Security-Enhanced Darwin: Porting Selinux to Mac OS X Christopher Vance Todd C
Total Page:16
File Type:pdf, Size:1020Kb
Security-Enhanced Darwin: Porting SELinux to Mac OS X Christopher Vance Todd C. Miller Robert Dekelbaum Andrew Reisse SPARTA, Inc. SPARTA, Inc. SPARTA, Inc. SPARTA, Inc. Abstract hide some of the system complexity, Apple has added a layer of simpler security APIs to manage Keychain Security-Enhanced Darwin (SEDarwin) is a port of Services, secure network communication, provide access control elements derived from the National Se- certificate and trust services, and manage Authorization curity Agency’s Security Enhanced Linux (SELinux) Services. Integral to this model, the Authorization to Darwin, the Open Source core of Apple’s Mac OS Services APIs communicate with a user space Security X operating system. Mac OS X combines both Open Server to determine whether operations and accesses Source and proprietary technologies into a widely-used, are permitted. production-quality UNIX-based workstation. Because Darwin is available under an Open Source license, it One of the shortcomings of Apple’s security architec- is possible to add mandatory access controls while still ture is the lack of consistent, centralized access control. maintaining compatibility with the large base of user While there are discretionary access control (DAC) space applications, proprietary graphical components, checks for BSD components, Mach port rights for the and programming frameworks. While it was straight- Mach subsystem, ACLs and Kauth controls for file forward to port many of the SELinux components, Dar- access, and Security Services for user space services, win’s unique architecture meant significant new engi- there is no overarching design or single configuration neering was necessary in order to provide SELinux-style point. Each component is configured and operates access controls consistently across the entire system. separately. The TrustedBSD Mandatory Access Control This paper describes the component technologies in Dar- (MAC) Framework was added to Darwin to address win, the areas of significant new development, and pro- this by adding access controls consistently throughout vides comparisons to SELinux. the kernel and by providing APIs for user space pol- 1 Introduction icy decisions. This Framework makes it possible to implement a single access control policy that provides Apple’s Mac OS X provides a number of security protection for login sessions, processes, files, pipes, mechanisms, comprising both user space and kernel network communication, System V and POSIX IPC, components[1]. The operating system kernel includes and Mach IPC. support for: • UNIX-style discretionary access control checks: With the addition of the TrustedBSD MAC Frame- based on user and group identifiers. work, a full suite of kernel security mechanisms • Mach port rights: besides controlling interprocess becomes available. Since the MAC Framework was communication (IPC) channels, Mach port rights designed to be orthogonal to existing security mecha- can protect tasks, threads, memory ranges, proces- nisms, it does not replace any vendor access controls or sors, and other devices. grant privilege beyond what the base system permits. By • Audit support: generated audit logs use Sun’s Basic design, the MAC Framework can only further restrict Security Module (BSM) token stream format. system access. The MAC Framework is similar in • BSD-style process accounting: records system ac- concept and construction to the Linux Security Modules counting information for all processes. (LSM) Framework. Each extends the base operating • Encrypted virtual memory: AES algorithm used to system security architecture by allowing pluggable encrypt virtual memory pages when stored on disk. security modules to further constrain applications. • Access Control Lists (ACLs): per-file fine-grained permission model implemented using extended at- With the addition of the MAC Framework, SELinux tributes. technologies can be incorporated to achieve consistent • Kauth: Apple’s own in-kernel flexible, extensible access control coverage. Apple’s Mac OS X operating security architecture for securing file access. system uses a unique blending of component technolo- In addition to the kernel security components, Mac gies that substantially distinguishes it from FreeBSD, OS X provides a flexible user space security model. To Linux, Solaris, and other UNIX-like operating systems. Draft: 2007/01/22 11:35 Page: 1 This architecture led to many challenges when porting Application Environments User the SELinux technologies. Environment Common Services This paper will discuss Apple’s architecture, the ap- plication of the TrustedBSD MAC Framework to this Darwin XNU Kernel BSD Subsystem Mach Subsystem Kernel architecture, the significant technical