[ Contents ]
1. Introduction
2. Overview of UMIP Design
3. Installation
4. Using the Module
5. Policy Specification

For questions and comments, please write to zmao@purdue.edu

[1. Introduction]

This is the implementation of UMIP (Usable Mandatory Integrity Protection) for Fedora Core 5, kernel 2.6.15. UMIP is implemented as a Loadable Kernel Module (LKM): no kernel recompilation and no changes to existing applications are required. For a description of the design and further technical details, please refer to the paper "Usable Mandatory Integrity Protection for Operating Systems" (IEEE S&P 2007).

[2. Overview of UMIP Design]

The design of the UMIP model can be divided into three parts.

The first part is integrity tracking of processes. Each process carries one bit that denotes its integrity level, high or low. When a process is created, it inherits the integrity level of its parent. When a process performs an operation that may contaminate it, it drops to low integrity. Such operations include receiving remote traffic from the network, receiving IPC traffic from a low-integrity process, and reading a low-integrity file. A low-integrity file is a file that has been modified by a low-integrity process, so integrity must be tracked for files as well as for processes.

The second part is to identify sensitive operations and to restrict low-integrity processes from performing them. Sensitive operations fall into two categories: file operations and non-file operations. For file operations, UMIP uses the existing DAC information to identify read-protected files and write-protected files. Files owned by system accounts and not readable by the world are read-protected. Files that are not writable by the world (including user-owned files) are write-protected. Low-integrity processes are not allowed to read read-protected files or to write write-protected files.
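The integrity tracking and default-policy rules of the first two parts, as an added illustration in Python (this is not code from the UMIP module; the module does its checks inside the kernel). The process and file objects, the uids, modes and paths, are constructed sample data, and the cut-off for "system account" (uid below 500, the Fedora convention) is an assumption, since the module's own threshold is not stated here.

```python
"""Model of UMIP's default policy (added illustration, not the module's code).

Processes carry one integrity bit, inherited on creation and dropped by
network input, IPC from a low-integrity process, or reading a low-integrity
file.  DAC metadata classifies files as read-protected / write-protected,
and a low-integrity process may neither read the former, write the latter,
nor exercise any capability.  All uids, modes and paths are constructed.
"""
import stat

HIGH, LOW = "high", "low"
SYSTEM_UID_MAX = 499   # assumption: Fedora system accounts use uid < 500


class File:
    def __init__(self, path, uid, mode, integrity=HIGH):
        self.path, self.uid, self.mode, self.integrity = path, uid, mode, integrity

    def read_protected(self):
        # owned by a system account and not world-readable
        return self.uid <= SYSTEM_UID_MAX and not (self.mode & stat.S_IROTH)

    def write_protected(self):
        # any file, user-owned included, that is not world-writable
        return not (self.mode & stat.S_IWOTH)


class Process:
    def __init__(self, pid, integrity=HIGH):
        self.pid, self.integrity = pid, integrity

    def fork(self, pid):
        return Process(pid, self.integrity)      # child inherits the bit

    def recv_network(self):
        self.integrity = LOW                     # remote traffic contaminates

    def recv_ipc(self, sender):
        if sender.integrity == LOW:              # IPC from a low process
            self.integrity = LOW

    def read(self, f):
        """Return True if the read is permitted (enforcing mode)."""
        if self.integrity == LOW and f.read_protected():
            return False
        if f.integrity == LOW:
            self.integrity = LOW                 # read low-integrity content
        return True

    def write(self, f):
        """Return True if the write is permitted; a low writer taints the file."""
        if self.integrity == LOW and f.write_protected():
            return False
        if self.integrity == LOW:
            f.integrity = LOW
        return True

    def use_capability(self, cap):
        """Non-file sensitive operation: denied for every low process."""
        return self.integrity == HIGH


def scenario():
    """Walk a constructed compromise path and record the model's decisions."""
    shadow = File("/etc/shadow", uid=0, mode=0o400)
    notes = File("/home/alice/notes.txt", uid=1000, mode=0o644)
    download = File("/tmp/download", uid=1000, mode=0o666)
    shell = Process(pid=100)
    browser = shell.fork(pid=101)
    browser.recv_network()                       # browser drops to low
    trail = {
        "browser_low": browser.integrity == LOW,
        "shell_still_high": shell.integrity == HIGH,
        "browser_read_shadow": browser.read(shadow),        # read-protected
        "browser_write_notes": browser.write(notes),        # write-protected
        "browser_write_download": browser.write(download),  # world-writable
        "download_now_low": download.integrity == LOW,
        "browser_cap_net_raw": browser.use_capability("CAP_NET_RAW"),
    }
    editor = shell.fork(pid=102)
    editor.read(download)                        # reading a low file taints it
    trail["editor_low_after_read"] = editor.integrity == LOW
    trail["editor_write_notes"] = editor.write(notes)
    return trail


if __name__ == "__main__":
    for event, outcome in scenario().items():
        print(f"{event:26} {outcome}")
```

The scenario shows the property the two parts are meant to give: a network-facing process loses the ability to touch /etc/shadow or the user's own files, and the damage it can do is confined to world-writable files, which are then marked low so that a high-integrity editor that later reads one of them is itself demoted before it can write anything protected.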
For non-file sensitive operations, UMIP uses the Linux capability system: low-integrity processes are not allowed to exercise any capability. The first two parts together make up the default policy of UMIP.

The third part defines exceptions to the default policy so that the system remains usable. Two classes of exceptions can be specified for programs. In the first class, a program binary is identified as one or more of RAP (Remote Administration Point), LSP (Local Service Point) and FPP (File Processing Program). A process running such a binary keeps its integrity level when certain events that would normally drop it occur. In the second class, a program binary is granted specific privileges (e.g., using some capabilities, or reading/writing certain protected files) so that a process running it keeps those privileges even in low integrity.

[3. Installation]

The installation procedure must be performed with root privileges, as follows.

1. UMIP needs the header files that come with the Linux kernel source. In Fedora distributions the kernel source resides in /usr/src/kernels/. If that directory does not exist, find the kernel-source package with the same version number as your running kernel and install it.

2. Go to the directory containing the UMIP files and execute "make". This compiles the module and creates the working directory "/etc/umip/". It also generates the script "/etc/sysconfig/modules/umip.modules", which loads the UMIP module when the system boots.

3. The UMIP module is enabled after the system reboots. To uninstall the module, simply remove the file "/etc/sysconfig/modules/umip.modules".

[4. Using the Module]

All utility tools are in the directory "/etc/umip/".

1. To unload the module, execute the script "unreg.sh".

2. To examine the log, execute the program "tail" provided in that directory; it writes the module's log messages to the file "log".

3. To manually upgrade the integrity level of a file, use the script "upgrade".
   Upgrade a single file:               ./upgrade FILE
   Upgrade all files in a directory:    ./upgrade -r DIRECTORY

4. Use the program "um" to examine the integrity level of a specific process, or to drop a specific process to low integrity.
   Examine the integrity level of a process:       ./um -p PID
   Drop the integrity level of a process to low:   ./um -d PID

5. Use the program "um" to switch between auditing mode and enforcing mode.
   Switch to auditing mode:     ./um -e 0
   Switch to enforcing mode:    ./um -e 1
   In enforcing mode, unauthorized accesses are denied. In auditing mode, unauthorized accesses are not denied but are logged, so auditing mode is the place to check a new exception policy against the log before enforcing it.

[5. Policy Specification]

There are three kinds of policy files in UMIP.

1. File system configuration: /etc/umip/fs_policy.conf
   Each line specifies one file system: the path of its device file, its mount point relative to the root filesystem, and its type. The type is one of TRUSTED, PROTECTED or UNPROTECTED. Files in a TRUSTED filesystem are protected by the module and are initially high-integrity. Files in a PROTECTED filesystem are protected by the module and are initially low-integrity. Files in an UNPROTECTED filesystem are not protected by the module and are initially low-integrity. Filesystems that are not listed are treated as UNPROTECTED by default. Normally you do not need to change the sample filesystem configuration file.

2. Global exception configuration: /etc/umip/global_policy.conf
   Each entry in the file specifies the exceptions for one program and starts with the tag "ProgramPath". The syntax of one entry is the following.
   ProgramPath (the path of the binary executable)
   RemoteAdmPoint (yes | no)
   LocalServicePoint (yes | no)
   FileProcessPoint (yes | no)
   CapException (an authorized capability)
   FileException (the path of the file or directory) (r | w | r_recursive | w_recursive) (drop | stay)

   The field "ProgramPath" can take the value "*", which grants the entry's exceptions to all programs. The fields "RemoteAdmPoint", "LocalServicePoint" and "FileProcessPoint" take the value "yes" or "no"; if a field is absent, its default is "no". The field "CapException" takes a string naming an authorized capability. There can be multiple "FileException" fields. A file exception specifies the path of a file or directory, the access mode (r or w, or r_recursive or w_recursive for a directory and everything under it) and the effect of a write access: "drop" means the written file's integrity level drops to low, "stay" means it stays unchanged. A "stay" write exception lets a low-integrity process modify a file without that file being marked low, so grant it only where the program's output is trusted. The distribution contains a sample exception specification, which is sufficient for most situations.

3. User-specific exception configuration: %HOME%/umip/user_policy.conf
   Each user can specify exceptions for their own files. The syntax is the same as for the global exceptions. The distribution contains a sample specification with exceptions for Firefox, Thunderbird and Gaim. Copy the sample file to the directory "%HOME%/umip/" and change the file paths in the policy to match your own home directory.
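The two policy formats of this section, parsed and queried in Python as an added example; this is not the UMIP distribution's own parser, and the policy texts are constructed samples. Details the description above leaves open are assumptions of mine: fields are whitespace-separated, blank lines and lines starting with "#" are ignored, an entry may repeat CapException, and a non-recursive FileException matches only the exact path given.

```python
"""Parsers for fs_policy.conf and global_policy.conf (added example, not the
module's own code).  Assumed: whitespace-separated fields, '#' comments and
blank lines skipped, CapException may repeat, non-recursive file exceptions
match the exact path only.  Both policy texts are constructed samples."""
from dataclasses import dataclass, field

FS_POLICY = """\
# device     mount-point   type
/dev/sda1    /             TRUSTED
/dev/sda2    /home         PROTECTED
/dev/sdb1    /media/usb    UNPROTECTED
"""

GLOBAL_POLICY = """\
ProgramPath /usr/sbin/sshd
RemoteAdmPoint yes
CapException CAP_NET_BIND_SERVICE
CapException CAP_SETUID

ProgramPath /usr/bin/firefox
FileException /home/alice/Downloads w_recursive drop
FileException /home/alice/.mozilla r_recursive stay

ProgramPath *
FileException /tmp w_recursive drop
"""

# filesystem type -> (protected by the module, files start high-integrity)
FS_TYPES = {"TRUSTED": (True, True), "PROTECTED": (True, False),
            "UNPROTECTED": (False, False)}
FLAGS = {"RemoteAdmPoint": "rap", "LocalServicePoint": "lsp",
         "FileProcessPoint": "fpp"}
MODES = {"r", "w", "r_recursive", "w_recursive"}


def _records(text):
    """Yield (line number, tokens) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split()


def parse_fs_policy(text):
    """Map mount point -> type, rejecting malformed lines."""
    table = {}
    for lineno, t in _records(text):
        if len(t) != 3 or t[2] not in FS_TYPES:
            raise ValueError(f"fs_policy line {lineno}: expected DEVICE MOUNT TYPE")
        table[t[1]] = t[2]
    return table


def _under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify_path(fs_table, path):
    """(protected, initially_high) from the longest matching mount point;
    a path covered by no listed filesystem is UNPROTECTED."""
    mounts = [m for m in fs_table if _under(path, m)]
    return FS_TYPES[fs_table[max(mounts, key=len)] if mounts else "UNPROTECTED"]


@dataclass
class Entry:
    program: str
    rap: bool = False
    lsp: bool = False
    fpp: bool = False
    caps: list = field(default_factory=list)
    files: list = field(default_factory=list)   # (path, mode, effect)


def parse_global_policy(text):
    """Parse entries, refusing unknown fields or malformed values."""
    entries, cur = [], None
    for lineno, (key, *args) in _records(text):
        if key == "ProgramPath" and len(args) == 1:
            cur = Entry(args[0])
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"line {lineno}: field before any ProgramPath")
        if key in FLAGS and args in (["yes"], ["no"]):
            setattr(cur, FLAGS[key], args == ["yes"])
        elif key == "CapException" and len(args) == 1:
            cur.caps.append(args[0])
        elif (key == "FileException" and len(args) == 3
              and args[1] in MODES and args[2] in ("drop", "stay")):
            cur.files.append(tuple(args))
        else:
            raise ValueError(f"line {lineno}: bad field {' '.join([key, *args])}")
    return entries


def file_exception(entries, program, path, access):
    """Effect ('drop' or 'stay') of the first exception that lets a low-integrity
    process running `program` get `access` ('r' or 'w') to `path`; None when
    no exception applies and the default policy decides."""
    for e in entries:
        if e.program in (program, "*"):
            for p, mode, effect in e.files:
                if (mode == access and path == p) or \
                   (mode == access + "_recursive" and _under(path, p)):
                    return effect
    return None


def has_cap_exception(entries, program, cap):
    return any(cap in e.caps for e in entries if e.program in (program, "*"))
```

classify_path answers the fs_policy question for a file (does the module protect it, and does it start high or low), using the longest mount-point prefix so that /home under its own PROTECTED filesystem is not mistaken for part of the TRUSTED root. file_exception and has_cap_exception answer the global_policy question for a low-integrity process: whether an entry for its program, or the "*" entry, lifts a particular file or capability restriction. Rejecting unknown fields rather than skipping them matters in a policy file, where a silently ignored typo in "FileException" would leave a program without the exception the administrator believed it had.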