Talking Smack for Tizen security [LWN.net]

By Nathan Willis
June 5, 2013

Tizen Dev Con 2013

At the 2013 Tizen Developer Conference (TDC) in San Francisco, several sessions dealt with the challenges of implementing security on mobile phones and other consumer electronics devices. Among the security sessions, Casey Schaufler and Michael Demeter described their work applying Smack to Tizen, including the effort required to develop a sensible set of security domains that are not too complicated to maintain.

Bringing the Smack down

Schaufler and Demeter presented a session that can only be described as part talk, part vaudeville act—complete with props, audience participation, and Three Stooges clips. They began with a brief overview of Smack itself, but quickly moved on to how it should be used; that is, how application developers should determine what sorts of Smack rules their code needs. They also discussed the difficulty of finding the right system-level policies for a platform like Tizen, and presented case studies comparing two approaches—including the one they officially adopted.

Smack implements mandatory access control, they explained, starting with the basic rule "what's mine is mine; what's yours is yours." That rule, of course, means that no processes can talk to each other, so working with Smack in practice is a matter of defining the right exceptions to that basic premise, which are known as Smack rules. Each Smack rule grants one "access mode" to an object to a particular outside party. To illustrate the key exceptions needed by applications, Schaufler and Demeter went through a series of Abbott and Costello–esque routines mimicking processes trying (usually unsuccessfully) to share data via a notebook, while arguing about what permissions were needed. They then pulled a volunteer from the audience on stage, and mimicked processes trying to exchange packets by tossing rubber balls from one side of the stage to the other.

For example, Schaufler would announce that he had write access to send a packet to the audience member on the other end of the stage, then throw the ball, at which point Demeter would shout "Smack!" and slap it to the crowd mid-flight, explaining that the audience member also needed read access in order for the packet to be delivered. With read and write permissions for files and network message-passing thus artfully explained, the two moved on to the problem of granularity in Smack rule sets, which they illustrated with an attempt to build a tower out of dice.

The issue is that the Smack identifiers used to distinguish "mine" and "yours" in Smack are simple text labels, and generally the identifier used is chosen to be the same as the name of the application's main process. In Tizen, they explained, installable HTML5 applications declare their Smack identifier in their .manifest file. The Tizen application installer is a privileged process, and sets up the Smack identifier when it installs the app. The manifest essentially allows each application to create its own unique Smack domain. But that approach quickly becomes unworkable because using a domain for every application means each application must specify Smack rules for every other application on the system—or, at least, the sheer number of Smack rules can grow that fast. Too many rules to manage means more mistakes, and more resources used up on the system.

However, Schaufler explained, there are about a dozen different definitions of what a "security domain" is, so trying to reduce the number of Smack rules by grouping applications and services into fewer domains is not trivial. They described a "case study" of an unnamed mobile OS that used the one-domain-per-app model (an approach which had previously been announced as the plan for Tizen). In that "naive" setup, just 600 applications generated more than 20,000 Smack rules. Furthermore, there were numerous rules in the rule set that were obviously bad (such as apps that wanted write access to the system clock). And, by and large, the huge corpus of rules simply sketched out an "everybody shares with everybody else" platform, which is functionally equivalent to not having the one-domain-per-app configuration, but is unmaintainable.

Less is more

Considering these results, eventually the Tizen security team decided to reducing the granularity of the Smack configuration problem as much as possible, primarily by putting all end-user apps into a single security domain—by default, though individual apps can still create a domain of their own if necessary.

The concept stratifies the system into three levels. The lowest is called the "floor" domain, which includes those filesystem locations that every process must have read access to: /, /dev/, /bin/sh, system libraries, and so on; read-only access is available to all applications. Above "floor" sits the "system" domain, which is reserved for system processes like systemd, D-Bus, and DNS, which need read/write access to platform resources. The "application" domain sits at level furthest from the floor; by default all apps belong to this domain and can exchange messages and files. It is possible that the team will add another domain specifically for telephony apps, they said, but they are being cautious about any such expansions. The three-tiered system still requires a set of Smack rules to define access to "system" domain items; there will just be fewer of them required.

Any application can still declare its own Smack domain, so those applications that need to protect data (such as a password storage app) can do so. The decision to lump all end-user apps into one domain shifts more of the responsibility for protecting the device onto the maintainers of the application store. Defining how any device vendor implements its store is out of scope for Tizen itself, although the project does discuss many of the angles in its documentation. The most common scenario is expected to be an app creating a domain of its own (and listing the access rules for other apps); related apps can share a single Smack domain, with reviewers at the vendor's application store testing submissions to find apps that ask for questionable access.

The upcoming Tizen 3.0 release will be the first implement the three-domain system, and will include a base set of Smack rules. The Tizen 2.1 release used much finer granularity; its rule set contains 41,000 access rules. At this point the focus is on making the default rule set "more correct," with "smaller" still to come, but it is already considerably smaller and easier to understand than the competition. Schaufler and Demeter said that while Tizen 2.1's Smack rule set contained 41,000 rules, the SELinux reference policy is over 900,000 lines.

