diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml index aec7d60..1ab796e 100644 --- a/.github/workflows/mdbook.yml +++ b/.github/workflows/mdbook.yml @@ -37,6 +37,7 @@ jobs: curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh rustup update cargo install --version ${MDBOOK_VERSION} mdbook + cargo install --version ${MDBOOK_VERSION} mdbook-bib - name: Setup Pages id: pages uses: actions/configure-pages@v5 diff --git a/Makefile b/Makefile index 15a1351..e8a1966 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -export PATH := $(shell echo $$HOME)/.cargo/bin:$(PATH) +export PATH := $(shell echo $$HOME)/.cargo/bin:$(PATH):/usr/sbin PROFILE ?= release RELEASE = $(if $(filter $(PROFILE),release),--release,) BIN_DIR := target/$(PROFILE) @@ -12,6 +12,7 @@ $(BIN_DIR)/chsr: cargo build $(RELEASE) --bin chsr || true $(BIN_DIR)/capable: + aya-tool generate task_struct > capable-ebpf/src/vmlinux.rs cargo xtask build-ebpf $(RELEASE) || true cargo build --package capable $(RELEASE) || true diff --git a/book/book.toml b/book/book.toml index 4eb2e72..92a2ad1 100644 --- a/book/book.toml +++ b/book/book.toml @@ -13,4 +13,10 @@ edit-url-template = "https://github.com/LeChatP/RootAsRole/edit/master/book/{pat [preprocessor.graphviz] command = "mdbook-graphviz" -output-to-file = false \ No newline at end of file +output-to-file = false + +[preprocessor.bib] +title="References" +hb-tpl = "references.hbs" +cite-hb-tpl = "cite.hbs" +bibliography = "references.bib" \ No newline at end of file diff --git a/book/src/cite.hbs b/book/src/cite.hbs new file mode 100644 index 0000000..fa5b259 --- /dev/null +++ b/book/src/cite.hbs @@ -0,0 +1 @@ +[[{{item.authors.[0].[0]}}{{#if item.authors.[2]}} et al.{{else}}{{#if item.authors.[1]}} & {{item.authors.[1].[0]}}{{/if}}{{/if}} {{item.pub_year}}]({{path}}#{{item.citation_key}})] \ No newline at end of file diff --git a/book/src/knowledge/command_match.md b/book/src/knowledge/command_match.md index 2a56ccc..df683c0 100644 --- a/book/src/knowledge/command_match.md +++ b/book/src/knowledge/command_match.md @@ -2,7 +2,7 @@ ## Role Conflict resolution -As you may know with this RBAC model, it is possible for multiple roles to reference the same command for the same users. Since we do not ask by default the role to use, our tool applies an smart policy to choose a role using user, group, command entry and least privilege criteria. We apply a partial order comparison algorithm to decide which role should be chosen : +As you may know with this RBAC model, it is possible for multiple roles to reference the same command for the same users. Since we do not ask by default the role to use, our tool applies an smart policy to choose a role using user, group, command entry and least privilege criteria. We apply a partial order comparison algorithm @@abedinDetectionResolutionAnomalies2006 to decide which role should be chosen : * Find all the roles that match the user id assignment or the group id, and the command input * Within the matching roles, select the one that is the most precise and least privileged : diff --git a/book/src/knowledge/ebpf.md b/book/src/knowledge/ebpf.md index 911edf1..7a3d817 100644 --- a/book/src/knowledge/ebpf.md +++ b/book/src/knowledge/ebpf.md @@ -1,3 +1,3 @@ # What is eBPF ? -eBPF (extended Berkeley Packet Filter) is a technology that allows the execution of custom programs in the Linux kernel without changing the kernel source code or loading kernel modules. In RootAsRole, we use eBPF to implement the `capable` command. This command allows you to check if a process requests any capability. \ No newline at end of file +eBPF (extended Berkeley Packet Filter) @@sharafExtendedBerkeleyPacket2022 is a technology that allows the execution of custom programs in the Linux kernel without changing the kernel source code or loading kernel modules. In RootAsRole, we use eBPF to implement the `capable` command. This command allows you to check if a process requests any capability. \ No newline at end of file diff --git a/book/src/knowledge/rbac.md b/book/src/knowledge/rbac.md index 860c2fa..40c7165 100644 --- a/book/src/knowledge/rbac.md +++ b/book/src/knowledge/rbac.md @@ -1,10 +1,17 @@ -# Why you need to use Role-Based Access Control Model +# What is Role-Based Access Control Model? -Role-Based Access Control (RBAC) is a security model that grants access to resources based on a user's role within an organization. Here are some reasons why you need to use Role-Based Access Control: +Role-Based Access Control (RBAC) is a access control model that grants access to resources based