TRUSTED EXTENSIONS MEDIATION Operating Systerm Security
8.4. PROCESS RIGHTS MANAGEMENT PRIVILEGES 109
The single, all-powerful UID 0 assigned to a root process has been replaced with at least 68 discrete privileges that can be individually assigned to processes using the Service Management Fa- cility SMF, Role-based Access Control RBAC, or a command-line program, such as ppriv1. Taken together, all defined privileges with the exception of the basic privileges compose the set of privileges that are traditionally associated with the root user. The basic privileges are privileges unprivileged processes were accustomed to having. The privilege implementation in Solaris extends the process credential with four privilege sets: • I, the inheritable set: The privileges inherited on exec. • P, the permitted set: The maximum set of privileges for the process. • E, the effective set: The privileges currently in effect. • L, the limit set: The upper bound of the privileges a process and its offspring can obtain. Changes to L take effect on the next exec. As shown in Figure 8.2, the sets I , P and E are typically identical to the basic set of privileges for unprivileged processes. The limit set is typically the full set of privileges. Permitted Inheritable Limit Effective Figure 8.2: The relationship among Solaris privilege sets.8.4.1 PRIVILEGE BRACKETING AND RELINQUISHING
The implementation of Solaris privileges empowers application developers to control how privileges are used within their programs. Using a technique called privilege bracketing, developers can write 110 CHAPTER 8. CASE STUDY: SOLARIS TRUSTED EXTENSIONS their programs such that they are only running with privileges when they are needed. Even more importantly, programs can not only enable or disable their privileges, but they can also drop any privileges granted to them assuming they will not be needed and even relinquish them so they can no longer be used when there is no longer a need for the privilege. Just as importantly, programs can also restrict which of their privileges can be passed along to their children e.g., programs that they execute. In the Solaris operating environment many setuid programs e.g., ping, traceroute, rmformat and system services e.g., nfsd, ftpd, mountd use these techniques. Each process has a Privilege Awareness State PAS that can take the value PA privilege- aware and NPA not privilege-aware. PAS is a transitional mechanism that allows a choice between full compatibility with the old superuser model and completely ignoring the effective UID. To facili- tate the discussion, we introduce the notion of observed effective set oE and observed permitted set oP and the implementation sets iE and iP . A process becomes privilege-aware either by manipulating the effective, permitted, or limit privilege sets through the setppriv or setpflags system calls. In all cases, oE and oP are invariant in the process of becoming privilege-aware. In the process of becoming privilege-aware, the following assignments take place: iE = oE 8.1 iP = oP 8.2 When a process is privilege-aware, oE and oP are invariant under UID changes. When a process is not privilege-aware, oE and oP are observed as follows: oE = euid == 0 ? L : iE 8.3 oP = euid == 0||ruid == 0||suid == 0 ? L : iP 8.4 When a non-privilege-aware process has an effective UID of 0, it can exercise the privileges contained in its limit set, the upper bound of its privileges. If a non-privilege-aware process has any of the UIDs 0, it will appear to be capable of potentially exercising all privileges in L. It is possible for a process to return to the non-privilege aware state, which the kernel will always attempt on exec. This operation is permitted only if the following conditions are met: • If any of the UIDs is equal to 0, P must be equal to L. • If the effective UID is equal to 0, E must be equal to L. When a process gives up privilege awareness, the following assignments take place: if euid == 0 iE = LI 8.5 if anyuid == 0 iP = LI 8.6Parts
» SECURE OPERATING SYSTEMS 3 Operating Systerm Security
» SECURE OPERATING SYSTEMS Operating Systerm Security
» SECURITY GOALS Operating Systerm Security
» SECURITY GOALS 5 Operating Systerm Security
» TRUST MODEL Operating Systerm Security
» THREAT MODEL 7 Operating Systerm Security
» THREAT MODEL Operating Systerm Security
» SUMMARY Operating Systerm Security
» MANDATORY PROTECTION SYSTEMS PROTECTION SYSTEM 11
» PROTECTION SYSTEM 13 Operating Systerm Security
» REFERENCE MONITOR Operating Systerm Security
» REFERENCE MONITOR 15 Operating Systerm Security
» SECURE OPERATING SYSTEM DEFINITION
» SECURE OPERATING SYSTEM DEFINITION 17
» ASSESSMENT CRITERIA 19 ASSESSMENT CRITERIA
» SUMMARY 21 Operating Systerm Security
» MULTICS HISTORY THE MULTICS SYSTEM
» MULTICS FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS SECURITY FUNDAMENTALS THE MULTICS SYSTEM 25
» MULTICS PROTECTION SYSTEM MODELS
» MULTICS PROTECTION SYSTEM THE MULTICS SYSTEM 29
» MULTICS REFERENCE MONITOR THE MULTICS SYSTEM 31
» MULTICS SECURITY 33 Operating Systerm Security
» MULTICS SECURITY Operating Systerm Security
» MULTICS SECURITY 35 Operating Systerm Security
» MULTICS VULNERABILITY ANALYSIS Operating Systerm Security
» SUMMARY 37 Operating Systerm Security
» UNIX HISTORY SYSTEM HISTORIES
» WINDOWS HISTORY SYSTEM HISTORIES
» UNIX SECURITY 41 Operating Systerm Security
» UNIX PROTECTION SYSTEM UNIX SECURITY
» UNIX AUTHORIZATION UNIX SECURITY 43
» Complete Mediation: How does the reference monitor interface ensure that all security-
» Complete Mediation: Does the reference monitor interface mediate security-sensitive oper-
» Complete Mediation: How do we verify that the reference monitor interface provides com-
» Tamperproof: How does the system protect the reference monitor, including its protection
» Tamperproof: Does the system’s protection system protect the trusted computing base pro-
» UNIX VULNERABILITIES UNIX SECURITY 47
» WINDOWS SECURITY 49 Operating Systerm Security
» WINDOWS PROTECTION SYSTEM WINDOWS SECURITY
» WINDOWS AUTHORIZATION WINDOWS SECURITY 51
» Verifiable: What is basis for the correctness of the system’s trusted computing base?
