security introduced to of the single loop (send) was calculated. The the system must be properly balanced. This sending process does not check if the message section discusses the impact of the security im- was sent outside the node; in addition, it does plementation on the overall performance of the not wait for the confirmation. In this case, it system. is not important whether the server has DSM We performed testing for three different kernel installed or not. configurations: the first testing was done with UDP Remote Access Testing kernel 2.4.17; the second was done with the same kernel and our security module loaded The UDP Remote Access test measures the plus the IP packet modification; the third was time needed by a process to send a UDP mes- done with the same kernel and the security sages and receive a UDP response from a module but without IP packet modification. server. The client process will send a new mes- These tests were executed on a Pentium III 650 sage after receiving the confirmation from the MHz Dell laptop with 265 MB RAM. server. It is important, in this case, that the server runs the DSM software for the permis- 5.1 Test Types sion to be checked on the receiving side. In this test, the second server is a Pentium II 300 MHz We performed three types of testing: process desktop with 128 MB RAM. This test sends creation with fork, UDP local access, and UDP and receives 100,000 UDP messages in a loop. remote access. The purpose of the testing was The test was performed 5 times and the aver- to get a preliminary performance evaluation of age was calculated. Later the average time of the security module, to answer the question of the single loop (send, recv) was calculated. how much performance we lose when adding extra security features. The UDP tests were 5.2 Test Results and Interpretation performed with and without IP packet modi- fication in order to see how much performance was lost during IP packet modification. In the Based on the testing performed, we present the following subsection, we explain the testing results in Table1 and 2. All numbers are in mi- procedure per testing type. croseconds. Process Creation Testing Process Creation Testing Results This test measures the time a process can fork a child that immediately exits. The parent pro- The average fork test with kernel 2.4.17 and the cess loops 100,000 performing fork and wait DSM module was completed in 167 microsec- Ottawa Linux Symposium 2002 627
onds, compared to 169 microseconds with ker- nel 2.4.17 without the DSM module. As a re- sult, we have a 1.2% increase as overhead. This is because the system had to perform a permis- sion check on the fork operation and to spend Linux Linux Overhead some extra time on labeling of the child pro- 2.4.17 2.4.17 % with DSM cess. Fork 167 169 +1.20% UDP Local Access Testing Results UDP Local Access 16.388 19.7 +20% In this case, the average overhead for the set- (Send Message) ting with DSM module against the setting with- UDP out the DSM module is 20%. This overhead Remote Access 133.44 173.88 +30% consists of performing permission check on the (Loopback) socket send message and sk_buff label at- tachment for each message sent plus the la- Table 1: Performance Analysis with IP packet beling of IP messages. When the IP packet modification modification is disabled (Table 2) the overhead drops to 4.2%. As we can see most of the over- head is related to IP packet modification. Only a small fraction of the overhead is caused by the security module. UDP Remote Access Testing Results
In this case, the average overhead for the set- ting with DSM module against the setting with- out the DSM module is 30%. The overhead consists of the following: Linux Linux Overhead 2.4.17 2.4.17 % with DSM • Performing a permission check on the UDP send socket side, Local Access 16.388 17.084 +4.2% (Send Message) • Attaching a label to sk_buff, UDP Remote Access 133.44 140.64 +5.4% • Attaching the security information to the (Loopback) IP message,
Table 2: Performance Analysis without IP • Retrieving the security information on the packet modification receive side,
• Attaching the network security ID to sk_buff,
• Performing the permission checking on sk_buff, Ottawa Linux Symposium 2002 628
• Performing the security checking on the 6 Conclusion socket, and, 6.1 Lessons learned
One of our objectives was to prototype a dis- • Repeating all the above operations on the tributed security module for Linux clusters. return message. During the process, we acquired a lot of com- petence in the area of Linux kernel internals, which allowed us to set up the task security structure without memory allocation. When the IP packet modification is disabled (Table 2), the overhead drops to 5.4%. As we It is always important to divide complex prob- can see most of the overhead is related to IP lems into smaller parts in order to simplify the packet modification. Only a small fraction of solution. In our case, we approached the prob- the overhead is caused by the security module. lem of distributed access control in the way that we tried to answer three important questions:
5.3 Discussion 1. How to perform the local access control?
2. How to perform the remote access con- trol? One of the most frequently asked questions is how adding security mechanisms will affect 3. How to transfer the security information the performance of the system. Based on the from one node to another in a transparent testing results (Table 1), the percentage over- way? head for some operations, such as the UDP re- mote access, is considerable. The simple test, While building the first prototype, we managed like fork, has relatively small overhead because to crash the kernel many times. We realized there is only one security check. Neverthe- that the swapper task (task 0) is not on the less, some more complicated tests, like loop- for_each_task list and has to be handled back, have high overhead because the security separately. is checked in many points on the way of the traveling message. As it is shown in Table 2, One of the lessons was that the system could the most of the overhead is added by the IP not be over secured because it becomes unus- packet modification. able. By loading a very strict policy, we were not able to interact with the operating system These results must be regarded as an upper case up to the point where we had to reboot the sys- of the performance because no single security tem. operation has been optimized. Nevertheless, the results demonstrated the challenges facing 6.2 Final remarks the development of efficient distributed secu- rity. We were able to achieve our first goal of build- We believe that after optimizing the implemen- ing the framework of the mandatory access tation, we will decrease the percentage over- control for Linux cluster. The security checks head significantly. can be performed on the subjects and resources Ottawa Linux Symposium 2002 629 located on the same (local access) and different security as a function of the received connec- nodes (remote access) of the cluster. tion (traffic) from the clients with different se- curity ID’s. When a server accesses resources We tested the framework with buffer overflow on the local node the access control does not attacks and it proved that the current solution know whether the access is a local access or could guard against these types of attacks. is performed on behalf of a remote client. In We continue to work implementing the new this case, there must be a change of the server functionality in DSM for Linux clusters. In access rights based on the clients connected to addition, we are in the process on building a it. benchmarking environment (Security Evalua- In the current implementation, the security in- tion Lab) that is capable of testing the perfor- formation sent on the network is not protected; mance and the resistance of the system against they can be sniffed and used in possible at- various possible attacks such as denial of ser- tacks. Our next objective is to securely trans- vice attacks. mit this information without any performance The distributed security module (DSM) is an degradation. integral part of the distributed security infras- The security information is attached as options tructure (DSI). It relies on the services of DSI to the IP packet. Because the IP protocol is and provides access control services to DSI. relatively high level, there is a need to imple- The development of DSM and DSI are ongo- ment this feature on lower levels of the network ing at full speed. stack.
