Security framework for embedded Linux

9th February 2016
Joe Bush

The proliferation of smart devices and the IoT has raised concerns amongst developers over protecting their devices from attacks. Gartner has recently predicted that over six billion internet connected ‘things’ will be in use in 2016 - a 30% increase over 2015. Christopher Hallinan from Mentor Graphics explains.

Building a secure system involves many components and layers of security. From physical security to protection from cloud-based threats, every aspect of a system must be evaluated and protected. Linux offers several frameworks for protecting the operating system and associated components. Here, two popular Linux frameworks will be examined - SELinux and SMACK.

Security Enhanced Linux (SELinux) was first integrated into the open source Linux kernel (Release 2.6) in 2003. Simplified Mandatory Access Control Kernel (SMACK) is the newcomer to Linux security frameworks, and has found traction in embedded devices because it is more compact, and easier to administer and configure. Both SELinux and SMACK protect operating system resources from unauthorised access using a mechanism called Mandatory Access Control (MAC).

Discretionary Access Control

To understand the difference between the two modes of access control, we need to consider first how Discretionary Access Control (DAC) behaves. Standard Linux systems use a set of access attributes that are part of every file system resource. These attributes govern the access permissions for a given file system resource. These permissions include ‘Read’, ‘Write’ and ‘eXecute’ (RWX).

DAC grants the owner of the resource the authority to decide who gets access to those resources. It is suitable for protection from accidental access violations and its policy centres on users.

Mandatory Access Control

Policy rules for Linux systems based on Mandatory Access Control (MAC) are centrally controlled by the operating system, and cannot be modified by ordinary system users. A policy developer controls which programs or processes can perform specific operations on system resources. Users cannot modify access permissions either accidentally or intentionally. MAC policy centres on programs rather than users, answering the question, ‘What can this program do or not do’?

SELinux

SELinux by default allows no access. Rules must be created and loaded into the operating system to specify allowable access rights. Using SELinux, all accesses must be explicitly granted. The collection of rules is called the SELinux Policy.

SELinux uses an access control attribute, attached to each file system object, called a security context. The most commonly used context fields are user, role and type, usually written as user:role:type. Every object (processes, files, etc.) has a security context. Policy rules allow a process in one context to perform operations on an object in another context.

SELinux comes with utilities that help manage its configuration. For example, an audit tool logs every system access that is denied. Another tool analyses the audit log and creates an access rule based on the log entry of the denial. Yet another utility can append that rule into the policy to make it permanent. This makes it easy to detect and fix access issues in SELinux systems. Furthermore, a developer need not create rules from scratch. Several reference policies exist which range from minimal to comprehensive that form a good basis from which to build your own custom SELinux policy.
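As an added illustration of the denial-to-rule workflow described above (this is example code, not one of the SELinux tools and not from the article), the following parses constructed AVC denial lines in the kernel audit log format and turns them into type-enforcement `allow` rules, merging permissions for the same source type, target type and object class; the labels and contexts in the sample lines are invented:

```python
import re

# Constructed AVC denial lines in the style of the kernel audit log (not real captures).
SAMPLE_DENIALS = [
    'type=AVC msg=audit(1454976000.123:456): avc:  denied  { read open } for  '
    'pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1454976000.200:457): avc:  denied  { getattr } for  '
    'pid=1234 comm="httpd" path="/home/web/index.html" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1454976000.200:457): arch=c000003e syscall=2 success=no',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denial(line):
    """Return (source type, target type, object class, permissions) for one AVC denial,
    or None if the line is not an AVC denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; TE rules are written in terms of the type field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = frozenset(m.group('perms').split())
    return stype, ttype, m.group('tclass'), perms


def denials_to_policy(lines):
    """Merge all denials into one allow rule per (source, target, class).
    Each rule grants exactly the access that was denied; before appending it to the
    policy, check that the access is genuinely needed and not the result of a
    mislabelled file, since the rule makes the access permanent."""
    merged = {}
    for line in lines:
        parsed = parse_avc_denial(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Running `denials_to_policy(SAMPLE_DENIALS)` yields a single rule, `allow httpd_t user_home_t:file { getattr open read };`, because the two denials share source type, target type and class.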

The power of SELinux comes from its granularity. SELinux controls many kernel resources, beyond the DAC model of only controlling file permissions. Because of this granularity, SELinux policies for even simple systems contain hundreds or even thousands of rules. It is well understood that SELinux has both a learning curve and significant administrative burden.

SMACK

The complexities of SELinux gave birth to Simplified MAC-Kernel (SMACK). SMACK uses the same underlying kernel infrastructure as SELinux, but reduces the granularity to make system development, configuration and administration easier. It’s still a MAC system, meaning it is governed by a central policy and not by system users. According to its designers, simplicity was its primary design goal.

SMACK consists of three components - a SMACK enabled kernel, SMACK utilities and the configuration data (policy). SMACK is based on labels attached to objects. The only operation ever done on a label is to test for equality. Every task on a SMACK-based system is assigned a label. Special labels are assigned to system tasks such as ‘init’. Several special labels have specific meaning, such as the asterisk as a wild card character.
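The following added example (not from the article, and not SMACK's own code) models the SMACK access decision in Python to show how little is involved: labels are only ever compared for equality, and every other decision comes from the loaded rule set or from the special labels. The rule text is in the `subject object modes` form loaded through smackfs; the labels are invented, and the semantics of the floor (`_`) and hat (`^`) labels, and the order of the checks, follow the kernel's Smack documentation rather than the article.

```python
# Access modes a SMACK rule can grant: read, write, execute, append, transmute.
MODES = frozenset("rwxat")

# Constructed rule set (invented labels) in the 'subject object modes' form that
# smackload writes to /sys/fs/smackfs/load2. Anything not listed is denied,
# apart from the special-label cases handled in smack_access().
SAMPLE_RULES = """
# subject         object           modes
App::Web          System::Log      wa
App::Web          App::Web::Data   rwx
System::Update    App::Web::Data   r
"""


def parse_rules(text):
    """Parse rule lines into {(subject, object): set(modes)}; '#' lines are comments."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        subject, obj, modes = fields
        rules[(subject, obj)] = set(modes) & MODES
    return rules


def smack_access(rules, subject, obj, mode):
    """Decide whether a task labelled `subject` may perform `mode` on an object
    labelled `obj`. Checks run in the order the kernel documents; the first match wins."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    if subject == '*':                      # a task labelled star is denied everything
        return False
    if subject == '^' and mode in 'rx':     # hat may read or execute anything
        return True
    if obj == '_' and mode in 'rx':         # anything may read or execute the floor
        return True
    if obj == '*':                          # any access to a star object is permitted
        return True
    if subject == obj:                      # equal labels: access permitted
        return True
    return mode in rules.get((subject, obj), set())   # explicit rule, else denied
```

With these rules the web app may append to the log but not read it, and the updater may read the app's data but not write it; the only label comparison in the whole decision is the equality test.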

Summary

SELinux is complex and designed for enterprise level security. Even a simple system requires thousands of individual rules to operate. SELinux permissions are much more granular, and therefore can protect system resources such as memory, I/O, sockets and more. SELinux is mature and has good tools for monitoring and control, troubleshooting and policy examination and maintenance.

SMACK was designed with embedded systems in mind. As a result it is easier to configure and maintain. SMACK tools are not as rich as those available for use with SELinux. Permissions are not as granular.

Whatever framework you choose, remember that access control is only one component of a secure system. Security for embedded Linux devices must be considered at design time, and can be challenging to get right. One thing is certain: securing your devices from malicious attacks can no longer be an afterthought.