[The author wishes to thank the Linux Foundation for travel assistance to Tizen Dev Con.]

(Log in to post comments)

Talking Smack for Tizen security

Posted Jun 6, 2013 16:26 UTC (Thu) by ware (guest, #83607) [Link]

Very true. However, much of the previous complexity now exists in the userspace components.

Talking Smack for Tizen security

Posted Jun 6, 2013 19:48 UTC (Thu) by Method (guest, #26150) [Link]

Care to explain this? Middleware MAC is only enforcing the access controls already present in Android. Newer, experimental MAC implementations in the middleware are just that, experimental, not something in a released version of a device.

The SELinux policy in SE Android is doing what the Tizen policy is doing, enforcing access to kernel objects. Why is it that the SMACK policy is an order of magnitude large *and* doesn't protect system resources (e.g., all system apps are running as _ and all app labels have rwxa to _). Further, a *fundamental* concept of SMACK is that root processes (technically processes with MAC_* related capabilities) have full access to modify SMACK, since /smack/onlycap isn't set that means all those system processes running as root have that access.

Contrast to SE Android where very few services run as root, and they are all constrained by policy to only be able to do what they need.

So, in conclusion, not only is your policy 25 times larger but it doesn't protect anything.

Talking Smack for Tizen security

Posted Jun 6, 2013 21:13 UTC (Thu) by ware (guest, #83607) [Link]

I don't believe anyone in the presentation or this article discussed SE Android so I don't know why you're bringing up an experimental MAC implementation usable only for a specific Linux solution into a discussion about a general purpose Linux platform focused on many different product verticals.

Talking Smack for Tizen security

Posted Jun 6, 2013 21:44 UTC (Thu) by Method (guest, #26150) [Link]

Err. The article is about Tizen, a mobile platform, not a general purpose computing platform. How is it inappropriate to compare it to SE Android, a mobile platform?

Talking Smack for Tizen security

Posted Jun 6, 2013 21:57 UTC (Thu) by Method (guest, #26150) [Link]

And you never explained:

"Very true. However, much of the previous complexity now exists in the userspace components."

The main difference with SELinux on Android is that Zygote has to set a label for new apps that it runs, because it does not fork/execve() as an optimization. Interestingly enough SMACK has _always required a helper app to set a new label on a new processes_, moving much of the complexity into userspace components.

Oops.

Still not seeing why this is better than the alternative. Can you please explain?

Talking Smack for Tizen security

Posted Jun 6, 2013 22:03 UTC (Thu) by ware (guest, #83607) [Link]

Tizen has a mobile profile yes but it is not a mobile platform in the sense Android is. Additionally SE Android is targeted at...Android. Surprise! Tizen couldn't use it.

Talking Smack for Tizen security

Posted Jun 6, 2013 22:27 UTC (Thu) by Method (guest, #26150) [Link]

You still haven't explained the comment above.

Tizen *could* use SELinux, and would likely be able to have a comparable policy to SELinux on Android.

Talking Smack for Tizen security

Posted Jun 6, 2013 21:26 UTC (Thu) by spender (subscriber, #23067) [Link]

I'll let you guys fight out whose multi-thousand-rule policy is more useless than the other.

Meanwhile, back in reality, you're wasting all this time and effort barricading the windows while attackers continue to break right through the front door. Using the same exact techniques since 2007 to invisibly disable SELinux, AppArmor, Smack, IMA, and all other LSMs, no less:

http://www.youtube.com/watch?v=KvREwhfQmbc
http://www.youtube.com/watch?v=WI0FXZUsLuI

But please go on with your high and mighty speech, I'll wait here for the response of "reality and the most critical and easiest exploits aren't in our threat model".

-Brad

Talking Smack for Tizen security

Posted Jun 6, 2013 21:39 UTC (Thu) by ware (guest, #83607) [Link]

If you're concerned with high and mighty speeches, you shouldn't give them.

Talking Smack for Tizen security

Posted Jun 7, 2013 9:54 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

Is there some reason you didn't simply say "How does your system cope with the attacks shown at (link) and (link)?"

Talking Smack for Tizen security

Posted Jun 7, 2013 11:59 UTC (Fri) by spender (subscriber, #23067) [Link]

Yes, because Method here already knows the answer to that question. He was in the audience in 2010 when I gave the following talk at the Linux Security Summit: http://grsecurity.net/spender_summit.pdf In other words, he's not ignorant, just an unabashed SELinux shill with much to profit off its illusion of security. Formerly of Tresys (developers of the reference policy used in RHEL and Fedora, whose business centered around SELinux) and now with his own SELinux-based company.

So I don't really expect a response, I've already predicted the response based on previous discussions when reality is brought up. SELinux is a convoluted solution that looks great on paper to people in their 50s still clinging on to their copy of the orange book, but it was not created to stop malicious attacks and was developed by people who have no clue about hacking or how to hack. Yet this doesn't stop them from promoting it for whatever purpose (http://danwalsh.livejournal.com/10131.html, ROP anyone?) and making pointless claims of superiority because their access control system has more useless features and complexity than the others. It reminded me of the too-ironic post from Stephen Smalley while trashing AppArmor: http://lwn.net/Articles/399053/. A reasonable person could say the same exact things about SELinux. Its proliferation continues as long as everyone maintains the false assertion of superiority its proponents love throwing around.

My capabilities post was republished in many places: http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
but it appears no one gave any thought to the last two paragraphs, which I'll reproduce here:

> So, what does this all have to do with PaX, interpreters, and arbitrary code execution on the filesystem? Withstanding a bug in the privileged code that would, for instance, allow the mknod()ing of arbitrary devices, none of the things listed above are operations performed normally by privileged applications. In order to perform these (sometimes complex) actions, the flow of execution needs to be diverted and controlled. Access control systems strive to remove privilege/capabilities from all programs except those that require it. Traditionally, they had only been interested in certain interactions with the system, but not with the *cause* of those interactions. Thus, for an app that needed to exec /bin/sh for some controlled operation, the access control system would see no problem with also allowing it to exec a root shell. The addition of PaX and the concept of removing arbitrary code execution from processes (and in the future, extending this process further with other techniques) has changed all this in a significant way that, to my knowledge, hasn't been properly articulated elsewhere.

> Under a traditional access control system, compromising an application immediately leads to being able to easily and artfully weave the privileges of that process into something usable. We rarely get nice, simple bugs with no constraints. Those constraints can make the bug unexploitable or can introduce limitations/requirements on the exploitation end. These are the constraints just imposed by the bug/application itself, not even considering the constraints imposed by the protections of the system. It's easy to think about chaining a kernel exploit when the address space of a process is your virtual playground, but what would you do without arbitrary code execution in combination with strict access control, randomized address space layout, and some form of fptr protection/control flow integrity? What if many of these protections were also present in the kernel you're trying to attack? How often will such an attack be possible under bug/application constraints? I'm not sure many have thought/had to think about this.

I believe the complexity of SELinux and other similar access control is built off being stuck in an academic 1980s mindset, unable to consider or adapt to the realities and improvements of the past decade, which really have changed how we need to think about attack and defense.

To respond directly to your nonconstructive post, I feel that honesty and speaking truth to power are more important than social niceties. I also don't believe all opinions are created equal. Some of them are formed by people who have been living in a funded SELinux reality distortion field for the past 11 years, while others have been involved in actual security.

-Brad

Talking Smack for Tizen security

Posted Jun 7, 2013 14:10 UTC (Fri) by Method (guest, #26150) [Link]

Reminds me of something I wrote in 2004:
http://www.gentoo.org/proj/en/hardened/primer.xml

Talking Smack for Tizen security

Posted Jun 7, 2013 14:36 UTC (Fri) by spender (subscriber, #23067) [Link]

I'm glad your 2004 self at least learned something from me (unless the important point re: access control was contributed by Adam Mondl, I'll ask him when he wakes up). Perhaps your 2013 self needs reminding of that point, since you are only pushing the last line of defense and not the other more important aspects ;)

-Brad

Talking Smack for Tizen security

Posted Jun 7, 2013 14:46 UTC (Fri) by Method (guest, #26150) [Link]

Oh, Brad.

I'm glad you think you invented layered security, and still have a victim complex.

Use the way back machine, you'll see that all of that was mine.

You have no idea what I push and what I don't. Like always you are content to sit on the sidelines and say "I told you so" over and over as if anyone cares. Your 2013 self is a spitting image of your 2004 self, sit around and blame and whine and troll.

Nothing to see here folks, move along.

Talking Smack for Tizen security

Posted Jun 9, 2013 22:14 UTC (Sun) by spender (subscriber, #23067) [Link]

I know you wish there was nothing here to see, but since you've brought up some things that demand a response:

If I didn't pioneer actual layered security in the way in which it will be done in the future on host systems, then who did? I mean, there is a reason why you're talking about grsecurity in that 2004 article and not something else, isn't there? ;)

Anyone can read your blog and see what you're pushing in public (just look at the top 3 tags here: http://securityblog.org/tags.html). It's quite clear it's SELinux. Now if you're saying you're also pushing (via advocacy I guess, since you've done no research/work in this field) kernel self-protection as a necessary prerequisite for any form of mandatory access control, then I'm glad to hear you're advocating the use of grsecurity in private, as we've been the only name in the game since 2003.

I'm quite content being someone actually producing useful code to solve real problems, speaking up against the status quo, liars, charlatans, and shills. I trust history will look back on that more favorably than someone pushing the over-complicated SELinux for the past 10 years because his previous employer put itself forth as the only people knowledgeable enough to develop SELinux policies (I recall very well this being said at LSS 2010). Curious coming from someone who claims to understand the proper role of access control in overall security, seething with pride here in this thread that his SELinux has more useless knobs than Smack.

-Brad