2011 ride up Vermont route 100

June 20, 2011 ~ flihp ~ Leave a comment

My vacation last week was spent on the road riding with a few buddies. The highlight was definitely the ride out to Bike Week. We spent the night in Wilminton VT, rode up route 100 to 17, then back down to 89 then on to Alton Bay … with a stop at the Broken Spoke Saloon first naturally.

Here’s the route. In the less than perfect weather it took us about 12 hours including stops but it was worth every muscle ache and every minute in the saddle.

Understanding Multi-Level Security part 2

June 8, 2011 ~ flihp ~ 3 Comments

In my last post I gave a brief description of the two governing principles of Multi-Level security. I then used a short-hand version of a logical framework from Chin and Older to explain how a reference monitor may use such a logic to make access control decisions.

In this post I go one step further to look at the MLS component of SELinux policy. I’ll relate the MLS constraints from SELinux to the logical framework from Chin and Older and show how I’ve used their syntax to help debug SELinux denials (AVC denied) in my own policy writing.

SELinux

The type enforcement (TE) model implemented in SELinux is very different from that of the MLS model. TE is a completely different approach to confining subjects and objects. Interesting enough though, to remain relevant in the government space (i.e. to get Common Critieria certified at the EAL4 level against the LSPP), SELinux was extended with the mechanisms necessary to implement an MLS policy. A significant portion of this work was done by TCS and is documented in a brief white-paper [1].

This paper describes the changes to the SELinux implementation in the kernel that were necessary, but assumes the reader is intimately familiar with government security policy. To fill that gap I’ve taken the logical rules from Chin and Older described previously and used them to explain the constraints that implement the MLS policy in SELinux.

SELinux Constraints

WE’ll start with a brief description of the SELinux constraint syntax. The interested reader I’ll refer the to the base constraint file in the SELinux source tree: $SELINUX_SRC/policy/constraints. In short, constraints allow for the policy author to define additional rules that must be satisfied beyond the SELinux type enforcement policy.

Let’s start with a simple example:

constrain dir_file_class_set { create relabelto relabelfrom } 
(
	u1 == u2
	or t1 == can_change_object_identity
);

The first keyword is constrain which simply identifies the constraint. Next comes a set of object types, followed by a set of permissions. When making an access control decision the security server will look at the requested permission and the object type and if they both are members of these sets the constraint will be evaluated. The constraint itself is a simple set of logical expressions. The parameters available for use in these expressions are the user, role and type component of the labels of both subject and object in the request. Components of the subject label are suffixed with 1, objects with 2.

In the expression above we see that the constraint requires that for a file or directory to be created or relabeled the user component of the subject and object labels cannot change (thus they must be equal or ==).
ASIDE: This constraint may seem like a mundane detail but it’s actually quite significant. Historically UNIX operating systems allowed users with sufficient privileges to change their identity to that of another user to perform administrative tasks. This constraint says that SELinux will never allow the user to change their identity (in the SELinux context) making attribution possible.

Examining the constraint further we see there is a loop hole that allows a subject with a specific type attribute (can_change_object_identity in this case) to change the user identity on a file or directory. Loop holes like this are unfortunate but are required for real systems to function.

MLS Constraints

The rules for MLS Constraints are the same as standard constraints. The only differences are:

subject and object labels available for use have the additional MLS label components
new operators which allow for the comparison of sensitivity labels

The MLS components of the SELinux labels come in two parts: the low clearance and the high clearance. These are pretty self explanatory as they represent the lowest possible clearance for a principle and the highest clearance the principle may access.
The new operators are:

eq: two MLS label components are equal
dom: one MLS label component dominates another
domby; same as dom but reversed
incomp: two MLS label components are incomparable

I’ll explain the important operators as well as an essential MLS property with an example:

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
	(( l1 dom l2 ) or
	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsfileread ) or
	 ( t2 == mlstrustedobject ));

This rule constraints read operations on a rather large set of object types. The first line of the statement is the expected simple security property: the low clearance of the subject must dominate the low clearance of the object. Simply put this allows subjects to read at or below their lowest clearance.

