Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/share/setools/ drwxr-xr-x |
Viewing file: infoflow_help.txt (15.38 KB) -rw-r--r-- Select action/file-type: (+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) | An overview of information flow analysis apol, version 3.0 October 1, 2006 selinux@tresys.com Apol supports the ability to automate the search for overt information flows between two types. The purpose of this analysis is to identify undesirable or unexpected flows of information allowed by a Type Enforcement (TE) policy. For example, imagine that the type shadow_t is assigned to the shadow password file /etc/shadow. To determine all the types to which information can flow from the shadow_t type (e.g, indicating possible paths for encrypted passwords to be unintentionally leaked), do a "flow from" analysis on the shadow_t type. Another example might be a firewall application where your intent is to understand all flows allowed between two network interfaces. Information flow analysis in SELinux is challenging for several reasons, including: + The TE policy mechanism is extremely flexible, allowing for good and bad flows to be easily specified, not necessarily by the policy writer's intent. + TE policies tend to be complex, with possibly tens of thousands of rules and hundreds of types, making it difficult for a policy writer to know all that is allowed. + SELinux currently supports over 50 object classes and hundreds of object permissions, each of which must be examined with their ability to allow information flow from/to its associated object class. The remainder of this file provides an overview on how apol performs information flow analysis. What Is Overt Information Flow In SELinux? ------------------------------------------ Information flow is defined in terms of access allowed (not necessarily whether that access is actually used). In SELinux, all objects and subjects have an associated type. Generally speaking, subjects can read or write objects, and thereby cause information to flow into and out of objects, and into and out of themselves. For example, given two types (say subject_t and object_t) and a subject (with subject_t type) able to read, but not write, an object (with object_t type), a rule that would allow this access might look like the following: allow subject_t object_t : {file link_file} read; This case would have the following direct information flows for the types subject_t and object_t: subject_t: FROM object_t object_t: TO subject_t If this were the only rule relating to these two types, there would be no other direct information flows from or to either. An information flow can only occur when a subject is involved; a flow directly between two objects cannot exist since a subject is required to cause action. In SELinux, processes are generally the subject. There are currently 58 object classes (including processes, which are both subjects and objects). In apol, the subject is easy to recognize; any type that is used in the 'source' field of an allow rule is presumed to be associated with a subject, usually as the domain type of some process. The object type is the type used in the 'target' field of an allow rule. In the case of objects, the allow rule also explicitly identifies the object classes for which the rule applies. This fact results in a complication for analyzing information flows; specifically that flows between types are restricted by object classes. A flow between types is typically not allowed for all object classes, but for only those classes identified. So to be more precise, the direct information flows allowed by the object rules for object_t in the example above are: object_t [file, link_file]: TO subject_t A perspective difference exists between source (subject) types and target (object) types. A read permission between a source type and a target type is a flow out of the target (which is being read) and flow into the source (which, being a process, is receiving the data being read into its memory). Object permission mappings -------------------------- The above examples used 'read' permission, but described flows as 'in' or 'out' or 'from' and 'to'. In general, for information flow analysis, the only access between subjects and objects that are of interest, are read and write. Remembering the perspective difference mentioned above, read and write access results in the following flow for subjects (sources) and objects (targets): SUBJECT: READ: IN flow WRITE: OUT flow OBJECT: READ: OUT flow WRITE: IN flow NOTE: A process can be either a subject or an object, so when the process object class is specified in the allow rule, the target type is associated with process object class and the object flow rules apply. Although read and write access are the only access rights of interest for an information flow analysis, 'read' and 'write' permissions are not the only SELinux permissions of interest. The name of a permission does not necessarily imply whether it allows read or write access. Indeed, to perform an information flow analysis requires mapping all defined permissions for all object classes to read and write access. This mapping can be a difficult chore, and certainly requires extensive understanding of the access allowed by each of the hundreds of permissions currently defined. For example, the file object class has the 'getattr' permission defined that allows the ability to determine information about a file (such as date created and size). One could consider this a read access since the subject is reading information about the file. Then again this begins to feel like COVERT information flow analysis, where one is concerned about illicit signaling of information through non-traditional means (e.g., signaling the critical data by varying the size of file is a covert flow, writing the data directly in the file so it can be read is an overt flow). This type of decision must be made for each defined object permission for each defined object class. The permission mapping mechanism in apol allows each permission to be mapped to read, write, both or none. In addition, the tool attempts to 'fix' a permission map to fit the needs of the currently opened policy. So, for example, if a permission map file does not map a set of permissions, or skips an entire object class, apol will label the missing permissions to "unmapped" and treat them as if they were mapped to 'none.' Likewise, if a map has permissions that are undefined in the current policy, it will ignore those mappings. In this way, apol continues its tradition of supporting old and new versions of policies (see below for more on managing permission maps). Apol provides mechanisms to manage and customize permission mappings that best suit your needs. These tools, including a permission map editor, are all available under the Advanced menu (see more on this topic below). Permission weighting -------------------- In addition to mapping each permission to read, write, both, or none, it is possible to assign the permission a weight between 1 and 10 (the default is 10). Apol uses this weight to rate the importance of the information flow this permission represents and allows the user to make fine-grained distinctions between high-bandwidth, overt information flows and low-bandwidth, or difficult to exploit, covert information flows. For example, the permissions "read" and "write" on the file object could be given a weight of 10 because they are very high-bandwidth information flows. Additionally, the "use" permission on the fd object (file descriptor) would probably be given a weight of 1 as it is a very low-bandwidth covert flow at best. Note that a permission might be important for access control, like fd