Trusted Operating Systems: Securing Networked Systems
Jeffrey W. Thompson, Argus Systems Group, Inc.

Upload: evangeline-manning, posted 22-Dec-2015

Page 1

Trusted Operating Systems

Securing Networked Systems

Jeffrey W. Thompson
Argus Systems Group, Inc.

Page 2

Introduction

• A technical discussion of platform security

• Using Argus’ PitBull .comPack trusted operating system product suite as a reference

• Concepts are easily translatable to other TOS systems.

Jeff Thompson

Software Evangelist and Visionary

Argus Systems Group, Inc.

Page 3

Company Profile

• Argus Systems Group, Inc. is an international provider of Internet security software and engineering services providing E-commerce systems security solutions

• Dedicated to providing security solutions necessary to advance new ways of conducting business over the Internet

Page 4

Overview

• Failings of Standard Operating Systems

• Understanding Trusted Operating Systems

• How TOS Addresses Failings

• Applying TOS to Modern Architectures

Page 5

Experts Agree. . .

“The threats posed by the modern computing environment cannot be addressed without secure operating systems. Any security effort which ignores this fact can only result in a ‘fortress built upon sand’.”

Excerpted from: “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments”,

US National Security Agency (NSA) Report, 1998

Page 6

Failings of Standard Platforms

• Super User/Root

• Discretionary Access Control

• Networking Is Not Tied To Security

Understanding the Sand

Page 7

Super User/Root

• Privileged access to the system is either on or off.

• Only one user is considered to have this “special” access

• Creates a common and single point of attack

Page 8

Super User/Root Ramifications

• Buffer Overflow Attacks

• Misdirection of “root” programs

• Access to most system files (ok, all files)

Page 9

Buffer Overflow Attacks

An attacker goes after…

• Setuid 0 programs

• Daemons running as root

• If you want to learn more, attend Greg Hoglund’s Advanced Buffer Overflow Techniques talk at 4:30pm today.

A buffer overflow attack places new programmatic code on a process’ stack, and causes the process to execute this code when returning from a function. This code is executed with the same rights as the running process, allowing the attacker to force the program to perform nefarious tasks.

Page 10

Misdirection of “root” programs

A setuid 0 program that can be “tricked” into performing unforeseen actions can be used to obtain permanent root access to a system.

Examples:

Race conditions that allow file overwrites

Reads any file on system

Program allows setting of location of tmp file

All of these can easily lead to unauthorized root access

Page 11

Discretionary Access Control

1 The owner of the file where the data is stored determines who gets initial access to it.

2 A user with READ access can let other users have access to the data, either by making a copy or by making a setuid program that gives access.

3 A user with WRITE access can let other users have access to the data by making a setuid program that gives access.

4 The owner of a file can’t stop other users who have access from giving that access to others, and the owner cannot know if the transfer has taken place.

Page 12

DAC Ramifications

• A user that owns a file can modify it, regardless of the permissions on the file

• If you become root you have access to most system files (as they are all owned by root) and an easy path to gaining ongoing access to the system

• In order for an attacker to access a file, he simply has to become the user that owns the file.

• Root access also gives you DAC override and access to all files regardless of permissions.

Page 13

Networking is Not Tied To Security

User access to files and resources on a system is not related in any way to how the user connects to the system.

Firewalls and network filtering determine what services a remote connection can access, but provide no additional security or policy once a user is connected to the system.

A user connected over the Internet has exactly the same file access on a system as the same user logged in from an internal connection, or a VPN connection.

Page 14

Summing it All Up

(Diagram: User A from the Internet and User A from the internal network both reach the same system, on which setuid ‘0’ programs and services running as root are exposed.)

User ‘A’ has the same access on the system no matter where he comes from. User ‘A’ may be able to cause serious damage to the system depending on his access rights.

Setuid programs are major points of attack.

Many services have to run as root and are vulnerable to attack.

Compromise is only a matter of time. All we can do is wait and watch.

Page 16

Understanding TOS(Trusted Operating Systems)

• Least Privilege

• Authorizations

• Mandatory Access Control

• Network Labeling

• Security Gate

• CGI Daemon

Page 17

Privilege Topics

• Definitions

• Process Privileges

• File System Privileges

• Privilege Inheritance

Page 18

Privilege Definitions

Least Privilege

“The principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”

Privilege Bracketing

The principle of enabling and disabling privileges around the smallest section of code which requires them.

Page 19

Privileges

• Traditional UNIX has one privilege: root.

• Argus has divided the root privilege into many sub-privileges, for example:

PV_FS_MOUNT, PV_DAC_R

• Argus includes new privileges, for example:

PV_MAC_W, PV_PV_PROC

Page 20

Process Privileges

Three privilege sets are associated with each process:

Limiting: the maximum possible privilege set a process can have during its lifetime

Maximum: the set of privileges over which a process has control

Effective: the set of privileges used to override system restrictions

Page 21

Process Privileges (cont’d)

The following rules apply to process privilege sets:

– A process may manipulate its effective privilege set within the bounds set by its maximum privilege set.

– A process’s effective privilege set (EPS) must always be a subset of the process’s maximum privilege set.

– A process’s maximum privilege set (MPS) must always be a subset of the process’s limiting privilege set (LPS).

Page 22

Process Privileges (cont’d)

Rules (cont’d):

– A process may only lower its maximum privilege set, never increasing it (except certain privileged processes).

– A process may only lower its limiting privilege set, never increasing it (no privilege will override this restriction).

Page 23

File System Privileges

File System Privilege Information:

– Privilege information is stored in the inode (index node) of each file on the system.

– Privilege information is ignored for directories

Three privilege sets are associated with each file:

• innate

• proxy

• authorized

Page 24

File System Privileges (cont’d)

Innate Privileges: Privileges a process is guaranteed to have in its maximum privilege vector upon startup.

Proxy Privileges: Privileges that will be granted only if the process has them in its maximum privilege set prior to executing the file (i.e. privileges that the process will be allowed to “keep” across the exec).

Authorized Privileges: Privileges that will be granted only if the user has at least one of the authorizations in the Privileged Authorization Set of the file.

Page 25

Privilege Inheritance

• New processes are created via the fork() system call.

• fork() copies all privileges from the parent to the new child.

• Executable files (programs) are executed via the exec() system call.

• exec() calculates the new process’s privileges according to several rules based on the privileges in the old process and privileges on the executable file.

Page 26

Privilege vs. Authorization

Privilege: An attribute of a process that allows the process to execute specific, security-relevant code within the TCB.

Authorization: An attribute of a user ID that allows a process acting on behalf of the user to execute specific, security-relevant code within the TCB.

Page 27

Control via Authorization

Authorizations are the key to gain access to a program’s features.

User accounts have authorizations, not privileges.

Page 28

Unauthorized Use of Programs

• When a user runs a program (creates a new process and runs an executable file) that is privileged, that program can check to see if the user is authorized to use the program or the privileges.

• If the person running the program doesn’t have the appropriate authorization, the program can:

1) exit with an error message

2) run with a reduced feature set (e.g., ls shows all files if run by an ISSO, otherwise it shows only files dominated by the lsing process)

3) disallow some functionality (e.g., the -c option on cpio can only be used by the ISSO)

Page 29

Privilege Authorizations

• An executable can have a set of privileges placed on it that will only be put into the process’ maximum set if it passes an authorization check.

• An executable can have two types of authorizations placed on it

– Access Authorizations

– Privilege Authorizations

• Access Authorizations require a user to have the authorization in order to run the executable.

• Privilege authorizations require a user to have the authorization in order to have the authorized privilege set put into the maximum set.

Page 30

Authorizations and Roles

Three roles:

ISSO (Information Systems Security Officer)

SA (System Administrator)

SO (System Operator)

Other authorizations (not a complete list):

BOOT, SHUTDOWN, DOWNGRADE, UPGRADE, LOGIN, AUTH, ILMODIFY, SETSL, OUTSIDEACCRED, AUDIT

By convention, authorization names are capitalized.
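An added example, not code from the slides or from PitBull, that models in Python the process privilege sets and their rules (pages 20-22), the file privilege sets and exec() inheritance (pages 23-25), and the access and privilege authorizations of page 29. The privilege names are the slides’ own; the Process and Executable classes, the exec_ function, the authorization names used as input, clipping the new maximum set to the caller’s limiting set, and starting a new image with an empty effective set are this example’s assumptions.

```python
from dataclasses import dataclass

# Privilege names taken from the slides; a real system has many more.
PV_FS_MOUNT, PV_DAC_R, PV_MAC_W, PV_PV_PROC = "PV_FS_MOUNT", "PV_DAC_R", "PV_MAC_W", "PV_PV_PROC"


@dataclass
class Process:
    limiting: frozenset                       # LPS: lifetime ceiling, can only shrink
    maximum: frozenset                        # MPS: privileges the process controls, subset of LPS
    effective: frozenset = frozenset()        # EPS: privileges currently overriding checks, subset of MPS
    authorizations: frozenset = frozenset()   # attributes of the user ID, not of the process

    def __post_init__(self):
        self.check()

    def check(self):
        # EPS <= MPS <= LPS must hold at all times.
        if not (self.effective <= self.maximum <= self.limiting):
            raise AssertionError("privilege set invariant violated")

    def set_effective(self, privs):
        """Privilege bracketing: raise or lower the EPS, but only within the MPS."""
        privs = frozenset(privs)
        if not privs <= self.maximum:
            raise PermissionError(f"not in maximum set: {sorted(privs - self.maximum)}")
        self.effective = privs

    def drop_maximum(self, privs):
        """The MPS may only be lowered; the EPS shrinks with it."""
        self.maximum -= frozenset(privs)
        self.effective &= self.maximum
        self.check()

    def drop_limiting(self, privs):
        """The LPS may only be lowered, and no privilege overrides that."""
        self.limiting -= frozenset(privs)
        self.maximum &= self.limiting
        self.effective &= self.maximum
        self.check()

    def fork(self):
        """fork() copies all privilege sets from the parent to the child."""
        return Process(self.limiting, self.maximum, self.effective, self.authorizations)


@dataclass(frozen=True)
class Executable:
    """The three privilege sets stored in a file's inode, plus its authorization sets."""
    innate: frozenset = frozenset()        # guaranteed in the new process's MPS
    proxy: frozenset = frozenset()         # kept across exec only if already in the caller's MPS
    authorized: frozenset = frozenset()    # granted only to users holding a privileged authorization
    priv_auths: frozenset = frozenset()    # the file's Privileged Authorization Set
    access_auths: frozenset = frozenset()  # Access Authorizations: needed to run the file at all


def exec_(proc, exe):
    """Privilege sets of the process after exec(), following the innate/proxy/authorized
    definitions on the slides.  Assumptions made here: the result is clipped to the
    caller's LPS (the MPS must stay a subset of it), and the new image starts with an
    empty EPS so that it has to bracket privileges explicitly."""
    if exe.access_auths and not (proc.authorizations & exe.access_auths):
        raise PermissionError("user lacks an access authorization for this executable")
    new_max = exe.innate | (exe.proxy & proc.maximum)
    if proc.authorizations & exe.priv_auths:
        new_max |= exe.authorized
    new_max &= proc.limiting
    return Process(proc.limiting, new_max, frozenset(), proc.authorizations)
```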

Page 31

MAC Definition

Mandatory Access Control:

“A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”

TCSEC, Glossary

Page 32

MAC Explanation

1 The owner of a file cannot change the MAC settings of a file unless he is authorized to do so.

2 The owner of a file cannot give another user access to the file unless the user is already authorized to have access to that class of data.

3 Copies of the file will automatically be protected at least as well as the original file, no matter how the copy is created and no matter what program or utility is used.

Page 33

MAC Topics

• Definitions and Rules

• Sensitivity Labels

• Process Labels

• Object Labels

• Login Label

Page 34

SL Components

An SL has a single hierarchical component (classification or class).

Examples:

unclassified, classified, secret, top secret

public, sensitive, confidential, classified

An SL also has (optional) non-hierarchical components (compartments or categories).

Examples:

financial, personnel, marketing, engineering

projectA, projectB, projectC

An SL is generally written with the class and compartments separated by a colon.

Examples: TS:A,B   S:A,B,C   TS (no compartment)

Page 35

SL Dominance

Classes can be treated like numbers, with a class being less than, equal to, or greater than another.

Examples:

topsecret > secret > confidential > unclassified

A compartment set can be a subset of another, or it can be a superset, or equal, or disjoint.

Examples:

{A,B} is a subset of {A,B,C}

{B,C} is a superset of both {B} and {C} (and the null set)

{A,B} and {B,C} are disjoint

Page 36

SL Dominance (cont’d)

A label (SL1) is said to dominate another label (SL2) if and only if both of the following are true:

1) the class of SL1 is greater than or equal to the class of SL2, and

2) the compartment set of SL1 is a superset of, or equals, the compartment set of SL2

Examples (TS > S > C):

TS:A,B dominates TS:B and S:A,B and S

S:A,B,C dominates S:A and S and C:A,B,C

Equality is a special case of dominance, that is, if two labels dominate each other, they are equal.

For some labels, such as TS:A,B and S:C, neither label dominates the other.

Page 37

SL Dominance (cont’d)

(Diagram: dominance relations among the SLs TS:A,B,C, TS:A,B, TS, S:B,C, S:B and S.)

The diagram shows how SLs are related by dominance. Each arrow points from one SL to an SL it dominates. If a label dominates another, it is said to be “higher” than the second, and the second is said to be “lower” than the first.

Page 38

SL Inheritance

• Every process and file on the system has an SL.

• When a process creates a file, the file is created with the SL of the process.

• When a process creates a new process (with the fork system call), the new process inherits the same SL.

• The system boots with a specific SL, which is inherited by all other processes. Some of these processes, such as the login process, can change their SLs.

• Each user account is assigned a default SL by the security officer as the account is created. This default is what a user will have as his session SL when he logs on.

Page 39

SL Access Controls

• A process cannot open a file for read unless the SL of the process dominates the SL of the file.

• A process cannot open a file for write unless the SL of the process equals the SL of the file.

• Unless a process has the privilege needed to change an SL, the process cannot change its own SL or the SL of any process or file on the system.

• This form of access control is called Mandatory Access Control (MAC).

• This means that if a process makes a copy of a file, the new file will be at the SL of the process, which is equal to or higher than the original file’s SL, so the security of the copy is equal to or greater than the security of the original file.

Page 40

Clearances and Max SLs

• Every process on the system has two extra SLs:

– Minimum Clearance

– Maximum Clearance

• These SLs are used only when the process attempts to change its own SL or the SL of another object.

• Directories and devices can have a second SL:

– Maximum SL

• This SL is used for access control. A process can write to a device or into a directory (create or delete files) if the process SL is within the range of the device or directory’s SLs, instead of being restricted to being equal to the device or directory’s minimum SL.

Page 41

MAC Rule Summary

Dominance

A label L1 is said to dominate label L2 if the hierarchical component of L1 is greater than or equal to that of L2 and if all compartments (categories) of L2 are contained in the compartments of L1.

Information Flow

Information/data is allowed to flow between objects or subjects only if the destination sensitivity label dominates the source sensitivity label (“write up, read down” or “*-property”).

Page 42

Process Labels

Label information is stored in the proc structure of each process on the system.

Three SLs are associated with each process:

Effective SL

Minimum Clearance

Maximum Clearance

The range of SLs from minimum clearance to maximum clearance is called the “clearance range.”

Page 43

Process Labels (cont’d)

The following rules apply to process SLs:

• A process effective SL must dominate the process minimum clearance.

• A process effective SL must be dominated by the process’s maximum clearance.

• Only a privileged process may change the effective SL or minimum or maximum clearance of a process.

Page 44

Object Labels

Label information is stored in the inode (index node) of each object on the system.

Two SLs are associated with each object:

Maximum SL

Minimum SL

(The maximum SL is only used for directories and devices.)

Page 45

Object Labels (cont’d)

The following rules apply to object SLs:

• An object minimum SL must be dominated by the object’s maximum SL.

• Only a privileged process may change the SLs of an object.

Page 46

Login Label

Each user is assigned a default login SL, a minimum clearance (SL), and a maximum clearance (SL), all stored in /etc/security/clear.

At login, the user is assigned his default login SL unless an SL is explicitly requested.

Example:

login: smith -e "othersl a b"

A user can only log in with an SL within his clearance range.
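An added example, not the slides’ or PitBull’s code, that implements the label model of pages 34-46 in Python: the TS:A,B label syntax, dominance, the read-down and write-equal checks, the SL range of directories and devices, copies inheriting the process SL, the process clearance range, and login within that range. The class ordering follows the slides’ U < C < S < TS example; the class and function names and the (default, min, max) triple used to stand in for a /etc/security/clear entry are this example’s assumptions.

```python
from dataclasses import dataclass

# Hierarchical classes, lowest first (the slides' example ordering).
CLASSES = ["U", "C", "S", "TS"]
RANK = {c: i for i, c in enumerate(CLASSES)}


@dataclass(frozen=True)
class SL:
    cls: str
    comps: frozenset = frozenset()

    @staticmethod
    def parse(text):
        """Parse 'TS:A,B' or 'TS' (no compartments) into an SL."""
        cls, _, comps = text.partition(":")
        if cls not in RANK:
            raise ValueError(f"unknown class {cls!r}")
        return SL(cls, frozenset(c for c in comps.split(",") if c))

    def dominates(self, other):
        """SL1 dominates SL2 iff class(SL1) >= class(SL2) and comps(SL1) is a superset of comps(SL2)."""
        return RANK[self.cls] >= RANK[other.cls] and self.comps >= other.comps

    def __str__(self):
        return self.cls + (":" + ",".join(sorted(self.comps)) if self.comps else "")


def can_read(proc_sl, file_sl):
    # Read down: the process SL must dominate the file SL.
    return proc_sl.dominates(file_sl)


def can_write(proc_sl, file_sl, file_max_sl=None):
    # Plain files: write only at an equal SL.  Directories and devices with a second
    # (maximum) SL accept writes anywhere in the range [min SL, max SL].
    if file_max_sl is None:
        return proc_sl == file_sl
    return proc_sl.dominates(file_sl) and file_max_sl.dominates(proc_sl)


def copy_file(proc_sl, src_sl):
    """A copy is created at the SL of the copying process, which must be able to read the source."""
    if not can_read(proc_sl, src_sl):
        raise PermissionError(f"process {proc_sl} cannot read {src_sl}")
    new_sl = proc_sl                    # the copy gets the process SL ...
    assert new_sl.dominates(src_sl)     # ... which is never lower than the source SL
    return new_sl


@dataclass
class Process:
    effective: SL
    min_clearance: SL
    max_clearance: SL

    def __post_init__(self):
        # The effective SL must lie inside the clearance range.
        if not (self.effective.dominates(self.min_clearance)
                and self.max_clearance.dominates(self.effective)):
            raise ValueError("effective SL outside clearance range")


def login(user_clear, requested=None):
    """user_clear is (default SL, min clearance, max clearance) as text, standing in for
    the user's /etc/security/clear entry; requested is the '-e' SL, if any."""
    default, lo, hi = (SL.parse(s) for s in user_clear)
    sl = SL.parse(requested) if requested else default
    if not (sl.dominates(lo) and hi.dominates(sl)):
        raise PermissionError(f"login SL {sl} outside clearance range {lo}..{hi}")
    return Process(sl, lo, hi)
```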

Page 47

Network Labeling

• Network data is labeled based on interface, host, and port

• A process/service cannot talk to external hosts unless the data is dominated by the process

• Outgoing data is checked against a range of allowable data based on network rules

Page 48

Network Security Rule

A table of network security rules is loaded into the networking stack. The rules look like this:

CON A | TS ALL || IMPL_LO | tcp:IN OUT 192.0.0.14/255.255.255.0 21-24

Fields, as annotated on the following slides: name (192.0.0.14), mask (255.255.255.0), protocol (tcp), start and end of the port range (21-24), min SL and max SL (the TS ALL and IMPL_LO fields), default SL (CON A).

Page 49

This is a host rule...

Page 50

…with a mask, so the rule applies to all hosts with a 192.0.0.xxx IP address.

Page 51

The rule applies to both incoming and outgoing packets.

Page 52

The rule applies only to those 192.0.0.xxx packets with TCP protocol.

Page 53

The rule applies only to those 192.0.0.xxx packets with TCP protocol and using ports 21-24.

Page 54

All packets must be in this range (min SL to max SL). They must also be in the NI rule range.

Page 55

Set incoming packet SL to CONFIDENTIAL A (the default SL).

Page 56

Securing Services

(Diagram: Host A runs Httpd at “Con Httpd” and SQL at “Con SQL”; its interface exposes :80 labeled Con Httpd and :3300 labeled Con SQL, with an interface default of Con Default. Host B and Host C connect over their own interfaces, one of them a VPN, each with an interface default of Con Default, to :80 (Con Httpd) and :3300 (Con SQL).)

Page 57

Outgoing Restrictions

(Diagram: Httpd at Con Httpd with its CGI programs; the interface carries :80 labeled Con Httpd and an interface default of Con Default.)

The web server can communicate on its :80 due to the host rule. CGI programs cannot make network connections back out, as they will run as “Con Httpd” and thus not dominate the incoming data rule of “Con Default”. A range can be put on the interface to enforce restrictions on all outgoing packets as well.
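An added example, not the slides’ or PitBull’s code, that parses the slides’ network security rule and applies the incoming and outgoing checks of pages 47-57 in Python. The rule field values are the slides’ own; reading IMPL_LO as the range minimum and TS ALL as the maximum, the class ranking, the compartment universe behind “ALL”, the rule and packet representation, and the function names are this example’s assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed class ranking (lowest first) and compartment universe for this example.
RANK = {"IMPL_LO": 0, "UNC": 1, "CON": 2, "SEC": 3, "TS": 4}
ALL_COMPS = frozenset({"A", "B", "C", "HTTPD", "SQL", "DEFAULT"})


def label(text):
    """'CON A' -> ('CON', {A}); 'TS ALL' -> ('TS', every compartment); 'IMPL_LO' -> lowest label."""
    cls, *comps = text.split()
    if cls not in RANK:
        raise ValueError(f"unknown class {cls!r}")
    return (cls, ALL_COMPS if comps == ["ALL"] else frozenset(comps))


def dominates(a, b):
    # class(a) >= class(b) and compartments(a) is a superset of compartments(b)
    return RANK[a[0]] >= RANK[b[0]] and a[1] >= b[1]


@dataclass(frozen=True)
class NetRule:
    default_sl: tuple    # SL stamped on incoming packets ("Set incoming packet SL to CONFIDENTIAL A")
    min_sl: tuple        # lowest SL allowed through the rule (assumed: the IMPL_LO field)
    max_sl: tuple        # highest SL allowed through the rule (assumed: the TS ALL field)
    proto: str
    directions: frozenset
    network: ipaddress.IPv4Network
    ports: range

    @classmethod
    def parse(cls, default_sl, min_sl, max_sl, spec):
        """spec is the slides' 'tcp:IN OUT 192.0.0.14/255.255.255.0 21-24' fragment."""
        proto, _, rest = spec.partition(":")
        *dirs, addr, ports = rest.split()
        lo, _, hi = ports.partition("-")
        return cls(label(default_sl), label(min_sl), label(max_sl), proto.lower(),
                   frozenset(d.upper() for d in dirs),
                   ipaddress.IPv4Network(addr, strict=False),   # name + mask -> 192.0.0.0/24
                   range(int(lo), int(hi) + 1))

    def matches(self, proto, direction, host, port):
        return (proto.lower() == self.proto and direction.upper() in self.directions
                and ipaddress.IPv4Address(host) in self.network and port in self.ports)

    def in_range(self, sl):
        return dominates(sl, self.min_sl) and dominates(self.max_sl, sl)


def receive(rule, proc_sl, proto, host, port):
    """Incoming packet: it is labeled with the rule's default SL, and the process may
    read it only if the process SL dominates that label (read down).
    Returns (packet SL or None, outcome)."""
    if not rule.matches(proto, "IN", host, port):
        return None, "no rule: packet dropped"
    packet_sl = rule.default_sl
    if not rule.in_range(packet_sl):
        return None, "default SL outside rule range: packet dropped"
    if not dominates(proc_sl, packet_sl):
        return packet_sl, "process does not dominate packet SL: denied"
    return packet_sl, "delivered"


def send(rule, proc_sl, proto, host, port):
    """Outgoing packet: it carries the process SL, which must lie in the rule's SL
    range, and the process must dominate the rule's incoming data label, or it could
    never read the replies (the CGI case on page 57)."""
    if not rule.matches(proto, "OUT", host, port):
        return "no rule: packet dropped"
    if not rule.in_range(proc_sl):
        return "process SL outside rule range: denied"
    if not dominates(proc_sl, rule.default_sl):
        return "process does not dominate incoming data SL: denied"
    return "sent"
```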

Page 58

Security Gateway

Security Gateway is a trusted program that:

– allows communication between two processes with disjoint Sensitivity Labels

– allows only one-to-one communication

– is written by security experts

Page 59

Security Gate

(Diagram: CGI with SL “Con CGI” and SQL with SL “Con SQL”.)

These applications cannot talk as they are in disjoint compartments.

Page 60

Security Gate

(Diagram: CGI (SL: Con CGI) and SQL (SL: Con SQL) connected through the Security Gate.)

Privileged program that acts as a gateway for communication between two applications.

This only allows the programs to talk, but doesn’t allow access to files or other resources of these applications.

Page 61

CGI Daemon

A secure CGI daemon that

– separates CGI functionality of a web server from the web server itself

– provides a secure way to execute any CGI programs

– provides virtual partition between web server and CGI programs

– provides a secure communication between web server and CGI program

Page 62

CGI Daemon

(Diagram: httpd in the “Confidential Web” compartment and CGId with the CGI programs in the “Confidential CGI” compartment, joined by the SG (security gate).)

CGId runs in a separate compartment, and has no access to httpd compartmentalized files or its network access.

Page 63

How TOS Addresses Failings

• Buffer Overflow Attacks

• Misdirection of “root” programs

• A user that owns a file can modify it, regardless of the permissions on the file

• If you become root you have access to most system files (as they are all owned by root) and an easy path to gaining ongoing access to the system

• User access to files and resources on a system is not related in any way to how they connect to the system.

• Firewalls and network filtering determine what services a remote connection can access, but provide no additional security or policy once a user is connected to the system.

• A user connected over the Internet has exactly the same file access on a system as the same user logged in from an internal connection, or a VPN connection.

Page 64

Buffer Overflow Attacks

• Least Privilege allows

– Programs run with minimal abilities

– Programs can drop privileges when they are no longer needed

Page 65

Buffer Overflow Attacks Example

(Diagram: Httpd with the “bind to privileged port” privilege, then Httpd with no privilege.)

Httpd can be run as a normal user with the bind to privileged port privilege. There is no need for it to be root now.

Once httpd binds to its network port it can drop its privilege as it is no longer required.

A buffer overflow attack on this daemon now results in no special privileges. Also, if it were attacked when it had privilege, the attacker would only gain the bind privilege.

In standard Unix httpd has complete access to the system even though it really only needs the ability to bind to a privileged port. Why?

Page 66

Misdirection of “root” programs

• Least privilege reduces the damage caused.

Most attacks of this type rely upon specific abilities of the root user for their success (such as complete file access). As most programs do not need this ability, the number of attacks is reduced.

Also, a program can drop these special privileges when no longer needed, thus further reducing the code that could be targeted for an attack.

Page 67

Misdirection of “root” programs

Program Code:
  Main()…
  More code
  And more code

This program running as root under standard Unix has potential attack points throughout its entire code base.

Page 68

Misdirection of “root” programs

Program Code:
  Main()…
  Enable privileges
  Privileged code
  Drop privileges
  More code
  And more code

This program running as any user under a TOS has potential attack points only where privileges are active, thus greatly reducing attack vulnerability.

Page 69

A user that owns a file can modify it

• MAC can be used to restrict access to a file even if a user is the owner.

System Files – Owned by Root at Implementation_Low

User logged in as Root but forced to SL of Confidential

Root has read access to system files but not write access, due to MAC protection. The user has no way of changing his effective SL and thus can never gain write access.

Page 70

Root has access to all files

Under a TOS, root is not a special user. The user must have privileges or authorizations that allow him access to a privileged program in order to gain special abilities.

Implication: Programs running as root are really no different than programs running as any other user.

Page 71

Network Protection

Network rules can force a user to enter the system at a specific effective SL, thus limiting their access.

These rules can give a user different types of access depending on where he logs in from (even through a VPN).

Implications:

System files can be MAC protected so that they are never modifiable by any user coming from a public connection.

Administrative programs can be isolated so that they are only executable by internally connected users.

Page 72

Summing it All Up

Least Privilege Programs

User A – From Internet

User A – From Internal

Services running as root

User ‘A’ can be given restricted access if coming over the Internet (even no access), while the same user coming in from an internal connection can be given more access.

Setuid programs are now running with least privilege.

Services can run as different users, or even as root. They gain no special rights because of this.

Applications are isolated from each other and the system, limiting the damage caused by a penetration.

Page 73

Applying TOS to Modern Architectures

• Basic Web Server

• Root as a Guest Account

Page 74

Defining Labels

• Hierarchical components:
  – TOP_SECRET (TS), Confidential (CON), Unclassified (U), Implementation_Low (IMPL_LO)

• Compartments:
  – WEB, A, MAIL

Page 75

Basic Web Server

Files

Web content and CGI are stored at Unclassified WEB.

Web Server configuration is stored at U WEB_CONF, but could be stored at U WEB if you would like the content creator to have access to the configuration files.

Page 76

Basic Web Server

Files

System files (configuration, libraries, and binaries) are all stored at Implementation Low.

Page 77

Basic Web Server

Web Server

The web server is run at CON WEB WEB_CONF, giving it read access to all web content and its own configuration files. The web server and any CGI programs it runs are unable to modify the files due to MAC restrictions.

Page 78

Basic Web Server

Network

The interface places all external connections to the web server at CON WEB WEB_CONF, allowing communications to take place at that SL.

FTP and SSH connections are placed at U WEB, allowing content to be placed on the system. Clearly SSH is a better mechanism for doing this!

Page 79

Root as a Guest Account

NIC

System Files – SL: IMPL_LO

telnetd (:23, SL: Con User) → Root Shell (SL: Con User)

Read Only (root shell to system files)

Sendmail, Pop/Imap (:25, 110, 143, SL: Con Mail) → Mail Files (SL: Con Mail)

Can’t Access Each Other (Con User and Con Mail)

Root connects in at Con User and is unable to modify ANY system files.

Page 80

Root as a Guest Account


The mail system is also completely isolated. Any breach here will not lead to a system compromise.
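The label arithmetic behind the Basic Web Server slides and the Root-as-a-Guest diagram, as an added toy model (not PitBull code and not from the slides). It assumes the usual MAC rule shape: a subject may read an object whose label it dominates, and may write only an object with exactly its own label (no write-down, no write-up); the USER and WEB_CONF compartment names are taken from the slide labels "Con User" and "U WEB_CONF".

```python
# Added example: sensitivity labels (SL) as level + compartment set, with
# dominance, read/write decisions, and the per-port network rule.
from dataclasses import dataclass

LEVELS = {"IMPL_LO": 0, "U": 1, "CON": 2, "TS": 3}  # hierarchical components


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def L(level, *comps):
    return Label(level, frozenset(comps))


def can_read(subject, obj):
    return subject.dominates(obj)          # read-down allowed


def can_write(subject, obj):
    return subject == obj                  # a CON process cannot modify a U file


# Labels as given on the slides
SYSTEM_FILES = L("IMPL_LO")                # config, libraries, binaries
WEB_CONTENT = L("U", "WEB")                # web content and CGI
WEB_CONF = L("U", "WEB_CONF")              # web server configuration
HTTPD = L("CON", "WEB", "WEB_CONF")        # web server process
CONTENT_CREATOR = L("U", "WEB")            # SSH/FTP session placing content
ROOT_SHELL = L("CON", "USER")              # telnet login forced to Con User
MAIL = L("CON", "MAIL")                    # sendmail/pop/imap and mail files

# Network rule: connections on a port enter at a fixed SL (ports from the diagram)
PORT_LABELS = {23: ROOT_SHELL, 25: MAIL, 110: MAIL, 143: MAIL}


def network_label(port):
    """SL assigned to an inbound connection, or None where no rule exists
    (assumed default-deny for unlisted ports)."""
    return PORT_LABELS.get(port)


def access(subject, obj):
    """'rw'-style string of what the MAC policy grants subject over obj."""
    return (("r" if can_read(subject, obj) else "-")
            + ("w" if can_write(subject, obj) else "-"))
```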

Page 81

Commercial Trusted OS Platforms

• Argus PitBull .comPack – Solaris 7 (Sparc & x86)
  – Porting to:
    • Solaris 8 (Sparc & x86)
    • IBM AIX
    • Linux (32bit and 64bit kernels)

• Hewlett Packard – Virtual Vault (HP hardware)

Page 82

The Argus Revolution

• Free PitBull Foundation Licenses for Individual Non-Commercial Use

• http://www.argusrevolution.com/

Page 83