This week the Umbrella team
released version 0.7 of Umbrella, a "security mechanism" that implements
Process-Based Access Control (PBAC) and authentication of signed binaries
for Linux. Since Umbrella 0.7 is the first feature complete release, we
thought now might be a good time to take a look at the project. Kristian
Sørensen, one of the Umbrella Team members, was kind enough to respond
to our questions about Umbrella.
While Umbrella sounds a bit like Security-Enhanced Linux or other such
systems on the surface, Sørensen pointed out that Umbrella is designed for
consumer devices rather than general-purpose servers or other systems,
though it might be useful for "specific server environments."
Sørensen provided this explanation of Umbrella:
Umbrella does not deal with users, roles, types or domains. The security
policy is _only_ enforced on running processes. Every time a new process is
created, the policy of its parent is inherited by the child - possibly with
additional policies, specified by the parent.
There are two categories of policies: File system restrictions (FSR) and
Capability restrictions (CR). A FSR is simply a path (e.g. /etc/passwd),
which restricts the process having this policy from accessing that file. If
the restriction were "/etc" the entire directory is off limits, and thus a
restriction on "/" denies access to the entire file system. The capability
restrictions are non-file system restrictions, such as creation of sockets
(IP networking, bluetooth etc.), sending signals, creation of new processes
etc.
Umbrella has no need for a security administrator to manage the security
policy of an entire system. Umbrella relies on the programmers to embed
the security policy into programs. This is done in a very simple manner: by
replacing fork() with rfork() and by embedding execute restrictions in the
binary.
The security policy in the binaries (both rfork and execute restrictions)
is protected by a digital signature: a signed SHA1 hash of the binary is
placed in the ELF header, and checked at the time of execution. If the binary
or its restrictions have been tampered with, the hash will not match and the
binary is denied access to run. In order for the signed binaries to be
authenticated in the first place, the public key of the vendor must be
placed within the key ring of Umbrella.
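To make the inheritance and prefix semantics of the policy model concrete, here is a small added model of it in Python. It is an illustration written for this article, not Umbrella's own code or API: the Policy and Process classes, the rfork() method and the capability names are assumptions, and the path check normalizes paths and matches by component so that "/etc" covers "/etc/passwd" and "/tmp/../etc/passwd" but not "/etcetera".

```python
import posixpath
from dataclasses import dataclass, field

# Hypothetical model of Umbrella's process-based policy (not the project's code).
# Two policy categories: file system restrictions (FSR), which are denied path
# prefixes, and capability restrictions (CR), which are denied capability names.


@dataclass(frozen=True)
class Policy:
    fsr: frozenset = frozenset()  # denied path prefixes, e.g. "/etc"
    cr: frozenset = frozenset()   # denied capabilities, e.g. "socket"

    def with_extra(self, paths=(), caps=()):
        """Child policy: the parent's restrictions plus any the parent adds.
        Restrictions only accumulate; a child can never drop one."""
        return Policy(self.fsr | frozenset(posixpath.normpath(p) for p in paths),
                      self.cr | frozenset(caps))

    def file_allowed(self, path):
        # Normalize so "/etc/../etc/passwd" or "/etc//passwd" cannot bypass a
        # restriction on "/etc"; compare by path component, so "/etc" does not
        # match "/etcetera". A restriction on "/" denies the whole file system.
        target = posixpath.normpath(path)
        for deny in self.fsr:
            if deny == "/" or target == deny or target.startswith(deny + "/"):
                return False
        return True

    def cap_allowed(self, cap):
        return cap not in self.cr


@dataclass
class Process:
    pid: int
    policy: Policy
    children: list = field(default_factory=list)

    def rfork(self, pid, paths=(), caps=()):
        """Model of rfork(): like fork(), but the child inherits the parent's
        policy, optionally tightened with additional restrictions."""
        child = Process(pid, self.policy.with_extra(paths, caps))
        self.children.append(child)
        return child


def demo():
    init = Process(1, Policy())  # unrestricted root of the process tree
    app = init.rfork(100, paths=["/etc"], caps=["socket"])
    worker = app.rfork(101, paths=["/var/log"], caps=["signal"])
    return {"app_passwd": app.policy.file_allowed("/etc/passwd"),
            "app_traversal": app.policy.file_allowed("/tmp/../etc/passwd"),
            "app_etcetera": app.policy.file_allowed("/etcetera/x"),
            "worker_inherits": worker.policy.file_allowed("/etc/hosts"),
            "worker_socket": worker.policy.cap_allowed("socket"),
            "parent_unaffected": app.policy.cap_allowed("signal")}
```

The last result shows that restrictions added at rfork() time apply only to the child, never to the parent that added them.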
Umbrella requires a 2.6.9 kernel (or later) and includes a kernel patch,
the Umbrella library and a user-space program. Binaries that will be
restricted by Umbrella need to be signed using Bsign and
GnuPG. Umbrella and DigSig are the only projects this
author is aware of that check digital signatures of binaries. The policy
for the application is stored in the binary itself.
Since Umbrella can be used to restrict binaries unless they are signed by
an authority, we asked Sørensen if Umbrella was similar to so-called
"trusted computing" efforts. Sørensen confirmed that Umbrella was
"related to 'trusted computing'."
As the binaries are signed you can verify that they are not tampered with
on each execution. The unique thing here is that this "tamper-proof"
concept is utilized to protect the security policy and the binary at the
same time.
While it's desirable to prevent attacks on consumer electronics devices, we
asked if Umbrella could also be used to prevent users from "hacking"
devices to expand the capabilities of a device -- something that may not be
desirable from the end-user's point of view. Sørensen acknowledged
that a device could be designed so that it would be "very
difficult" for a user to "tamper with the software of the
device."
What about performance? Sørensen said that the team had just finished
benchmarking Umbrella, and found that it had "between 2.5% and 4.5%
overhead, depending on how the system is stressed. Thus, having Umbrella in
the kernel is not noticeable."
According to Sørensen, the Umbrella project started as a master's
project, but he has plans to start a company in the fall, based on the
Umbrella technology, called Linnovative.
It should be interesting to see how Umbrella develops and whether this
approach catches on. It is simpler than SELinux, but doesn't look suitable
for use in general systems at this time -- which is a shame, as it would be
nice to have a simpler system that's usable for general purpose server and
desktop systems. However, Umbrella may be another tool that helps Linux
gain acceptance in the embedded and consumer electronics market.