KernelapproachforSecurity - PDF document

KernelapproachforSecurity—OpenSourceDeveloppers'EuropeanMeetingPhilippeBiondi—WebmotionInc.2février2001 Outline1AimContextTrustfulnessConclusionTechnicaldescriptionDesignUntamperabilityUnbypassabilityExistingprojectsOpenwall,Medusa,RSBAC,NSASELinux,LIDSConclusionGACIWebMotionInc Outline2AimContextTrustfulnessConclusionTechnicaldescriptionDesignUntamperabilityUnbypassabilityExistingprojectsOpenwall,Medusa,RSBAC,NSASELinux,LIDSConclusionGACIWebMotionInc AimContext|Trustfulness|Conclusion3WearefacingFun/hack/defacingTamperingResourcestealingDatastealingDestroyingDoS...WebMotionInc AimContext|Trustfulness|Conclusion4WemustensureCondentialityDataintegrityAvailabilityWhatwemustdotoensureallofthis:Wedeneasetofrulesdescribingthewaywehandle,protectanddistributeinformation.Thisiscalledasecuritypolicy.WebMotionInc AimContext|Trustfulness|Conclusion5Toenforceoursecuritypolicy,wewillusesomesecuritycodeTripwire,AIDE,fordataintegritySSH,SSL,IP-SEC,cryptographyforcondentialityPassword,securebadge,biometricaccesscontrols...Canwetrustthem?WebMotionInc AimContext|Trustfulness|Conclusion6Thefortressbuiltuponsand—D.Baker–ProceedingsoftheNewSecurityParadigmsWorkshopUserspaceisuntrustedandcantakecontrolofthekernelspace(moduleinsertion,/dev/kmem,...)kernelspaceisalsountrusted:trustedhardwarekernel spaceuntrustedspaceusersendmailtripwiresshWebMotionInc AimContext|Trustfulness|Conclusion6Thefortressbuiltuponsand—D.Baker–ProceedingsoftheNewSecurityParadigmsWorkshopUserspaceisuntrustedandcantakecontrolofthekernelspace(moduleinsertion,/dev/kmem,...)kernelspaceisalsountrusted:trustedhardwarekernel spaceuntrustedspaceusersendmailtripwiresshWebMotionInc AimContext|Trustfulness|Conclusion7Securitymustbebuiltlayerbylayer.Eachlayerisbuiltwiththehypothesistheunderlayeristrusted.ItisnotworthbuildingsecurityapplicationsonuntrustedlayersWeneed:trusteduntrustedhardwareuser spacekernel spaceWhydon'twewantuserspacetobetrusted?WebMotionInc AimContext|Trustfulness|Conclusion8ThemiceandthecookiesFacts:WehavesomecookiesinahouseWewanttopreventthemicefromeatingthecookiesWebMotionInc AimContext|Trustfulness|Conclusion9ThemiceandthecookiesSolution1:weprotectthehousetoomanyvariablestocopewith(lotsofwindows,holes,...)wecan'tknowalltheholestolockthem.wecan'tbesurethereweren'tanymicebeforeweclosedtheholesThisprotectioncan'tbetrusted.Solution2:weputthecookiesinametalboxwecangrasptheentireproblemifwetrustthemetalbox,thissolutionhasagoodtrustinglevelthecookiesdon'tcarewethermicecanbreakintothehouseThisprotectioncanbetrustedWebMotionInc AimContext|Trustfulness|Conclusion10Toenforceoursecuritypolicy,weneedtoaddcodetoprotectthekernelandthecodeitselftrustedkernelspaceuntamperabilityprotectothercode/datainvolvedinthesecuritypolicymandatorycontrolsunbypassabilityWebMotionInc Outline11AimContextTrustfulnessConclusionTechnicaldescriptionDesignUntamperabilityUnbypassabilityExistingprojectsOpenwall,Medusa,RSBAC,NSASELinux,LIDSConclusionGACIWebMotionInc TechnicsDesign|Untamperability|Unbypassability12So,weneedtomakethekernelspacetrustedweprotectthekernelandthecodeitselfwemustblockeverythingcomingfromuserspaceprotectothercode/datainvolvedinthesecuritypolicywerelyonthefactthatwetrustkernelspaceweaddcontrolsonuserspacemakeourcodeamandatorywayWebMotionInc TechnicsDesign|Untamperability|Unbypassability13Whyshouldthelastlayerbethekernelspace?BecauseofthedesignoftheCPU(PMMU),wehavefewentrypointsuntamperabilitywecanforceeverythingtogothroughkernelspaceunbypassabilityWebMotionInc TechnicsDesign|Untamperability|Unbypassability14ThekernelspaceisunreachablebyuserspacecodeTheexecutionofsomedenedkernelcodecanbetriggeredsystemcallsdevicesprocfshardwareinterruptionsFewentrypoints,openedbythekernelside/dev/mem,/dev/kmem/dev/port,iopermandioplinsmodandrmmodrebootandhaltWebMotionInc