Editor’s Note: This CTOvision.com post was written by Dave Walker, a highly regarded security professional and inventor in the UK with a focus on the design and implementation of multilevel and cross-domain IT security (“MLS”). – bg
This is something I posted to a Sun internal discussion group a while back; it stirred a little interest back then, but given the way that the world has moved on, I figured it would be worth revising and reprising it here.
The issue of identity has been bothering me for a while. While identity can clearly be applied to human consumers of services – and expressed as a subset of information held about them in various places – I also wonder how the concept of identity could be used for various other entities, and indeed how the properties of identity as applied to humans could potentially be mapped onto them.
Hence the table below, which is a first attempt at making this mapping in the context of servers and services: for files, running processes, OS instances, Solaris zones (and to some degree BSD jails and IBM LPARs), hardware domains, and services. Cells with question marks in them are areas where I currently don’t see a mapping. This could mean that a mapping is not appropriate, or that an appropriate technology does not exist today, and could point the way for a bit of fundamental research.
I suspect I’m heading down a path which has been well-trodden already, but you might find some parts of this interesting and thought-provoking. For clarity, FMRIs (Fault Management Resource Identifiers) are Solaris Service Management Framework constructs resembling URLs, which uniquely describe an instance of a service in terms of the processes needed to provide the service and their dependencies. For more info, see http://www.oreillynet.com/pub/a/sysadmin/2006/04/13/using-solaris-smf.html.
Also, labels refer to the data structures in Solaris Trusted Extensions, which are usually mapped to protective markings.
Anyway:
| Human | File | Process | OS Instance | Zone | Host / Domain | Service |
|---|---|---|---|---|---|---|
| Name | Leafname | pid | Nodename | Zonename | Hostid | Nodename, [port\|app] |
| Address | Full pathname, maybe hostname too | pid, ppid, tracked back to init (or zsched) process – maybe zone / hostname too | ? | Hostname of global zone? | ? | FMRI with host / zonename prefixed |
| Family tree | OS instance / zone and pathname / elfsign signature | pid, ppid, tracked back to init (or zsched) process | ? | Hostname of global zone? | ? | FMRI with host / zonename prefixed |
| Biometrics | Strong checksum / elfsign signature | Strong checksum of code pages (Harvard arch only) | Solaris Fingerprint Database checksum | Solaris Fingerprint Database checksum | Hostid | Strong checksum of available content? |
| UserIDs / passwds | Owner | Owner | ? | ? | ? | Same as process? |
| Certs / keys | ? | TCG attestation pass | Key (WANBoot miniroot), TCG attestation pass | ? | TPM key | Certs / keys |
| Kerberos principals | ? | ? | Kerberos host principal | Kerberos host principal | ? | Kerberos service principal |
| Govt baggage (social sec no, driving licence no, etc) | Signed metadata trackable to root CA | TCG attestation pass(?) | Accreditation (Common Criteria etc?) | ? | ? | Certificate trackable to root CA |
| Privileges | Privileges (forced, allowed) | Privileges (inherited, saved, effective, permitted) | all | Zone-restricted limit set | all (/ TCG?) | Privileges of serving process |
| Clearances | Label | Labels / polyinstantiation | label_encodings | Label (1 per zone) | ? | Labels / polyinstantiation |
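As an added illustration, not part of the original post, the File and Process columns of the table can be turned into concrete identity records: a file is identified by leafname, full pathname plus hostname, a strong checksum and its owner, and a process by its pid chain traced back to init. Assumptions in this example: SHA-256 stands in for the “strong checksum”, the owner is reported as a numeric uid, and the live pid map reads the Linux procfs layout (Solaris /proc is laid out differently).

```python
import hashlib
import os
import socket
import tempfile
from pathlib import Path

def file_identity(path):
    # File column: Name = leafname, Address = full pathname + hostname, Biometrics = checksum, UserIDs = owner
    p = Path(path).resolve()
    h = hashlib.sha256()
    with open(p, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"name": p.name, "address": f"{socket.gethostname()}:{p}",
            "biometric": h.hexdigest(), "owner": p.stat().st_uid}

def process_family_tree(pid, parent_of):
    # Process column: pid, ppid, tracked back to init (pid 1). parent_of maps pid -> ppid;
    # a missing parent or a cycle means the lineage cannot be established.
    chain, seen = [pid], {pid}
    while pid != 1:
        ppid = parent_of.get(pid)
        if ppid is None or ppid in seen:
            raise ValueError(f"cannot trace pid {chain[0]} back to init")
        chain.append(ppid)
        seen.add(ppid)
        pid = ppid
    return chain

def live_parent_map():
    # pid -> ppid from Linux procfs (assumption: Linux /proc layout, not Solaris's)
    parents = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as f:
                    ppid = next(line for line in f if line.startswith("PPid:"))
                parents[int(entry)] = int(ppid.split()[1])
            except (OSError, StopIteration):
                pass
    return parents

def demo():
    # Constructed sample input: a temp file and a hand-built pid -> ppid table.
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(b"hello")
    ident = file_identity(f.name)
    os.unlink(f.name)
    table = {1: 0, 100: 1, 200: 100, 300: 200}
    return ident, process_family_tree(300, table)
```

On a live Linux host, `process_family_tree(os.getpid(), live_parent_map())` gives the current process's lineage; a `ValueError` there means a parent vanished between reads or the process sits in a pid namespace whose root is not pid 1.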
The appearance of Trusted Computing technology (attestation, Trusted Platform Modules) in several cells gives further weight to the sound (but currently unofficial) advice from Bromium, to the effect of “don’t buy any more servers that don’t have TPMs in them”.