    Virtualization in Multilevel Security Environments

    Dr. Christoph Schuba Christoph.Schuba@Sun.COM http://blogs.sun.com/schuba

  - 2 -

    Agenda

    • Using OS Virtualization to Build MLS Architecture
      > OS Virtualization
      > Labeled Local and Remote File Systems
      > Trusted Desktop
    • Overview Trusted VirtualBox
    • What We Can Do Today
    • What We Can Do Tomorrow

  - 4 -

    Virtualization Technologies

    • Type 1 - Hypervisor-based virtualization
      > xVM - style (think XEN)
      > Logical Domains (LDOM) - firmware-style, Sparc CMT
    • OS virtualization
      > Containers (aka Zones), both x64 and Sparc
    • Type 2 - Hypervisor-based virtualization
    • Desktop and network virtualization
      > Sunray, VDI, Crossbow, ...
    • Combinations!

  - 5 -

    Server Virtualization Categories

    [Diagram: server, OS and application layers shown for each of the four categories below]

    • Hard Partitions (Multiple OS)
      > Very High RAS
      > Very Scalable
      > Mature Technology
      > Ability to run different OS versions
    • Virtual Machines (Multiple OS)
      > Ability to live migrate an OS
      > Ability to run different OS versions and types
      > De-couples OS and HW versions
    • OS Virtualization (Single OS)
      > Very scalable and low overhead
      > Single OS to manage
      > Cleanly divides system and application administration
      > Fine grained resource management
    • Resource Mgmt. (Single OS)
      > Very scalable and low overhead
      > Single OS to manage
      > Fine grained resource management

  - 6 -

    Virtualization

    Virtualization is the idea to introduce an abstraction layer that decouples previously adjacent layers to deliver greater resource utilization and flexibility.

    • Layers?
      > application, operating system, network, storage, file system, memory, resources, etc.

  - 7 -

    A Word About the Software

    • Solaris vs. OpenSolaris
      > Initially Developer Focus, soon Enterprise
      > Free
      > Open Source
      > Superior prototyping Environment for Security Research
        – virtualization technologies,
        – process privileges,
        – fault and service management,
        – open storage, especially ZFS,
        – cryptographic framework, etc.
    • Type-2 Hypervisor VirtualBox

  - 8 -

    Multilevel Architecture

    • Layered architecture implements:
      > Mandatory access control
      > Hierarchical labels
      > Principle of least privilege
      > Trusted path
      > Role-based access

    [Diagram: Solaris Kernel on SPARC, x86 or x64 hardware; Global Zone plus labeled zones Public, Internal Use and Need-to-know; local or Sun Ray display]

  - 9 -

    Solaris Trusted Extensions

    Mandatory Access Control & Security Labels

    • Non-Hierarchical (Solaris 10 with or w/out Trusted Extensions)
      > Net Inc.
      > Music Online
      > Daisy's Florists
    • Commercial Hierarchy (Trusted Extensions)
      > Executive Management
      > VP and Above
      > Directors
      > All Employees
    • Government Hierarchy (Trusted Extensions)
      > Top Secret
      > Secret
      > Confidential
      > Classified

    • All objects are labeled, based on sensitivity
    • Access governed by label hierarchical relationship

  - 10 -

    What's Solaris Trusted Extensions?

    • A redesign of the Trusted Solaris product using a layered architecture.

    • An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects

    • A set of software packages integrated into the standard Solaris 10 system.

    • A set of label-aware services which implement multilevel security

  - 11 -

    What are Label-Aware Services?

    • Services which are trusted to protect multilevel information according to predefined policy
    • Trusted Extensions Label-aware services include:
      > Labeled Desktops
      > Labeled Printing
      > Labeled Networking
      > Labeled Filesystems
      > Label Configuration and Translation
      > System Management Tools
      > Device Allocation

  - 12 -

    Trusted Extensions in a Nutshell

    • Every object has a label associated with it
      > Files, windows, printers, devices, network packets, network interfaces, processes, etc...
    • Accessing or sharing data is controlled by the objects' label relationship to each other
      > 'Secret' objects do not see 'Top Secret' objects
    • Administrators utilize Roles for duty separation
      > Security admin, user admin, installation, etc...
    • Processes use privileges rather than root access
    • Strong independent certification of security

  - 13 -

    Trusted Solaris History

    • 1990, SunOS MLS 1.0
      > Conformed to TCSEC (1985 Orange Book)
    • 1992, SunOS CMW 1.0
      > Compartmented-mode workstation requirements
      > Release 1.2 ITSEC certified for FB1 E3, 1995
    • 1996, Trusted Solaris 2.5
      > ITSEC certified for FB1 E3, 1998
    • 1999, Trusted Solaris 7
    • 2000, Trusted Solaris 8
      > Common Criteria: CAPP, RBACPP, LSPP at EAL4+
    • 2008, Solaris 10 Trusted Extensions
      > Common Criteria: CAPP, RBACPP, LSPP at EAL4+

  - 14 -

    Solaris™ Trusted Extensions

    [Diagram: side-by-side software stacks of Trusted Solaris 8 and Trusted Extensions on Solaris 10*]

    • Trusted Solaris 8
      > Trusted Networking
      > Trusted Desktop
      > Label-Aware Services
      > Modified TCP/IP
      > Process Containment [Labels]
      > Trusted's Privileges
    • Trusted Extensions on Solaris 10*
      > Trusted Networking
      > Trusted Desktop
      > Label-Aware Services
      > TCP/IP
      > Process Containment [Zones]
      > Privileges
    • Benefits:
      > Software portability
      > Patch compatibility
      > Shorter release window
      > More familiar

  - 15 -

    Integration of Trusted Extensions

    • Leveraging Solaris functionality:
      > Process & User Rights Management, auditing, zones
      > Make use of existing Solaris kernel enhancements
    • Elimination of patch redundancy:
      > All Solaris patches apply, hence available sooner
      > No lag in hardware platform availability
    • Extend Solaris Application Guarantee
    • Full hardware and software support
      > File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
      > Processors (SPARC, x86, AMD64)
      > Infrastructure (Cluster, Grid, Directory, etc.)

  - 16 -

    Labeled Zones in Trusted Extensions

    • Each zone provides a security boundary
      > Unique sensitivity label per zone
      > Labels are implied by process zone IDs
      > Processes and data are isolated by label
    • No object is writable by more than one zone
      > Mount policy prevents writing down or reading up
      > Network policy requires endpoint label equality (default)
    • Information sharing between zones is based on label relationships

  - 17 -

    Solaris Kernel Services

    • Multilevel Networking
    • Filesystem mount policy
    • Containment (zones)
      > Processes
      > Devices
      > Resource Pools

    [Diagram: Solaris Kernel on SPARC, x86 or x64 hardware; Global Zone plus labeled zones Public, Internal Use and Need-to-know; local or Sun Ray display]

  - 18 -

    Multilevel Services

    • Label Policy Administration
    • Name Services
    • Labeled Printing
    • File relabeling
    • Device Allocation
    • Labeled Windows
    • Single Sign-on

    [Diagram: Solaris Kernel on SPARC, x86 or x64 hardware; Global Zone plus labeled zones Public, Internal Use and Need-to-know; local or Sun Ray display]

  - 19 -

    Single Level Applications

    • Application Launchers
    • Windows XP Remote Desktop
    • Mozilla
    • StarOffice
    • CDE or Java Desktop System

    [Diagram: Solaris Kernel on SPARC, x86 or x64 hardware; Global Zone plus labeled zones Public, Internal Use and Need-to-know; local or Sun Ray display]

  - 20 -

    Agenda

    • Using OS Virtualization to Build MLS Architecture
      > OS Virtualization
      > Labeled Local and Remote File Systems
      > Trusted Desktop
    • Overview Trusted VirtualBox
    • What We Can Do Today
    • What We Can Do Tomorrow

  - 21 -

    Filesystem MAC policies

    • Labels derived from a filesystem owner's label
    • Mount policy is always enforced
      > No reading-up
        – Read-write mounts require label equality in labeled zones
      > Reading-down
        – Read-only mounts require dominance by client
        – Can be restricted via zone's limit set and network label range
      > Writing-up
        – Cannot write-up to regular files
        – Limited write-up to label-aware services (via TCP and doors)
      > Writing-down
        – Restricted to privileged label-aware global zone services
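As an added illustration (not from the slides or from Trusted Extensions itself), the following Python models the label rules stated on slides 16 and 21: a label with a hierarchical classification and non-hierarchical compartments, dominance, read-write mounts requiring label equality, read-only mounts requiring dominance by the client zone, and the default network policy of endpoint label equality. The label values and the "project-x" compartment are constructed; it also covers labels with disjoint compartments, which neither side dominates. Write-up to label-aware services and the zone limit set are not modeled.

```python
from dataclasses import dataclass

# Constructed label model (illustration only, not the Trusted Extensions API).
# A dominates B when A's classification is >= B's and A's compartments are a
# superset of B's; labels with disjoint compartments are incomparable.
@dataclass(frozen=True)
class Label:
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)

def mount_decision(zone: Label, fs: Label, read_write: bool) -> bool:
    """Mount policy as described on the slide.

    zone: label of the labeled zone requesting the mount
    fs:   label of the filesystem, derived from its owner's label
    """
    if read_write:
        # Read-write mounts require label equality, which rules out both
        # reading up (fs above zone) and writing down (fs below zone).
        return zone == fs
    # Read-only mounts implement reading-down: the client must dominate.
    return zone.dominates(fs)

def network_endpoints_may_talk(local: Label, remote: Label) -> bool:
    """Default network policy between labeled zones: endpoint label equality."""
    return local == remote

# Constructed labels mirroring the zones on the architecture slide.
PUBLIC = Label(0)
INTERNAL = Label(1)
NEED_TO_KNOW = Label(2, frozenset({"project-x"}))

def demo() -> dict:
    """Returns each policy decision so the outcomes can be inspected or tested."""
    return {
        "need-to-know mounts public read-only": mount_decision(NEED_TO_KNOW, PUBLIC, False),
        "need-to-know mounts public read-write": mount_decision(NEED_TO_KNOW, PUBLIC, True),
        "public mounts need-to-know read-only": mount_decision(PUBLIC, NEED_TO_KNOW, False),
        "internal mounts own filesystem read-write": mount_decision(INTERNAL, INTERNAL, True),
        "internal zone talks to public zone": network_endpoints_may_talk(INTERNAL, PUBLIC),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```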

  - 22 -

    Labeled Filesystems

    • Read-only access to lower-level directories
    • Supports all filesystem types
    • Both local and NFS filesystems
    • Administered via Global Zone

    [Diagram: directory tree from / with usr, zone and export subtrees, showing the root directories of the public, internal and need-to-know zones]