TechnicsDesign|Untamperability|Unbypassability15Becauseofprotectedmodemechanisms,kernelcodersdon'tdobufferoverowsprogrammingfaults(?).linux/drivers/char/rtc.cstaticintrtc_ioctl(structinode*inode,structfile*file,unsignedintcmd,unsignedlongarg){unsignedlongflags;structrtc_timewtime;switch(cmd){[...]caseRTC_ALM_SET:/*Storeatimeintothealarm*/{unsignedcharhrs,min,sec;structrtc_timealm_tm;if(copy_from_user(&alm_tm,(structrtc_time*)arg,sizeof(structrtc_time)))return-EFAULT;WebMotionInc TechnicsDesign|Untamperability|Unbypassability16/dev/mem,/dev/kmemand/dev/portprotection:staticintopen_port(structinode*inode,structfile*filp){returncapable(CAP_SYS_RAWIO)?0:-EPERM;}WebMotionInc TechnicsDesign|Untamperability|Unbypassability17Moduleinsertioncontrol:asmlinkageunsignedlongsys_create_module(constchar*name_user,size_tsize){char*name;longnamelen,error;structmodule*mod;if(!capable(CAP_SYS_MODULE))return-EPERM;[...]WebMotionInc TechnicsDesign|Untamperability|Unbypassability18Reboot/haltcan'tbeforbidden:UPSmustbeabletoshutdownRebootismostlyuserspacestuff,thekerneljustreboottheCPUNodifferencewitharunlevelchangeWeneedtoguaranteeasafebootsequence,whichisahugeproblemWebMotionInc TechnicsDesign|Untamperability|Unbypassability19BootsequencePOSTConsolevulnerableBootloaderConsolevulnerable/relyonbootdiskKernelRelyonbootdisk(kernelimage)bootingprocess(init,rcscripts,daemons,...)workingstateWebMotionInc TechnicsDesign|Untamperability|Unbypassability20Whatmustweprotect?WhatisinmemoryProcessesKernelconguration(rewallrules,etc.)WhatisondisksortapesFilesMetadata(lesystems,partitiontables,bootloaders,...)HardwareEPROMs,congurablehardware,...WebMotionInc TechnicsDesign|Untamperability|Unbypassability21Userspacecan'taccesstheseitemswithoutaskingthekernelsystemcallsareaplaceofchoiceforcontrollingaccessesWebMotionInc TechnicsDesign|Untamperability|Unbypassability22We'lluseamodulararchitecturetocontrolsyscalls:therewillbeAnenforcercomponentAdecidercomponentLotsofaccesscontrolpolicies(DAC,MAC,ACL,RBAC,IBAC,...)syscallappcomponentdecidercomponentenforcerWebMotionInc TechnicsDesign|Untamperability|Unbypassability23Howtoaddtheenforcercodetothesyscalls?SyscallinterceptionSyscallmodicationSystemcallanatomy:kill()open()chmod()execve()socketcall()codedispatchingkernel spaceappappuser spaceuser spacedispatchingcodeWebMotionInc TechnicsDesign|Untamperability|Unbypassability24Syscallinterceptionexample:MedusaDS9linux/arch/i386/kernel/entry.S[...]GET_CURRENT(%ebx)cmpl$(NR_syscalls),%eaxjaebadsys#ifdefCONFIG_MEDUSA_SYSCALL/*cannotchange:eax=syscall,ebx=current*/btl%eax,med_syscall(%ebx)jnc1fpushl%ebxpushl%eaxcallSYMBOL_NAME(medusa_syscall_watch)cmpl$1,%eaxpopl%eaxpopl%ebxjc3fjne2f1:#endiftestb$0x20,flags(%ebx)#PF_TRACESYSjnetracesys[...]WebMotionInc TechnicsDesign|Untamperability|Unbypassability25SyscallinterceptionadvantagesgeneralsystemlowcostpatchDrawbackskindofduplicationofeverysyscallneedtoknowandinterpretparametersforeachdifferentsyscallarchitecturedependentWebMotionInc TechnicsDesign|Untamperability|Unbypassability26Syscallmodicationexample:LIDSlinux/fs/open.casmlinkagelongsys_utime(char*filename,structutimbuf*times){interror;structnameidatand;structinode*inode;structiattrnewattrs;error=user_path_walk(filename,&nd);if(error)gotoout;inode=�nd.dentry-d_inode;error=-EROFS;if(IS_RDONLY(inode))gotodput_and_out;#ifdefCONFIG_LIDSif(lids_load&&lids_local_load){if(lids_check_base(nd.dentry,LIDS_WRITE)){lids_security_alert("Trytochangeutimeof%s",filename);gotodput_and_out;}}#endif/*Don'tworry,thechecksaredoneininode_change_ok()*/newattrs.ia_valid=ATTR_CTIME|ATTR_MTIME|ATTR_ATIME;if(times){WebMotionInc TechnicsDesign|Untamperability|Unbypassability27SyscallmodicationadvantagesSyscallparametersalreadyinterpretedandcheckedGreattuningpower.Wecanalterthepartofthesyscallwewant.DrawbacksEachofthesyscallmustbealtered(near200syscalls)WebMotionInc