development that Environment File Systems Virtual Memory was necessary to secure the Mach IPC and IOKit sub- Networking Tasks/Threads Posix IPC Scheduling Processes Mach IPC systems of Apple’s operating system, and the adaptation Unix DAC/ACLs of the SELinux components for use on the Apple system. Firmware Open Firmware & BootX or EFI 2 Background Hardware PowerPC or x86 2.1 Mac OS X Figure 1: Apple’s OS X Architecture Apple’s Mac OS X is a commercially available operat- ing system providing a graphical user interface on top of 2.2 DTOS a UNIX core. Darwin, the Open Source core of Mac OS The Distributed Trusted Operating System (DTOS) X, is composed of a variety of technologies, including project was an enhanced version of the Mach 3.0 facilities derived from the Mach 3.0 microkernel[2], microkernel that included a Mach security server to operating system services based on FreeBSD 5, high secure process management, file objects, the network performance networking facilities, and multiple inte- stack and Mach IPC. The project was a joint effort grated file systems. Like most UNIX systems, the by the National Security Agency (NSA) and Secure Darwin kernel is engineered for stability, reliability, Computing Corporation. This work developed a pro- and performance[3, 4]. Layered on top of the UNIX totype secure Mach microkernel that provided strong, core are a collection of graphics routines, a windowing flexible security controls with good performance and system, a user interface, and an application object application compatibility[5, 6]. The DTOS microkernel model, as shown in Figure 1. Together, these are the made enhancements to the Mach 3.0 design, the same components that help make Mac OS X a commercially version of Mach upon which Darwin is based. DTOS viable desktop system. used the Lites[7] Mach server as its BSD subsystem. Unlike the BSD kernel code in Darwin, Lites runs as a Apple makes the Darwin source code available under user-level single server; it is not kernel-resident as it is the Apple Public Source License, permitting third party in Darwin. inspection, modification, and extension of the operating system. This makes Darwin an attractive platform The DTOS security server utilized a Type for operating system research, since researchers have Enforcement[8] policy that was a precursor to the the complete source code without the burden of non- Type Enforcement used by FLASK (described be- disclosure restrictions. Through careful modification low). While the DTOS code was not directly used in of the Darwin core, operating system behavior can be SEDarwin, it was examined to help understand the changed while still allowing the higher level application complexities of introducing security into a Mach-based interfaces (Aqua, Quartz, Carbon, etc.) to function, operating system. The goals of SEDarwin and DTOS thereby preserving the user experience. It was especially are quite similar: develop a prototype that can be used to important to maintain compatibility with commercially demonstrate that strong, useful security features can be developed and supported applications such as Microsoft introduced into an operating system without sacrificing Office, Adobe Digital Imaging Software, professional- desirable features such as performance or utility. grade audio and video processing software, and licensed (DRM-enabled) multimedia playback that help 2.3 FLASK and SELinux distinguish Mac OS X from other UNIX-based systems. The Flux Advanced Security Kernel (FLASK) is an operating system security architecture that provides a Darwin’s kernel uses a Mach 3.0-derived core to man- flexible and fine-grained MAC architecture[9] using age processor resources (CPU and memory), handle a generalized form of Type Enforcement. It was scheduling, enforce memory protection, and implement developed as a security-enhanced version of the Fluke interprocess communication. Mach provides most of the microkernel-based operating system[10]. core OS services, including memory protection, preemp- tive multitasking, and advanced virtual memory. NSA’s Security-Enhanced Linux[11] (SELinux) is a Draft: 2007/01/22 11:35 Page: 2 version of the Linux kernel that includes a version of per-object allocated memory, or reference-counted the FLASK security server. Policy enforcement logic is structures. implemented using the interfaces provided by the LSM framework[11]. A wide range of security models can Security labels follow the existing allocation and be implemented as security servers without requiring usage cycles that the kernel uses to manage objects. changes to any other component of the system. The For most kernel objects, this life cycle consists of FLASK architectural abstractions of the security server allocation, initialization, use, and deallocation. While and access control vector cache are preserved in the the