{"id":260,"date":"2012-02-03T12:03:12","date_gmt":"2012-02-03T20:03:12","guid":{"rendered":"http:\/\/blog.mozilla.org\/webappsec\/?p=260"},"modified":"2012-02-03T12:03:12","modified_gmt":"2012-02-03T20:03:12","slug":"browserid-system-security","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/","title":{"rendered":"BrowserID: System security"},"content":{"rendered":"<p>With the launch of <a href=\"http:\/\/www.browserid.org\">browserid.org<\/a> we have been busy <a title=\"Securing BrowserID\" href=\"http:\/\/blog.mozilla.org\/webappsec\/2011\/12\/14\/securing-browserid\/\">reviewing the code<\/a> and design of BrowserID.<\/p>\n<p>However, we also wanted to:<\/p>\n<ul>\n<li>Enforce <strong>privilege separation<\/strong> at the system level<\/li>\n<li>Render <strong>potential security issues<\/strong> in the web app code and in the other services running on the host <strong>less relevant<\/strong><\/li>\n<\/ul>\n<p>This is implemented via:<\/p>\n<ul>\n<li><strong>Role-based access control<\/strong> (<strong>RBAC<\/strong>)<\/li>\n<li>Enforced by a <strong>Mandatory access control<\/strong> framework (<strong>MAC<\/strong>)<\/li>\n<\/ul>\n<p><strong>MAC vs DAC<\/strong><\/p>\n<ul>\n<li>With DAC, <strong>users are responsible for setting access permissions<\/strong>,<br \/>\nsuch as read, write and execute (these are set by the user who owns the file).<\/li>\n<li>With MAC, the system sets and controls the permissions, and <strong>users cannot modify permissions<\/strong>, even on files they own.<\/li>\n<\/ul>\n<p><strong>RBAC<\/strong> is an access control model that is enforced by <strong>MAC<\/strong>. Note that for compatibility reasons, the<br \/>\nLinux DAC model is still in use. 
However, <strong>MAC<\/strong> always takes precedence over <strong>DAC<\/strong>: a request must pass both, so DAC can never grant what MAC denies.<\/p>\n<p><strong>Types<\/strong><\/p>\n<ul>\n<li>File system objects and some other system <strong>objects are grouped<\/strong> into different types.<\/li>\n<\/ul>\n<p><strong>Roles<\/strong><\/p>\n<ul>\n<li>With RBAC, <strong>processes (subjects) are grouped<\/strong> into different roles.<\/li>\n<li>Each role has a detailed list of permissions for each type.<\/li>\n<li>The list of permissions is called an <strong>access matrix<\/strong> (also called an access vector).<\/li>\n<li>The sum of the access matrices is called the RBAC <strong>security policy<\/strong>.<\/li>\n<\/ul>\n<p>As in a theater, where the same person can play different<br \/>\ncharacters,<strong> the same processes can be started under different roles<\/strong> (and<br \/>\neven transition to other roles if those are set to be compatible).<br \/>\n<strong>RSBAC<\/strong><br \/>\nFor the BrowserID project, we have selected <a href=\"http:\/\/www.rsbac.org\/\"><strong>RSBAC<\/strong><\/a> as the MAC framework, which<br \/>\nimplements a module called RC (Role Compatibility) as its RBAC model.<\/p>\n<ul>\n<li>RSBAC lets us retain both flexibility and very detailed access control (<strong>no compromise<\/strong>).<\/li>\n<li>It is a patch to the Linux kernel, which implements <strong>hooks<\/strong> and an <strong>access<\/strong> <strong>decision framework<\/strong>.<\/li>\n<li>It has <strong>several security models<\/strong> implemented (called modules)<\/li>\n<ul>\n<li>Each module returns GRANTED, NOT_GRANTED or DO_NOT_CARE for each access decision. The framework denies the request if any module returns NOT_GRANTED; DO_NOT_CARE therefore only counts as GRANTED when no module objects.<\/li>\n<\/ul>\n<\/ul>\n<p>RSBAC modules we are using in particular:<\/p>\n<ul>\n<li><strong>RC<\/strong> The RBAC module<\/li>\n<li><strong>AUTH<\/strong> The authentication module<\/li>\n<ul>\n<li>Lists which user IDs a process is allowed to switch to.<\/li>\n<li>You cannot log in as a user, or switch to a user 
ID, unless AUTH allows it for that process.<\/li>\n<\/ul>\n<li><strong>CAP<\/strong> The capabilities module, which controls Linux capabilities.<\/li>\n<ul>\n<li>For example, we drop root&#8217;s capabilities (<strong>root is a regular user<\/strong>)<\/li>\n<\/ul>\n<\/ul>\n<p><strong>Security Policy<\/strong><br \/>\nCommon approaches:<\/p>\n<ul>\n<li>One policy file <strong>per package<\/strong>.<\/li>\n<ul>\n<li>Complex and requires a lot of maintenance. May require repackaging each package.<\/li>\n<li>More difficult to customize and extend the policy in some cases.<\/li>\n<\/ul>\n<li>Policy <strong>enabled only for specific system daemons<\/strong> (RHEL&#8217;s SELinux does this by default: it is called the <strong>targeted<\/strong> policy).<\/li>\n<ul>\n<li>Easier management and setup, but if unprotected daemons\/processes are compromised, this does not help much.<\/li>\n<li>Lower security level.<\/li>\n<\/ul>\n<\/ul>\n<p>Our approach:<\/p>\n<ul>\n<li>Global <strong>base<\/strong> policy common to all systems<\/li>\n<ul>\n<li>Runs on default installs of <strong>RHEL 6 systems<\/strong><\/li>\n<li>&#8220;<strong>Role per service<\/strong>&#8221; instead of &#8220;Role per package&#8221;<\/li>\n<\/ul>\n<\/ul>\n<ul>\n<li>Extended by a <strong>custom<\/strong> policy file on a per-system-type basis<\/li>\n<ul>\n<li>BrowserID has such a custom policy file<\/li>\n<\/ul>\n<ul>\n<li>It separates the NodeJS daemons, keys, secure cookie storage, etc.<\/li>\n<\/ul>\n<ul>\n<li>Different custom policies exist for the database, web servers, and so on.<\/li>\n<\/ul>\n<\/ul>\n<ul>\n<li>Faster!<\/li>\n<ul>\n<li>Faster deployment (no repackaging, no separate per-package tests).<\/li>\n<\/ul>\n<ul>\n<li>The security policy development team does not need to wait on the package team or vice-versa (in our case, Red Hat, which releases updates and upgrades independently)<\/li>\n<li>The security engineer\/admin only has to verify that the policy works as expected on system update 
(generally the policy only needs updating on major version upgrades, such as RHEL 5 to RHEL 6)<\/li>\n<\/ul>\n<\/ul>\n<p><strong>Future<\/strong><br \/>\nWe plan to have a <strong>specific NodeJS RSBAC module<\/strong>, enabling us to switch roles from within NodeJS depending on the operation performed, to obtain a more detailed separation.<\/p>\n<ul>\n<li>Critical code sections could run with an elevated role.<\/li>\n<li>Other parts of the process cannot elevate to this role.<\/li>\n<ul>\n<li>Note that technically this is a hybrid form of MAC+DAC, as the process itself decides when to switch roles, but the policy limits which role may be switched to, by which process, and so on.<\/li>\n<\/ul>\n<li>The elevated role still has a very detailed policy that does not give access to more than what it needs.<\/li>\n<\/ul>\n<p>When a bug in a regular code section is exploited to gain system access, run system commands, or access the filesystem or the database, the attacker is contained in that section&#8217;s role, and RSBAC denies access to the types that only the elevated role can reach (for example, cookies and keys).<\/p>\n<p>Therefore, <strong>even if<\/strong> root or an administrative user were compromised,<br \/>\nthe attacker would again be limited by:<\/p>\n<ul>\n<li>The role&#8217;s access matrix<\/li>\n<li>The capabilities allowed for the process that has been compromised<\/li>\n<li>The user IDs AUTH permits this process to switch to<\/li>\n<\/ul>\n<p>In short, the detailed access control severely reduces the available attack vectors.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the launch of browserid.org we have been busy reviewing the code and design of BrowserID. 
However, we also wanted to: Enforce privilege separation at the system level Render the &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/\">Read more<\/a><\/p>\n","protected":false},"author":406,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8632],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>BrowserID: System security - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guillaume Destuynder\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/\",\"name\":\"BrowserID: System security - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2012-02-03T20:03:12+00:00\",\"dateModified\":\"2012-02-03T20:03:12+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BrowserID: System security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc\",\"name\":\"Guillaume 
Destuynder\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/0de446c53eb8368872d481e18d363d39\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g\",\"caption\":\"Guillaume Destuynder\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BrowserID: System security - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/","twitter_misc":{"Written by":"Guillaume Destuynder","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/","url":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/","name":"BrowserID: System security - Mozilla Security 
Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2012-02-03T20:03:12+00:00","dateModified":"2012-02-03T20:03:12+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2012\/02\/03\/browserid-system-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"BrowserID: System security"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc","name":"Guillaume Destuynder","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/0de446c53eb8368872d481e18d363d39","url":"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g","caption":"Guillaume 
Destuynder"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/260"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/406"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/260\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=260"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
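The decision framework the post describes (an RC access matrix over types, AUTH lists of permitted user IDs, CAP capability sets, the three module verdicts, MAC taking precedence over DAC, and role transitions gated by role compatibility) as an added example in JavaScript. This is not code from the BrowserID project or from RSBAC: the role, type, capability and request names and the whole policy are constructed for illustration, and AUTH and CAP are keyed by role here rather than by process or program as RSBAC does. It shows why a compromised section running as uid 0 under the regular web role still cannot read signing keys, switch uid, switch role, or use a capability.

```javascript
// Added example, not code from the BrowserID project or from RSBAC itself:
// a model of how an RSBAC-style access decision framework combines the RC,
// AUTH and CAP modules described in the post, and why MAC confines a
// process even when Linux DAC (including uid 0) would let it through.
// The three verdicts and module names are RSBAC's; role, type, capability
// and request names and the policy below are constructed for illustration.

const GRANTED = "GRANTED";
const NOT_GRANTED = "NOT_GRANTED";
const DO_NOT_CARE = "DO_NOT_CARE";

// RC module: the access matrix, role -> type -> permitted requests, plus
// which roles a role may transition into (its "compatible" roles).
// Hypothetical policy: the regular web role never sees keys or cookies,
// and neither role is allowed to transition into the other.
const rcPolicy = {
  "browserid-web": {
    access: { "app-code": ["READ", "EXECUTE"], "web-logs": ["READ", "WRITE"] },
    compatibleRoles: [],
  },
  "browserid-keys": {
    access: {
      "app-code": ["READ", "EXECUTE"],
      "signing-keys": ["READ"],
      "secure-cookies": ["READ", "WRITE"],
    },
    compatibleRoles: [],
  },
};

// AUTH module: user IDs a process (keyed by role here) may switch to.
const authPolicy = { "browserid-web": [], "browserid-keys": [] };

// CAP module: capabilities a process keeps regardless of its uid.
// An empty set for a uid-0 process is what "root is a regular user" means.
const capPolicy = { "browserid-web": [], "browserid-keys": [] };

// Each module answers every request with one verdict.
function rcDecide(proc, req) {
  const role = rcPolicy[proc.role];
  if (!role) return NOT_GRANTED;
  if (req.type === "CHANGE_ROLE")
    return role.compatibleRoles.includes(req.target) ? GRANTED : NOT_GRANTED;
  if (req.type === "CHANGE_UID" || req.type === "USE_CAP") return DO_NOT_CARE;
  const allowed = role.access[req.target] || [];
  return allowed.includes(req.type) ? GRANTED : NOT_GRANTED;
}

function authDecide(proc, req) {
  if (req.type !== "CHANGE_UID") return DO_NOT_CARE;
  return (authPolicy[proc.role] || []).includes(req.target) ? GRANTED : NOT_GRANTED;
}

function capDecide(proc, req) {
  if (req.type !== "USE_CAP") return DO_NOT_CARE;
  return (capPolicy[proc.role] || []).includes(req.target) ? GRANTED : NOT_GRANTED;
}

// The framework's rule: one NOT_GRANTED from any module denies; otherwise
// the request is granted, so all-DO_NOT_CARE behaves like GRANTED.
function macDecide(proc, req) {
  const verdicts = [rcDecide, authDecide, capDecide].map((m) => m(proc, req));
  return verdicts.includes(NOT_GRANTED) ? NOT_GRANTED : GRANTED;
}

// Simplified Linux DAC: uid 0 passes everything, otherwise the object's
// owner/other permission bits decide.
function dacAllows(proc, obj, op) {
  if (proc.uid === 0) return true;
  const bits = proc.uid === obj.owner ? obj.ownerPerms : obj.otherPerms;
  return bits.includes(op);
}

// DAC is still consulted, but MAC runs afterwards and can only narrow the
// result: that is what "MAC takes precedence over DAC" means in practice.
function checkFileAccess(proc, obj, op) {
  if (!dacAllows(proc, obj, op)) return "denied by DAC";
  const verdict = macDecide(proc, { type: op, target: obj.rcType });
  return verdict === GRANTED ? "granted" : "denied by MAC";
}

// Constructed objects and processes for the demonstration.
const signingKey = { owner: 0, ownerPerms: ["READ", "WRITE"], otherPerms: [], rcType: "signing-keys" };
const webProc = { uid: 0, role: "browserid-web" };   // regular role, but running as uid 0
const keysProc = { uid: 0, role: "browserid-keys" }; // elevated role

// Scenario from the post: a regular code section is compromised and the
// attacker holds root; every escalation path is closed by a module.
function attackerAttempts() {
  return {
    readKeyAsRoot: checkFileAccess(webProc, signingKey, "READ"),
    readKeyFromKeysRole: checkFileAccess(keysProc, signingKey, "READ"),
    escalateRole: macDecide(webProc, { type: "CHANGE_ROLE", target: "browserid-keys" }),
    setuidToAnother: macDecide(webProc, { type: "CHANGE_UID", target: 1000 }),
    useDacOverride: macDecide(webProc, { type: "USE_CAP", target: "CAP_DAC_OVERRIDE" }),
  };
}

console.log(attackerAttempts());
```

Run it with `node`; the printed object shows every attempt from the web role denied although the process is uid 0, while the same key read succeeds under the keys role. Adding a role to `compatibleRoles` is the only way to open the `CHANGE_ROLE` path, which is the knob the post's planned NodeJS module would use, with the policy rather than the process deciding which role is reachable.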