The second line allows a subject to read an object if it’s highest clearance dominates that of the object AND it’s type is that of ‘mlsfilereadtoclr’ which is short hand for ‘mls file read to clearance’. This is a special set of subjects that are allowed to read to their highest clearance if they’re operating with a ranged label. Most processes will run with only one MLS label so this constraint will rarely come into play except for processes like init.

The remainig two lines are again, types that allow for loop holes. A process with this type would be considered a “trusted process” in the literature which basically means it’s a process allowed to violate the security model. We’d prefer to have none of these if possible but they exist for a number of reasons. These could be poorly coded software that can’t be fixed by those who care about these things because they’re proprietary or they’re simply processes that must violate MLS to perform their task.

Evaluating MLS Constraints in the logic

Using the logic presented in my previous post to reason through an access control decision based on the above SELinux constraints requires we have a way to evaluate expressions using the operators from the constraint language. I’ll address them in the order they’re presented above:

eq: equality

Testing the equality of two sensitivity levels is straightforward. Using the $slev$ operator we get the sensitivity of a principle and then compare the two using a simple comparison of the strings from our partial ordering. If our reference monitor is optimized it may map the strings to integers (as is the case with SELinux) for a faster comparison but the principle holds.

dom: dominance

This operator is well developed by Chin and Older in their $le_{s}$ operator and was the subject of my previous post.

domby: variation on dominance

This is simply the reverse of the dominance rule and I think it’s included as syntactic sugar.

incomp: incomparable

This operator is only valid when considering the category component of an MLS label and is deferred for future discussion of the Multi-Category Security (MCS) policy.

Now that the operators are sorted out we can use the constraint in an access control decision. I’m using short hand just to keep this post from turning into a book so the logicians among your may groan a bit …
First we must state the partial ordering for secrecy lables in our system. These should be familiar by now:

$ Unclassified le_{s} Secret le_{s} Top Secret $

Next we define a subject and an object in our system and assign them both secrecy levels:

$ slev (O) == Unclassified \ slev (S) == Secret $

Now that we’ve defined an Unclassified object and a Secret subject we can revisit the simple security property and the additional rules from the SELinux MLS constraint. I’m going to make up some functions and operators out of thin air so brace yourselves:

$ (slev_{l}(S) le_{s} slev _{l}(O_{l})) cup \ (type (S) == mlsfilereadtoclr) cap \ (slev_{h}(S) le_{s} slev_{l}(O)) cup \ (type (S) == mlsreadfile) cup \ (type (O) == mlstrustedobject) supset read $

First I’ve augmented the $slev$ function such that it can deal with principles having a high and low sensitivity level. I’ve done so by adding a subscript of ‘l’ for the low sensitivity and an ‘h’ for the high sensitivity.

Second I’ve added another function similar to $slev$ called $type$ . Like $slev$ it allows us to access a component of the security label for a principle. Instead of the classification however it returns the type component of the SELinux label. For the sake of completeness lets give our subject and object types:

$ type (S) == type_a \ type (O) == type_b $

Now to it’s just a matter of putting it all together. First from the type and sensitivity assignments for our subject ‘S’ and object ‘O’ we can replace instances of $slev$ and $type$ . I’ve only defined one sensitivity label for each object so both low and high labels are the same.

$ ((Secret le_{s} Unclassified) cup \ ((type_a == mlsfilereadtoclr) cap \ (Secret le_{s} Unclassified)) cup \ (type_a == mlsreadfile) cup \ (type_b == mlstrustedobject) supset read $

Since neither neither subject or object we’re considering have the types listed in this constraint we can quickly mark those comparisons as failing. Further we can simplify terms that have become ‘false’ and we get:

$ ((Secret le_{s} Unclassified) supset read $

In this simple case we’ve reduced the constraint to the simple security property. Further using the partial ordering we’ve defined we can see that Secret dominates Unclassified and our read request should be allowed by the reference monitor.

Conclusion

This very brief exercise shows the application of a relatively new logical framework to the analysis of a specific SELinux MLS constraint. I’ve found this type of reasoning extremely useful in debugging MLS policy as the available tools (audittoallow) provide no useful information about denials caused by constraints. The exercise performed in this post is equally applicable to any other MLS constraint from the reference policy so if you’re interested give it a try with the constraint for common write operations on files and prove the ★-property.