In the short term, we plan to implement inter- One of our next steps is to investigate the rela- faces between some services of DSI and DSM. tionships when a subject or a resource is out- One of the examples could be the interface be- side the cluster. Since we are at an early pro- tween the security manager on a node and the totype phase, the performance optimization is DSM. This interface will be used to load a new not done yet. Therefore, improving the perfor- policy and to pass a new node security node ID mance of the secure system is the next chal- downloaded by the security manage to a node. lenge. In addition, we plan to introduce the mecha- nisms to pass alarms from DSM to SM and Finally, we plan to test our security mech- later to SS. anisms built into the servers of the cluster through generating different types of attacks to verify how the new security mechanisms can 7 Future Work improve the overall system security.
We are in the early stage of the prototyping and in the first stage of building the mandatory ac- Acknowledgments cess control for Linux clusters. Our first goal is to prototype the framework of the distributed access control to check the logic of the dis- Ibrahim Haddad, Ericsson Research Canada, tributed access. for commenting and reviewing this paper. David Gordon, Ericsson Research Canada, for Based on the limited functionality (socket level contributing to the IP options implementation network access), we plan to exercise the server and buffer overflow exercise. Ottawa Linux Symposium 2002 630
References [10] D.P. Bovet, M. Cesati Understanding the Linux Kernel, O’Reilly, 2001, First Edition.
[11] Buffer Overflow, [1] A. Chitturi “Implementing Mandatory http://www.insecure.org/stf Network Security in a Policy-Flexible /smashstack.txt System,” Masters Thesis, University of Utah, June 1998. [12] Flask Architecture, http://www.cs.utah.edu/flux/fluke [2] P. Loscocco, S. Smallay “Integrating /html/flask.html Flexible Support for Security Policies into Linux Operating System” Technical Report, [13] Linux Kernel, NSA and NAI Labs, Oct 2000. http://www.kernel.org
[3] P. Loscocco, S. Smallay, P.A. [14] Linux Kernel Module Programming, Muckelbauer, R.C. Taylor, S.J. Turner, J.F. http://metalab.unc.edu/mdw/LDP Farrell “The Inevitability of Failure: The /lkmpg/mpg.html Flawed Assumption of Security in Modern [15] LSM Patches to Kernel, Computing Environments” In Proceeding of http://lsm.immunix.org the 21st National Information Systems Security Conference, Oct 1998. [16] Network Patch (selopt), http://www.intercode.com.au [4] P. Loscocco, S. Smallay “Meeting Critical /jmorris/selopt/old/ Security Objectives with Security Enhanced Linux” Technical Report, NSA and NAI Labs, [17] SELinux, http://www.nsa.org Oct 2000. /selinux [5] R. Spencer, P. Loscocco, S. Smallay, M. Hibler, D. Andersen, J. Lepreau “The Flask Glossary Architecture: System Support for Diverse Security Policies,” NSA, SCC, University of ACS Access Control Service Utah. DSI Distributed Security Architecture [6] M. Dagenais, I. Haddad, C. Levert, M. Pourzandi, M Zakrzewski “A New DSM Distributed Security Module Architecture for Security in Carrier Class Clusters,” Apr. 2002. LSM Linux Security Module
[7] G. Nutt Kernel Projects for Linux, Addison NSID Network Security ID Wesley Longman, 2001. SCC Secure Communication Channel [8] A. Rubini, J. Corbet Linux Device Drivers, SM Security Manager O’Reilly, 2001, Second Edition.
[9] M. Beck, H. Boehme, M. Dziadzka, U. SnID Security Node ID Kunitz, R. Magnus, D. Verworner Linux SS Security Server Kernel Internals, Addison Wesley Longman, 1998, Second Edition SSID Source Security ID Ottawa Linux Symposium 2002 631
SSnID Source Security Node ID
TSID Target Security ID
TSnID Target Security Node ID Proceedings of the Ottawa Linux Symposium
June 26th–29th, 2002 Ottawa, Ontario Canada Conference Organizers Andrew J. Hutton, Steamballoon, Inc. Stephanie Donovan, Linux Symposium C. Craig Ross, Linux Symposium
Proceedings Formatting Team John W. Lockhart, Wild Open Source, Inc.
Authors retain copyright to all submitted papers, but have granted unlimited redistribution rights to all as a condition of submission.