SPARTA ISSO

CBOSS: Transfer of Existing Security Technology

A number of useful security technologies exist but are not well-known or well-distributed in mainline software projects. This initiative will complete, port, and distribute a number of existing security technologies to increase their effect on the security of Open Source systems.

This initiative will complete, port, and distribute the following technologies.

Enhanced File System Extended Attributes

FreeBSD's access control mechanisms offer limited expressibility for discretionary policies, and fail to take into account the requirement for mandatory policies, such as Multi-Level Security (MLS), Type-Enforcement (TE) and Biba protection models. Work to improve the set of available security policies in FreeBSD is underway; however, many of these policies require the ability to persistently store new security labels with file system objects. In the upcoming FreeBSD 5.0 release, rudimentary support for Extended Attributes was introduced to support the TrustedBSD Project, permitting the association of arbitrary labels with file system objects [WAT00]. However, the current implementation has poor performance and failure-mode properties, and requires manual configuration. To achieve wide deployment and use, it is necessary to reimplement the existing software as an integral part of the file system implementation, which will allow higher performance, as well as improving resistance to corruption and inconsistency by integrating with the Soft Updates model. A new implementation will also permit low administrative overhead in the deployment of Extended Attributes and associated features. We will continue to participate in existing efforts to develop portable cross-platform Extended Attribute interfaces, as well as support efforts in the OpenBSD and Darwin communities to port FreeBSD Extended Attributes to their platforms. This work is performed in partnership with Kirk McKusick and Poul-Henning Kamp of the FreeBSD Project.

LOMAC/FreeBSD

We will port the existing NAI Labs' LOMAC software to FreeBSD and, with the cooperation of FreeBSD developers, integrate it into the base FreeBSD operating system distribution. LOMAC is a loadable kernel module presently available for Linux kernels that provides Low Water-Mark system integrity protection in a form that is highly compatible and easy to use [BIB77, FRA00]. Due to its extreme simplicity, LOMAC requires no configuration regardless of the users, servers, or other software present on the system. The port will provide FreeBSD administrators with access to LOMAC/FreeBSD within 6 months of funding (by December 2001), allowing them to harden their currently deployed and future systems against malicious code and remote users. We will take advantage of the opportunity presented by the port to strengthen the separation between the kernel-dependent and kernel-independent parts of the LOMAC architecture, thereby encouraging future ports to other free UNIX kernels such as Net- and OpenBSD, to commercial UNIX kernels such as Solaris, and to emerging general access control frameworks such as Poligraph. To this end, we will also investigate the requirements for LOMAC support in Poligraph.
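To make the Low Water-Mark behaviour concrete, here is an added simulation (not LOMAC's code, and not part of this proposal) of the rule LOMAC enforces: a process that reads lower-integrity data is demoted to that level and can no longer write higher-integrity objects. The two levels, the object labels and the paths are constructed assumptions.

```python
# Constructed simulation of the Low Water-Mark integrity model (Biba's
# low water-mark variant) that LOMAC implements. Levels, labels and paths
# are illustrative assumptions, not LOMAC's actual configuration.

HIGH, LOW = 2, 1   # assumption: a minimal two-level setup

# Assumed object labels: system files are high integrity; anything a remote
# user can influence (network sockets, /tmp) is low integrity.
OBJECT_LEVELS = {
    "/bin/sh": HIGH,
    "/etc/passwd": HIGH,
    "/tmp/download": LOW,
    "net:tcp/80": LOW,
}


class Subject:
    """A process carrying its current integrity level; starts at HIGH."""

    def __init__(self, name):
        self.name = name
        self.level = HIGH
        self.log = []

    def read(self, obj):
        # Low water-mark rule: reading lower-integrity data drops the subject
        # to that object's level, and the demotion is never reversed.
        lvl = OBJECT_LEVELS[obj]
        if lvl < self.level:
            self.log.append(f"{self.name}: demoted {self.level}->{lvl} by reading {obj}")
            self.level = lvl
        return True

    def write(self, obj):
        # Integrity rule: a subject may write only objects at or below its level.
        lvl = OBJECT_LEVELS[obj]
        allowed = self.level >= lvl
        self.log.append(f"{self.name}: write {obj} {'allowed' if allowed else 'DENIED'}")
        return allowed


def demo():
    """A network-facing daemon reads remote input, then tries to alter a system file."""
    httpd = Subject("httpd")
    before = httpd.write("/etc/passwd")     # still HIGH: allowed
    httpd.read("net:tcp/80")                # consumes remote input: demoted to LOW
    after = httpd.write("/etc/passwd")      # now LOW: denied
    scratch = httpd.write("/tmp/download")  # LOW object: still allowed
    return before, after, scratch, httpd.level
```

Because demotion follows automatically from what a process reads, no per-program policy has to be written, which is the "no configuration" property the paragraph describes.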

Network Stack Hardening

Since the development of the BSD network stack, a new class of network-based "Denial of Service" (DoS) attacks has proliferated. These dramatically increase the vulnerability of common network services to relatively elementary and highly scriptable attacks. Recognition of this has resulted in a gradual "hardening" effort for network protocols and (over time) implementations. However, not all of these techniques have successfully migrated to the FreeBSD operating system, including the implementation of TCP SYN Cookies [BER] and TCP Endpoint Congestion Notification (ECN) [FLO99]. Adopting the SYN cookie technique as an extension to the current SYN cache technique will allow the FreeBSD IP stack to resist higher volume TCP SYN floods, a common host-based attack technique. Implementing TCP ECN will allow the FreeBSD IP stack to adapt to variable congestion network conditions, allowing improved performance in the face of network-based flood attacks. Another area where security improvement in FreeBSD network stack behavior is possible is the IP Firewall module (IPFW). As techniques for IP filtering have matured with the development of source address filtering, stateful inspection, and new network and protocol services, the FreeBSD IPFW implementation has lagged behind. This was recently demonstrated by a failure of IPFW when handling the recently deployed ECE flag on TCP packets, resulting in incorrect rule matches [FSO01]. The code has never undergone a rigorous code exploration and testing process, which would likely reveal oversights, incorrect handling of newer protocols, and areas for performance improvement. This work is performed in partnership with Jonathan Lemon of the FreeBSD Project.
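The SYN cookie technique mentioned above, shown as an added example rather than FreeBSD's or Bernstein's code: the server's initial sequence number is derived from the connection 4-tuple, a slowly changing counter and a small MSS table, so no state is kept until the client's final ACK echoes a cookie that verifies. The secret, the MSS table and the 5/3/24-bit layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed SYN cookie encoder/verifier. The server keeps no per-connection
# state during a SYN flood: everything needed is recomputed from the ACK.
SECRET = b"constructed-per-boot-secret"   # assumption: random per boot in practice
MSS_TABLE = (536, 1220, 1460, 4312)       # assumption: 4-entry MSS table
MAX_AGE = 1                               # accept the current and previous counter


def _hash24(src_ip, dst_ip, sport, dport, counter):
    """Low 24 bits of the cookie: keyed hash over 4-tuple and counter."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, counter, client_mss):
    """Encode a 32-bit ISN: 5 bits of counter, 3 bits of MSS index, 24 hash bits."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _hash24(src_ip, dst_ip, sport, dport, counter)


def check_cookie(src_ip, dst_ip, sport, dport, counter, ack):
    """Validate the cookie echoed in the client's ACK; return recovered MSS or None."""
    isn = (ack - 1) & 0xFFFFFFFF              # the client acknowledges ISN + 1
    t = isn >> 27
    idx = (isn >> 24) & 0x7
    for age in range(MAX_AGE + 1):
        c = counter - age                      # tolerate a counter tick since the SYN
        if (c & 0x1F) == t and (isn & 0xFFFFFF) == _hash24(src_ip, dst_ip, sport, dport, c):
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None                                # stale, forged, or for another connection
```

A stale or forged ACK simply fails verification and costs the server one hash computation rather than a half-open connection slot.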

PAM Authentication

A vital component to end-host security is the ability to authenticate users of the system so as to assign appropriate system credentials to their processes. In hard-coded authentication environments, the cost of introducing a new authentication scheme is very expensive: every program that makes use of authentication must be modified. This problem is addressed on many modern UNIX systems through the use of Pluggable Authentication Modules (PAM), which also provides a number of other services, such as login session management, authorization, and accounting [OSF95]. The FreeBSD operating system partially implements the PAM service for authentication, but does not use it in all applications, nor does it make use of PAM services other than authentication. This lack of integration has resulted in difficulty in consistently managing the system, as well as hindering development and use of stronger authentication types, such as hardware-based authentication. It has also hindered the deployment of new security models that rely on PAM's ability to offer pluggable session management services. Correcting these weaknesses, as well as introducing support for new authentication mechanisms, is a high priority in improving the security of FreeBSD, as corrections will permit the easier deployment of strong authentication technology and new security models. This work is performed in partnership with Eivind Eklund of the FreeBSD Project.

Cryptographic Protection of Swap and File Systems

With the increased availability of mobile computing hardware, the opportunities for theft and loss of physical storage media have been greatly magnified, putting persistently stored data at risk. Typically, two types of data are written in a manner that leaves them vulnerable if the physical security of storage devices is compromised: data written implicitly as part of the virtual memory swapping service, and data written explicitly via the file system. As both of these types of data may contain sensitive information, such as cryptographic keying material, preserving secrecy after theft of hardware is extremely important. Cryptographic techniques can be employed to protect against data theft by applying encryption (either selectively or universally) to data written to persistent storage. Existing techniques for introducing these features have high development and usability costs, as they require direct integration of cryptographic services into the file system. An alternative technique introduces these services at the device layer by permitting the "stacking" of transform layers over devices. For file systems, this limits the granularity of protection, but allows for rapid development while handling physical compromise cases well. Such a framework could also be used to support secure erasure, media format adaptation, and fault tolerance. This work is performed in partnership with Poul-Henning Kamp of the FreeBSD Project.

SELinux/MLS

The National Security Agency (NSA) has developed a Security-Enhanced Linux (SELinux) prototype that incorporates a flexible Mandatory Access Control architecture into the Linux kernel [LOS00, SMA00]. In the architecture, the security policy logic is encapsulated within a separate component of the operating system called the security server, with a general interface for obtaining security policy decisions. An example security server is provided with the prototype that primarily supports Type Enforcement (TE) [BOE85] and a limited form of Role-Based Access Control (RBAC) [FER92]. Although the SELinux architecture is capable of supporting both the BLP [BEL73] and Biba [BIB77] policy models, the BLP model has not been configured for use, and the Biba model has not been implemented at all. Consequently, SELinux does not provide policy or application compatibility with existing efforts [MOR, SCH] to implement TCSEC-, LSPP-, and POSIX.1e-style MAC [DOD85, NSA99, IEEE97]. Furthermore, SELinux cannot be effectively evaluated against the criteria of the LSPP. These areas constitute gaps that may hamper the acceptance of SELinux. This task will fill these gaps in the NSA implementation by (1) implementing and configuring complete BLP and Biba policy models for the SELinux example security server, and (2) implementing a POSIX.1e MAC library for applications on SELinux, permitting portable MAC-aware applications to operate correctly on SELinux.

Note: funding has not yet been provided for this task.


contactiiso@SPARTA.com