[PATCH 00/13] Implement Trusted Security Event Modeling.

[Dr. Greg]

On Mon, Jul 31, 2023 at 10:38:42AM -0400, Stephen Smalley wrote:

Good morning Stephen, I hope this note finds your day starting well.

It has been awhile since we have spoken, the Linux Security Summit in
2015 if I remember correctly.

> I have no stake in this, but just wondering whether you considered
> using the BPF LSM to implement your logic via eBPF programs. The BPF
> LSM allows one to attach eBPF programs to any/all LSM hooks. That
> would allow your security model to be used on any kernel >= 5.7. If
> I were writing a LSM from scratch today, that's what I would do...

An interesting and relevant observation.

We have some initial eBPF work completed, but that work suggests that
TSEM is a vehicle for implementation of eBPF functionality, rather
than a candidate for replacement by eBPF.  It is unclear, at least
from our pespective, perhaps we are misinformed as to eBPF capability,
as to how eBPF would replace TSEM functionality.

A rather fundamental premise of TSEM, and a large part of its
implementation, is the notion of security modeling namespaces.  We've
probably spent as much time as anyone on working with the mathematical
modeling of security behavior and it seems unlikely that relevant
models can be developed without isolating the model to the
characteristics of a specific workload.

The ability to externally model the security behavior of a workload is
also important with respect to the use of trust roots such as SGX
enclaves, other TEE's and hardware trust implementations.  For
example, with SGX an implementation has to be done in userspace, I
also wouldn't envision machine learning implementations as being
acceptable for inclusion in the kernel proper.

The value that we see with eBPF, in respect to TSEM, is as a means of
implementing Quasi-Deterministic Models (QDM's) with an in-kernel
Trusted Modeling Agent (TMA) implementation.  In QDM's, eBPF programs
would be used to implement 'parameter leveling' prior to the
generation of the security state coefficients.  This provides a path
for a single kernel modeling implementation to support multiple model
definitions.

An in-kernel TMA is a significant consumer of the kernel cryptographic
functionality, both for the generation of security state coefficients
and the cryptographic checksumming of files and executable code.

With respect to these issues, would IMA be considered as a candidate
for replacement with eBPF functionality?  We would be extremely
interested in community sentiment on this issue.

Have a good day.

As always,
Dr. Greg

The Quixote Project - Flailing at the Travails of Cybersecurity