Your First Guide to
  ”secure Linux”



        August 12, 2010
       Toshiharu Harada
     haradats@nttdata.co.jp
    NT...
Abstract
There	
  are	
  two	
  types	
  of	
  people	
  in	
  the	
  world.	
  Those	
  who	
  are	
  
security	
  expert...
Prologue
"Whenever people agree with me,
I always feel I must be wrong”
           -- Oscar Wilde
“secure Linux” is a Linux version of
    “OS with enhanced security”
What is “OS with enhanced security”?
You can Google it as always,
  but what you get will be
 much more than you want
 (and hard to understand)
If you ask “security people” ...




You’ll get the same results in 3D
• Tons of information on the net ...
• Open source implementations available ...
• Active and friendly community ...


  W...
Maybe the missing link is the “concept” of
“secure Linux”

So, here I am
Who Am I?




• Project manager of TOMOYO Linux, one of the
  “secure Linux” extensions part of the upstream

• When I lau...
This presentation is




intended to provide you the fundamental
concepts of

 • what “secure OS” is
 • why it has to be d...
What You Get



Understanding the underlying concepts of
“secure Linux” should help you

 • to enlarge your administrative...
“secure Linux” is


• a name for Linux version of “secure OS
  (operating system)”

• Linux has three “secure Linux” exten...
Pros of “secure Linux”


• It can reduce the potential damages to your
  Linux system when it gets exploited

• So, let’s ...
Chap. 1
Exploits
"Give me a place to stand on, and
I will move the Earth.”
          -- Archimedes
Wisdom from Microsoft Security
      Response Center
Law #1

“If a bad guy can persuade you to run
his program on your computer, it’s not
your computer anymore”
 • Actually, a...
What is an “exploit”?
From Wikipedia (as of July 15th, 2010)

 • An exploit is a piece of software, a chunk of
    data, o...
Bad luck aspect of
     computer science

From “10 Immutable Laws of Security by
Microsoft” Law #1

 • “It’s an unfortunat...
Exploits Demo


• Understanding the meaning of
  “exploit” helps you to understand
  what “secure OS” is

• Let’s see thre...
(1) ftp exploit
(2) samba exploit
(3) local exploit
Know Thy Enemy

• Typical procedures of exploits
  1. Connect to a server pretending a normal
     client

  2. Check to s...
Chap.1 Summary

• Exploits are based on vulnerabilities
• Vulnerabilities are common and your
  systems is exposed to many...
Chap. 2
 Linux
Security
“With great power, comes
great responsibility”
      -- Peter Parker
Reviewing Good Old
     Linux Security
• Linux had got “security”, of course
  • it’s called Discretionary Access Control
...
Problem with DAC

• Root user can violate DAC settings
• DAC cannot help when ...
  • your server is exploited
  • a bad g...
What about Firewalls
      and IDS?



Can they compensate DAC shortage?
Firewall and IDS

• Firewall
  • Exploits pretend to be good clients and try
    to connect through opened ports

• IDS
  ...
Click’N See
Buffer Overflow


• We learned that DAC and other traditional
  Linux security are not quite dependable

• Suppose “buffer ...
Click’N See
Buffer Overflow

• What is it?
  • Intentionally cause overflow of “buffer” to
    gain control and execute /bin/sh

• How t...
Chap. 3
 MAC
"Although the world is full of
suffering, it is full also of the
overcoming of it.“
        -- Helen Keller
Origins of secure OS

• In ‘80s, research has been made in the
  USA, to define evaluation criteria for
  trusted computer ...
1985
Amiga 1000 was
released in 1985
TCSEC
 (TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA)


                 Trusted Computer Systems
                       sh...
DAC defined by TCSEC

• “The TCB* shall define and control access
  between named users and named objects in
  the ADP* syst...
DAC


  read             object
 write
execute



          user
                   group    others
          (self)
DAC
                   % chmod 600 my_file


  read                   object
 write
execute



          user
             ...
MAC



• MAC (Mandatory Access Control) can
 improve the situation which DAC
 cannot solve
MAC defined by TCSEC

