Applicability of Low Water-Mark Mandatory Access Control Security in Linux-Based Advanced Networked Consumer Electronics
Authors: Jinhon K. Guo, Stephen Johnson, David Braun, Il-Pyung Park (Panasonic Information and Networking Technologies Laboratory)
Abstract
Linux is an open source operating system that is rapidly gaining popularity in consumer electronic devices, especially in digital audio and video devices. However, with its success in the market, there is a greater need for security. In this paper, we present a Trojan attack scenario that compromises the security of a Linux-based networked appliance. Then, we demonstrate how a simple Low Water-Mark Mandatory Access Control (LOMAC) module can protect the system against such attacks. However, LOMAC implements this Access Control by interposition at the kernel’s system call interface and uses implicit attribute mapping to map security attributes to files, which is invasive. We present a LOMAC implementation as a Linux Security Module (LSM), a new framework for providing standard interfaces to loadable security modules for the Linux kernel.
Annotations
LOMAC was originally designed on an older Linux kernel (2.2) to provide Mandatory Access Control that protects Linux-based networked appliances from attacks such as Trojans arriving via email. The original idea was to interpose on all of the relevant system calls, since this was a trivial task to do before the 2.6 kernel. However, there are trade-offs to doing this, and a lot more complexity is added.
This paper, which is not by the original designer of LOMAC (Fraser), migrates the software over to the Linux Security Module (LSM) framework. "The module, then, is able to make a decision whether to grant or deny the access. It is a generic, simple, less invasive efficient solution to mandatory access control modules."
The basic ideas of LOMAC stay the same in either version. The system running LOMAC is protected by dividing all of the processes into different levels of integrity, high and low. For example, if a high-level process accesses a low-integrity object, it is no longer allowed to access high-integrity objects. In essence, the process becomes jailed.
The authors ran tests with a Trojan that carries root privileges; when the Trojan attempts to read the low-integrity email, it is demoted and is no longer able to write back to the system area.
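To make the demotion and jailing concrete, here is a small user-space model of the two low water-mark rules and of the Trojan scenario above. It is written for this note and is not code from the paper or from LOMAC itself: the `lomac_read`/`lomac_write` names, the two-level `enum`, and the file paths are assumptions, and the real module applies the same rules inside the kernel (originally by system-call interposition, later via LSM hooks) rather than on these structs. The comparison-based rules work unchanged for any number of ordered levels, not just the two the page describes.

```c
#include <stdio.h>

/* Integrity levels of the two-level model described on the page.
 * A larger number means higher integrity. */
enum level { LOW = 1, HIGH = 2 };

struct subject { const char *name; enum level level; };   /* a process */
struct object  { const char *path; enum level level; };   /* a file, socket, ... */

/* Read rule: reads are always permitted, but reading an object of lower
 * integrity demotes the subject to that object's level. The subject's
 * "water mark" only ever moves down; there is no promotion. */
void lomac_read(struct subject *s, const struct object *o)
{
    if (o->level < s->level)
        s->level = o->level;
}

/* Write rule: a subject may write only to objects at or below its current
 * level. This check is orthogonal to DAC: it applies even to uid 0. */
int lomac_write(const struct subject *s, const struct object *o)
{
    return s->level >= o->level;
}

/* Wrappers over the two rules so each can be exercised in isolation. */
enum level level_after_read(enum level subj, enum level obj)
{
    struct subject s = { "s", subj };
    struct object  o = { "o", obj };
    lomac_read(&s, &o);
    return s.level;
}

int can_write(enum level subj, enum level obj)
{
    struct subject s = { "s", subj };
    struct object  o = { "o", obj };
    return lomac_write(&s, &o);
}

/* The scenario from the paper: a Trojan running as root (a high-integrity
 * subject) reads low-integrity email, then tries to write into the system
 * area. Returns 1 if the write was allowed before the read and denied after
 * it, i.e. the policy jailed the process. Paths are constructed sample values. */
int trojan_scenario(void)
{
    struct subject trojan = { "trojan (uid 0)", HIGH };
    const struct object mail = { "/var/mail/user", LOW };   /* untrusted input */
    const struct object bin  = { "/bin/ls", HIGH };         /* system area */

    int before = lomac_write(&trojan, &bin);   /* 1: still high integrity */
    lomac_read(&trojan, &mail);                /* demoted to LOW */
    int after = lomac_write(&trojan, &bin);    /* 0: write now denied */

    printf("%s: write %s before reading mail, %s after (level now %s)\n",
           trojan.name, before ? "allowed" : "denied",
           after ? "allowed" : "denied",
           trojan.level == HIGH ? "HIGH" : "LOW");
    return before && !after;
}

int main(void)
{
    return trojan_scenario() ? 0 : 1;
}
```

The point the model makes visible is that the Trojan is never denied the read; the cost of reading untrusted data is paid afterwards, when the now-low-integrity process can no longer modify high-integrity system files, regardless of its uid.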
Pros/Cons of LSM:
"LSM provides us with enough hooks to mediate all these original system calls without patching the kernel." (VERY IMPORTANT!)
"However, it does not provide us with enough "post" system call hooks to do monitoring after a system call successfully completed."
(This explains the reason for such calls as SOCKET_POST_CREATE and SOCKET_POST_ACCEPT in the LSM framework)
Fun Fact:
The original author, on his website, is proud that LOMAC was listed as one of the main modules to disable on a system when attempting to install a rootkit, in particular the Kis rootkit. [http://alum.wpi.edu/~tfraser/Software/LOMAC/index.html]
Related Work
- Fraser, "LOMAC: MAC You Can Live With," FREENIX Track, 2001 USENIX Annual Technical Conference [http://alum.wpi.edu/~tfraser/Papers/timothy-fraser-2001-1.pdf].
- Fraser, "LOMAC: Low Water-Mark Integrity Protection for COTS Environments," 2000 IEEE Symposium on Security and Privacy [http://alum.wpi.edu/~tfraser/Papers/timothy-fraser-2000-1.pdf].
--
AndrewBlaich - 20 Jun 2007