Transcript


Virtualization in Multilevel Security Environments

Dr. Christoph Schuba, [email protected], http://blogs.sun.com/schuba

- 2 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow


- 4 -

Virtualization Technologies

• Type 1 - Hypervisor-based virtualization
  > xVM - style (think XEN)
  > Logical Domains (LDOM) - firmware-style, Sparc CMT
• OS virtualization
  > Containers (aka Zones), both x64 and Sparc
• Type 2 - Hypervisor-based virtualization
• Desktop and network virtualization
  > Sunray, VDI, Crossbow, ...
• Combinations!

- 5 -

Server Virtualization Categories

[Figure: four columns, each showing a server / OS / app stack; the first two run multiple OS instances, the last two a single OS]

• Hard Partitions (multiple OS)
  > Very High RAS
  > Very Scalable
  > Mature Technology
  > Ability to run different OS versions
• Virtual Machines (multiple OS)
  > Ability to live migrate an OS
  > Ability to run different OS versions and types
  > De-couples OS and HW versions
• OS Virtualization (single OS)
  > Very scalable and low overhead
  > Single OS to manage
  > Cleanly divides system and application administration
  > Fine grained resource management
• Resource Mgmt. (single OS)
  > Very scalable and low overhead
  > Single OS to manage
  > Fine grained resource management

- 6 -

Virtualization

Virtualization is the idea to introduce an abstraction layer that decouples previously adjacent layers to deliver greater resource utilization and flexibility.

• Layers?
  > application, operating system, network, storage, file system, memory, resources, etc.

- 7 -

A Word About the Software

• Solaris vs. OpenSolaris
  > Initially Developer Focus, soon Enterprise
  > Free
  > Open Source
  > Superior prototyping Environment for Security Research
    – virtualization technologies
    – process privileges
    – fault and service management
    – open storage, especially ZFS
    – cryptographic framework, etc.
• Type-2 Hypervisor VirtualBox

- 8 -

Multilevel Architecture

• Layered architecture implements:
  > Mandatory access control
  > Hierarchical labels
  > Principle of least privilege
  > Trusted path
  > Role-based access

[Figure: layered architecture. SPARC, x86 or x64 hardware with a local or Sun Ray display; Solaris kernel; global zone; labeled zones Need-to-know, Internal Use and Public]

- 9 -

Solaris Trusted Extensions

Mandatory Access Control & Security Labels

[Figure: three label sets. Non-hierarchical labels (Net Inc., Music Online, Daisy's Florists) on Solaris 10 with or without Trusted Extensions; a commercial hierarchy (Executive Management, VP and Above, Directors, All Employees) with Trusted Extensions; a government hierarchy (Top Secret, Secret, Confidential, Classified) with Trusted Extensions]

• All objects are labeled, based on sensitivity
• Access governed by label hierarchical relationship

- 10 -

What's Solaris Trusted Extensions?

• A redesign of the Trusted Solaris product using a layered architecture.

• An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects

• A set of software packages integrated into the standard Solaris 10 system.

• A set of label-aware services which implement multilevel security

- 11 -

What are Label-Aware Services?

• Services which are trusted to protect multilevel information according to predefined policy

• Trusted Extensions label-aware services include:
  > Labeled Desktops
  > Labeled Printing
  > Labeled Networking
  > Labeled Filesystems
  > Label Configuration and Translation
  > System Management Tools
  > Device Allocation

- 12 -

Trusted Extensions in a Nutshell

• Every object has a label associated with it
  > Files, windows, printers, devices, network packets, network interfaces, processes, etc...
• Accessing or sharing data is controlled by the objects' label relationship to each other
  > 'Secret' objects do not see 'Top Secret' objects
• Administrators utilize Roles for duty separation
  > Security admin, user admin, installation, etc...
• Processes use privileges rather than root access
• Strong independent certification of security

- 13 -

Trusted Solaris History

• 1990, SunOS MLS 1.0
  > Conformed to TCSEC (1985 Orange Book)
• 1992, SunOS CMW 1.0
  > Compartmented-mode workstation requirements
  > Release 1.2 ITSEC certified for FB1 E3, 1995
• 1996, Trusted Solaris 2.5
  > ITSEC certified for FB1 E3, 1998
• 1999, Trusted Solaris 7
• 2000, Trusted Solaris 8
  > Common Criteria: CAPP, RBACPP, LSPP at EAL4+
• 2008, Solaris 10 Trusted Extensions
  > Common Criteria: CAPP, RBACPP, LSPP at EAL4+

- 14 -

Solaris™ Trusted Extensions

[Figure: side-by-side stacks. Trusted Solaris 8 layers Trusted Networking, Trusted Desktop and Label-Aware Services on a modified TCP/IP stack, process containment by labels and Trusted Solaris' own privileges. Trusted Extensions layers the same Trusted Networking, Trusted Desktop and Label-Aware Services on the standard Solaris 10 TCP/IP stack, process containment by zones and Solaris 10 privileges]

• Benefits:
  > Software portability
  > Patch compatibility
  > Shorter release window
  > More familiar

- 15 -

Integration of Trusted Extensions

• Leveraging Solaris functionality:
  > Process & User Rights Management, auditing, zones
  > Make use of existing Solaris kernel enhancements
• Elimination of patch redundancy:
  > All Solaris patches apply, hence available sooner
  > No lag in hardware platform availability
• Extend Solaris Application Guarantee
• Full hardware and software support
  > File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.)
  > Processors (SPARC, x86, AMD64)
  > Infrastructure (Cluster, Grid, Directory, etc.)

- 16 -

Labeled Zones in Trusted Extensions

• Each zone provides a security boundary
  > Unique sensitivity label per zone
  > Labels are implied by process zone IDs
  > Processes and data are isolated by label
• No object is writable by more than one zone
  > Mount policy prevents writing down or reading up
  > Network policy requires endpoint label equality (default)

• Information sharing between zones is based on label relationships

- 17 -

Solaris Kernel Services

• Multilevel Networking

• Filesystem mount policy

• Containment (zones)
  > Processes
  > Devices
  > Resource Pools

[Figure: layered architecture with the kernel services layer highlighted. SPARC, x86 or x64 hardware with a local or Sun Ray display; Solaris kernel; global zone; labeled zones Need-to-know, Internal Use and Public]

- 18 -

Multilevel Services

• Label Policy Administration
• Name Services
• Labeled Printing
• File relabeling
• Device Allocation
• Labeled Windows
• Single Sign-on

[Figure: layered architecture with the multilevel services layer highlighted. SPARC, x86 or x64 hardware with a local or Sun Ray display; Solaris kernel; global zone; labeled zones Need-to-know, Internal Use and Public]

- 19 -

Single Level Applications

• Application Launchers
• Windows XP Remote Desktop
• Mozilla
• StarOffice
• CDE or Java Desktop System

[Figure: layered architecture with the single-level application layer highlighted. SPARC, x86 or x64 hardware with a local or Sun Ray display; Solaris kernel; global zone; labeled zones Need-to-know, Internal Use and Public]

- 20 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

- 21 -

Filesystem MAC policies

• Labels derived from a filesystem owner's label
• Mount policy is always enforced
  > No reading-up
    – Read-write mounts require label equality in labeled zones
  > Reading-down
    – Read-only mounts require dominance by client
    – Can be restricted via zone's limit set and network label range
  > Writing-up
    – Cannot write-up to regular files
    – Limited write-up to label-aware services (via TCP and doors)
  > Writing-down
    – Restricted to privileged label-aware global zone services
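The mount and write rules above come down to one relation, label dominance, applied in four directions. The following model is an added example, not code from the slides or from Sun's Trusted Extensions implementation: it encodes the label hierarchy shown on the slides (ADMIN_LOW below PUBLIC, INTERNAL USE ONLY, NEED TO KNOW and ADMIN_HIGH; the numeric classification values are assumed) together with the non-hierarchical labels from the earlier slide (Net Inc., Music Online) as compartments, and decides read-write/read-only mounts and write-up/write-down attempts the way the policy on this slide describes. The zone limit set and network label range restrictions are not modeled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical classification plus non-hierarchical compartments."""
    classification: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's classification is at least B's and A holds every
        # compartment B holds; labels with disjoint compartments are incomparable.
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# Constructed hierarchy matching the slides; the numeric values are an assumption.
ADMIN_LOW = Label(0)
PUBLIC = Label(1)
INTERNAL = Label(2)          # INTERNAL USE ONLY
NEED_TO_KNOW = Label(3)
ADMIN_HIGH = Label(4)

# Non-hierarchical labels from the earlier slide, modeled as compartments at one classification.
NET_INC = Label(2, frozenset({"Net Inc."}))
MUSIC_ONLINE = Label(2, frozenset({"Music Online"}))


class Mount(Enum):
    READ_ONLY = "ro"
    READ_WRITE = "rw"


def mount_allowed(zone_label: Label, fs_label: Label, mode: Mount) -> bool:
    """Mount policy for a labeled zone mounting a filesystem owned at fs_label.

    - read-write requires label equality (this rules out both reading up and writing down)
    - read-only requires the mounting zone to dominate the filesystem's label (reading down)
    """
    if mode is Mount.READ_WRITE:
        return zone_label == fs_label
    return zone_label.dominates(fs_label)


def write_allowed(proc_label: Label, obj_label: Label, *,
                  via_label_aware_service: bool = False,
                  global_zone_privileged: bool = False) -> bool:
    """Per-object write check.

    - equal labels: always allowed
    - write-up: never to a regular file; only to a label-aware service (TCP or doors)
    - write-down: only for a privileged label-aware service in the global zone
    - incomparable labels: never
    """
    if proc_label == obj_label:
        return True
    if obj_label.dominates(proc_label):        # target is higher: a write-up
        return via_label_aware_service
    if proc_label.dominates(obj_label):        # target is lower: a write-down
        return global_zone_privileged
    return False


if __name__ == "__main__":
    cases = [
        ("need-to-know zone, ro mount of internal fs", mount_allowed(NEED_TO_KNOW, INTERNAL, Mount.READ_ONLY)),
        ("internal zone, ro mount of need-to-know fs", mount_allowed(INTERNAL, NEED_TO_KNOW, Mount.READ_ONLY)),
        ("need-to-know zone, rw mount of internal fs", mount_allowed(NEED_TO_KNOW, INTERNAL, Mount.READ_WRITE)),
        ("Net Inc. zone, ro mount of Music Online fs", mount_allowed(NET_INC, MUSIC_ONLINE, Mount.READ_ONLY)),
        ("internal process writes up to regular file", write_allowed(INTERNAL, NEED_TO_KNOW)),
        ("internal process writes up to label-aware service",
         write_allowed(INTERNAL, NEED_TO_KNOW, via_label_aware_service=True)),
    ]
    for description, decision in cases:
        print(f"{'ALLOW' if decision else 'DENY ':5}  {description}")
```

The incomparable case is the one worth noticing: Net Inc. and Music Online sit at the same classification, yet neither dominates the other, so a read-only mount is denied in both directions. That is what makes compartments useful for separating peers rather than ranking them.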

- 22 -

Labeled Filesystems

• Read-only access to lower-level directories
• Supports all filesystem types
• Both local and NFS filesystems
• Administered via Global Zone

[Figure, built up step by step over slides 22 to 25: the global zone's root filesystem holds /export, /usr and /zone; under /zone sit the roots of the Need to know, Internal and Public zones, each with its own export and usr subdirectories. The export directories of lower-level zones are made visible inside higher-level zones through loopback mounts (legend: subdirectory, loopback mount). The label hierarchy is shown alongside: ADMIN_HIGH, NEED TO KNOW, INTERNAL USE ONLY, PUBLIC, ADMIN_LOW]

- 26 -

NFS Support for Zones

• NFS clients:
  > Each zone has its own automounter
  > Kernel enforces MAC policy for NFS mounts
• NFS servers:
  > Per-zone sharing policy set in global zone
  > Kernel enforces MAC policy for NFS requests
• The global zone administrator can export filesystems from labeled zones
  > Each export must be a single-level filesystem
  > Zone's label automatically applied to each export

- 27 -

Labeled Networking

[Figure: the labeled host (hardware, Solaris kernel, global zone, Need-to-know, Internal Use and Public zones) attached to a multilevel network, a Sun Ray network and several single-level intranets]

- 28 -

Single and Multilevel Ports

• Kernel maintains cache of labels and endpoints
  > Implicit labels based on IP address or Network
  > Explicit labels based on CIPSO label in packet
• Packets are routed to hosts and zones by label matching rules
  > Generally label equality required between endpoints
  > Multilevel ports accept labels within range or set
  > For NFS operations, read-down is supported
    – Sockets are marked with special socket attribute
    – Unique binding of port, label, and IP address
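The routing rules on this slide can be shown end to end: derive the packet's label (explicit CIPSO label if present, otherwise the implicit label of its source network), then find the endpoint bound to that port whose label rule accepts it. This is an added example, not code from the slides or from Solaris; the address ranges, zone names and port numbers are constructed, and the kernel's host-to-label cache is reduced to a dictionary. The same port number can be bound in several zones because the binding is the triple of port, label and address, so the label decides which zone receives the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical classification plus non-hierarchical compartments."""
    classification: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# Constructed hierarchy matching the slides; the numeric values are an assumption.
PUBLIC, INTERNAL, NEED_TO_KNOW = Label(1), Label(2), Label(3)

# Constructed stand-in for the kernel's label cache: implicit labels keyed by network
# (documentation address ranges; assumed, not from the deck).
IMPLICIT_LABELS: Dict[ipaddress.IPv4Network, Label] = {
    ipaddress.ip_network("192.0.2.0/24"): PUBLIC,
    ipaddress.ip_network("198.51.100.0/24"): INTERNAL,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    cipso_label: Optional[Label] = None   # explicit label carried as a CIPSO IP option


def packet_label(pkt: Packet) -> Optional[Label]:
    """Explicit CIPSO label wins; otherwise the implicit label of the source network; else unknown."""
    if pkt.cipso_label is not None:
        return pkt.cipso_label
    addr = ipaddress.ip_address(pkt.src)
    for net, label in IMPLICIT_LABELS.items():
        if addr in net:
            return label
    return None


@dataclass(frozen=True)
class Endpoint:
    zone: str
    port: int
    label: Label                                   # label of the zone that bound the port
    ml_range: Optional[Tuple[Label, Label]] = None  # multilevel port accepting a (low, high) range
    ml_set: FrozenSet[Label] = frozenset()          # multilevel port accepting an explicit set
    nfs: bool = False                               # NFS service: read-down allowed


def endpoint_accepts(ep: Endpoint, pkt_label: Label) -> bool:
    """Label matching rule for one bound socket."""
    if ep.ml_range is not None:
        low, high = ep.ml_range
        return pkt_label.dominates(low) and high.dominates(pkt_label)
    if ep.ml_set:
        return pkt_label in ep.ml_set
    if ep.nfs:
        # Read-down: a client may read an export whose label it dominates, never one above it.
        return pkt_label.dominates(ep.label)
    return pkt_label == ep.label                    # default: strict equality


def route(pkt: Packet, endpoints: List[Endpoint]) -> Optional[str]:
    """Return the zone that receives the packet, or None if it is dropped."""
    label = packet_label(pkt)
    if label is None:
        return None                                 # unlabeled host: no delivery
    for ep in endpoints:
        if ep.port == pkt.dst_port and endpoint_accepts(ep, label):
            return ep.zone
    return None


# Constructed bindings: port 80 bound in two zones, a multilevel syslog port in the global
# zone, and one NFS export per zone (all assumed for the example).
ENDPOINTS = [
    Endpoint("public", 80, PUBLIC),
    Endpoint("internal", 80, INTERNAL),
    Endpoint("global", 514, NEED_TO_KNOW, ml_range=(PUBLIC, NEED_TO_KNOW)),
    Endpoint("internal-nfs", 2049, INTERNAL, nfs=True),
    Endpoint("public-nfs", 2049, PUBLIC, nfs=True),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", 80),                       # implicit INTERNAL -> internal zone
        Packet("198.51.100.7", 80, cipso_label=NEED_TO_KNOW),  # explicit label, nothing bound
        Packet("192.0.2.9", 514),                         # PUBLIC within multilevel range
        Packet("192.0.2.9", 2049),                        # PUBLIC client, cannot read INTERNAL export
        Packet("203.0.113.5", 80),                        # unknown network: dropped
    ]
    for pkt in samples:
        print(f"{pkt.src}:{pkt.dst_port} -> {route(pkt, ENDPOINTS)}")
```

The ordering of the two NFS endpoints matters only for illustration: an INTERNAL client reaches the internal export by equality before the read-down rule would also admit it to the public one, while a PUBLIC client can never reach the internal export at all.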

- 29 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

- 30 -

Solaris Trusted Desktop

• Provides a user friendly graphical environment to interact with multiple classifications of data simultaneously whilst maintaining the security of that data

• Screen real estate is shared, everything else is compartmentalized according to security label
  > Filesystem and other device access, interclient communication, Copy & Paste, Drag & Drop are all restricted to applications with the same security label

• Workspace role assumption for performing user accountable, privileged tasks within the same desktop session

- 31 -

Trusted Desktop - Key Features

• Workspaces are labeled to allow launching of applications at different security labels

• Windows are labeled both on their frames and the tasklist to provide a visual indicator of their security context

- 32 -

Trusted Desktop – Key Features

• Labels are color coded to make them even more easily identifiable

- 33 -

Trusted Desktop – Key Features

• The Trusted Stripe is the primary trust indicator, showing a shield icon when the user is interacting with the Trusted Path of the system e.g. entering passwords

• Also has a role assumption menu, a current workspace label indicator and window label indicator for the window with the current pointer focus

- 34 -

Trusted Desktop – Key Features

• The selection manager intercepts C&P and D&D requests and denies them unless the security policy permits the user to reclassify data

- 35 -

Labeled Desktops and Thin Clients

- 36 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

- 37 -

Virtualization inside Labeled Zones

[Figure: labeled zones Need-to-know, Internal Use and Public, with VirtualBox instances running Vista guests inside the labeled zones]

- 38 -

Trusted VirtualBox - What is it?

• Combination of existing technology into solutions
• Layered virtualization:
  > VirtualBox inside Labeled Zones
• Extending Solaris Trusted Extensions functionality to other Operating Systems
  > Mandatory Access Control
  > Multilevel Security
  > Labeled desktop, networking, device access

[Figure: hardware, Solaris global zone/kernel, labeled zones Need-to-know, Internal Use and Public with VirtualBox instances running Vista guests]

- 39 -

Delivered as...?

• Configuration software
• Live CD image builder
• Service
• Preconfigured hardware
  > laptop, workstation

- 40 -

Recipe - Blend to perfection

- 41 -

Recipe - Blend to perfection

1. Solaris Trusted Extensions
2. VirtualBox instances in Labeled Zones
3. Encrypted ZFS datasets for data storage
4. Labeled IPsec for communications security
5. Validated Execution for system file integrity protection

- 42 -

Virtualization inside Labeled Zones

[Figure, repeated from slide 37: labeled zones Need-to-know, Internal Use and Public, with VirtualBox instances running Vista guests inside the labeled zones]

- 43 -

Virtualization for SNAP

One server

[Figure: hardware, Solaris global zone/kernel with Sun Ray Server Software (SRSS), labeled zones Need-to-know, Internal Use and Public with VirtualBox instances running Vista guests]

• Multiple Windows instances in the Sun Ray server
• Currently requires separate machines

- 44 -

One FAT client

[Figure: hardware, Solaris global zone/kernel, labeled zones Need-to-know, Internal Use and Public with VirtualBox instances running Vista guests]

• Fat Client running apps in labeled zones

- 45 -

Secure Laptop OLPCeo

One FAT laptop

[Figure: hardware, Solaris global zone/kernel, labeled zones Need-to-know, Internal Use and Public with VirtualBox instances running Vista guests]

• Secure laptop for high value information
• Preconfigured to provide secure Windows

- 46 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

- 47 -

What we can do today

• Prevent unauthorized dissemination of confidential data (leaks)
• Isolation via Virtualization
• Prevent loss of confidential data via remote attack
• Medium assurance of system integrity

- 48 -

Preventing Leaks

• Trusted Desktop provides isolation
• Data is contained in labeled zones
• Networking is constrained by labeling policy
• Confidential data cannot be:
  > Downgraded to the public zone
  > Observed by public zone processes
  > Exported to removable media
  > Sent to a public printer

- 49 -

Isolation by Virtualization

• User programs run in uniquely labeled zones (including VirtualBox)

• Security enforcing programs and administrative data are protected in the global zone

• No object is writable by more than one zone
• Information sharing between zones is based on label relationships

- 50 -

Defense Against Remote Attack

• No network services are listening for remote connections in labeled zones

• Clients in the internal zone cannot access the Internet except through VPN

• The global zone only serves local clients

- 51 -

Medium Assurance of System Integrity

• All policy configuration is inaccessible from labeled zones

• Shared data is always read-only for clients
• Auditing is enabled and cannot be observed or erased from labeled zones
• Separation of duty is enforced through administrative roles
• System is Common Criteria certified at EAL4+ for CAPP, RBACPP, and LSPP

- 52 -

Agenda

• Using OS Virtualization to Build MLS Architecture
  > OS Virtualization
  > Labeled Local and Remote File Systems
  > Trusted Desktop
• Overview Trusted VirtualBox
• What We Can Do Today
• What We Can Do Tomorrow

- 53 -

What we can do tomorrow

• Prevent loss of data from theft
• Privacy based on need to know
• Loss of data from impersonation
• High assurance of system integrity

- 54 -

Loss of data from theft

• Each zone will have a unique ZFS dataset encrypted with a unique key

• Zones cannot be booted without providing the key
• Key could be provided via a USB dongle or smartcard

- 55 -

Privacy based on need to know

• Access to remote data can be restricted via labeled IPsec

• Security Associations will match data to the appropriately labeled zone

• Network privacy and Integrity will be provided

- 56 -

Loss of Data from Impersonation

• Use of multi-factor authentication to mitigate password attacks

• Use a combination of biometric, smartcard, or USB dongle to provide something you are and/or something you have, as well as something you know

- 57 -

High Assurance of System Integrity

• Use of Digital Signatures to validate executables, shared libraries and administrative databases

• Use of TPM as root of trust for system to ensure that OS is itself trustworthy

- 58 -

Dr. Christoph Schuba, [email protected], http://blogs.sun.com/schuba

Thank you. Questions?

