[original file is EmbeddedSELinuxReport.pdf by Yuichi Nakamura]
[Copyright © 2007 Hitachi Software Engineering Co., Ltd.]
[translated by ikoma]


CELF Technical Jamboree #18
Dec. 21, 2007


Development of SELinux -- SELinux can be used for Embedded Systems

Dec. 21, 2007
Yuichi Nakamura, Research & Development Dept., Hitachi Software Engineering Co., Ltd.
ynakam (at) hitachisoft.jp


Table of Contents

* 1. What is SELinux?

* 2. Barriers to Embedded SELinux

* 3. Development of Embedded SELinux

* 4. Development Activities in Japanese Community

* 5. Misc. Talks


1. What is SELinux?


What is SELinux?

* Secure OS technology developed by NSA (http://www.nsa.gov/)

* Secure OS features

* Benefits of SELinux

* Good track record


Implementation of SELinux

        Process
           |
  (1)access request
           |
+--------------------------Linux kernel-----------------------+
|          V                                                  |
| +-------------------+                                       |
| |(2)Linux permission|                                       |
| |       check       |                                       |
| +-------------------+                                       |
|          |                                                  |
|          V                                                  |
|    +-----------+  (4)security check request   +-----------+ |
|    | (3) LSM   |----------------------------->|(5)SELinux | |
|    |           |<-----------------------------|           | |
|    +-----------+   (6) check results          +-----------+ |
|          |                                                  |
+------(7)access----------------------------------------------+
           |
           V
        Resource


TE (Type Enforcement)

Access Control Model of SELinux

* domain: the security label a process runs under (the set of permissions it holds)

* type: the security label attached to a resource

* Access permissions are defined between a domain and a type (label)

     process              permission           resource
+-----------------+                          +----------------------+
| http daemon     |          read            | file: /var/www       |
| domain: httpd_t |------------------------->| type: web_contents_t |
+-----------------+                          +----------------------+

* Domain has no authorization by default

* Set accessible types explicitly

* Processes work with minimal authorization necessary


Security Policy

* The configuration of SELinux

* A collection of access permission settings (allow rules)

    allow httpd_t web_contents_t file:{ read };
             ^          ^                 ^
             |          |                 |
           domain      type            permission

* By default, access denied; enumerate required access permissions
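As an added illustration (not code from the slides or from Hitachi's tools), a small Python model of the TE decision and of the "enumerate the required permissions" workflow. The policy text uses the allow-rule syntax shown above; httpd_t and web_contents_t are from the slide, the other labels are constructed.

```python
import re

# Constructed sample policy in the allow-rule syntax shown on the slide
# (httpd_t / web_contents_t are from the slide; the other labels are assumed).
SAMPLE_POLICY = """
allow httpd_t web_contents_t file:{ read getattr };
allow httpd_t httpd_log_t file:{ append };
allow httpd_t httpd_port_t tcp_socket:{ name_bind };
"""

# allow <domain> <type> <class>:{ <perm> ... };
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s+(\w+)\s*:\s*\{([\w\s]*)\}\s*;")


def parse_policy(text):
    """Return {(domain, type, class): set(perms)} built from the allow rules."""
    rules = {}
    for domain, type_, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((domain, type_, cls), set()).update(perms.split())
    return rules


def check_access(rules, domain, type_, cls, perm):
    """Type Enforcement decision: nothing is allowed unless an allow rule
    names exactly this (domain, type, class) and permission (default deny)."""
    return perm in rules.get((domain, type_, cls), set())


def rules_for(requests):
    """The 'enumerate what you need' workflow: given the accesses a program
    must perform, emit the minimal allow lines, merging permissions per
    (domain, type, class)."""
    needed = {}
    for domain, type_, cls, perm in requests:
        needed.setdefault((domain, type_, cls), set()).add(perm)
    return [f"allow {d} {t} {c}:{{ {' '.join(sorted(p))} }};"
            for (d, t, c), p in sorted(needed.items())]
```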


2. Barriers against Embedded SELinux


SELinux for Embedded Systems

* Promising as a security measure for embedded systems

* Adaptation for embedded systems


Barriers to Embedded SELinux

* 1. Configuration is not easy <==

* 2. Performance issues


Difficult Configuration: General Setting of SELinux

* Procedure to setup

* Why difficult?


Difficult Configuration: Dependency

* When removing items, care must be taken so that errors do not occur

* Many items have to be removed, each with care


Difficult Configuration: Too Many Setting Formats

* A large number of items to set up for SELinux

* Use of "Macro" to organize items to set up

* Number of macros explodes


Difficult Configuration: A Lot of Items to Delete

* Sample policy is generic and huge

* Example: removing apache


Difficult Configuration: Summary

* 1) Obtain sample policy (reference policy)

* 2) Remove unnecessary policy

* 3) Add missing part

* Conclusion: Give up SELinux!?


Performance Issues

* Performance deterioration with SELinux


Overhead of System Calls (Before Tuning)

* CPU: SH7751R, file system: ext3

* Overhead measured with lmbench

* Overhead is relative to the same operation with SELinux disabled, taken as 1

+----------------+---------------+---------------+
| Measured item  | Overhead (%)  | Overhead (%)  |
| (lmbench)      | Pentium4 PC   | SH7751R board |
|                |               | before tuning |
+----------------+---------------+---------------+
| read           |          12.3 |         130.0 |
+----------------+---------------+---------------+
| write          |          14.0 |         146.6 |
+----------------+---------------+---------------+

* Overhead is large for embedded systems (esp. read/write)


Memory Consumption (Before Tuning)

* Measurement method

* Result: memory consumption 5365 kbytes

* Very tough with memory of 32MB or 64MB ...


Increased File Size (Before Tuning)

* Measured file size increase with SELinux

+--------------+--------------------+
| Item         | Size increase      |
|              | before tuning (KB) |
+--------------+--------------------+
| kernel       |               73.7 |
|(zImage file) |                    |
+--------------+--------------------+
| library      |              482.1 |
+--------------+--------------------+
| command      |              374.6 |
+--------------+--------------------+
| policy file  |             1356.2 |
+--------------+--------------------+
| total        |             2286.6 |
+--------------+--------------------+

* Too large to hold in flash memory


Summary So Far: Embedded SELinux

* 1. Configuration is not easy

* 2. Performance issues


3. Development of Embedded SELinux


Items to Develop for Embedded SELinux

* To solve configuration issues

* To improve performance

* SH support of audit

* Mainlining


Porting: Evaluation Environment

* Board: Renesas Technology R0P751RLC0011RL (aka R2D+)

* File system

* Linux support on flash ROM : courtesy of Renesas Solutions Corp.


What is SELinux Policy Editor?

* Tool to configure SELinux

* Hides labels and resolves dependencies with an easy format (SPDL)

* Developed by Hitachi Software Engineering Co., Ltd.

* GPL


Components of SELinux Policy Editor

Complexity concealed
with easy format(SPDL)
      |
      v
Simplified Policy ====> Converter ===> Policy for SELinux
      ^
      |
      |
GUI, command line tool,
automatic generator, etc.
Policy can be built without
knowing about SPDL format


Features of SPDL

* Configuration is written in SPDL

          {
          domain httpd_t;
          program /usr/sbin/httpd;
          ...
          allow /etc/httpd/** r,s;
          allow /var/log/httpd/** r,a,s;
          allow /var/www/** r,s;
          allownet -protocol tcp -port 80,443 server;
          }

* Concealment of labels

* Consolidation of permissions and removal of redundancy

           |
           V

* Drastic reduction of elements to be configured


Adapting SELinux Policy Editor to Embedded Systems

* Original SELinux Policy Editor was inconvenient for embedded systems

* SELinux Policy Editor 2.2.0 (released November 2007) supports embedded systems

* Download:


Benefits of SELinux Policy Editor

* No need to use the sample policy

* Custom policy specific to embedded systems can be easily written

* A small policy can be written

* Now you can configure SELinux for embedded systems!


Tuning SELinux

* Less overhead

* Less memory footprint

* Less file usage


Less Overhead

* Focused on reducing the overhead of read/write

* Other paths hand tuned


Less Overhead with read/write

* Checking at read/write is redundant

* Reduced SELinux check at read/write

* Created patch and got it mainlined (Linux 2.6.24 and later)
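An added example, not the kernel patch itself: a simplified Python model of the read/write optimisation described above. It assumes the permission validated at open() stays valid while the task label, the inode label and the policy sequence number are unchanged, so the read()/write() hook skips the full check until one of them changes.

```python
from dataclasses import dataclass


@dataclass
class PolicyState:
    """Stand-in for the security server: a rule table plus a sequence number
    that is bumped on every policy reload (like the kernel's AVC policy seqno)."""
    rules: dict
    seqno: int = 0
    checks: int = 0  # number of full permission checks performed

    def has_perm(self, domain, type_, cls, perm):
        self.checks += 1
        return perm in self.rules.get((domain, type_, cls), set())

    def reload(self, rules):
        self.rules = rules
        self.seqno += 1


@dataclass
class OpenFile:
    domain: str   # label of the task that opened the file
    type_: str    # label of the inode
    perm: str     # "read" or "write", fixed by the open mode
    checked: tuple = None  # (task label, inode label, policy seqno) last validated


def open_file(policy, domain, type_, perm):
    """open(): always run the full check and record what was validated."""
    if not policy.has_perm(domain, type_, "file", perm):
        raise PermissionError(f"{domain} may not {perm} {type_}")
    return OpenFile(domain, type_, perm, (domain, type_, policy.seqno))


def file_permission(policy, f, cur_domain, cur_type):
    """read()/write() hook. Before tuning this always ran the full check;
    the tuned version skips it while the task label, inode label and
    policy sequence number are all unchanged since the last validation."""
    if f.checked == (cur_domain, cur_type, policy.seqno):
        return True
    ok = policy.has_perm(cur_domain, cur_type, "file", f.perm)
    if ok:
        f.checked = (cur_domain, cur_type, policy.seqno)
    return ok
```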


Results of Reduced Overheads

* Results of lmbench (CPU: SH7751R)

+---------------+------------------+-----------------+
| Measured Item | Overheads before | Overhead after  |
|   (lmbench)   | tuning (%)       | tuning (%)      |
+---------------+------------------+-----------------+
| read          |            130.0 |            12.5 |
+---------------+------------------+-----------------+
| write         |            146.6 |            14.9 |
+---------------+------------------+-----------------+

* Better read/write --> mainlined

* Other optimization


Less Memory Footprint

* Created policy using SELinux Policy Editor

* Reduced fixed buffer


Less Memory Footprint (Results)

+------------------+------------------+------------------+
|                  | footprint before | footprint after  |
|                  | tuning (kbytes)  | tuning (kbytes)  |
+------------------+------------------+------------------+
| memory footprint |             5365 |              465 |
+------------------+------------------+------------------+

* Now machines with 32MB/64MB of memory can afford it

* SELinux Policy Editor has a great effect


Less File Usage

* (1) Policy development with SELinux Policy Editor

* (2) Reduction of libraries: development of minimal lib selinux

* (3) Reduction of commands


Less File Usage (Results)

+--------------------+-----------------+-----------------+
| Items              | Size before     | Size after      |
|                    | tuning (kbytes) | tuning (kbytes) |
+--------------------+-----------------+-----------------+
| Increase of kernel |            73.7 |            73.7 |
| size (zImage file) |                 |                 |
+--------------------+-----------------+-----------------+
| Libraries          |           482.1 |            66.3 |
+--------------------+-----------------+-----------------+
| Commands           |           374.6 |            10.8 |
+--------------------+-----------------+-----------------+
| Policy file        |          1356.2 |            60.4 |
+--------------------+-----------------+-----------------+
| Total              |          2286.6 |           211.2 |
+--------------------+-----------------+-----------------+

* Reduced to approx. 200KB ==> now loadable on flash memory

* SELinux Policy Editor has great impact => approx. 1.3MB saving

* Slimming down libraries and commands => approx. 700KB saving


Adapting Audit for SH

* What is audit?

* Log convenient for developing SELinux policy can be obtained

* CPU dependent, as entry.S is modified

* x86, Power PC and MIPS already supported

* But SH is not supported yet

* Wrote patch and got it mainlined


Audit Support: Remaining Issues

* ARM is not yet supported

* Homework from the audit maintainer

* Proposal by the SH maintainer

* Command in userland (auditctl command) should be ported; not easy task

* "audit to get full paths" should be mainlined


4. Development Activities in Japanese Community

* Improving worst executing time

* Support of BusyBox SELinux


Improving the Worst Execution Time

Background: AVC (Access Vector Cache)

* Speeds up access checks in SELinux

                             SELinux Reference Monitor
                      +- - - - - - - - - - - - - - - - - - - +
     (1) access query |         (4) cache search result      |
          inquiry     |   +-----+<-------|                   |
Subject  ---------------->| AVC |    +----------+            |    +----------+
(process)             |   +-----+    | Security |            |    | Security |
         --------------------------->| Server   |---------------->| Policy   |
          (2) AVC miss|              +----------+ (3) search |    +----------+
                      +- - - - - - - - - - - - - - - - - - - +

                        Search result     Search security policy
                        has been cached   and determine accessibility
                         (Fast)             (Slow)

* Search in AVC: 100 times faster than direct policy search; order of microseconds

* Cache hit rate is over 99.5%
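An added Python model of the AVC flow in the diagram above (not SELinux's own avc.c): a bounded cache in front of a counted security-server lookup, with a flush for policy reloads. The labels, rules and workload are constructed.

```python
from collections import OrderedDict

class SecurityServer:
    """Slow path (3): search the loaded policy; lookups are counted."""
    def __init__(self, rules):
        self.rules = rules
        self.lookups = 0

    def compute_av(self, ssid, tsid, tclass):
        self.lookups += 1
        return frozenset(self.rules.get((ssid, tsid, tclass), ()))

class AVC:
    """Access Vector Cache: (source, target, class) -> allowed permissions.
    Bounded LRU; a miss asks the security server and fills the cache."""
    def __init__(self, server, capacity=512):
        self.server, self.capacity = server, capacity
        self.cache = OrderedDict()
        self.hits = self.misses = 0

    def has_perm(self, ssid, tsid, tclass, perm):
        key = (ssid, tsid, tclass)
        av = self.cache.get(key)
        if av is None:                      # (2) AVC miss -> (3) policy search
            self.misses += 1
            av = self.server.compute_av(*key)
            self.cache[key] = av
            if len(self.cache) > self.capacity:
                self.cache.popitem(last=False)
        else:                               # (4) cached search result
            self.hits += 1
            self.cache.move_to_end(key)
        return perm in av

    def reset(self):
        """Flush after a policy reload: cached decisions may be stale."""
        self.cache.clear()

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

def run_workload(avc, n):
    """Constructed workload: n content reads plus one log append; returns
    the number of permitted requests."""
    ok = sum(avc.has_perm("httpd_t", "web_contents_t", "file", "read")
             for _ in range(n))
    return ok + avc.has_perm("httpd_t", "httpd_log_t", "file", "append")
```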


Patch to Improve the Worst Execution Time

* Wanted to make security policy search faster

* Cause: search in bitmap struct is slow

* Patch for faster search of bitmap struct created and submitted (by Kaigai)


5. Misc. Talks

* Impression on mainlining

* Remaining issues

* On the significance of overhead reduction


Impression on Mainlining

* "Release early, release often" works

* Procedure which was successful for SELinux


Remaining Issues

* Further size reduction

* More sophisticated SELinux Policy Editor for embedded systems


Summary of Patch Locations for Embedded SELinux

* SELinux Policy Editor for embedded systems

* read/write performance improvement

* Memory footprint reduction by reducing fixed buffer

* Library size reduction

* BusyBox for SELinux

* Worst execution time improvement

* audit for SH


Summary

* Barriers against SELinux for embedded systems

* Development of SELinux for embedded systems

Now SELinux is available even on embedded systems

Let's use SELinux!


* Linux is a registered trademark or trademark of Linus Torvalds in the US and other countries

* Other company names and product names are registered trademarks or trademark of respective owners