use, but be given a low weight for information flow because it cannot be used to pass large amounts of information. The default permission maps that are installed with apol have weights assigned for all of the permissions. The weights are in four general categories as follows: 1 - 2 difficult to exploit covert flows (example: fd:use) 3 - 5 less difficult to exploit covert flows (example: process:signal) 6 - 7 difficult to use, noisy, or low-bandwidth overt flows (example: file:setattr) 8 - 10 high-bandwidth overt flows (example: file:write) These categories are loosely defined and the placement of permissions into these categories is subjective. Additional work needs to be done to verify the accuracy of both the mappings of the permissions and the assigned weights. These weights are used in transitive information flow analysis to rank the results and to make certain that important paths between types are presented first. For example, consider a policy with the following information flows: allow one_t two_t : file write; allow three_t two_t : file read; allow one_t three_t : fd use; If the permissions were mapped as described above and an analysis of the transitive flows from one_t to three_t were done, the analysis would return the path one_t->two_t->three_t first because the read and write permissions have a much higher weight. The direct flow between one_t and three_t would still be returned by the find more flows, but it would appear later in the list of flows. Types of information flow analysis ---------------------------------- The examples so far have only looked at 'direct' information flows. As its name implies, direct information flow analysis examines a policy for information flows that are directly permitted by one or more allow rules. In essence, every allow rule defines a direct information flow between the source and target types (for those allowed permissions that map to read, write, or both). The direct information flow analysis automates the search for these direct flows. Transitive information flow analysis attempts to link together a series of direct information flows to find an indirect path in which information can flow between two types. The results for a transitive closure will show one or more steps in the chain required for information to flow between the start and end types. Currently, the results will only show one such path for each end type; specifically the shortest path. For example, given the following rules: allow one_t two_t : file write; allow three_t two_t: file read; A direct flow analysis between one_t and three_t would not show any flows since no rule explicitly allows access between them. However, a two-step flow exists that would allow flow between these two types, namely one_t writing information into a file type (two_t) that three_t can read. These are the types of flows that the transitive analysis attempts to find. For both analyses, the results are presented in a less-than-desirable tree form (a more natural form might be a graph presentation; presently we are not prepared for that type of investment into the GUI). Each node in the tree represents a flow (in the direction selected) between the type of the parent node and the type of the node. The results window shows details about the flow, including links to the rule(s) that allow the flow. Managing permission mappings ---------------------------- The ability to directly manage permission maps is important for the following reasons: + Permission maps are central to analyzing information flows, and the correctness of the map has a direct influence on the value of the results. + The mapping for individual permissions and object classes are subjective, and changing permissions to alter the analysis might be necessary (e.g., by unmapping certain object classes to remove them from the analysis). + You might be trying to work with several different policies each with different definitions of object classes and permissions. Because of these reasons, apol was designed to provide great latitude in managing permission mappings using the Advanced->Permission Mappings menus. A user need not manage permission maps directly. Apol is equipped with default permission maps (in /usr/share/setools/) that will be loaded automatically when an information flow analysis is performed. Use the Advanced menus to manually load a permission map from any file location. This capability allows you to keep several versions of permission map files, loading the correct one for the current analysis. In addition, you can manually load the default permission map (see below). There are two ways to edit the mappings in a permission map: 1) edit a map file directly, or 2) use the permission map editor under the Advanced menu. The editor displays all the object classes and permissions currently mapped (or unmapped) in the currently loaded policy. Additionally, the editor displays weight values for each permission. These values tell apol the importance of each permission to the analysis. The user can configure these weight values according to the analysis goals. For example, the user may consider any read or write permissions of highest importance to the analysis, whereas permission to use a file descriptor may be of least importance. A permission will default to a weight of 10 if a weight value is not provided for the permission in the permission map. Since apol will adapt a permission map file to meet the needs of a loaded policy, the loaded map may be different than the file on disk. Saving the loaded map will change the on-disk file to match the loaded map. Changes to the default permission map can be saved as your default permission map (i.e., $HOME/.apol_perm_mapping). If .apol_perm_mapping exists, it will be used as your default. Otherwise the system default from /usr/share/setools will be used as the default. NOTE: Only one permission map may be loaded at a time, and only if a policy.conf file is opened. If apol has performed an information flow analysis, the default permission map will be loaded automatically unless a permission map was previously manually loaded. Loading a new permission map will unload the current map; closing the policy will also unload the map. Finding more flows ------------------ For a transitive information flow, there might be many different information flows between two types. For example, given the following policy: allow one_t two_t : file write; allow three_t two_t: file read; allow four_t two_t: file read; allow four_t three_t: file write; In this policy, two ways exist that information can flow between one_t and three_t: through three_t and through three_t and four_t. In complicated policies, many information flows between two types can exist, but the initial transitive information flow analysis might not find all of them. For example, apol might only find the flow through three_t and four_t initially in the policy above. Apol provides the means to find more information flows between two types after the inital analysis is completed. In the results display for an end type, there is a link labeled "Find More Flows." Clicking on the link will bring up a dialog box that allows you to set a maximum time duration and a maximum number of flows. Finding all of the paths between two types could take a significant amount of time for a complicated policy, so this dialog provides the means to set limits on the search. The search will stop when either of the limits are met. After the search completes, the additional paths will be displayed in the same results tab. Note that if a large number of flows are found it may take the display several seconds to render the text. |
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0141 ]-- |