Up next is the MCS policy …

References

1 Chad Hanson, SELinux and MLS: Putting the Pieces Together, TCS

Icon 7614 shocks arrive damaged

May 31, 2011 ~ flihp ~ Leave a comment

After trying a set of KYBs from a Kawasaki ZRX and finding them too big to fit under my Predator exhaust I started looking for a set of shocks with a lower profile. I found these Icon 7614s on the NewThruxton.com. They don’t have all of the adjustments that the KYBs do but they definitely look thin enough to fit under my exhaust and they’re a lot lighter weight.

They arrived two weeks ago but I’ve been traveling for work and just got around to putting them on today. In the photo above they look great but when I unboxed them I noticed some damage on the springs. The damage is super obvious up close. I can only speculate how they were damaged but it probably happened before they were assembled because the rest of the shock body is perfect. But the plastic coating on the springs on both shocks is scratched down to the metal in a few spots. Here’s what I’m talking about:

The damage looks like they rubbed up against something. The reflection of the lights makes it a bit difficult to see at first but I’ve rotated the shock to the left a bit to offset the reflection. I’ve marked up the place where the plastic coating was stripped down to the metal underneath and provided a good close-up. Looking further down the spring you’ll see other places where the plastic was stripped away and there are a few where it’s gone through to the metal.

What a pain. I was really excited to get these on. Even worse than having to go through returning them is that I probably won’t have them on my bike for my upcoming ride up route 100 through Vermont. Not much I can do now but try to get NewThruxton.com to take them back. Not happy.

UPDATE: Added better photo.

Kawasaki ZRX KYB shocks on ’04 Thruxton

May 30, 2011 ~ flihp ~ 2 Comments

I spent some time recently searching for a new set of shocks for my Thruxton. I’ve made a number of performance upgrades but I’ve kept the stock shocks in place even though they’re pretty crappy. There’s a lot of options for this upgrade so hopefully my experience will be useful to someone out there weighting the same decisions.

First a shot of the stock shocks before I removed them. Notice the corrosion showing on the bottom. Luckily it was from the bolt, not the mount.

First I tried used set taken of KYBs taken from a Kawasaki ZRX 1100. These are a pretty common upgrade for Thruxtons even though the ZRX is much heavier. In the end the reports I’ve read indicated the ride was nice if a bit stiff.

The shocks were the right size but the bottom bushings that came in the shocks were the wrong size. Not a hard fix since the stock shock bushing were easy enough to knock out with a mallet and socket. After fitting these in the KYBs they were easy enough to mount on the bike now that I’ve got a lift. Here’s a shot of the bushings taken from the stock shocks, and the KYBs mounted. Check out the super nice dress-up bolts I got from Joker Machines too.

They look really slick but unfortunately I couldn’t keep them. The coils on the KYB shocks are significantly wider than the stock Thruxton shocks. This came into play when I tried to fit my exhaust back on as the final step. I’ve got a set of Predators from British Customs and these cans are just too wide to fit over the ZRX shocks. Damn.

I really like these shocks and I thought about getting a new exhaust to fit over them. Then I remembered how I love the sound from the Predators so I’m still searching. I picked up a set of Icons and I’ll post about that disaster next.

Understanding Multi-Level Security Part 1

May 23, 2011 ~ flihp ~ 1 Comment

In my last post I introduced a topic I’ve been working on over the past year. That post provided a description of the problem and it’s importance, but didn’t get into the details behind the technologies used in the solution I’ve worked up. This post is the first of several to come that will fill in these details.

Purpose

I’ve been having a hard time sorting out the best way to present the relatively complex topic of computer security policy and it’s application to my specific project. My first few attempts to write this up resulted in some very convoluted ramblings.

It seemed like I was starting in the middle and missing all the background. Hoping to fix this I’m starting from the beginning with a quick explanation of the security policy that’s at the core of my project: military security policies and their implementation in SELinux.

To explain this I’m using a logical framework put forward by Chin and Older in their recent book [1]. I took a class with Dr. Chin this past fall and was particularly impressed with the contents of the book and the clear, concise syntax they developed.

Classifications

Everyone who’s seen a good spy movie has heard references to military security policy. I think it’s safe to day that every James Bond or Jason Bourne movie made a few references to Unclassified, Secret or Top Secret data. These are typically referred to as classifications or sensitivity levels in the literature. Everyone who’s seen these movies understands what the policy is, but few people have a solid grasp on the mathematical rules that govern access control systems implementing this policy.