Outline28AimContextTrustfulnessConclusionTechnicaldescriptionDesignUntamperabilityUnbypassabilityExistingprojectsOpenwall,Medusa,RSBAC,NSASELinux,LIDSConclusionGACIWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS29Collectionofsecurity-relatedfeaturesfortheLinuxkernel.Non-executableuserstackareaRestrictedlinksin/tmpRestrictedFIFOsin/tmpRestricted/procSpecialhandlingoffd0,1,and2EnforceRLIMIT_NPROConexecveWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS30MedusaDS9Authors:MarekZelemMilanPikulaMartinOckajakWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS31ExtendingthestandardLinux(Unix)securityarchitecturewithauser-spaceauthorizationserver.layer1Hooksintheoriginalkernelcodelayer2kernelspacecodecalledfromhooks.dobasicpermissioncheckscheckforcachedpermissionscallthecommunicationlayerifnecessarylayer3communicationlayercommunicatewithauserspacedaemonWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS32UserspacedaemondecidercomponentMiscellaneoussyscallinterceptioncanforcecodetobeexecutedafterasyscallWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS33RSBACAuthors:AmonOtt,SimoneFischer-Hübner,MortonSwimmerWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS34RuleSetBasedAccessControlItisbasedontheGeneralizedFrameworkforAccessControl(GFAC)Allsecurityrelevantsystemcallsareextendedbysecurityenforcementcode.DifferentaccesscontrolpoliciesimplementedaskernelmodulesMAC,ACL,RC(rolecontrol),FC(FunctionalControl),MS(MalwareScan),...WebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS35SELinuxWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS36NSASecurityEnhancedLinuxItisbasedontheFlaskarchitecture(Flexiblearchitecturesecuritykernel)Enforcer/decidercomponentsPaysalotofattentiontothechangeoftheaccesscontrolpolicy(revocation)WebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS37LIDSAuthors:XieHuangang,PhilippeBiondiWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS38LinuxIntrusionDetectionSystemSelf-protectionFilesprotectionProcessesprotectionOnlineadministrationSpecialfeaturesDedicatedmailerinthekernelScandetectorinthekernelWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS39Self-protectionModulesinsertion/deletion,/dev/mem,...,ioperm/iopllteredBootprocessprotectedCanforbidtheexecutionofnon-protectedprograms(notawless)Sealingmecanismfsckorinsmodcanrunwhenbootingnohumaninterventionisneededtosealtheprotectionaftertheseal,weareintheworkingstate.EverythingislockedWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS40FilesprotectionMAC-likeapproach:lidsadm-A-s/usr/sbin/httpd-o/home/httpd-jREADFilesidentiedbyVFSdevice/inodeworksoneveryfsWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS41ProcessesprotectionRelyonthelinuxcapabilitiesboundingsetHardwareprotectionProcessesprivacy(ptrace,promiscuousmode,...canbeforbidden)NetworkadministrationlockedDaemonscanbemadeunkillableProcessescanbemadeinvisibleWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS42OnlineadministrationLIDScanbedisabledgloballyLIDScanbereconguredontheyLIDScanbetotallydisabledonlyforashellanditschildrenWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS43SpecialfeaturesMailerinthekernelCanmakeanetworkconnection(TCPorUDP)Cansendascriptablesession(mail,syslog,...)DoesnotrelyonanythinginuserspaceScandetectorinthekernelkind-ofinterruptdrivennoloadatalldoesnotneedthepromiscuousmodeworksoneveryinterfaceWebMotionInc ProjectsOpenwall|Medusa|RSBAC|SELinux|LIDS44LIDSgeneralarchitectureKernel imageworking stuffsyslogBoot stuffinit, rc, daemonsLIDS AC datalidsadmprocfs stuffinit codedecider componentstuffLoggingAC dataenforcer componentscandetectorKernelMailersyscallsWebMotionInc Outline45AimContextTrustfulnessConclusionTechnicaldescriptionDesignUntamperabilityUnbypassabilityExistingprojectsOpenwall,Medusa,RSBAC,NSASELinux,LIDSConclusionGACIWebMotionInc ConclusionGACI46GeneralAccessControlInterfaceVeryyoungproject,attheverybeginningAimstobethesecurityinterfaceforLinux2.5GatherscodersfromMedusa,RSBACandLIDSWebMotionInc