The main goal of my master thesis was to adapt and implement the "Generalized Framework for Access Control" (GFAC) in a living Unix system, following a proposal by L. J. La Padula. The GFAC divides the functionality of access control systems into several independent components, thus increasing flexibility and decreasing the number of possible errors.
The flexibility gained shows mainly in the possibility of integrating several independent security models, the rule sets, into one configurable and extensible access control system. This is achieved by separating the model-independent enforcement of security and safety from the model-dependent decision mechanisms. Despite the integration, all rule sets, each representing a consistent security model, remain unchanged.
All security and safety evaluation is based on the areas confidentiality, integrity, availability and privacy. While the older, US American evaluation criteria TCSEC ("Orange Book") are restricted to confidentiality, the European ITSEC contains eight generic headings from the areas confidentiality, integrity and availability for evaluating the functionality of security mechanisms. Additionally, ITSEC addresses the level of trust to be placed in the effectiveness of a given functionality profile and in the correctness of its implementation.
To cover the fourth area, privacy, I added two headings: protection of the personal data of users and protection of the personal data of other people. The first is already covered by the internationally harmonized Common Criteria, which are currently under development.
Of the five security models chosen for my thesis, two, Functional Control and Security Information Modification, are simple role-based example models. While the classical Mandatory Access Control model by Bell and La Padula, like TCSEC, concentrates on confidentiality, the Clark-Wilson Integrity Model aims mainly at integrity as a basis for commercial data processing.
The fifth model, which was not proposed by La Padula, is Simone Fischer-Hübner's Privacy Model. Its first adaptation to and implementation in a real system is another important goal of my thesis. This model was specially designed to meet privacy requirements, but it also covers confidentiality and integrity as essential parts of privacy.
Since extensive logging of all user activity is useful for all security models but dangerous for user privacy, I decided to maintain pseudonyms for all users and to provide pseudonymous logging only. Nevertheless, user profiles can still lead to exact user identification.
The adaptation to Linux followed not only those general goals, but also some minor, mostly system-specific ones. For instance, each rule set, encapsulated in a module, should take care of its own protection and should be switchable on or off at runtime under its own control. All mechanisms should be independent of the underlying file system and as secure, extensible, flexible, stable and efficient as possible. Thus a maximum of availability and a minimum of effort for changes could be gained.
The access control, context and authorization information defined in the GFAC were put into one component, the Data Structures. Access control information is kept in attributes bound to subjects, that is users and processes, and to objects, that is files, directories and interprocess communication channels. The context contains all other, mostly model-dependent information used by the decision rules, such as tasks or user groups. All access to the Data Structures component goes through defined access functions.
As all accesses from process level to mass storage or other system parts in a Unix system require system calls into the kernel, enforcement of access control can only be done by extending all relevant system calls. These extensions merely call the decision component and enforce the decision returned, either by performing the original system call functionality or by returning an error to the calling process. After successful execution, the decision component is notified so that all decision modules can adjust their attributes accordingly, and control is returned to the process.
The parameters of the decision and the notification function are the request, describing the desired type of functionality, the identification of the calling process and, where possible, the id of the target of the access, a subject or an object. For notification, a second, newly created target can be given. Based on these parameters the decision modules fetch all access control and context information they need from the Data Structures component and build a decision, or adjust the data on notification. The central dispatcher function combines the individual results into a final decision that is returned to the enforcement code.
Extending an existing system with given security models leads to some practical problems, e.g. programs sometimes do not conform to model assumptions, or objects come into and go out of the scope of a model. As an example, the necessary setting of the current security levels of processes for the Bell-La Padula model had to be automated, because the original system programs did not take care of it. In Linux, process memory areas can be fully accessed by their owning process, whereas in the reference system Multics they are controlled like files. Thus the *-property had to be enforced with extra input and output control based on additional min-max process attributes, because data could be buffered in memory.
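As an added example, not code from the thesis or from RSBAC itself, the following user-space C model shows the split described in the three preceding paragraphs: a Data Structures component reached only through access functions, two decision modules (a Bell-La Padula module with the min/max process attributes used for the *-property, and a simple role-based rule), a central dispatcher combining their answers, and an enforcement hook standing in for an extended system call that asks first, performs the operation, and notifies on success. The request and result names, the combining rule (any NOT_GRANTED vetoes, DO_NOT_CARE never blocks) and the exact min/max bookkeeping are my assumptions for illustration, not the project's kernel interface; the sample attribute values are constructed.

```c
/* Added example (not RSBAC's or the thesis's own code): a user-space model of
 * the GFAC enforcement/decision split.  Names, result values, the combining
 * rule and the min/max rules are illustrative assumptions. */
#include <stdio.h>
#include <errno.h>
#include <limits.h>

enum request { R_READ_OPEN, R_WRITE_OPEN };
enum result  { DO_NOT_CARE, GRANTED, NOT_GRANTED };   /* one module's answer */

/* ---- Data Structures component: attributes reachable via access functions ---- */
#define MAX_PROC 4
#define MAX_OBJ  4
struct proc_attr {
    unsigned level;      /* current security level of the process (Bell-La Padula) */
    unsigned min_write;  /* lowest object level this process has opened for write */
    unsigned max_read;   /* highest object level this process has opened for read */
    int      role;       /* role used by the role-based module */
};
struct obj_attr {
    unsigned level;      /* classification of the object */
    int      write_role; /* role required to write, -1 = any (assumed rule) */
};
static struct proc_attr procs[MAX_PROC];
static struct obj_attr  objs[MAX_OBJ];

static int ds_get_proc(int pid, struct proc_attr *p) {
    if (pid < 0 || pid >= MAX_PROC) return -1; *p = procs[pid]; return 0; }
static int ds_set_proc(int pid, const struct proc_attr *p) {
    if (pid < 0 || pid >= MAX_PROC) return -1; procs[pid] = *p; return 0; }
static int ds_get_obj(int oid, struct obj_attr *o) {
    if (oid < 0 || oid >= MAX_OBJ) return -1; *o = objs[oid]; return 0; }

/* ---- decision module 1: MAC with min/max tracking for the *-property ---- */
static enum result mac_decide(enum request r, int pid, int oid) {
    struct proc_attr p; struct obj_attr o;
    if (ds_get_proc(pid, &p) || ds_get_obj(oid, &o)) return NOT_GRANTED;
    if (r == R_READ_OPEN) {
        if (o.level > p.level) return NOT_GRANTED;      /* no read up */
        /* data read now may sit buffered in memory and later be written to any
           object already open for write, so it must not exceed the lowest write level */
        if (o.level > p.min_write) return NOT_GRANTED;
        return GRANTED;
    }
    /* write: nothing read so far may flow to a lower level (no write down) */
    return o.level < p.max_read ? NOT_GRANTED : GRANTED;
}
static void mac_notify(enum request r, int pid, int oid) {
    struct proc_attr p; struct obj_attr o;
    if (ds_get_proc(pid, &p) || ds_get_obj(oid, &o)) return;
    if (r == R_READ_OPEN  && o.level > p.max_read)  p.max_read  = o.level;
    if (r == R_WRITE_OPEN && o.level < p.min_write) p.min_write = o.level;
    ds_set_proc(pid, &p);
}

/* ---- decision module 2: a simple role-based rule on write access ---- */
static enum result role_decide(enum request r, int pid, int oid) {
    struct proc_attr p; struct obj_attr o;
    if (ds_get_proc(pid, &p) || ds_get_obj(oid, &o)) return NOT_GRANTED;
    if (r != R_WRITE_OPEN || o.write_role < 0) return DO_NOT_CARE;
    return p.role == o.write_role ? GRANTED : NOT_GRANTED;
}
static void role_notify(enum request r, int pid, int oid) { (void)r; (void)pid; (void)oid; }

/* ---- central dispatcher: any veto wins, DO_NOT_CARE never blocks ---- */
struct module { enum result (*decide)(enum request, int, int);
                void (*notify)(enum request, int, int); int enabled; };
static struct module modules[] = { { mac_decide,  mac_notify,  1 },
                                   { role_decide, role_notify, 1 } };
#define NMOD (sizeof modules / sizeof modules[0])

static enum result adf_request(enum request r, int pid, int oid) {
    enum result final = DO_NOT_CARE;
    for (size_t i = 0; i < NMOD; i++) {
        if (!modules[i].enabled) continue;          /* module switched off at runtime */
        enum result res = modules[i].decide(r, pid, oid);
        if (res == NOT_GRANTED) return NOT_GRANTED;
        if (res == GRANTED) final = GRANTED;
    }
    return final;
}
static void adf_set_attr(enum request r, int pid, int oid) {
    for (size_t i = 0; i < NMOD; i++)
        if (modules[i].enabled) modules[i].notify(r, pid, oid);
}

/* ---- enforcement hook standing in for the extended open() system call ---- */
int sys_open_checked(int pid, int oid, int for_write) {
    enum request r = for_write ? R_WRITE_OPEN : R_READ_OPEN;
    if (adf_request(r, pid, oid) == NOT_GRANTED) return -EPERM;
    /* the original system call work would run here; notify only on success */
    adf_set_attr(r, pid, oid);
    return 0;
}

/* constructed sample state: levels 1..3, two processes at level 2 */
void demo_setup(void) {
    struct proc_attr fresh = { 2, UINT_MAX, 0, 1 };
    for (int i = 0; i < MAX_PROC; i++) procs[i] = fresh;
    procs[1].role = 2;
    objs[0] = (struct obj_attr){ 1, -1 };
    objs[1] = (struct obj_attr){ 3, -1 };
    objs[2] = (struct obj_attr){ 2, -1 };
    objs[3] = (struct obj_attr){ 2,  1 };   /* writable only by role 1 */
}

int main(void) {
    demo_setup();
    printf("read  obj1 (level 3): %d\n", sys_open_checked(0, 1, 0));  /* -EPERM, read up */
    printf("read  obj2 (level 2): %d\n", sys_open_checked(0, 2, 0));  /* 0, max_read = 2 */
    printf("write obj0 (level 1): %d\n", sys_open_checked(0, 0, 1));  /* -EPERM, write down */
    printf("write obj3 as role 2: %d\n", sys_open_checked(1, 3, 1));  /* -EPERM, role veto */
    return 0;
}
```

The second process illustrates the ordering problem the paragraph describes: a process that has written to a low-level object first is afterwards refused a read of a higher-level object, because the data it would read could reach the already open low-level file through process memory. Setting `enabled` to 0 on a module is the stand-in for switching a rule set off at runtime.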
Altogether I added 15 system calls for general and model-dependent changes of system state. Of course, these are access controlled as well. They are called by several command line administration tools.
Coding was done in the programming language C, because most of the kernel is written in it. All my additions to the original kernel can be configured by the usual kernel configuration programs, giving a choice of decision modules, switchability, network access control, etc. If they are all disabled, the result is an unchanged Linux kernel of version 2.0.30.
The Clark-Wilson Integrity Model has not yet been fully implemented, but will probably be completed later.
An informal security evaluation with all models enabled, using the extended ITSEC headings, shows a considerable enhancement in identification, authentication and audit analysis, and a strong enhancement in access control, auditing, integrity and privacy for both users and other people.
Because the underlying structure of Unix is unchanged, there are nevertheless still some smaller weaknesses in identification and authentication, object reuse, reliability of service, security of data transfer and privacy of user data. For example, the protection of authentication data and the security of data transfer still depend on proper administration, users can be identified via audit profiles, and deleted data is not physically deleted. In the next step of security optimization these areas will have to be addressed.
The main weakness of my implementation is the lack of provability of correctness, due to the size and structure of the monolithic Linux kernel. This weakness could only be reduced by extensive tests.
With a reasonable amount of logging, the impact on performance is hardly noticeable. Unfortunately I had no way of measuring the difference on my test system.
Altogether my goals were reached, and a usable Linux system with a high level of security functionality was developed. Still, I found some conceptual weaknesses in the chosen security models as well as in the underlying system, mostly affecting the level of trust in the implementation. In the ongoing project those will be specially addressed.
03-Dec-01, -ao