linux-security-module.vger.kernel.org archive mirror
From: "Dr. Greg" <greg@enjellic.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: linux-security-module@vger.kernel.org
Subject: Re: [PATCH 00/13] Implement Trusted Security Event Modeling.
Date: Tue, 1 Aug 2023 05:42:25 -0500
Message-ID: <20230801104225.GA22902@wind.enjellic.com>
In-Reply-To: <CAEjxPJ7a8AhO3VztWc3pP47v0ky3sM-HjUJVq4ocguVd5UAWKw@mail.gmail.com>

On Mon, Jul 31, 2023 at 10:38:42AM -0400, Stephen Smalley wrote:

Good morning Stephen, I hope this note finds your day starting well.

It has been a while since we have spoken, the Linux Security Summit in
2015 if I remember correctly.

> I have no stake in this, but just wondering whether you considered
> using the BPF LSM to implement your logic via eBPF programs. The BPF
> LSM allows one to attach eBPF programs to any/all LSM hooks. That
> would allow your security model to be used on any kernel >= 5.7. If
> I were writing a LSM from scratch today, that's what I would do...

An interesting and relevant observation.

We have some initial eBPF work completed, but that work suggests that
TSEM is a vehicle for implementation of eBPF functionality, rather
than a candidate for replacement by eBPF.  It is unclear, at least
from our perspective, perhaps we are misinformed as to eBPF capability,
as to how eBPF would replace TSEM functionality.

A rather fundamental premise of TSEM, and a large part of its
implementation, is the notion of security modeling namespaces.  We've
probably spent as much time as anyone on working with the mathematical
modeling of security behavior and it seems unlikely that relevant
models can be developed without isolating the model to the
characteristics of a specific workload.

The ability to externally model the security behavior of a workload is
also important with respect to the use of trust roots such as SGX
enclaves, other TEE's and hardware trust implementations.  For
example, with SGX an implementation has to be done in userspace; I
also wouldn't envision machine learning implementations as being
acceptable for inclusion in the kernel proper.

The value that we see with eBPF, in respect to TSEM, is as a means of
implementing Quasi-Deterministic Models (QDM's) with an in-kernel
Trusted Modeling Agent (TMA) implementation.  In QDM's, eBPF programs
would be used to implement 'parameter leveling' prior to the
generation of the security state coefficients.  This provides a path
for a single kernel modeling implementation to support multiple model
definitions.

An in-kernel TMA is a significant consumer of the kernel cryptographic
functionality, both for the generation of security state coefficients
and the cryptographic checksumming of files and executable code.

With respect to these issues, would IMA be considered as a candidate
for replacement with eBPF functionality?  We would be extremely
interested in community sentiment on this issue.

Have a good day.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity
