Comments about Trusted Operating Systems

Karl MacMillan has written a detailed response to my article comparing the MLS policies of Trusted Extensions and SELinux. Although I don't agree with many of his assertions, I think this is a healthy discussion. I've posted comments on his blog, but I have one other point to make here.

Despite the fact that my article was about the MLS policies in TX and SELinux, Mr. MacMillan generally played down MLS as a viable security technology. He states:

The problem, in my view, is that the separation offered by MLS systems is more severe than most commercial customers can tolerate and there is no secure way to relax those restrictions. That is where type enforcement really shines. It is possible to clearly and securely specify how information can flow to allow limited flow of data in certain circumstances through specific, trusted processes. The inflexibility of MLS doesn’t offer this: processes are either confined by the policy or are trusted to circumvent it in coarse-grained ways. Relaxing the policy to make it useful essentially destroys any security benefit.

I disagree that relaxing the MLS policy destroys any security benefit. In Trusted Extensions, the MLS policy for labeled zones is always enforced, even for privileged processes. The policy can be relaxed to permit specific trusted processes to request that individual files be upgraded or downgraded, but such relabeling is still subject to review by TCB processes in the global zone. Multilevel ports can be configured for use by trusted processes, but those processes are still constrained to communicate at specific levels.

Type Enforcement has a lot of potential, but MLS, as implemented in Trusted Extensions, provides unique advantages. I am pleased to see a growing awareness in the secure OS community.

Comments:

Hey Glenn, is it possible to launch processes from one zone to run in a different zone? Ideally we'd want to do this from one labeled zone whose label will dominate the zone where we'd like to launch the process... but if necessary we could do it from the global zone.

Thanks for any insight.

Curt

P.S. I work for Rob Peabody on the CDS program here at NG

Posted by Curt Vogue on April 06, 2009 at 02:42 AM PDT #

It is not possible for a process in a labeled zone to launch a process in another zone. Only an all-privileged global zone process can do this. So you need to provide a trusted path facility to proxy the request into the global zone.

This technique is already used in a few places. The GNOME panel and the Trusted Path menu provide a cross-zone parent-child pipe for communication with the global zone. Similarly, the labeld service with a rendezvous file in /var/tsol/doors acts as a proxy for relabeling.

It is possible to send a message on a named pipe from a lower to higher level zone. The message could request execution at the higher level.

Posted by Glenn Faden on September 26, 2009 at 07:51 AM PDT #
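To make the label dominance, write-up and TCB-reviewed relabel points from the post and the comment thread concrete, here is a toy model added for this page. It is not Trusted Extensions code and not part of either commenter's words; the label encoding (classification rank plus compartment set), the clearance range and the review rules are simplifying assumptions.

```python
"""Toy model of MLS label dominance, the *-property, and a TCB-reviewed relabel.

Added illustration for this post, not Trusted Extensions code. The label
encoding (a classification rank plus a compartment set), the clearance range
and the review rules are simplifying assumptions made for the example.
"""
from dataclasses import dataclass, field

# Constructed classification ranks (assumption; not a real TX label_encodings file).
RANKS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Dominance: rank is at least other's and compartments are a superset."""
        return (RANKS[self.classification] >= RANKS[other.classification]
                and self.compartments >= other.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only objects the subject dominates (no read up)."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the subject (no write down)."""
    return obj.dominates(subject)


def may_send_request(sender_zone: Label, target_zone: Label) -> bool:
    """A lower zone may write a request up a named pipe to a zone that dominates it,
    as in the comment above; the reverse direction would be a write down."""
    return may_write(sender_zone, target_zone)


def review_relabel(requester_trusted: bool, new: Label,
                   clearance_range: tuple) -> bool:
    """Model of the TCB review in the global zone: the policy is never bypassed;
    only a trusted requester may relabel, and only within (low, high) clearance
    bounds. The range rule is an assumption for this example."""
    if not requester_trusted:
        return False  # untrusted processes cannot upgrade or downgrade at all
    low, high = clearance_range
    return new.dominates(low) and high.dominates(new)
```

Two labels with different compartments are incomparable, so neither zone may read the other's data; a trusted relabel request still fails when the new label falls outside the configured range.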