It really is as simple as it seams though and easy to explain in the context of subjects (generally people or computer processes acting on their behalf) and objects (either physical or electronic). There are two governing principles [2]:

the simple security property: a subject operating at a given sensitivity level can read objects at the same level or below
the ★-property: a subject operating at a given sensitivity level can write to objects at the same level or higher

A computer system that implements these two rules is said to implement a multi-level security (MLS) policy.

Inherent in these two rules is a partial ordering among classification labels. Chin and Older describe this ordering by first defining a function that produces the sensitivity of a principle or object: $slev (X)$ . For a given object O that is classified Secret we would say:

$ slev (O) = Secret $

They also define an operator: $le_{s}$ that describes the relationship between two sensitivity levels. Going back to the sensitivity levels we’re so familiar with we would say:

$ Unclass le_{s} Secret le_{s} TopSecret $

Simply put a TopSecret principle is more sensitive than (or dominates) a Secret principle, which dominates an $Unclass$ principle. Combining these two operators we can now describe these relationships in an access control scenario.

The Simple Security Property

Getting back to the security properties for military data we can use the above syntax to describe the system. The simple security property requires that a subject operating at a given security level can read objects at the same level or below. We’d such a situation as:

$ (slev (O) le_{s} slev (S)) supset read $

Above we assume the ‘O’ and ‘S’ are an object and a subject in our system respectively. By the definition of $slev ()$ we know it returns the sensitivity level of its parameter so let’s say that object O is classified Secret and subject S is classified Top Secret. We could then say:

$ (S le_{s} TS) supset read $

Knowing that $S le_{s} TS$ is true by the ordering we’ve defined and our knowledge of logical implication (modus ponens WHAT!) we can deduce $read$ from this for future use in our logical framework and we take this to mean a read operation would be granted. Chin and Older provide a more rigorous approach but for our purposes the short hand I’m using is sufficient (because I say so).

The ★-Property

The ★-property requires that the sensitivity level of a subject is lower than or equal to that of the object for a write access to be permitted. We’d represent this as:

$ (slev (S) le_{s} slev (O)) supset write $

If ‘S’ and ‘O’ are the same subject and object as in the previous example the values of $slev (S)$ and $slev (O)$ will again be top secret and secret respectively. Thus:

$ TS le_{s} S supset write $

Using the same partial ordering defined previously we can see that the first part of the implication here is false. This time from our knowledge of logical implication we can’t say anything about the term on the right (the $write$ statement), so we cannot say a write would be granted. It would then be denied by any sane access control implementation. Again I’m using short hand.

Conclusion

This brief introduction was an attempt to frame basic MLS constructs in a simple logic developed by Chin and Older. Alone this post won’t mean much to most people but it’s intended as a foundation. In my next post I’ll introduce SELinux constraints, MLS constraints and use the logic from this post to illustrate how a reference monitor would evaluate constraints in an access control decision.

References

1 Chin, Shiu-Kai and Older, Susan. Access Control, Security and Trust CRC Press, 2011.
2 Bell, David Elliott and LaPadula, Leonard J. Secure Computer Systems: A Mathematical Model, MITRE Corporation, 1973.
3 Chad Hanson, SELinux and MLS: Putting the Pieces Together, TCS

Thruxton ignition relocation

May 15, 2011 ~ flihp ~ Leave a comment

The weather’s starting to get nice and since I don’t have a garage to work in over the winter, I had to wait for nice weather to work on my Thruxton … in my driveway. Joker Machine makes some really nice bolt-ons and they’re pretty spendy so over the winter I picked up a few when I had a buck or two kicking around. A few days back when it finally hit 65 degrees outside I put on my ignition relocation kit.

The ignition location is a common complaint from Thruxton owners. It’s located on the headlight mount which is a bit odd, but really I’ve become used to it by now:

The relocation kit uses two bolts on the front of the frame as the anchor for the new bracket:

Removing the ignition is simple but it does require removing the headlight bracket to access the screws holding it in place:

After removing the ignition the fun begins. You can’t simply attach the new bracket with the existing cable. There just isn’t enough of it.

