[original file is EmbeddedSELinuxReport.pdf by Yuichi Nakamura]
[Copyright © 2007 Hitachi Software Engineering Co., Ltd.]
[translated by ikoma]
CELF Technical Jamboree #18
Dec. 21, 2007
Development of SELinux -- SELinux can be used for Embedded Systems
Yuichi Nakamura, Research & Development Dept., Hitachi Software Engineering Co., Ltd.
ynakam (at) hitachisoft.jp
2
Table of Contents
* 1. What is SELinux?
* 2. Barriers to Embedded SELinux
* 3. Development of Embedded SELinux
* 4. Development Activities in Japanese Community
* 5. Misc. Talks
3
1. What is SELinux?
4
What is SELinux?
* Secure OS technology developed by NSA (http://www.nsa.gov/)
- Standard option in kernel 2.6
* Secure OS features
- Assignment of minimum amount of authorization per process
- Access control even root can not circumvent (mandatory access control)
- Minimizing authorization that attackers might obtain
* Benefits of SELinux
- Containment of attackers' behavior, and minimizing the damage from intrusion
- Effective even if security holes are left unfixed
* Good track record
- Enabled by default in distributions for enterprises (Red Hat)
5
Implementation of SELinux
Process
|
(1)access request
|
+--------------------------Linux kernel-----------------------+
| V |
| +-------------------+ |
| |(2)Linux permission| |
| | check | |
| +-------------------+ |
| | |
| V |
| +-----------+ (4)security check request +-----------+ |
| | (3) LSM |----------------------------->|(5)SELinux | |
| | |<-----------------------------| | |
| +-----------+ (6) check results +-----------+ |
| | |
+------(7)access----------------------------------------------+
|
V
Resource
6
Access Control Model of SELinux: TE (Type Enforcement)
* domain: authorization name owned by process
* type: identifier of resource
* Permission between domain and label
process                permission         resource
+-----------------+                  +----------------------+
| http daemon     |      read        | file: /var/www       |
| domain: httpd_t |----------------->| type: web_contents_t |
+-----------------+                  +----------------------+
* Domain has no authorization by default
* Set accessible types explicitly
* Processes work with minimal authorization necessary
7
Security Policy
* The settings (configuration) for SELinux
* Aggregation of access permission setting (allow setting)
- example of allow setting
allow httpd_t web_contents_t file:{ read };
      ^       ^              ^
      |       |              |
    domain   type         permission
* By default, access is denied; enumerate the required access permissions
- May amount to 100,000 items
8
2. Barriers against Embedded SELinux
9
SELinux for Embedded Systems
* Promising as security measure for embedded systems
- Tolerance against attackers even without updates
- Architecture independent
- No special hardware required
* Adaptation for embedded systems
- Just porting is easy
- But there are barriers...
10
Barriers to Embedded SELinux
* 1. Configuration is not easy <==
* 2. Performance issues
11
Difficult Configuration: General Setting of SELinux
* Procedure to setup
- 1) Obtain sample policy (reference policy)
- 2) Remove unnecessary policy
- 3) Add as required
* Why difficult?
- Dependency among setting items
- Large number of setting formats
- Too many items to remove
12
Difficult Configuration: Dependency
* When removing items, care must be taken so that errors do not occur
- A missing label declaration causes an error, so every item that uses the label has to be removed too
- E.g. removing the sendmail settings caused an error on the apache side
- Because apache was using a label declared in the sendmail settings
* Care is needed with each of the many items to be removed
13
Difficult Configuration: Too Many Setting Formats
* A large number of items to set up for SELinux
- 700 kinds of permissions
* Use of "Macro" to organize items to set up
* Number of macros explodes
- Several thousand macros
- Impossible to remember!!
14
Difficult Configuration: A Lot of Items to Delete
* Sample policy is generic and huge
- Settings for Fedora, Debian, SUSE, etc. are all bundled together
- Size is huge
- File size 2MB+; memory footprint 5MB+
==> Diet required for embedded systems
* Example: removing apache
- More than 400 lines removed
- Removed while understanding the semantics of each setting and resolving dependencies
- Further lines in the base system had to be removed as well
- I gave up!
15
Difficult Configuration: Summary
* 1) Obtain sample policy (reference policy)
* 2) Remove unnecessary policy
- Too many places to remove
- Bunch of dependency errors
- Incomprehensible settings
* 3) Add missing part
- Dependency errors
- Incomprehensible settings
* Conclusion: Give up SELinux!?
16
Performance Issues
* Performance deterioration with SELinux
- Overhead of system calls
- Larger memory footprint
- Larger file sizes
17
Overhead of System Calls (Before Tuning)
* CPU: SH7751R, File System: ext3
* Measured overhead with lmbench
* Overhead relative to the same test with SELinux disabled (= 1)
+----------------+---------------+---------------+
| Measured item  | Overhead (%)  | Overhead (%)  |
| (lmbench)      | Pentium4 PC   | SH7751R board |
|                |               | before tuning |
+----------------+---------------+---------------+
| read           | 12.3          | 130.0         |
+----------------+---------------+---------------+
| write          | 14.0          | 146.6         |
+----------------+---------------+---------------+
* Overhead is large for embedded systems (esp. read/write)
18
Memory Consumption (Before Tuning)
* Measurement method
- A = free command on kernel with SELinux disabled
- B = free command on kernel with SELinux enabled, policy read
- Consumption = B - A
- Sample policy is used as is
* Results : Memory consumption : 5365 kbyte
* Very tough with memory of 32MB or 64MB ...
19
Increased File Size (Before Tuning)
* Measured file size increase with SELinux
+---------------+--------------------+
| Item          | Size increase      |
|               | before tuning (KB) |
+---------------+--------------------+
| kernel        | 73.7               |
| (zImage file) |                    |
+---------------+--------------------+
| library       | 482.1              |
+---------------+--------------------+
| command       | 374.6              |
+---------------+--------------------+
| policy file   | 1356.2             |
+---------------+--------------------+
| total         | 2286.6             |
+---------------+--------------------+
* Too large to hold in flash memory
20
Summary So Far: Embedded SELinux
* 1. Configuration is not easy
* 2. Performance issues
- Large overhead
- Large memory footprint
- Large file usage
21
3. Development of Embedded SELinux
22
Items to Develop for Embedded SELinux
* To solve configuration issues
- "SELinux Policy Editor" for embedded systems
* To improve performance
- Less overhead
- Less memory footprint
- Less file usage
* SH support of audit
* Mainlining
23
Porting: Evaluation Environment
* Board: Renesas Technology R0P751RLC0011RL (aka R2D+)
- CPU: SH 7751R
- main memory: 64Mbyte
* File system
- Tested and verified with ext2 (compact flash) and jffs2 (flash ROM)
* Linux support on flash ROM : courtesy of Renesas Solutions Corp.
24
What is SELinux Policy Editor?
* Tool to configure SELinux
* Hides labels and resolves dependencies with an easy format (SPDL)
* Developed by Hitachi Software Engineering Co., Ltd.
* GPL
25
Components of SELinux Policy Editor
Complexity concealed
with easy format(SPDL)
|
v
Simplified Policy ====> Converter ===> Policy for SELinux
^
|
|
GUI, command line tool,
automatic generator, etc.
Policy can be built without
knowing about SPDL format
26
Features of SPDL
* Configuration is written in SPDL
- Configuration example for running Apache web server
{
domain httpd_t;
program /usr/sbin/httpd;
...
allow /etc/httpd/** r,s;
allow /var/log/httpd/** r,a,s;
allow /var/www/** r,s;
allownet -protocol tcp -port 80,443 server;
}
* Concealment of labels
- Directly specifiable with file names, port numbers
- Need not worry about dependencies
* Consolidation of permissions and removal of redundancy
|
V
* Drastic reduction of elements to be configured
- Configurable permissions: 700 -> approx. 100
- Number of elements to be configured: 2000 (macros) -> 10
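To make concrete how an SPDL block conceals labels and resolves the declaration dependency, here is a small converter written for this page; it is an added illustration, not seedit's own converter or its real output. It assumes the permission letters r, a, w and s mean read, append, write and directory search, derives a type name from each path, and skips the allownet line; the real tool's naming and mapping may differ.

```python
import re
# Assumed meaning of the SPDL permission letters in this illustration
# (not necessarily seedit's own mapping): r=read, a=append, w=write,
# s=search on the directories leading to the files.
FILE_PERMS = {"r": "read", "a": "append", "w": "write"}
# Constructed input: the Apache block from the slide, without the allownet line.
SPDL_HTTPD = """{
domain httpd_t;
program /usr/sbin/httpd;
allow /etc/httpd/** r,s;
allow /var/log/httpd/** r,a,s;
allow /var/www/** r,s;
}"""

def path_to_type(path):
    """Derive a type label from a path pattern (assumed scheme): /var/www/** -> var_www_t."""
    stem = path.rstrip("*").strip("/")
    return re.sub(r"[^a-z0-9]+", "_", stem.lower()) + "_t"

def convert(spdl):
    """Expand one SPDL block into TE declarations, allow rules and file contexts.
    Every type is declared before a rule references it, so the output never
    hits the 'undeclared label' dependency error hand-edited policy runs into."""
    domain, types, rules, fcontexts = None, [], [], []
    for stmt in spdl.strip("{}\n").split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "domain":
            domain = words[1]
            types.append(domain)
        elif words[0] == "program":
            exe_t = path_to_type(words[1])
            types.append(exe_t)
            fcontexts.append(f"{words[1]} -- system_u:object_r:{exe_t}:s0")
            rules.append(f"allow {domain} {exe_t}:file {{ entrypoint }};")
        elif words[0] == "allow":
            path, letters = words[1], set(words[2].split(","))
            t = path_to_type(path)
            if t not in types:
                types.append(t)
            prefix = path.rstrip("*").rstrip("/")
            fcontexts.append(f"{prefix}(/.*)? system_u:object_r:{t}:s0")
            perms = " ".join(sorted(FILE_PERMS[c] for c in letters if c in FILE_PERMS))
            rules.append(f"allow {domain} {t}:file {{ {perms} }};")
            if "s" in letters:
                rules.append(f"allow {domain} {t}:dir {{ search }};")
    return {"te": [f"type {t};" for t in types] + rules, "fc": fcontexts}
```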
27
Adapting SELinux Policy Editor to Embedded Systems
* Original SELinux Policy Editor was inconvenient for embedded systems
- Must be executed on the target machine
* SELinux Policy Editor 2.2.0 (released November 2007) supports embedded systems
- Policy can be developed on cross environment
- Released under GPL
* Download:
http://seedit.sourceforge.net/ (in Japanese and English)
28
Benefits of SELinux Policy Editor
* Need not to use sample policy
- Liberated from macro hell and dependency hell
* Custom policy specific to embedded systems can be easily written
- SPDL is easy to understand
* Can write a small policy
- Can write only the policy that is required
- e.g. approx. 60k bytes for 10 applications
* Now you can configure SELinux for embedded systems!
29
Tuning SELinux
* Less overhead
* Less memory footprint
* Less file usage
30
Less Overheads
* Focused on reducing the overhead of read/write
- Particularly large (approx. 150%)
* Hand-tuned the rest
- Inline-expanded functions by hand
- Removed unused permission checks in networking (control per NIC, IP address, etc.)
31
Less Overhead with read/write
* Checking at read/write is redundant
- Security check at file read/write
- Doubly checked: at file open (1) and again when the read/write system call is issued (2)
* Reduced the SELinux check at read/write
- Check required only in special cases (when the configuration changed between (1) and (2))
* Created patch and got it mainlined (Linux 2.6.24 and later)
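As an added illustration (not the kernel patch itself, and using this example's own names rather than kernel symbols), the following model shows the rule the patch implements: a full policy lookup at open(), and at read()/write() only a comparison of the subject label, the file's label and the policy sequence number recorded at open(), with the slow lookup repeated only when one of them has changed. The fast path is safe because every input the open-time decision depended on is part of that comparison.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """Constructed toy policy: a set of (domain, type, permission) triples."""
    rules: set
    seqno: int = 1      # bumped on every policy load, like the kernel's policy seqno
    lookups: int = 0    # how many times the slow full policy search ran

    def allowed(self, domain, ftype, perm):
        self.lookups += 1               # the slow path the slide wants to avoid
        return (domain, ftype, perm) in self.rules

    def reload(self, rules):
        self.rules, self.seqno = set(rules), self.seqno + 1

@dataclass
class Inode:
    sid: str            # the file's type label; a relabel changes it

@dataclass
class OpenFile:
    inode: Inode
    task_sid: str       # domain of the opener, recorded at open()
    isid: str           # inode label as seen at open()
    pseqno: int         # policy seqno at open()

def file_open(policy, task_sid, inode, perm):
    """open(): always a full lookup, then snapshot what the decision relied on."""
    if not policy.allowed(task_sid, inode.sid, perm):
        return None
    return OpenFile(inode, task_sid, inode.sid, policy.seqno)

def file_permission(policy, f, task_sid, perm):
    """read()/write(): reuse the open-time decision unless an input changed."""
    if (task_sid == f.task_sid and f.isid == f.inode.sid
            and f.pseqno == policy.seqno):
        return True     # fast path: nothing relevant changed since open()
    return policy.allowed(task_sid, f.inode.sid, perm)   # revalidate

def demo():
    policy = Policy({("httpd_t", "web_contents_t", "read")})
    www = Inode("web_contents_t")
    f = file_open(policy, "httpd_t", www, "read")              # lookup 1: allowed
    fast = file_permission(policy, f, "httpd_t", "read")       # fast path, no lookup
    www.sid = "secret_t"                                       # file relabelled under the open fd
    relabel = file_permission(policy, f, "httpd_t", "read")    # lookup 2: denied
    www.sid = "web_contents_t"
    policy.reload(set())                                       # rule revoked by a policy reload
    revoked = file_permission(policy, f, "httpd_t", "read")    # lookup 3: denied
    return fast, relabel, revoked, policy.lookups              # (True, False, False, 3)
```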
32
Results of Reduced Overheads
* Results of lmbench (CPU: SH7751R)
+---------------+------------------+-----------------+
| Measured item | Overhead before  | Overhead after  |
| (lmbench)     | tuning (%)       | tuning (%)      |
+---------------+------------------+-----------------+
| read          | 130.0            | 12.5            |
+---------------+------------------+-----------------+
| write         | 146.6            | 14.9            |
+---------------+------------------+-----------------+
* Better read/write --> mainlined
* Other optimizations
- Failed to get mainlined because they made the code dirty
33
Less Memory Footprint
* Created policy using SELinux Policy Editor
- Can create only policy required
- Created a policy for 10 applications
* Reduced fixed buffer
- Modified to allocate the hash table buffer (252KB) dynamically according to policy size
- Reduced buffer size from 252KB to 1KB
- Got mainlined (Linux 2.6.24)
34
Less Memory Footprint (Results)
+------------------+------------------+------------------+
|                  | footprint before | footprint after  |
|                  | tuning (kbytes)  | tuning (kbytes)  |
+------------------+------------------+------------------+
| memory footprint | 5365             | 465              |
+------------------+------------------+------------------+
* Now machines with 32MB/64MB of memory can afford it
* SELinux Policy Editor has a great effect
- Approx. 4.6MB is attributed to policy size reduction
35
Less File Usage
* (1) Policy development with SELinux Policy Editor
* (2) Reduction of libraries: development of minimal libselinux
- Libraries for SELinux
- libselinux, libsepol, libsemanage
- libsepol and libsemanage can be omitted for embedded systems
- minimal libselinux
- Dependency of libselinux on libsepol removed
- Unnecessary functions removed from libselinux
- Submitted to the SELinux community and got merged
- Compiled with "make EMBEDDED=y" to generate the minimal libselinux
482KB => 66KB
* (3) Reduction of commands
- a) Selected the minimal required commands
- b) BusyBoxized them
- Work shared among volunteers from Japan SELinux Users Group
- Submitted to the BusyBox community and got merged
375KB => 11KB
36
Less File Usage (Results)
+--------------------+-----------------+-----------------+
| Items              | Size before     | Size after      |
|                    | tuning (kbytes) | tuning (kbytes) |
+--------------------+-----------------+-----------------+
| Increase of kernel | 73.7            | 73.7            |
| size (zImage file) |                 |                 |
+--------------------+-----------------+-----------------+
| Libraries          | 482.1           | 66.3            |
+--------------------+-----------------+-----------------+
| Commands           | 374.6           | 10.8            |
+--------------------+-----------------+-----------------+
| Policy file        | 1356.2          | 60.4            |
+--------------------+-----------------+-----------------+
| Total              | 2286.6          | 211.2           |
+--------------------+-----------------+-----------------+
* Achieved approx. 200KB ==> Now loadable on flash memory
* SELinux Policy Editor has great impact => Approx. 1.3MB saving
* Diet of libraries and commands => Approx. 700KB saving
37
Adapting Audit for SH
* What is audit?
- Mechanism to log system calls in Linux kernel
* Logs convenient for developing SELinux policy can be obtained
- Full path names of accessed files can be collected
- Not a necessity, but convenient
* CPU dependent, as entry.S is modified
* x86, PowerPC and MIPS already supported
* But SH is not supported yet
* Wrote patch and got it mainlined
- To be merged in 2.6.25
38
Audit Support: Remaining Issues
* ARM is not yet supported
Any volunteer? (^^;
* Homework from the audit maintainer
- Pass test cases of CAPP and LSPP
Help! (^^;;;; [this is an emoticon in a sweat...]
* Proposal by the SH maintainer
- Code below arch/ has much redundancy; there should be room for improvement
* The userland command (auditctl) should be ported; not an easy task
- Dummy audit rules have to be registered to generate log with full paths
* "audit to get full paths" should be mainlined
- Planned to submit after Christmas vacation
39
4. Development Activities in Japanese Community
* Improving the worst execution time
- by Kaigai; merged in 2.6.24
* Support of BusyBox SELinux
- Work shared among volunteers from Japan SELinux Users Group
- Ported and submitted SELinux commands and options
- Major commands porting done
- Supporting domain assignment of SELinux
- By Shinji
Already merged in BusyBox 1.8.2
40
Improving the Worst Execution Time
Background: AVC (Access Vector Cache)
* Speeds up the access check in SELinux
                          SELinux Reference Monitor
              +- - - - - - - - - - - - - - - - - - - - - - -+
              |          (4) cache search result            |
 (1) access   |   +-----+<-------------------+              |
     inquiry  |   | AVC |                    |              |
Subject ----->|   +-----+              +------------+       |    +----------+
(process)     |      |   (2) AVC miss  |  Security  |  (3) search |  Security  |
              |      +---------------->|   Server   |------------>|  Policy    |
              |                        +------------+       |    +----------+
              +- - - - - - - - - - - - - - - - - - - - - - -+
                Search result has been      Search security policy and
                cached (Fast)               determine accessibility (Slow)
* Search in AVC: 100 times faster than a direct policy search; on the order of microseconds
* Cache hit rate is over 99.5%
-> In the worst case (probability less than 0.5%), a check 100 times slower occurs
- on the order of hundreds of microseconds
41
Patch to Improve the Worst Execution Time
* Wanted to make the security policy search faster
* Cause: search in the bitmap struct is slow
* Patch for faster search of bitmap struct created and submitted (by Kaigai)
- Policy search time has been reduced to 1/3
- Merged in 2.6.24
42
5. Misc. Talks
* Impression on mainlining
* Remaining issues
* On the significance of overhead reduction
43
Impression on Mainlining
* "Release early, release often" works
* Procedure which was successful for SELinux
- 1) Issue RFC when you find a problem
- Submit the problem (with numbers), simple code to resolve it, and the improved figures
- 2) Have a good sleep
- 3) Harvest better solutions
- Discussions are carried on without you
- Other problems may be shown
You may have more homework (^^;;;
- While discussing reducing memory footprint, performance tuning was requested
- 4) Discussion goes on
- 5) Resubmit, discuss, and repeat
44
Remaining Issues
* More diet
- Redundancy still remains
- e.g.
- MLS processing in kernel is unnecessary; boolean etc. can be reduced
- libselinux is not included in uClibc
- Target: below 100KB of memory and file consumption
* More sophisticated SELinux Policy Editor for embedded systems
- There are not many users yet
45
Summary of Patch Locations for Embedded SELinux
* SELinux Policy Editor for embedded systems
Download from http://seedit.sourceforge.net/ ; supported in 2.2.0 and later
* read/write performance improvement
- Merged in 2.6.24
* Memory footprint reduction by reducing fixed buffer
- Merged in 2.6.24
* Library size reduction
- Merged in libselinux 2.0.35
* BusyBox for SELinux
Mostly merged in BusyBox 1.8.2
Links to the applet-submission mail archive are too many to list here (;
- Domain assignment support (merged in 1.8.0)
* Worst execution time improvement
- Merged in 2.6.24
* audit for SH
- To be merged in 2.6.25
46
Summary
* Barriers against SELinux for embedded systems
- Difficult configuration
- Performance issues
* Development of SELinux for embedded systems
- Configuration development with SELinux Policy Editor supporting embedded systems
- Tuning
Now SELinux is available even on embedded systems
Let's use SELinux!
47
* Linux is a registered trademark or trademark of Linus Torvalds in the US and other countries
* Other company names and product names are registered trademarks or trademarks of their respective owners
