Virtualization in Multilevel Security Environments

Slide 1: Virtualization in Multilevel Security Environments
Dr. Christoph Schuba
[email protected]
http://blogs.sun.com/schuba

Slide 2: Agenda
• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

Slide 4: Virtualization Technologies
• Type 1 - Hypervisor-based virtualization
  > xVM-style (think Xen)
  > Logical Domains (LDOM) - firmware-style, SPARC CMT
• OS virtualization
  > Containers (aka Zones), both x64 and SPARC
• Type 2 - Hypervisor-based virtualization
• Desktop and network virtualization
  > Sun Ray, VDI, Crossbow, ...
• Combinations!

Slide 5: Server Virtualization Categories
(Four categories; the first two run multiple OS instances per server, the last two share a single OS.)

Hard Partitions (multiple OS)
  > Very High RAS
  > Very Scalable
  > Mature Technology
  > Cleanly divides system and application administration

Virtual Machines (multiple OS)
  > Ability to live migrate an OS
  > Ability to run different OS versions and types
  > De-couples OS and HW versions

OS Virtualization (single OS)
  > Very scalable and low overhead
  > Single OS to manage
  > Fine grained resource management
  > Ability to run different OS versions

Resource Management (single OS)
  > Very scalable and low overhead
  > Single OS to manage
  > Fine grained resource management

Slide 6: Virtualization
Virtualization is the idea of introducing an abstraction layer that decouples previously adjacent layers to deliver greater resource utilization and flexibility.
• Layers?
  > application, operating system, network, storage, file system, memory, resources, etc.

Slide 7: A Word About the Software
• Solaris vs. OpenSolaris
  > Initially developer focus, soon enterprise
  > Free
  > Open source
  > Superior prototyping environment for security research
    – virtualization technologies,
    – process privileges,
    – fault and service management,
    – open storage, especially ZFS,
    – cryptographic framework, etc.
• Type-2 hypervisor VirtualBox

Slide 8: Multilevel Architecture
• Layered architecture implements:
  > Mandatory access control
  > Hierarchical labels
  > Principle of least privilege
  > Trusted path
  > Role-based access
[Diagram: layered stack of SPARC, x86 or x64 hardware; Solaris kernel; global zone; labeled zones "Need-to-know", "Internal Use" and "Public"; local or Sun Ray display.]

Slide 9: Solaris Trusted Extensions
• All objects are labeled, based on sensitivity
• Access governed by the labels' hierarchical relationship
[Diagram: example label hierarchies. Commercial hierarchy: Executive Management > VP and Above > Directors > All Employees. Government hierarchy: Top Secret > Secret > Confidential > Classified. Non-hierarchical compartments: Daisy's Florists, Net Inc., Music Online. Caption: Solaris 10 with or without Trusted Extensions; Trusted Extensions provide mandatory access control and security labels.]

Slide 10: What's Solaris Trusted Extensions?
• A redesign of the Trusted Solaris product using a layered architecture
• An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects
• A set of software packages integrated into the standard Solaris 10 system
• A set of label-aware services which implement multilevel security

Slide 11: What are Label-Aware Services?
• Services which are trusted to protect multilevel information according to predefined policy
• Trusted Extensions label-aware services include:
  > Labeled Desktops
  > Labeled Printing
  > Labeled Networking
  > Labeled Filesystems
  > Label Configuration and Translation
  > System Management Tools
  > Device Allocation

Slide 12: Trusted Extensions in a Nutshell
• Every object has a label associated with it
  > Files, windows, printers, devices, network packets, network interfaces, processes, etc.
• Accessing or sharing data is controlled by the objects' label relationship to each other
  > 'Secret' objects do not see 'Top Secret' objects
• Administrators utilize roles for separation of duty
  > Security admin, user admin, installation, etc.
• Processes use privileges rather than root access
• Strong independent certification of security

Slide 13: Trusted Solaris History
• 1990, SunOS MLS 1.0
  > Conformed to TCSEC (1985 Orange Book)
• 1992, SunOS CMW 1.0
  > Compartmented-mode workstation requirements
  > Release 1.2 ITSEC certified for FB1 E3, 1995
• 1996, Trusted Solaris 2.5
  > ITSEC certified for FB1 E3, 1998
• 1999, Trusted Solaris 7
• 2000, Trusted Solaris 8
  > Common Criteria: CAPP, RBACPP, LSPP at EAL4+
• 2008, Solaris 10 Trusted Extensions
  > Common Criteria: CAPP, RBACPP, LSPP at EAL4+

Slide 14: Solaris Trusted Extensions
[Diagram comparing the two stacks. Trusted Solaris 8: label-aware services, trusted networking and trusted desktop on top of a modified TCP/IP, process containment by labels, and privileges. Trusted Extensions: the same label-aware services, trusted networking and trusted desktop on top of the stock Solaris 10 TCP/IP, process containment by zones, and privileges, all on Solaris 10.]
• Benefits:
  > Software portability
  > Patch compatibility
  > Shorter release window
  > More familiar

Slide 15: Integration of Trusted Extensions
• Leveraging Solaris functionality:
  > Process and user rights management, auditing, zones
  > Make use of existing Solaris kernel enhancements
• Elimination of patch redundancy:
  > All Solaris patches apply, hence available sooner
  > No lag in hardware platform availability
• Extend Solaris Application Guarantee
• Full hardware and software support
  > File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
  > Processors (SPARC, x86, AMD64)
  > Infrastructure (Cluster, Grid, Directory, etc.)

Slide 16: Labeled Zones in Trusted Extensions
• Each zone provides a security boundary
  > Unique sensitivity label per zone
  > Labels are implied by process zone IDs
  > Processes and data are isolated by label
• No object is writable by more than one zone
  > Mount policy prevents writing down or reading up
  > Network policy requires endpoint label equality (default)
• Information sharing between zones is based on label relationships

Slide 17: Solaris Kernel Services
• Multilevel networking
• Filesystem mount policy
• Containment (zones)
  > Processes
  > Devices
  > Resource pools
[Same layered-architecture diagram as slide 8, highlighting the Solaris kernel layer.]

Slide 18: Multilevel Services
• Label policy administration
• Name services
• Labeled printing
• File relabeling
• Device allocation
• Labeled windows
• Single sign-on
[Same layered-architecture diagram as slide 8, highlighting the global zone layer.]

Slide 19: Single Level Applications
• Application launchers
• Windows XP Remote Desktop
• Mozilla
• StarOffice
• CDE or Java Desktop System
[Same layered-architecture diagram as slide 8, highlighting the labeled zones.]

Slide 20: Agenda (repeated)

Slide 21: Filesystem MAC Policies
• Labels derived from a filesystem owner's label
• Mount policy is always enforced
  > No reading-up
    – Read-write mounts require label equality in labeled zones
  > Reading-down
    – Read-only mounts require dominance by the client
    – Can be restricted via the zone's limit set and network label range
  > Writing-up
    – Cannot write up to regular files
    – Limited write-up to label-aware services (via TCP and doors)
  > Writing-down
    – Restricted to privileged label-aware global zone services

Slides 22-25: Labeled Filesystems
• Read-only zone access to lower-level directories
• Supports all filesystem types
• Both local and NFS filesystems
• Administered via the global zone
[Diagram, built up over slides 22-25: the global zone root (/) holds /usr and the zone roots of the need-to-know, internal and public zones; each labeled zone root contains export and usr subdirectories. Lower-level zones' export directories are loopback-mounted read-only into higher-level zones: the internal zone sees zone/public/export, and the need-to-know zone sees zone/internal/export and zone/public/export. Legend: label hierarchy ADMIN_HIGH > NEED TO KNOW > INTERNAL USE ONLY > PUBLIC > ADMIN_LOW; subdirectory vs. loopback mount.]

Slide 26: NFS Support for Zones
• NFS clients:
  > Each zone has its own automounter
  > Kernel enforces MAC policy for NFS mounts
• NFS servers:
  > Per-zone sharing policy set in the global zone
  > Kernel enforces MAC policy for NFS requests
• The global zone administrator can export filesystems from labeled zones
  > Each export must be a single-level
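The label dominance relation behind slide 9 and the mount, write and network rules on slides 16 and 21, carried through in working form. This is an added example, not code from the deck or from Solaris Trusted Extensions. It assumes the five classifications in the labeled-filesystem legend (ADMIN_LOW < PUBLIC < INTERNAL USE ONLY < NEED TO KNOW < ADMIN_HIGH), optional non-hierarchical compartments modelled on the slide 9 examples, and illustrative function names (mount_allowed, access_allowed, network_allowed, readonly_lower_mounts) that are not the product's API.

```python
"""Added example, not from the slides: a minimal model of Trusted Extensions
style sensitivity labels and the mount/access rules the deck lists.

Assumptions (illustrative, not the product's own code):
  - classifications are the five labels in the legend of the labeled
    filesystem diagram, ranked ADMIN_LOW < PUBLIC < INTERNAL USE ONLY
    < NEED TO KNOW < ADMIN_HIGH;
  - a label may carry a set of non-hierarchical compartments (slide 9's
    "Net Inc.", "Daisy's Florists", ...), and dominance requires the
    dominating label to hold every compartment of the dominated one.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

RANK = {"ADMIN_LOW": 0, "PUBLIC": 1, "INTERNAL USE ONLY": 2,
        "NEED TO KNOW": 3, "ADMIN_HIGH": 4}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice. ADMIN_HIGH dominates every
        label and ADMIN_LOW is dominated by every label, compartments aside."""
        if self.classification == "ADMIN_HIGH" or other.classification == "ADMIN_LOW":
            return True
        if self.classification == "ADMIN_LOW" or other.classification == "ADMIN_HIGH":
            return False
        return (RANK[self.classification] >= RANK[other.classification]
                and other.compartments <= self.compartments)

    def strictly_dominates(self, other: "Label") -> bool:
        return self.dominates(other) and self != other


def mount_allowed(client: Label, fs: Label, mode: str) -> bool:
    """Slide 21 mount policy: read-write mounts need label equality,
    read-only mounts need the client to dominate the filesystem label."""
    if mode == "rw":
        return client == fs
    if mode == "ro":
        return client.dominates(fs)
    raise ValueError(f"unknown mount mode {mode!r}")


def access_allowed(subject: Label, obj: Label, op: str, *,
                   obj_kind: str = "file", privileged_global_zone: bool = False) -> bool:
    """Read/write rules from slides 16 and 21.

    read : subject must dominate the object (no read-up).
    write: equal labels are fine; write-up is only permitted to a label-aware
           service endpoint (TCP/doors), never to a regular file; write-down
           is reserved for privileged label-aware services in the global zone.
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        if subject == obj:
            return True
        if obj.strictly_dominates(subject):      # write-up
            return obj_kind == "service"
        if subject.strictly_dominates(obj):      # write-down
            return privileged_global_zone
        return False                             # incomparable labels
    raise ValueError(f"unknown operation {op!r}")


def network_allowed(a: Label, b: Label) -> bool:
    """Default network policy (slide 16): endpoint labels must be equal."""
    return a == b


def readonly_lower_mounts(zones: Dict[str, Label]) -> Dict[str, List[str]]:
    """Which zones' export directories each zone may loopback-mount read-only
    (slides 22-25): exactly the zones whose label it strictly dominates."""
    return {name: sorted(other for other, lbl in zones.items()
                         if label.strictly_dominates(lbl))
            for name, label in zones.items()}


# Constructed sample: the three labeled zones from the deck's diagrams.
ZONES = {
    "need-to-know": Label("NEED TO KNOW"),
    "internal": Label("INTERNAL USE ONLY"),
    "public": Label("PUBLIC"),
}

if __name__ == "__main__":
    for zone, lower in readonly_lower_mounts(ZONES).items():
        print(f"{zone:13s} may mount read-only: {lower or '(none)'}")
    ntk, internal = ZONES["need-to-know"], ZONES["internal"]
    print("rw mount of internal export in need-to-know:", mount_allowed(ntk, internal, "rw"))
    print("public process writing an internal file:", access_allowed(ZONES["public"], internal, "write"))
    print("public process writing up to an internal service:",
          access_allowed(ZONES["public"], internal, "write", obj_kind="service"))
    # Two compartments at the same classification are incomparable (slide 9).
    net = Label("INTERNAL USE ONLY", frozenset({"Net Inc."}))
    daisy = Label("INTERNAL USE ONLY", frozenset({"Daisy's Florists"}))
    print("Net Inc. can read Daisy's Florists data:", access_allowed(net, daisy, "read"))
```

The point worth checking against the deck is that "no object is writable by more than one zone" falls out of the write rule alone: a regular file is only ever writable at its own label, a lower zone can push data up only through a label-aware service endpoint, and anything flowing down has to pass a privileged global-zone service, which is where a reviewer should concentrate attention.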

Document details: PDF, 58 pages, English.