» WINDOWS VULNERABILITIES WINDOWS SECURITY 55
» INFORMATION FLOW Operating Systerm Security
» INFORMATION FLOW SECRECY MODELS 59
» INFORMATION FLOW SECRECY MODELS
» BELL-LAPADULA MODEL INFORMATION FLOW SECRECY MODELS 61
» INFORMATION FLOW SECRECY MODELS 63
» INFORMATION FLOW INTEGRITY MODELS
» BIBA INTEGRITY MODEL INFORMATION FLOW INTEGRITY MODELS 65
» LOW-WATER MARK INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» CLARK-WILSON INTEGRITY INFORMATION FLOW INTEGRITY MODELS 67
» THE CHALLENGE OF TRUSTED PROCESSES
» COVERT CHANNELS Operating Systerm Security
» CHANNEL TYPES COVERT CHANNELS 71
» SUMMARY 73 Operating Systerm Security
» THE SECURITY KERNEL Operating Systerm Security
» SECURE COMMUNICATIONS PROCESSOR 77 Operating Systerm Security
» SCOMP ARCHITECTURE SECURE COMMUNICATIONS PROCESSOR
» SCOMP HARDWARE SECURE COMMUNICATIONS PROCESSOR 79
» SCOMP TRUSTED OPERATING PROGRAM
» SCOMP KERNEL INTERFACE PACKAGE
» SECURE COMMUNICATIONS PROCESSOR 85 Operating Systerm Security
» GEMINI SECURE OPERATING SYSTEM
» GEMINI SECURE OPERATING SYSTEM 87
» SUMMARY 89 Operating Systerm Security
» RETROFITTING SECURITY INTO A COMMERCIAL OS
» HISTORY OF RETROFITTING COMMERCIAL OS’S 93
» HISTORY OF RETROFITTING COMMERCIAL OS’S COMMERCIAL ERA
» MICROKERNEL ERA 95 Operating Systerm Security
» MICROKERNEL ERA Operating Systerm Security
» UNIX ERA 97 Operating Systerm Security
» RECENT UNIX SYSTEMS UNIX ERA 99
» SUMMARY 101 Operating Systerm Security
» TRUSTED EXTENSIONS ACCESS CONTROL
» SOLARIS COMPATIBILITY 105 Operating Systerm Security
» SOLARIS COMPATIBILITY Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION Operating Systerm Security
» TRUSTED EXTENSIONS MEDIATION 107 Operating Systerm Security
» PROCESS RIGHTS MANAGEMENT PRIVILEGES
» PRIVILEGE BRACKETING AND RELINQUISHING
» CONTROLLING PRIVILEGE ESCALATION PROCESS RIGHTS MANAGEMENT PRIVILEGES 111
» ASSIGNED PRIVILEGES AND SAFEGUARDS
» RBAC AUTHORIZATIONS ROLE-BASED ACCESS CONTROL RBAC
» CONVERTING THE SUPERUSER TO A ROLE
» TRUSTED EXTENSIONS NETWORKING 115 Operating Systerm Security
» TRUSTED EXTENSIONS NETWORKING Operating Systerm Security
» TRUSTED EXTENSIONS MULTILEVEL SERVICES TRUSTED EXTENSIONS MULTILEVEL SERVICES 117
» TRUSTED EXTENSIONS ADMINISTRATION Operating Systerm Security
» SUMMARY 119 Operating Systerm Security
» LSM HISTORY LINUX SECURITY MODULES
» LSM IMPLEMENTATION LINUX SECURITY MODULES 123
» LINUX SECURITY MODULES 125 Operating Systerm Security
» SELINUX REFERENCE MONITOR SECURITY-ENHANCED LINUX
» SECURITY-ENHANCED LINUX 127 Operating Systerm Security
» SELINUX PROTECTION STATE SECURITY-ENHANCED LINUX 129
» SELINUX LABELING STATE SECURITY-ENHANCED LINUX 131
» SELINUX TRANSITION STATE SECURITY-ENHANCED LINUX 133
» SELINUX TRUSTED PROGRAMS SECURITY-ENHANCED LINUX 135
» SUMMARY 139 Operating Systerm Security
» CAPABILITY SYSTEM FUNDAMENTALS Operating Systerm Security
» CAPABILITY SECURITY Operating Systerm Security
» CHALLENGES IN SECURE CAPABILITY SYSTEMS 143
» CAPABILITIES AND THE ⋆-PROPERTY
» CAPABILITIES AND CONFINEMENT CHALLENGES IN SECURE CAPABILITY SYSTEMS
» CAPABILITIES AND POLICY CHANGES
» ENFORCING THE ⋆-PROPERTY BUILDING SECURE CAPABILITY SYSTEMS
» ENFORCING CONFINEMENT BUILDING SECURE CAPABILITY SYSTEMS 147
» REVOKING CAPABILITIES BUILDING SECURE CAPABILITY SYSTEMS 149
» SUMMARY 151 SUMMARY Operating Systerm Security
» SEPARATION KERNELS 155 SEPARATION KERNELS
» VAX VMM DESIGN VAX VMM SECURITY KERNEL
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 163
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS
» SECURITY IN OTHER VIRTUAL MACHINE SYSTEMS 165
» SUMMARY 167 Operating Systerm Security
» ORANGE BOOK Operating Systerm Security
» ORANGE BOOK 171 Operating Systerm Security
» COMMON CRITERIA CONCEPTS COMMON CRITERIA
Show more