• “The TCB shall enforce a mandatory access
  control policy over all subjects and storage
  objects ...
MAC

subject     grant or reject    object
  A                              B




label for                     label for
...
NSA SELinux FAQ


Security of Linux system depends ...
 1. Unmodified Linux system
 2. Linux system with MAC
Security of
“Unmodified Linux System”


            se curity


            privileged
           applications



       co...
Security of
“Linux System with MAC”


           security



        security policy


      correctness of the
          ...
How MAC can help? (samba
   exploit vs. TOMOYO)
Differences
Unchanged (Things you cannot change)

 • exploit has occurred
 • a bad guy obtained “root” shell without
   lo...
Click’N See
Chap. 4
“Policy”
God, give us grace to accept with serenity
the things that cannot be changed,
Courage to change the thing...
“secure Linux” needs
        “policy”

• MAC is an “instrument” to restrict invalid
  accesses, not a “brain”

• You (secu...
Importance of “policy”

The goal is very simple

 • Grant access if it’s correct (or needed)
 • Reject everything else
If ...
The Serenity Prayer

O God, give us

grace to accept with serenity the things that
cannot be changed,

Courage to change t...
The Security Prayer
   (with my deepest respects for Reinhold Niebuhr)



O God, give us

grace to accept with serenity th...
Where to find the
        wisdom?
SELinux has a “reference policy”

 • “that embodies the built-up knowledge over
    the y...
“Domain”


• No program is always good or always bad
• Therefore, security policies are the set of
  security contexts (co...
“Domain”

“Granularity” of MAC policy is determined by
two factors

 • “domain” granularity
 • access control granularity ...
userspace




 kernel
Managing Policy

What and When

 • Give permissions only when they are needed
 • Delete permissions if they turned out to ...
Managing Policy
Cautions

 • a policy “error” is detected/defined when a
   access occurs but its definition is missing
   a...
“Policy Auto Learning”

What is it?

 • Feature available with AppArmor and
    TOMOYO

How it works?

 • Observing execut...
Results of policy auto learning

 • can never be perfect
 • has no logics
 • should be considered as a starting point
Auto...
References
Live as if you were to die tomorrow.
Learn as if you were to live forever.
          -- Mahatma Gandhi
For Comprehensive Understanding
       of Linux Security
Ideal reference by James Morris, who is the Linux kernel
security...
Linux Kernel Security Wiki
 Best place to find Linux kernel security
 related projects
To Know Your Enemy

• “Apache.org services attacked” (April 13, 2010)
  http://lwn.net/Articles/383260/




• “Changes to ...
Find the Code
Linux Cross Reference
TCSEC to ISO/IEC 15408

• TCSEC has expired and the current standard
  is ISO/IEC 15408

• Functional requirements have be...
Standards
• National Security Institute -
  5200.28-STD Trusted
  Computer System Evaluation
  Criteria

• ISO/IEC 15408
 ...
RHEL Certifications
Other Topics
Secure Embedded Linux
Characteristics of embedded devices

 • Dedicated for usages and built with minimum
    resources

 ...
Secure Embedded Linux
Google’s Android and Chromium OS are adding
unique modifications to improve security
Secure Embedded Linux
“Cloud”

• Guest OS runs as a process from host OS /
  hypervisor

• Internal activities of guest OS are
  translated, so ...
“Cloud”
Commonly used virtualization library
“libvirt” has been incorporated the results
of “sVirt (secure virtualization)”
Congratulations


• You’ve just learned the most difficult part of
  Linux security, “understanding the concept”

• Everyth...
“Loving can cost a lot, but not loving always
costs more.”
                -- Merle Shain
Why not starting today?
The Serenity Prayer
           by Reinhold Niebuhr (1892-1971)


God, give us grace to         Taking, as Jesus did, This
...
Contact Information

I would like to make these slides useful for future
readers, so please send your comments and
correct...
The latest version of these slides can be found at SlideShare



Acknowledgements

     Special thanks to Giuseppe La Tona...
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
Upcoming SlideShare
Loading in...5
×

Your First Guide to "secure Linux"

3,866

Published on

LinuxCon 2010 presentation slides

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,866
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
52
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Your First Guide to "secure Linux"

  1. 1. Your First Guide to ”secure Linux” August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp NTT DATA CORPORATION
  2. 2. Abstract There  are  two  types  of  people  in  the  world.  Those  who  are   security  experts,  and  the  remainder  of  the  world.  In  most  cases,   security  experts  are  willing  to  provide  technical  assistance  to   people,  but  this  does  not  always  work  as  the  information  can  be   highly  technical  and  confusing  if  you  are  not  comfortable  with   the  fundamentals  of  Linux  security. Toshiharu  Harada,  Project  Manager  for  TOMOYO  Linux  at  NTT   DATA  CORPORATION  will  share  the  fundamental  concepts  of   "secure  Linux"  for  managers  and  end  users  who  have  little  or  no   familiarity  with  security.  This  session  does  not  require  any   special  skills  or  knowledge,  and  is  *not*  designed  for  security   experts.
  3. 3. Prologue "Whenever people agree with me, I always feel I must be wrong” -- Oscar Wilde
  4. 4. “secure Linux” is a Linux version of “OS with enhanced security”
  5. 5. What is “OS with enhanced security”?
  6. 6. You can Google it as always, but what you get will be much more than you want (and hard to understand)
  7. 7. If you ask “security people” ... You’ll get the same results in 3D
  8. 8. • Tons of information on the net ... • Open source implementations available ... • Active and friendly community ... What’s the missing link?
  9. 9. Maybe the missing link is the “concept” of “secure Linux” So, here I am
  10. 10. Who Am I? • Project manager of TOMOYO Linux, one of the “secure Linux” extensions part of the upstream • When I launched TOMOYO project in 2003, I started investing of the existing projects • Thanks to many people, TOMOYO has been incorporated in the mainline Linux kernel
  11. 11. This presentation is intended to provide you the fundamental concepts of • what “secure OS” is • why it has to be developed
  12. 12. What You Get Understanding the underlying concepts of “secure Linux” should help you • to enlarge your administrative knowledge and experience • to make a good decision on when and how you need it • to protect your system (someday)
  13. 13. “secure Linux” is • a name for Linux version of “secure OS (operating system)” • Linux has three “secure Linux” extensions: SELinux, SMACK and TOMOYO currently, and AppArmor (to be merged for 2.6.36)
  14. 14. Pros of “secure Linux” • It can reduce the potential damages to your Linux system when it gets exploited • So, let’s start with “exploits”
  15. 15. Chap. 1 Exploits "Give me a place to stand on, and I will move the Earth.” -- Archimedes
  16. 16. Wisdom from Microsoft Security Response Center
  17. 17. Law #1 “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore” • Actually, a bad guy can run his program on your computer without persuading “you” • That’s what we call an “exploit”
  18. 18. What is an “exploit”? From Wikipedia (as of July 15th, 2010) • An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). • This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.
  19. 19. Bad luck aspect of computer science From “10 Immutable Laws of Security by Microsoft” Law #1 • “It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful.”
  20. 20. Exploits Demo • Understanding the meaning of “exploit” helps you to understand what “secure OS” is • Let’s see three examples
  21. 21. (1) ftp exploit
  22. 22. (2) samba exploit
  23. 23. (3) local exploit
  24. 24. Know Thy Enemy • Typical procedures of exploits 1. Connect to a server pretending a normal client 2. Check to see if a server is a vulnerable one 3. Cause “misbehavior” by buffer overflow and other technique • Their goal is gaining the root privilege
  25. 25. Chap.1 Summary • Exploits are based on vulnerabilities • Vulnerabilities are common and your systems is exposed to many risks • Exploits aim to obtain root privilege of your system in the most cases
  26. 26. Chap. 2 Linux Security “With great power, comes great responsibility” -- Peter Parker
  27. 27. Reviewing Good Old Linux Security • Linux had got “security”, of course • it’s called Discretionary Access Control (DAC, for short) • “Owners” (and root) can define access permissions through “chmod” command • Any problem with that? • Yes, unfortunately
  28. 28. Problem with DAC • Root user can violate DAC settings • DAC cannot help when ... • your server is exploited • a bad guy manages to login your server as root • It’s useless against exploits
  29. 29. What about Firewalls and IDS? Can they compensate DAC shortage?
  30. 30. Firewall and IDS • Firewall • Exploits pretend to be good clients and try to connect through opened ports • IDS • IDS can’t recognize unknown/future attacks and vulnerabilities
  31. 31. Click’N See
  32. 32. Buffer Overflow • We learned that DAC and other traditional Linux security are not quite dependable • Suppose “buffer overflow” is a typical approach of attacks, can we prevent them causing “buffer overflow”?
  33. 33. Click’N See
  34. 34. Buffer Overflow • What is it? • Intentionally cause overflow of “buffer” to gain control and execute /bin/sh • How to protect? • Various tools and technologies have been invented, but not guarantee safe
  35. 35. Chap. 3 MAC "Although the world is full of suffering, it is full also of the overcoming of it.“ -- Helen Keller
  36. 36. Origins of secure OS • In ‘80s, research has been made in the USA, to define evaluation criteria for trusted computer systems • DoD unveiled “Trusted Computer Systems Evaluation Criteria” (TCSEC, aka “Orange Book”) in 1985
  37. 37. 1985
  38. 38. Amiga 1000 was released in 1985
  39. 39. TCSEC (TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA) Trusted Computer Systems should have ... Division A and “Verified Protection” Division B and “Mandatory Protection” Division C “Discretionary Protection” Division D “Minimal Protection”
  40. 40. DAC defined by TCSEC • “The TCB* shall define and control access between named users and named objects in the ADP* system.” • “The enforcement mechanism shall allow users to specify and control sharing of those objects by named individuals or defined groups or both.” • TCB: Trusted Computing Base, ADP: automatic data processing ( you don’t have to remember these terms, I think)
  41. 41. DAC read object write execute user group others (self)
  42. 42. DAC % chmod 600 my_file read object write execute user group others (self)
  43. 43. MAC • MAC (Mandatory Access Control) can improve the situation which DAC cannot solve
  44. 44. MAC defined by TCSEC • “The TCB shall enforce a mandatory access control policy over all subjects and storage objects under its control.” • “These subjects and objects shall be assigned sensitivity labels that are a combination of hierarchical classification levels and non- hierarchical categories, and the labels shall be used as the basis for mandatory access control decisions.”
  45. 45. MAC subject grant or reject object A B label for label for A B
  46. 46. NSA SELinux FAQ Security of Linux system depends ... 1. Unmodified Linux system 2. Linux system with MAC
  47. 47. Security of “Unmodified Linux System” se curity privileged applications correctness of the kernel
  48. 48. Security of “Linux System with MAC” security security policy correctness of the kernel MAC
  49. 49. How MAC can help? (samba exploit vs. TOMOYO)
  50. 50. Differences Unchanged (Things you cannot change) • exploit has occurred • a bad guy obtained “root” shell without logging in Changed (Things you can change with MAC) • some commands failed despite of “root” privilege (MAC introduced a new layer of security)
  51. 51. Click’N See
  52. 52. Chap. 4 “Policy” God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. -- Reinhold Niebuhr
  53. 53. “secure Linux” needs “policy” • MAC is an “instrument” to restrict invalid accesses, not a “brain” • You (security admin) do instruct MAC system about good and bad accesses by defining a “policy” (AppArmor calls it “profile”)
  54. 54. Importance of “policy” The goal is very simple • Grant access if it’s correct (or needed) • Reject everything else If you make mistakes in your policy • system might fail to work properly • system might not be protected
  55. 55. The Serenity Prayer O God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other
  56. 56. The Security Prayer (with my deepest respects for Reinhold Niebuhr) O God, give us grace to accept with serenity the things that are needed, Courage to reject the things which are not necessary, and the Wisdom to distinguish the one from the other
