CSE544 - Project #1 - LSM Module for Safe-Open

Due Date: Fr February 15, 2013 at 11:59pm.

In this assignment, you will complete a Linux Security Module that prevents link traversal attacks, based on the safe-open concept from Chari et al.

Follow these instructions:

  1. Get the module code from here. This code contains three files: (1) sample.c, which contains a Linux Security Module that authorizes file access based on labels associated with files and executables (place it in the directory linux-2.6.23/security), and (2) Makefile, which enables sample.c to be compiled for the kernel (also place it in linux-2.6.23/security).

  2. The method you are to implement is described in Section 6.1 of the Chari et al. paper. There the paper defines a method in which file processing is tracked to determine whether an UNTRUSTED link or directory is accessed during file processing. If so, then no TRUSTED files can be accessed.

  3. In this project, we will focus on one user-space program, the file utility /bin/cp. The aim is to prevent cp from violating the safe-open heuristic. When copying a file, the following requirements must be met.

  4. Complete the functions inode_has_perm and sample_bprm_set_security in sample.c.

  5. The inode_has_perm function authorizes file and directory access. This function is called indirectly for every element of a file path used in name resolution (directories, links, and files). The function retrieves the process and object labels and authorizes access of the process to the object. You will augment this function to manage the safe-open flags and authorize access based on the safe-open rules of Section 6.1 (the YOUR CODE comments mark where).

  6. The sample_bprm_set_security function assigns a label to each process. You will need to set the current->security field for the new process based on the ssid computed for it, and initialize the safe-open flags.

  7. Build the module by making the kernel with security/sample.c using the provided Makefile for the security directory. Since you have already built the kernel, only the file sample.c will be compiled (via "make all"). Load the module with sudo insmod sample.ko from the security directory. Then run the copying cases described below. Unload the module with sudo rmmod sample.

  8. Perform the following operations: (1) create directories "untrusted" and "trusted", which you need to label accordingly using setfattr; (2) create files named "input" and "output" in each directory, which you must label manually with the directory's label; (3) create links "link-input" and "link-output" in each directory that point to the respective files in the other directory; and (4) label the file /bin/cp as "trusted" as well.

  9. I will test your program by copying files using /bin/cp. Obviously, cp takes two file names as arguments. Access to those files must be permitted only if they satisfy the requirements for safe-open as described in Section 6.1 of Chari et al. I will test copying (source and target) using the following file paths:

    1. ~/trusted/input (and output)
    2. ~/untrusted/input (and output)
    3. ~/trusted/link-input (and link-output)
    4. ~/untrusted/link-input (and link-output)
    5. ~/trusted/input (output) with multiple hard links
    6. ~/untrusted/input (output) with multiple hard links
    7. ~/trusted/../...(to root)/etc/passwd
    8. ~/untrusted/../...(to root)/etc/passwd
    9. ~/trusted/../untrusted/input (output)
    10. ~/trusted/../untrusted/link-input (link-output)
    11. ~/untrusted/../untrusted/input (output)
  10. NOTE: The file created by cp will always be labeled "trusted", so you will need to reset the file labels after each use (write a script).

  11. A log of each session will be captured in /var/log/messages. The log entries identify the process label produced by sample_bprm_set_security and the files that were authorized and not authorized by inode_has_perm. You must also highlight when you set and reset safe-open flags.

  12. NOTE: Your module must block operations for the target process only. Otherwise, other processes will stop working (you have the power, so be careful!).

  13. Please submit your sample.c and your log of the cp runs.

  14. Also, please answer the questions below, which are associated with the assignment. Include the answers in an ASCII file.
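The following is an added example and is not part of sample.c or the module code linked above. It is a user-space C model of the safe-open bookkeeping that steps 5 and 6 ask for: a per-process flag that is reset at exec (what sample_bprm_set_security would do), set when an UNTRUSTED directory or link is accessed during name resolution, and consulted before a TRUSTED file is opened (what inode_has_perm would do). Each test path from step 9 is written as a constructed spec of the components the kernel would resolve, "d:t/l:u/f:t" meaning a trusted directory, an untrusted link, then a trusted file. Assumptions: the base process/object label policy of the original sample.c is not modelled; links are treated as carrying their directory's label; the components above the labeled directories are left out; and the multiple-hard-link cases (5 and 6) are not modelled because the page does not state that rule.

```c
#include <stdio.h>
#include <string.h>

/* The two labels the assignment uses; how sample.c stores them on disk is not shown (assumption). */
enum label { TRUSTED, UNTRUSTED };
enum obj_kind { OBJ_DIR, OBJ_LINK, OBJ_FILE };

/* Stand-in for the state the module keeps in current->security. */
struct proc_sec {
    enum label ssid;     /* process label computed at exec */
    int untrusted_seen;  /* safe-open flag: set once an UNTRUSTED dir/link was accessed */
};

/* One element of a path as inode_has_perm sees it during name resolution. */
struct path_elem {
    enum obj_kind kind;
    enum label label;
};

/* What sample_bprm_set_security would do for a new process: label it and reset the flag. */
void proc_init(struct proc_sec *p, enum label ssid)
{
    p->ssid = ssid;
    p->untrusted_seen = 0;
    printf("bprm: process label=%s, safe-open flag reset\n",
           ssid == TRUSTED ? "trusted" : "untrusted");
}

/*
 * Safe-open check for one path element. Returns 1 to allow, 0 to deny.
 * Only TRUSTED files are denied once the flag is set; whether trusted
 * directories and links should be denied too is left to Section 6.1.
 */
int safe_open_check(struct proc_sec *p, const struct path_elem *e)
{
    if ((e->kind == OBJ_DIR || e->kind == OBJ_LINK) && e->label == UNTRUSTED && !p->untrusted_seen) {
        p->untrusted_seen = 1;
        printf("safe-open: UNTRUSTED %s accessed, flag set\n",
               e->kind == OBJ_DIR ? "directory" : "link");
    }
    if (e->kind == OBJ_FILE && e->label == TRUSTED && p->untrusted_seen) {
        printf("safe-open: TRUSTED file denied (flag set)\n");
        return 0;
    }
    return 1;
}

/*
 * Walk a constructed spec such as "d:u/l:u/d:t/f:t" (kind d/l/f, label t/u).
 * Returns -1 if every element was allowed, the index of the first denied
 * element otherwise, or -2 if the spec is malformed.
 */
int resolve_spec(struct proc_sec *p, const char *spec)
{
    const char *s = spec;
    int idx = 0;
    while (*s) {
        struct path_elem e;
        if (strlen(s) < 3 || s[1] != ':')
            return -2;
        switch (s[0]) {
        case 'd': e.kind = OBJ_DIR; break;
        case 'l': e.kind = OBJ_LINK; break;
        case 'f': e.kind = OBJ_FILE; break;
        default: return -2;
        }
        if (s[2] == 't') e.label = TRUSTED;
        else if (s[2] == 'u') e.label = UNTRUSTED;
        else return -2;
        if (!safe_open_check(p, &e))
            return idx;
        idx++;
        s += 3;
        if (*s == '/')
            s++;
    }
    return -1;
}

/* Index of the first denied element when a fresh trusted process resolves spec (-1 if none). */
int first_denied(const char *spec)
{
    struct proc_sec p;
    proc_init(&p, TRUSTED);
    return resolve_spec(&p, spec);
}

/* Model one run of cp: both names are resolved by the same process, so the flag persists. */
int cp_allowed(const char *src_spec, const char *dst_spec)
{
    struct proc_sec p;
    proc_init(&p, TRUSTED);  /* /bin/cp is labeled trusted (step 8) */
    if (resolve_spec(&p, src_spec) != -1)
        return 0;
    return resolve_spec(&p, dst_spec) == -1;
}

int main(void)
{
    /* Constructed specs for step 9 cases 1, 2, 3, 4, 8 and 9, in that order. */
    const char *cases[][2] = {
        { "d:t/f:t",         "d:t/f:t" },
        { "d:u/f:u",         "d:u/f:u" },
        { "d:t/l:t/d:u/f:u", "d:t/l:t/d:u/f:u" },
        { "d:u/l:u/d:t/f:t", "d:u/l:u/d:t/f:t" },
        { "d:u/d:t/d:t/f:t", "d:u/d:t/d:t/f:t" },
        { "d:t/d:t/d:u/f:u", "d:t/d:t/d:u/f:u" },
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("cp %s %s -> %s\n\n", cases[i][0], cases[i][1],
               cp_allowed(cases[i][0], cases[i][1]) ? "allowed" : "blocked");
    return 0;
}
```

The printf lines stand in for the printk entries step 11 asks for in /var/log/messages: one when the process is labeled and the flag is reset, one when the flag is set, and one for each denied access. Note that case 4 is blocked at the fourth element and not earlier: the untrusted link itself is allowed, and it is the TRUSTED file it resolves to that is refused.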

When you have completed your module, submit it, the output, and the answers to the questions via ANGEL by 11:59pm on Fr February 15. Make sure that you have tested your submission prior to uploading.

Questions

  1. Using the mandatory protection system, explain why the file copied by cp is always given the label "trusted".

  2. What is a link traversal attack?

  3. Why does rule (a) in Section 6.1 prevent link traversal attacks?

  4. Why does rule (b) in Section 6.1 prevent link traversal attacks?

You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.


Trent Jaeger
Last modified: Feb 11 23:43:07 EST 2010