
Safety measures in Linux Krzysztof Lichota


1 Safety measures in Linux
Krzysztof Lichota
lichota@mimuw.edu.pl

2 Agenda
● Standard Unix security measures: permissions, capabilities, ACLs, chroot
● Linux kernel enhancements
  – LSM (Linux security modules)
  – SELinux
  – AppArmor
  – grsecurity project
  – ExecShield
  – OpenWall
● Other features

3 Standard Unix security measures

4 Standard Unix security model
● Root (uid == 0) can do everything
● Files have an owner, a group, and access permissions for user, group and others
● It is possible to pass privileges to an executed application using the SUID bit
● Hardcoded into the Linux kernel

5 POSIX capabilities
● Extension to the standard Unix model
● Defined in POSIX draft 1003.1e
● In the Linux kernel since version 2.2
● Defines a set of capabilities which can be gained or dropped for finer-grained privileges, for example:
  – CAP_NET_RAW – raw network packet sending (ping does not need to be run as root)
  – CAP_SYS_NICE – change process priority
  – CAP_SYS_RAWIO – I/O to ports (X server)

6 POSIX capabilities (2)
● Implemented in the kernel by adding calls: if (capable(CAP_XXX)) ...
● If capability support is not present, the standard check for effective user id == 0 is performed
● Example: sched_setscheduler()
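As an added example (not code from the slides), this C program reads the effective capability set of the current process from the CapEff line of /proc/self/status and reports whether it holds the three capabilities named above; the capability numbers are those of linux/capability.h, written out locally so the program also compiles without kernel headers.

```c
/* Added example (not from the slides): report which POSIX capabilities the
 * current process actually holds by parsing the CapEff line of
 * /proc/self/status. Capability numbers match linux/capability.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CAP_NET_RAW   13   /* raw sockets, what ping needs */
#define CAP_SYS_RAWIO 17   /* port I/O (ioperm/iopl), as used by the X server */
#define CAP_SYS_NICE  23   /* raise priority, change scheduling policy */

/* Effective capability mask from /proc/<pid>/status text (0 if there is no
 * CapEff line). The kernel prints the mask as hex digits after "CapEff:". */
uint64_t parse_capeff(const char *status_text)
{
    const char *line = strstr(status_text, "CapEff:");
    if (line == NULL)
        return 0;
    return (uint64_t)strtoull(line + strlen("CapEff:"), NULL, 16);
}

/* 1 if capability number `cap` is raised in `mask`, else 0. */
int cap_raised(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1u);
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) { perror("/proc/self/status"); return 1; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    uint64_t eff = parse_capeff(buf);
    printf("CapEff = %016llx\n", (unsigned long long)eff);
    printf("CAP_NET_RAW   %s\n", cap_raised(eff, CAP_NET_RAW) ? "yes" : "no");
    printf("CAP_SYS_RAWIO %s\n", cap_raised(eff, CAP_SYS_RAWIO) ? "yes" : "no");
    printf("CAP_SYS_NICE  %s\n", cap_raised(eff, CAP_SYS_NICE) ? "yes" : "no");
    return 0;
}
```

Run it as an unprivileged user and then under a capability-aware wrapper (or as root) to see the mask change; a service that shows a full mask where it only needs CAP_NET_RAW is running with more privilege than the slide's model intends.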

7 POSIX ACLs
● Extends file access permissions to use Access Control Lists
● ACLs can define permissions for specific users and groups of users in a flexible manner
● ACLs are implemented using Extended Attributes (which have to be supported by the FS)
● Not very popular in today's systems

8 POSIX ACLs (2)
● Implementation embedded in filesystem code
● Filesystem must define the “permission” callback in struct inode_operations
● Uses the posix_acl_permission() family of calls
● Example: ext3_check_acl()

9 chroot
● Traditional way of limiting process access to files
● Process is run with “/” moved to some subdirectory, so it cannot access files outside of the chroot
● In Linux for ages
● Not perfect - there are some ways to get out of a chroot

10 FS flags
● Mount flags passed upon mount
● Implementation embedded in filesystem code
● Flags:
  – ro – read-only
  – noexec – no executable bits
  – nosuid – no SUID bits
  – nodev – no device files
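As an added example (not from the slides), this C program parses /proc/mounts and reports which of the noexec, nosuid and nodev flags are missing on a given mount point, which is the check an administrator runs after setting those options in fstab for /tmp or a user-writable partition.

```c
/* Added example (not from the slides): audit one mount point by parsing
 * /proc/mounts text; reports which of noexec, nosuid, nodev are absent.
 * Each line reads: <device> <mountpoint> <fstype> <options> <dump> <pass> */
#include <stdio.h>
#include <string.h>

static const char *const FLAGS[] = { "noexec", "nosuid", "nodev" };

/* Copy the options field of `mountpoint` into `opts`; 1 if found, else 0. */
int find_mount_options(const char *mounts, const char *mountpoint,
                       char *opts, size_t optslen)
{
    char mp[256], o[512];
    const char *p = mounts;
    while (p != NULL && *p != '\0') {
        /* %*s skips the device and fstype fields without storing them */
        if (sscanf(p, "%*s %255s %*s %511s", mp, o) == 2 && strcmp(mp, mountpoint) == 0) {
            snprintf(opts, optslen, "%s", o);
            return 1;
        }
        p = strchr(p, '\n');            /* advance to the next line, NULL at end */
        if (p != NULL) p++;
    }
    return 0;
}

/* Bitmask of missing flags (bit 0 noexec, bit 1 nosuid, bit 2 nodev),
 * or -1 if `mountpoint` is not listed in `mounts`. */
int missing_flags(const char *mounts, const char *mountpoint)
{
    char opts[512];
    if (!find_mount_options(mounts, mountpoint, opts, sizeof opts)) return -1;
    int present = 0;
    for (char *t = strtok(opts, ","); t != NULL; t = strtok(NULL, ","))
        for (int i = 0; i < 3; i++)
            if (strcmp(t, FLAGS[i]) == 0) present |= 1 << i;
    return 7 & ~present;
}

int main(int argc, char **argv)
{
    const char *mp = argc > 1 ? argv[1] : "/tmp";
    static char buf[65536];
    FILE *f = fopen("/proc/mounts", "r");
    if (f == NULL) { perror("/proc/mounts"); return 1; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f);
    int miss = missing_flags(buf, mp);
    if (miss < 0) { printf("%s: not a mount point\n", mp); return 2; }
    for (int i = 0; i < 3; i++)
        if (miss & (1 << i)) printf("%s: missing %s\n", mp, FLAGS[i]);
    return miss ? 3 : 0;
}
```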

11 Linux kernel security enhancements

12 Linux Security Modules
● Introduced in kernel 2.6
● Common set of hooks for security modules in the Linux kernel
● Exports a set of operations which can be intercepted and controlled by various security modules
● Security modules can be “stacked”
● Used by several security improvements, including built-in capabilities and SELinux

13 Linux Security Modules (2)
● Security module defines its own structure with security callbacks - struct security_operations
● Module registers it in the stack using mod_reg_security()
● Permissions are checked in the proper places in the kernel using calls to security_FEATURE_NAME()
● Example: security_settime()

14 SELinux
● SELinux = Security Enhanced Linux
● Security enhancement to the Linux kernel developed by the NSA
● Now part of the Linux 2.6 kernel, patches available for 2.4 kernels
● Adds MAC (Mandatory Access Control) to the Linux kernel
● Uses the LSM framework in the Linux kernel

15 SELinux (2)
● Processes/users get a “security context” which defines what they can do, with which files, processes, etc.
● It is possible to specify what can be done with a file (e.g. append-only) and by whom
● Daemons get a security context with the minimal privileges to do the job
● Gaining privileges is also restricted by policy
● Files are labelled with a security context using extended attributes

16 SELinux (3)
● Privileges are defined by security policies, not by user id, file access bits, SUID, etc. It is possible to run as root and not be able to do anything harmful!
● User cannot change privileges of an entity unless he has administrative privileges
● Security privileges for files are based on inodes, not on paths
● Costs performance (up to 7%)

17 AppArmor
● MAC implementation created by Novell
● Also uses the LSM framework
● Uses paths instead of file labels – labelling was seen by administrators as very burdensome and hard to maintain
● Does not require extended attributes support in the filesystem
● Makes creating policies for programs much easier by providing tools to trace program usage

18 AppArmor (2)
● Has lower overhead than SELinux (0%-2%)
● Currently available as patches, not included in the main kernel line
● Slowly gets into popular distributions: OpenSuse, Ubuntu, Mandriva

19 RSBAC
● RSBAC = Rule Set Based Access Control
● Framework which allows implementing specific access control models
● Currently implemented, for example:
  – Role based module
  – ACL module
  – MAC module
  – On-access antivirus scanning (Dazuko)
  – Jail module
  – File flags (no delete, execute only, append)

20 RSBAC (2)
● Other interesting features:
  – In-kernel user management (no /etc/passwd)
  – Symlink redirection based on role
  – Secure deletion
  – Hiding processes
  – Freezing changes to access controls until reboot
  – Disabling standard DAC Linux controls
● Available as patches, does not use the LSM framework

21 grsecurity
● Set of various patches for the Linux kernel improving security
● Also available for 2.4 kernels (still used on many production systems)
● Role Based Access Control support
● Chroot improvements
● PaX – address space modification protection
● Auditing of important system calls

22 grsecurity (2)
● /proc improvements preventing data leaks which can be used for an attack
● Carrying the IP of the remote user through operations for identification
● Symlink/hardlink restrictions to prevent races
● IPC restrictions and logging

23 PaX
● Set of various patches for address space execution and modification protection – prevents attacks by running code supplied by the attacker (on the heap, on the stack, by jump)
● Noexec – prevents writable-and-executable mappings in the address space, implemented using Mprotect and Pageexec or Segmexec
● Mprotect – changes the mmap() family of calls to prevent creating writable+executable mappings in any way

24 PaX (2)
● Creating readable and non-executable pages is a problem on the x86 architecture, as read permission implies execute permission
● In newer CPUs the NX bit has been introduced for this purpose
● Pageexec – uses the NX bit or a TLB split between instructions and data to distinguish between read and execute, by protecting pages and intercepting page faults
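As an added example (not from the slides or the PaX project), this C probe tests whether the running kernel refuses the two things Noexec and Mprotect forbid: a mapping that is writable and executable at once, and a writable mapping later made executable with mprotect(). On a stock kernel both are allowed; under PaX MPROTECT (or an SELinux policy denying execmem) both are refused, which the probe reports as a denial rather than an error.

```c
/* Added example (not from the slides): probe whether the running kernel
 * refuses writable+executable memory, as PaX MPROTECT/NOEXEC (and policies
 * such as SELinux execmem) do. A stock kernel allows both operations. */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/mman.h>

/* Try to mmap a page that is writable and executable at once.
 * Returns 1 if the kernel refused it, 0 if it was granted, -1 on other error. */
int probe_wx_mmap(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? 1 : -1;
    munmap(p, 4096);
    return 0;
}

/* Map a writable page, then try to make it executable with mprotect():
 * this is the route MPROTECT closes. Same return convention as above. */
int probe_w_then_x(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = mprotect(p, 4096, PROT_READ | PROT_EXEC);
    int denied = rc != 0 && (errno == EPERM || errno == EACCES);
    int other  = rc != 0 && !denied;
    munmap(p, 4096);
    return other ? -1 : denied;
}

static const char *verdict(int r)
{
    return r == 1 ? "denied (W^X enforced)" : r == 0 ? "allowed" : "error";
}

int main(void)
{
    printf("mmap(RWX):          %s\n", verdict(probe_wx_mmap()));
    printf("mprotect(RW -> RX): %s\n", verdict(probe_w_then_x()));
    return 0;
}
```

A hardened kernel may also log the refusal (PaX reports it in the kernel log), so pairing this probe with a look at dmesg shows both the enforcement and its audit trail.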

25 PaX (3)
● Segmexec – uses x86 segmentation logic to simulate readable, non-executable pages by splitting the linear address space into 2 halves and modifying the CS register (used for code addressing) to use a different half than data accesses (executable virtual memory areas must be mirrored in both halves)

26 PaX (4)
● ASLR (address space layout randomization) – prevents attacks by jump/modification to a known location by randomizing the addresses of memory regions; implemented by modifying the ELF loader in the kernel, it consists of heap randomization, stack randomization, kernel stack randomization, executable randomization and mmap randomization

27 ExecShield
● Patches from RedHat to implement non-executable memory areas
● Non-executable stack and heap is enforced by limiting the size of the code segment
● Can also use the NX bit if supported by the CPU
● Also adds address space randomization

28 OpenWall patches
● Another set of patches improving some security issues for kernels 2.2 and 2.4:
  – Non-executable stack
  – Restricted access to 8086 emulation mode
  – Restricted zero page mappings – prevents triggering information leaks from the kernel in some situations
  – Restricted links and FIFOs in /tmp
  – Restricted /proc
  – ...

29 Other security kernel patches
● Non-executable kernel pages
● No direct access to userspace memory from the kernel
● Executable cryptographic signature verification
● Filesystem operations auditing

30 Other Linux kernel features
● The Linux kernel includes other features useful for security:
  – Generating true random numbers (an important problem on embedded, isolated systems)
  – Built-in generic encryption libraries used by kernel modules
  – Block device and swap encryption
  – Timekeeping also using external sources (important for Kerberos, for example)
● Immutable, secure delete and append-only bits in ext3

31 Final notes
● Hardened distros:
  – Hardened Gentoo
  – EnGarde Secure Linux
  – ...

32 Summary
● Security is a complex subject and consists of many different techniques in Linux:
  – Access controls
  – Privacy/confidentiality issues (encryption, signing)
  – Information leak prevention
  – Prevention of exploiting bugs
  – Kernel protection
  – Auditing and logging

33 Bibliography
● http://www.gentoo.org/proj/en/hardened/primer.xml
● http://www.ibm.com/developerworks/linux/library/l-sppriv.html
● man 7 capabilities
● http://www.securityfocus.com/infocus/1400
● http://www.suse.de/~agruen/acl/linux-acls/online/
● http://www.rsbac.org/documentation/rsbac_handbook/security_models
● http://www.usenix.org/event/sec02/full_papers/wright/wright_html/index.html

34 Bibliography (2)
● http://gentoo-wiki.com/Access_Control_Comparison_Table
● http://www.nsa.gov/selinux/
● http://www.crypt.gen.nz/selinux/faq.html
● http://en.opensuse.org/AppArmor
● http://developer.novell.com/wiki/index.php/Apparmor_FAQ
● http://www.rsbac.org/
● http://www.rsbac.org/documentation/rsbac_handbook/introduction/features
● http://www.rsbac.org/doc/media/piwo-MPurzynski.pdf

35 Bibliography (3)
● http://www.grsecurity.net/
● http://en.wikipedia.org/wiki/PaX
● http://pax.grsecurity.net/docs/
● http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
● http://openwall.com/linux/README.shtml
● man chattr