on a user's role within an organization @@ferraioloProposedNISTStandard2001. This model makes it easier to manage user-centric access control policies. Indeed, this design allows to simply the distribution of user's responsibilities and better organize the access control policies in this context. -1. **Simplified User Management**: RBAC eliminates the need to manage individual user permissions, making it easier to add or remove users from a system. -1. **Increased Efficiency**: RBAC automates the process of granting and revoking access to resources, reducing the administrative burden on IT teams. -1. **Scalability**: RBAC is highly scalable, making it an ideal solution for large and complex organizations. -1. **Flexibility**: RBAC can be applied to various systems, applications, and networks, making it a versatile security solution. +# What about Attribute-based Access Control Model ? -By implementing Role-Based Access Control, RootAsRole provides a efficient way to manage user access to resources within your organization. \ No newline at end of file +Attribute-Based Access Control (ABAC) is a more flexible model that grants access based on attributes of the user, the resource, the actions, and the environment by applying constraints on them. This design allows to implement generic access control policies. However, ABAC does not solve the problem of managing user-centric responsibilities access control policies. Indeed, ABAC allow to define generic policies, but not to manage them correctly given specific access control need. However, As ABAC can define a generic policy, it can be used to implement RBAC @@jinRABACRoleCentricAttributeBased2012, Bell-Lapadula (for confidentiality) @@balamuruganHoneyBeeBehaviour2015 or even Biba (for integrity) access control models @@kashmarAccessControlModels2020. + +So ABAC is allowing to reach multiple access control properties by implementing multiple specific access control models. However, not respecting precisely these models designs may not reach the expected security properties. + +# So why not use ABAC instead of RBAC for RootAsRole? + +RootAsRole wants to delegate administrative responsibilities to severals users with more respect on the principle of least privilege. This means that RootAsRole access control policy is more user-centric, and thus, RBAC is more adapted to this context. + +# Is it possible to use ABAC with RootAsRole? + +Today, it requires some development to integrate RootAsRole in an ABAC implementation. However, RootAsRole will never implement ABAC by itself, so RootAsRole would requires to implement RBAC (with RootAsRole information) in the ABAC solution. \ No newline at end of file diff --git a/book/src/knowledge/sod.md b/book/src/knowledge/sod.md index def0f64..da0b52e 100644 --- a/book/src/knowledge/sod.md +++ b/book/src/knowledge/sod.md @@ -2,7 +2,7 @@ ## Static Separation of Duties -Static Separation of Duties (SSD) within an RBAC ensures that no single user can hold conflicting administrative roles, enhancing security and operational integrity. For instance, SSD policies would prevent a user assigned as a "System Administrator" from also being a "Network Administrator" or "Backup Administrator," thereby mitigating the risk of entire control of a system and potential fraud. +Static Separation of Duties (SSD) within an RBAC ensures that no single user can hold conflicting administrative roles, enhancing security and operational integrity@@ferraioloProposedNISTStandard2001. For instance, SSD policies would prevent a user assigned as a "System Administrator" from also being a "Network Administrator" or "Backup Administrator," thereby mitigating the risk of entire control of a system and potential fraud. With RootAsRole, you can implement SSD by creating roles that are mutually exclusive by adding `ssd` array in a role definition. For example, you can create a role for a "System Administrator" and another for a "Network Administrator." You can then assign these roles to different users, ensuring that no single user has both roles at the same time. If a user obtains a new role that conflicts with an existing role, RootAsRole will prevent the user to use any conflicting role. diff --git a/book/src/references.bib b/book/src/references.bib new file mode 100644 index 0000000..94ff88b --- /dev/null +++ b/book/src/references.bib @@ -0,0 +1,106 @@ + +@inproceedings{abedinDetectionResolutionAnomalies2006, + location = {Berlin, Heidelberg}, + title = {Detection and Resolution of Anomalies in Firewall Policy Rules}, + isbn = {978-3-540-36799-4}, + doi = {10.1007/11805588_2}, + series = {Lecture Notes in Computer Science}, + abstract = {A firewall is a system acting as an interface of a network to one or more external networks. It implements the security policy of the network by deciding which packets to let through based on rules defined by the network administrator. Any error in defining the rules may compromise the system security by letting unwanted traffic pass or blocking desired traffic. Manual definition of rules often results in a set that contains conflicting, redundant or overshadowed rules, resulting in anomalies in the policy. Manually detecting and resolving these anomalies is a critical but tedious and error prone task. Existing research on this problem have been focused on the analysis and detection of the anomalies in firewall policy. Previous works define the possible relations between rules and also define anomalies in terms of the relations and present algorithms to detect the anomalies by analyzing the rules. In this paper, we discuss some necessary modifications to the existing definitions of the relations. We present a new algorithm that will simultaneously detect and resolve any anomaly present in the policy rules by necessary reorder and split operations to generate a new anomaly free rule set. We also present proof of correctness of the algorithm. Then we present an algorithm to merge rules where possible in order to reduce the number of rules and hence increase efficiency of the firewall.}, + pages = {15--29}, + booktitle = {Data and Applications Security {XX}}, + publisher = {Springer}, + author = {Abedin, Muhammad and Nessa, Syeda and Khan, Latifur and Thuraisingham, Bhavani}, + editor = {Damiani, Ernesto and Liu, Peng}, + date = {2006}, + langid = {english}, + keywords = {Anomalies, Firewalls, Network Security, Packet Filters, Security Policy}, + file = {Abedin et al_2006_Detection and Resolution of Anomalies in Firewall Policy Rules.pdf:/home/ebilloir/Zotero/storage/SF8UN3P2/Abedin et al_2006_Detection and Resolution of Anomalies in Firewall Policy Rules.pdf:application/pdf}, +} + +@article{sharafExtendedBerkeleyPacket2022, + title = {Extended Berkeley Packet Filter: An Application Perspective}, + volume = {10}, + rights = {https://creativecommons.org/licenses/by-nc-nd/4.0/}, + issn = {2169-3536}, + url = {https://ieeexplore.ieee.org/document/9968265/}, + doi = {10.1109/ACCESS.2022.3226269}, + shorttitle = {Extended Berkeley Packet Filter}, + pages = {126370--126393}, + journaltitle = {{IEEE} Access}, + shortjournal = {{IEEE} Access}, + author = {Sharaf, Husain and Ahmad, Imtiaz and Dimitriou, Tassos}, + urldate = {2024-06-20}, + date = {2022}, +} + +@incollection{jinRABACRoleCentricAttributeBased2012, + location = {Berlin, Heidelberg}, + title = {{RABAC}: Role-Centric Attribute-Based Access Control}, + volume = {7531}, + isbn = {978-3-642-33703-1 978-3-642-33704-8}, + url = {http://link.springer.com/10.1007/978-3-642-33704-8_8}, + shorttitle = {{RABAC}}, + pages = {84--96}, + booktitle = {Computer Network Security}, + publisher = {Springer Berlin Heidelberg}, + author = {Jin, Xin and Sandhu, Ravi and Krishnan, Ram}, + editor = {Kotenko, Igor and Skormin, Victor}, + editorb = {Hutchison, David and Kanade, Takeo and Kittler, Josef and Kleinberg, Jon M. and Mattern, Friedemann and Mitchell, John C. and Naor, Moni and Nierstrasz, Oscar and Pandu Rangan, C. and Steffen, Bernhard and Sudan, Madhu and Terzopoulos, Demetri and Tygar, Doug and Vardi, Moshe Y. and Weikum, Gerhard}, + editorbtype = {redactor}, + urldate = {2024-06-20}, + date = {2012}, + doi = {10.1007/978-3-642-33704-8_8}, + note = {Series Title: Lecture Notes in Computer Science}, +} + +@inproceedings{balamuruganHoneyBeeBehaviour2015, + location = {Chennai, India}, + title = {A Honey Bee behaviour inspired novel Attribute-based access control using enhanced Bell-Lapadula model in cloud computing}, + isbn = {978-1-4799-8787-0 978-1-4799-8788-7}, + url = {http://ieeexplore.ieee.org/document/7396064/}, + doi = {10.1109/ICIICT.2015.7396064}, + eventtitle = {2015 International Conference on Innovation Information in Computing Technologies ({ICIICT})}, + pages = {1--6}, + booktitle = {International Confernce on Innovation Information in Computing Technologies}, + publisher = {{IEEE}}, + author = {Balamurugan, B and Shivitha, N Gnana and Monisha, V and Saranya, V}, + urldate = {2024-06-20}, + date = {2015-02}, +} + +@incollection{kashmarAccessControlModels2020, + location = {Cham}, + title = {From Access Control Models to Access Control Metamodels: A Survey}, + volume = {70}, + isbn = {978-3-030-12384-0 978-3-030-12385-7}, + url = {http://link.springer.com/10.1007/978-3-030-12385-7_61}, + shorttitle = {From Access Control Models to Access Control Metamodels}, + pages = {892--911}, + booktitle = {Advances in Information and Communication}, + publisher = {Springer International Publishing}, + author = {Kashmar, Nadine and Adda, Mehdi and Atieh, Mirna}, + editor = {Arai, Kohei and Bhatia, Rahul}, + urldate = {2024-06-20}, + date = {2020}, + langid = {english}, + doi = {10.1007/978-3-030-12385-7_61}, + note = {Series Title: Lecture Notes in Networks and Systems}, +} + +@article{ferraioloProposedNISTStandard2001, + title = {Proposed {NIST} standard for role-based access control}, + volume = {4}, + issn = {1094-9224, 1557-7406}, + url = {https://dl.acm.org/doi/10.1145/501978.501980}, + doi = {10.1145/501978.501980}, + abstract = {In this article we propose a standard for role-based access control ({RBAC}). Although {RBAC} models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative definition of {RBAC} exists today. This lack of a widely accepted model results in uncertainty and confusion about {RBAC}'s utility and meaning. The standard proposed here seeks to resolve this situation by unifying ideas from a base of frequently referenced {RBAC} models, commercial products, and research prototypes. It is intended to serve as a foundation for product development, evaluation, and procurement specification. Although {RBAC} continues to evolve as users, researchers, and vendors gain experience with its application, we feel the features and components proposed in this standard represent a fundamental and stable set of mechanisms that may be enhanced by developers in further meeting the needs of their customers. As such, this document does not attempt to standardize {RBAC} features beyond those that have achieved acceptance in the commercial marketplace and research community, but instead focuses on defining a fundamental and stable set of {RBAC} components. This standard is organized into the {RBAC} Reference Model and the {RBAC} System and Administrative Functional Specification. The reference model defines the scope of features that comprise the standard and provides a consistent vocabulary in support of the specification. The {RBAC} System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of {RBAC} sets and relations, as well as for specifying system level functionality in support of session attribute management and an access control decision process.}, + pages = {224--274}, + number = {3}, + journaltitle = {{ACM} Transactions on Information and System Security}, + shortjournal = {{ACM} Trans. Inf. Syst. Secur.}, + author = {Ferraiolo, David F. and Sandhu, Ravi and Gavrila, Serban and Kuhn, D. Richard and Chandramouli, Ramaswamy}, + urldate = {2022-11-24}, + date = {2001-08}, + langid = {english}, + file = {Ferraiolo et al_2001_Proposed NIST standard for role-based access control.pdf:/home/ebilloir/Zotero/storage/U5ID298G/Ferraiolo et al_2001_Proposed NIST standard for role-based access control.pdf:application/pdf}, +} diff --git a/book/src/references.hbs b/book/src/references.hbs new file mode 100644 index 0000000..c0aa67b --- /dev/null +++ b/book/src/references.hbs @@ -0,0 +1,26 @@ +{{#if citation_key}} + +
+ +
+ +{{!-- citation --}} + +[{{citation_key}}] - {{#if authors}}{{authors}} - {{/if}}{{#if title}}{{#if url}}{{/if}}{{title}}{{#if url}}{{/if}}.{{/if}} - {{#if pub_year}}{{pub_year}}.{{/if}} + + +{{!-- summary/abstract --}} +{{#if summary}} +
+

Summary/Abstract

+
{{summary}}
+
+{{/if}} + +
+ +
+ +
+ +{{/if}} \ No newline at end of file diff --git a/capable/src/main.rs b/capable/src/main.rs index a3c3725..fd82096 100644 --- a/capable/src/main.rs +++ b/capable/src/main.rs @@ -172,7 +172,10 @@ where let mut graph = std::collections::HashMap::new(); let mut init = CapSet::empty(); for key in capabilities_map.keys() { - let pid = key?; + let pid = key.inspect_err(|err| { + eprintln!("Failed to get pid : {:?}", err.to_string()); + exit(-1); + })?; let pinum_inum = pnsid_nsid_map.get(&pid, 0).unwrap_or(0); let child = pinum_inum as u32; let parent = (pinum_inum >> 32) as u32; diff --git a/dependencies.sh b/dependencies.sh index 13828b7..3c54129 100755 --- a/dependencies.sh +++ b/dependencies.sh @@ -66,6 +66,5 @@ fi # ask for user to install bpf-linker cargo install --force bpf-linker bindgen-cli cargo install --git https://github.com/aya-rs/aya -- aya-tool -PATH=$PATH:/usr/sbin aya-tool generate task_struct > capable-ebpf/src/vmlinux.rs echo "dependencies installed. Ready to compile."