mac_sofi: a proof of concept MAC module

Martin Beran martin at mber.cz
Wed Jul 19 18:35:51 UTC 2017


On 07/19/17 03:26, Dewayne Geraghty wrote:

> Would it be possible to expand on how SOFI is better/different to MAC
> lomac?  As it seems that the testing program is the differentiator?

1. LOMAC integrity is essentially a single number. SOFI integrity is a
set of integrity attributes. This provides integrity values that are
only partially ordered. For example, there is usually no ordering
between "trusted by user A" and "trusted by user B", and a file can be
also trusted by both users simultaneously. Then, if user A changes the
file, it remains "trusted by A", but ceases to be "trusted by B", until
user B verifies its new content.

2. LOMAC demotes only subjects (processes) upon reading from objects
(files). SOFI demotes the reader side of each operation, that is, the
subject of a read operation, the object of a write operation, and both
the subject and the object of a read/write operation.

3. SOFI integrity values, which form a lattice instead of a simple
linear ordering, provide "more interesting" combining of integrities of
subjects and objects. Integrity demotion is based on intersection of
integrities. Granting of integrity attributes is based on union. In my
opinion, it supports real world needs of integrity enforcement better
than LOMAC.

4. LOMAC uses a single integrity value both for following information
flow and for making access decisions. SOFI uses and updates the subject's
and the object's integrity values for tracking information flow, but makes
its access decisions by comparing the subject's integrity with the object's
ACLs, which are not changed by normal operations.

5. SOFI provides two "escape paths" from strict integrity checking:

An integrity checking function allows a reader to keep a subset of
integrity attributes, which would be otherwise removed by a low
integrity writer. For example, an antivirus engine can read a
downloaded, potentially infected, hence low-integrity file without
reducing its own integrity needed for further functioning.

Integrity granting and accepting functions allow transfer of integrity
attributes from readers to writers. It is similar to a set-uid bit or to
LOMAC relabeling of a process upon execution of a file. Unlike set-uid
or LOMAC, integrity granting in SOFI is not limited to processes. For
example, if an antivirus engine checks a file successfully, it can grant
it a higher integrity.

> Aside: Also you may not be aware that system namespace extended
> attributes do not function within a jail, though this is the same as the
> rest of MAC.  I'm told that SELinux uses "security" and others use
> "trusted" namespaces, perhaps for some future FreeBSD...?

As my implementation is only a demonstration of ideas of the SOFI model,
I did not take jails into account.

-- 
Martin Beran
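
The rules listed in the reply above (set-valued integrity, demotion of the reader side by intersection, granting by union, access decisions against a fixed ACL, and the checking/granting escape paths), as an added toy model that is not the mac_sofi code; the entity fields, the ACL layout and the attribute names "A", "B" and "av" are assumptions made for the illustration.

```python
# Toy model of the SOFI rules described in the post (constructed example, not
# the mac_sofi code): integrity is a set of attributes ordered by inclusion,
# demotion is intersection on the reader side, granting is union, and access
# decisions compare the subject's integrity with the object's fixed ACL.
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    integrity: frozenset                     # e.g. {"A", "B"}: trusted by users A and B
    keep: frozenset = frozenset()            # checking function: attributes a reader never loses
    grant: frozenset = frozenset()           # granting function: attributes offered to the writer side
    accept: frozenset = frozenset()          # accepting function: attributes the writer side takes
    acl: dict = field(default_factory=dict)  # object ACL: op -> attributes a subject must hold

def demote(reader, writer):
    """Reader side keeps only attributes the writer side also has (intersection),
    plus those protected by its checking function; the writer side gains the
    attributes the reader grants and it accepts (union)."""
    reader.integrity = (reader.integrity & writer.integrity) | (reader.integrity & reader.keep)
    writer.integrity = writer.integrity | (reader.grant & writer.accept)

def allowed(subject, obj, op):
    """Access decision: the ACL entry for op must be covered by the subject's integrity."""
    return obj.acl.get(op, frozenset()) <= subject.integrity

def access(subject, obj, op):
    """Perform 'read', 'write' or 'rw'; on success update the reader side(s)."""
    if not allowed(subject, obj, op):
        return False
    if op in ("read", "rw"):
        demote(reader=subject, writer=obj)   # subject reads: subject is the reader side
    if op in ("write", "rw"):
        demote(reader=obj, writer=subject)   # subject writes: object is the reader side
    return True

def scenario():
    """Walk through the two examples from the post; return decisions and final integrity sets."""
    shared = Entity("shared", frozenset({"A", "B"}), acl={"write": frozenset({"A"})})
    proc_a = Entity("proc_a", frozenset({"A"}))
    proc_b = Entity("proc_b", frozenset({"B"}))
    download = Entity("download", frozenset(), accept=frozenset({"av"}))
    av = Entity("antivirus", frozenset({"av"}), keep=frozenset({"av"}), grant=frozenset({"av"}))
    b_write = access(proc_b, shared, "write")   # denied: ACL demands "A"; the ACL itself never changes
    a_write = access(proc_a, shared, "write")   # allowed: file stays trusted by A, loses "B"
    av_read = access(av, download, "read")      # AV keeps "av" (checking) and grants it to the file
    a_read = access(proc_a, download, "read")   # an ordinary reader of the download is demoted
    return {"b_write": b_write, "a_write": a_write, "av_read": av_read, "a_read": a_read,
            "shared": shared.integrity, "download": download.integrity,
            "proc_a": proc_a.integrity, "antivirus": av.integrity}
```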


More information about the freebsd-hackers mailing list