The ignition wires hook up to the main harness at a plug that’s housed in the headlight bucket. Actually just about everything that hooks up to the harness on the front end of the bike does so in the headlight bucket. So there are basically two options:

extend the ignition wires
cut into the harness and hope there’s enough wire in there to get the ignition to its new home

I went for the second option because I only needed a few extra inches of wire but it came at a cost: I couldn’t keep the connector between the ignition and the wiring harness in the headlight bucket. Here’s a shot of the harness with the cuts I had to make:

After that, wrap up the harness with electrical tape and stuff the connector up under the frame. Be sure to clean off the harness before you put the tape on it. Dirt makes tape pretty ineffective:

In the end it’ll look pretty cool:

The new location for the ignition isn’t any more convenient than the original if you ask me. Looks cool though.

Route from Syracuse to Laconia

May 10, 2011 ~ flihp ~ Leave a comment

It’s getting close bike week in Laconia NH and I’m planning out another route from Syracuse NY to the event (ending point is Alton Bay). Previously I’ve made a run straight across using major highways (boring and dangerous) and a much more fun route through Vermont down route 100. This year I’m planning to re-create the Vermont route but hopefully over two days.

First off here’s the route I took with an old room mate back in 2009. It’s as long as it looks. With a stop for lunch it took us about 10 hours.

This year I’m shooting for a stop in western Massachusetts at a buddy’s house. I figure this will cut the route in two and make for a much more enjoyable route through Vermont. In 2009 by the time we reached routes 17 and 100 in VT we were almost too tired to enjoy it. I’m really looking forward to the switch-backs on 17 when I’m not half dead.

Another Go at My Masters Project

May 8, 2011 ~ flihp ~ 2 Comments

About a year ago I started working on my masters project. The topic turned out to be … not interesting enough to hold my attention I guess. This ended up being for the best since shortly after losing interest in my first project I got picked up on a project at work that I managed to dual-purpose for both work and school. I’m at a point where all I need to do to graduate is write this work up.

This first post (with a new tag) is a brief introduction of what this work is and why you should care. Future posts on this topic will cover the technical background and an implementation, both a simulation and code targeted at a specific Xen-based platform.

SELinux and Virtualization

I’ve been playing with SELinux for a while now and more recently I’ve had the need to work with the Xen hypervisor. Specifically I’ve been tasked with getting an SELinux policy running in the management VM (a.k.a. dom0). Most people savvy on SELinux would simply use a Linux distro that supports SELinux out of the box as their dom0 like Debian, Fedora, CentOS / RedHat. This is a valid argument but a minimal Debian install has a root file system that’s about about a gigabyte in size and this was too big for our purposes.

The project was actually in full swing when I was tasked with SELinux integration and the team had already rolled their own dom0 using openembedded [1]. Getting SELinux up and running on an OE system was a pain but it’s done and that work isn’t all that interesting. What was interesting was implementing some policy and machinery to separate the instances of QEMU [2] that provide emulation for the HVM Windows guests [3].

SELinux does a great job of formalizing the interactions between processes. Any interactions that aren’t specified are prevented. I won’t go into a detailed explanation of the SELinux policy language [4] or Domain and Type Enforcement [5]. These are well documented elsewhere [6].

The Problem

What’s interesting is that on an SELinux system each process runs with a label defined by the label of it’s parent (the process that caused the execution) and the label on the programs binary file on disk. This means that a process performing multiple fork/exec calls on the same binary will produce child processes all with the same SELinux label. Under nearly all circumstances this is the desired effect. On our specific platform there is a case where this isn’t what we want.

As our platform is Xen, xend is the daemon responsible for managing VMs. When xend starts an HVM client it executes QEMU. This causes all QEMU instances running to have the same SELinux label. In SELinux speak we would say these QEMU instances are all running “in the same domain” which is equivalent to them all having the same permissions, or more precisely, the same access to system resources.

At this point understanding the separation goals of Xen is important. Where an OS kernel aims to keep running processes separate, Xen aims to keep running VMs separate. Having instances of QEMU operating on behalf of what are effectively untrusted client VMs all with the same SELinux label undermines this goal of separation.

