FBAC-LSM
protect yourself from your apps

Why?

Because you can't trust the programs you run to act as you expect. In most cases, when you run a program it is authorised to do anything you can do. Malware, or a vulnerability in otherwise benign software, can therefore turn your own privileges against you: a program you run can read, modify or delete anything you can.

How does it work?

FBAC-LSM is a security extension for Linux. It restricts programs to the features you actually want them to perform. You specify high-level goals such as "Web Browser", supply some application-specific details (which can usually be automated), and FBAC-LSM then stops the program from doing anything outside those features. See the demonstration video below.

Features

  • Limits the damage that software vulnerabilities or Trojan horses can cause by defining what programs are allowed to do.
  • Restricts programs based on high level security goals using functionalities, which represent the authority to perform program features.
  • Functionalities are reusable policy abstractions which are adapted for specific applications via parameters.
  • Functionalities are also hierarchical (can contain other functionalities), so policy details can be encapsulated and policy is constructed using abstractions.
  • Simultaneously provides Mandatory Access Controls and Discretionary Access Controls: administrators can configure policies which enforce application restrictions on users (MAC), and users can further confine applications to ensure the application is acting on their behalf (DAC).
  • The policy manager provides a graphical interface which can step users through the process of creating new application policies.
  • The policy manager can suggest functionalities, and can automate the process of specifying application details for parameters. This leaves users to specify high level goals, such as confirming which features the application should provide, and where the user stores certain resources which the program can access. For example, for the KWrite program, confirming that it is a File Editor, and specifying that you want it to be able to edit files in particular directories.
  • Policy to restrict a program can usually be specified successfully without having to run the untrusted program.
  • Unlike most application confinement schemes, it is not necessary for the person creating the application policy to vet every low-level action that a program performs.
  • A learning mode which suggests extra privileges based on program activity is available. This can be used if the functionalities available do not provide the required privileges. Learning can occur either while enforcing policy or while policy is not in effect.
  • The policy manager can be used to review policy in detail:
    • the policy for an application can be queried to test if the program will be allowed to access specific resources,
    • a list of all the low level privileges which a program will be allowed to access can be displayed,
    • the user can "drill down" through the hierarchical policy to view how functionalities which contain other functionalities grant privileges,
    • the way policy will be expressed on disk can be displayed,
    • or a high level description of a policy can be viewed.
  • Mediates access to files and the network.
  • Can manage other security systems. Currently the policy manager can experimentally export to and manage AppArmor profiles.
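To make the ideas in the "How does it work?" section and the feature list concrete, here is a small model written for this page; it is an added illustration, not FBAC-LSM's own code or its on-disk policy format. It models functionalities as reusable policy abstractions that take parameters, nest inside one another, and expand to a flat list of low-level file privileges; it adds AppArmor-style path wildcards ("*" stays within one directory component, "**" spans directories), a "drill down" view of the hierarchy, and a query that checks whether a confined program may access a given path. The functionality names, rule sets and paths (Standard_Program, Application_Config, the KWrite directories) are assumptions chosen for the example. The page says FBAC-LSM offers MAC and DAC at once; the example models that as an access having to pass both the administrator's policy and the user's policy.

```python
import re
from dataclasses import dataclass, field


def glob_to_regex(pattern):
    """AppArmor-style globbing (assumed for this example): '*' matches within one
    path component, '**' may span directories, '?' is one non-slash character."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")


@dataclass
class Functionality:
    """A reusable policy abstraction: parameterised rules plus child functionalities."""
    name: str
    params: tuple = ()                             # parameter names this functionality takes
    rules: list = field(default_factory=list)      # (path template, perms), e.g. ("{docs}/**", "rw")
    children: list = field(default_factory=list)   # (Functionality, {child param: template})


def bind(binding, args):
    """Map a child's parameters onto the parent's arguments (or literal paths)."""
    return {k: v.format(**args) for k, v in binding.items()}


def expand(func, args):
    """Flatten a functionality into the low-level (path pattern, perms) privileges it grants."""
    missing = set(func.params) - set(args)
    if missing:
        raise ValueError(f"{func.name}: unbound parameters {sorted(missing)}")
    privs = [(tmpl.format(**args), perms) for tmpl, perms in func.rules]
    for child, binding in func.children:
        privs += expand(child, bind(binding, args))
    return privs


def drill_down(func, args, depth=0):
    """The hierarchical view: which functionality grants which privilege, as indented lines."""
    pad = "  " * depth
    lines = [f"{pad}{func.name} {args}"]
    lines += [f"{pad}  {tmpl.format(**args)} {perms}" for tmpl, perms in func.rules]
    for child, binding in func.children:
        lines += drill_down(child, bind(binding, args), depth + 1)
    return lines


def allows(privs, path, perm):
    """Does this flat privilege list grant permission `perm` ('r', 'w', ...) on `path`?"""
    return any(perm in perms and glob_to_regex(pat).match(path) for pat, perms in privs)


# Constructed example functionalities (illustrative, not FBAC-LSM's shipped policies).
STANDARD_PROGRAM = Functionality("Standard_Program", rules=[
    ("/lib/**.so*", "r"), ("/usr/lib/**.so*", "r"), ("/etc/ld.so.cache", "r"),
])
APP_CONFIG = Functionality("Application_Config", params=("config_dir",), rules=[
    ("{config_dir}/**", "rw"),
])
FILE_EDITOR = Functionality(
    "File_Editor", params=("document_dir", "config_dir"),
    rules=[("{document_dir}/**", "rw")],
    children=[(STANDARD_PROGRAM, {}), (APP_CONFIG, {"config_dir": "{config_dir}"})],
)

# Administrator (MAC) policy and the user's own narrower (DAC) policy for KWrite.
ADMIN_KWRITE = expand(FILE_EDITOR, {"document_dir": "/home/alice", "config_dir": "/home/alice/.kde"})
USER_KWRITE = expand(FILE_EDITOR, {"document_dir": "/home/alice/docs", "config_dir": "/home/alice/.kde"})


def kwrite_may(path, perm):
    """An access is permitted only if both the administrator's and the user's policy allow it."""
    return allows(ADMIN_KWRITE, path, perm) and allows(USER_KWRITE, path, perm)


if __name__ == "__main__":
    print("\n".join(drill_down(FILE_EDITOR, {"document_dir": "/home/alice/docs",
                                              "config_dir": "/home/alice/.kde"})))
    for path, perm in [("/home/alice/docs/notes.txt", "w"),
                       ("/home/alice/.ssh/id_rsa", "r"),
                       ("/usr/lib/libQtCore.so.4", "r")]:
        print(f"{perm} {path}: {'allowed' if kwrite_may(path, perm) else 'denied'}")
```

The point of the intersection in kwrite_may is the one the feature list makes: the administrator lets KWrite edit anything under /home/alice, but Alice's own policy narrows that to /home/alice/docs, so a Trojaned editor reading /home/alice/.ssh/id_rsa is denied even though the administrator's policy alone would allow it.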

Get it

Currently FBAC-LSM is in an early stage of development. It is functional, but unstable. FBAC-LSM has been developed on OpenSUSE 10.3, against the kernel that ships with that (older) release, which carries the AppArmor LSM extensions. In the future FBAC-LSM will be made compatible with the current LSM interface.

It is also possible to use the user-space tools on just about any Linux system (with Qt4 installed) to get a feel for how FBAC-LSM works without installing the LSM to enforce policy. There are several ways to test what a policy authorises, or to simulate program activity. There is currently limited support for managing AppArmor using the FBAC-LSM tools.

Currently FBAC-LSM is only available as source (see the next section for download instructions).

Please report your experiences.

Contribute code or policies

Grab the source using git from:

git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm

Using Linux you can pull a copy of the repository (which includes code and policies) to your computer using the command:

git clone git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm

There is lots to be done, and no matter your expertise you can be of assistance. Check out the TODO file.

Some more information is available on the FBAC-LSM development sourceforge project page.

Send patches, files or comments to the (very quiet) public mailing list fbac-lsm-general at lists.sourceforge.net (subscribe here) or to z.cliffe at schreuders.org

Developing FBAC-LSM takes a lot of time. Please consider making a $5 donation to support continuing development.


What does the name mean?

FBAC-LSM (pronounced: Eff-back L.S.M.) is named after the security model FBAC and the LSM security framework. FBAC stands for Functionality-Based Application Confinement. The Linux Security Module (LSM) framework allows the Linux kernel to be extended with additional security features. An important component of FBAC-LSM is a Linux Security Module (LSM). FBAC-LSM also includes user-space tools. I realise the name FBAC-LSM is not catchy. One day it will probably be renamed.

Who are the developers?

I (Z. Cliffe Schreuders) created FBAC-LSM for my PhD research. I am currently looking for people to help to develop FBAC-LSM further. Here is a list of all the people who have contributed code to FBAC-LSM so far:

Z. Cliffe Schreuders

Adric Schreuders


I would also like to acknowledge my supervisors who helped with guidance during my research:

Christian Payne

Associate Professor Tanya McGill

More information and documentation

Videos

These videos give an overview of how FBAC-LSM works and demonstrate how it is used.

LCA2010 (linux.conf.au) presentation:

Gives an overview of the problems with previous approaches to application-oriented access controls, explains how the new approach (FBAC-LSM) works, and gives a live demo of using FBAC-LSM to confine a Trojan horse.

This presentation was received well, was of interest to many of the attendees, and resulted in ongoing discussions after the conference. There were more people in the room than are visible in the video :)

Open in a new window, with further presentation details and the option to download.

Brief overview:

Highlights some key points: the main components that make up a policy, where policy is stored on disk, how the path-based wildcard pattern matching works (similar to AppArmor wildcards), the enforcement modes a policy can be in, the steps for confining an application, and some helpful commands.

Demonstration (opens in a new window to play):

Note that once the program has been confined, the damage it could cause if it contained a software vulnerability or was malicious is severely limited. This example confines KWrite, a text editor, so that it can only access particular files. KWrite is not a particularly high-risk target, although it is safer not to trust programs when possible; the demo illustrates how policies are created to confine applications.

FBAC-LSM now provides new automation features not covered in this video.