Separating QEMU Instances

The sVirt [7] project specifically addressed this problem with a prototype implementation some time back. Eventually this was integrated with libvirt so if you’re running libvirt[8] with the SELinux security driver[9] loaded then presumably you’ve got these protections in place. But again due to the embedded nature of our dom0 libvirt was way more software than we needed.

It became necessary to implement the basic sVirt design but integrated directly into our management stack. This isn’t a line-for-line re-implementation of the libvirt SELinux code though. I’ve made a number of changes that I will discuss in detail in the following posts though the design goals remain the same: keep instances of QEMU separate. The metric we’re using to judge the usefulness of this work is our answer to the question “what could a compromised QEMU instance access?”. If the answer to this is “all of the virtual hard disks on the system” then obviously we’ve failed. Instead we’re aiming to confine a QEMU instance to the resources it needs to function, like the virtual disks belonging to the VM it is providing services to.

Next Time

Now that the basic problem is laid out the next step is to cover some background.
In my next post I’ll cover the background necessary to understand the specific pieces of the SELinux policy that this work uses to achieve these goals: the MCS policy.

References

1 the Open Embedded project: http://www.openembedded.org/index.php/Main_Page
2 the QEMU project: http://wiki.qemu.org/Main_Page
3 Xen-HVM: http://en.wikipedia.org/wiki/QEMU#Xen-HVM
4 SELinux policy language: http://selinuxproject.org/page/PolicyLanguage
5 Practical Domain and Type Enforcement for UNIX: http://portal.acm.org/citation.cfm?id=882491.884237
6 SELinux By Example: http://www.informit.com/store/product.aspx?isbn=0131963694
7 sVirt Requirements Document: http://selinuxproject.org/page/Svirt_requirements_v1.0
8 The libvirt Project: http://libvirt.org/
9 libvirt SELinux Driver: http://libvirt.org/drvqemu.html#securitysvirt

oil companies love mondays

April 28, 2011 ~ flihp ~ 6 Comments

It’s been a million years since my last post. Standard excuses apply: day job has taken over my life. I am working on a technical post so expect that in the next few days. In the mean time, here’s an image that has come to define this crappy week:

Only an oil company can make a Monday worse that it usually is. $50 for a tank of gas? Jerks. The only thing worse than having to put on a work-appropriate shirt (I hate work-appropriate shirts!) and drive half way across the state to get to work is having to pay through the nose for the privilege.

Enough I say!

Great Jargon LOL

March 12, 2011 ~ flihp ~ Leave a comment

Something I do in my day job a lot is read. I read tons of documents from peer reviewed publications, a bit less from periodicals like IEEE S&P, ACM Communications etc, and finally I get sucked into reading some vendor white papers / marketing crap. The density and value of the information in these documents decreases in the order that I’ve listed them while the amount of useless jargon increases.

I write a tech-report or a proposal every once in a while myself and I’ve found that the things I read have a significant impact on how I write. Similarly I’ll get asked to “provide comments” on a document prepared by someone else from time to time. This may sound strange but in reading something written by one of my peers I get a glimpse of what they’ve been reading too,

This past week I was asked to give someone feedback on a paper that’s still in draft form. I had very few issues with this paper technically. It had some pretty crazy punctuation and there were gramatical errors but it’s just a draft so I made note of them in my comments.

Now I’m no Shakespeare. I’ve made the same mistakes that I was commenting on for this document and that’s why we ask other people to read these things before we send them out into the community … But there are some things that I cannot excuse.

Toward the end of the document the author was noticeably fatigued and he started using jargon. I was about to make a note of how this jargon was meaningless and that the sentence could stand on its own without said jargon when I started to feel bad. Was I being too harsh? Was I just tired and sick of reviewing this document on a Friday at 5:30 when all I really wanted to be on my way home? So I threw the jargonic phrase in question into Google to see if the internets thought this was jargon as well. The first hit from this search had me laughing for a good minute. Follow the link, it speaks for itself.

So I concluded this was jargon after all 🙂 I don’t want this post to be interpreted as some commentary on writing style or our use of the English language in professional writing. I don’t have anything new to add there. If you care about effective communication read Orwell. If you’ve read this blog before (hell if you’re reading this post) you likely know that my writing can be as crappy as the next guys … just do me a favor and stay away from the jargon. It’s what separates us engineers from the marketing department.