  57. 57. Where to find the wisdom? SELinux has a “reference policy” • “that embodies the built-up knowledge over the years about what accesses are in fact required for a large body of software” • novice users can start with “Boolean” and power users can maintain their own foundation TOMOYO and SMACK • “Do it yourself”
  58. 58. “Domain” • No program is always good or always bad • Therefore, security policies are the set of security contexts (conditions) • SELinux and TOMOYO call them “domains” (AppArmor call them “profiles”)
  59. 59. “Domain” “Granularity” of MAC policy is determined by two factors • “domain” granularity • access control granularity for each domain Both live in the kernel space, not in the userspace
  60. 60. userspace kernel
  61. 61. Managing Policy What and When • Give permissions only when they are needed • Delete permissions if they turned out to be unnecessary How • Carefully monitor the logs
  62. 62. Managing Policy Cautions • a policy “error” is detected/defined when a access occurs but its definition is missing among policy rules • you can add such an error definition to the policy, in fact transforming it into policy rule, so that the same error will not occur anymore • if you repeat this step thoughtlessly, you will lose control
  63. 63. “Policy Auto Learning” What is it? • Feature available with AppArmor and TOMOYO How it works? • Observing executions of system call • Transform results into the policy rule (like audit2allow does for SELinux)
  64. 64. Results of policy auto learning • can never be perfect • has no logics • should be considered as a starting point Auto learning feature can be used as an analysis tool or an educational tool
  65. 65. References Live as if you were to die tomorrow. Learn as if you were to live forever. -- Mahatma Gandhi
  66. 66. For Comprehensive Understanding of Linux Security Ideal reference by James Morris, who is the Linux kernel security subsystem maintainer; author of the kernel cryptographic API; and a leading contributor to the SELinux, Linux Security Module, Netfilter and IPsec projects.
  67. 67. Linux Kernel Security Wiki Best place to find Linux kernel security related projects
  68. 68. To Know Your Enemy • “Apache.org services attacked” (April 13, 2010) http://lwn.net/Articles/383260/ • “Changes to LoCo Server Policy” (August 11, 2007) https://lists.ubuntu.com/archives/loco-contacts/ 2007-August/001510.html • “Debian server compromise” (July 12, 2006) http:// www.debian-administration.org/articles/417
  69. 69. Find the Code Linux Cross Reference
  70. 70. TCSEC to ISO/IEC 15408 • TCSEC has expired and the current standard is ISO/IEC 15408 • Functional requirements have been described as “protection profile” • LSPP (Labeled Security Protection Profile) succeeds MAC in TCSEC
  71. 71. Standards • National Security Institute - 5200.28-STD Trusted Computer System Evaluation Criteria • ISO/IEC 15408 • CAPP: “Controlled Access” protection profile • LSPP: “Labeled Security” protection profile
  72. 72. RHEL Certifications
  73. 73. Other Topics
  74. 74. Secure Embedded Linux Characteristics of embedded devices • Dedicated for usages and built with minimum resources • Mass production affects cost (recall for millions, for instance) • Network/HD/Updates might not always be available Linux has been spreading for embedded devices
  75. 75. Secure Embedded Linux Google’s Android and Chromium OS are adding unique modifications to improve security
  76. 76. Secure Embedded Linux
  77. 77. “Cloud” • Guest OS runs as a process from host OS / hypervisor • Internal activities of guest OS are translated, so host OS can hardly monitor and confine them • Guest OS share the NIC, HD and other devices, so physically reachable each other
  78. 78. “Cloud” Commonly used virtualization library “libvirt” has been incorporated the results of “sVirt (secure virtualization)”
  79. 79. Congratulations • You’ve just learned the most difficult part of Linux security, “understanding the concept” • Everything else is waiting for you to begin • If you understand “secure Linux”, you will find it as an invaluable tool
  80. 80. “Loving can cost a lot, but not loving always costs more.” -- Merle Shain
  81. 81. Why not starting today?
  82. 82. The Serenity Prayer by Reinhold Niebuhr (1892-1971) God, give us grace to Taking, as Jesus did, This accept with serenity the sinful world as it is, Not as things that cannot be I would have it, changed, Trusting that You will Courage to change the make all things right, If I things which should be surrender to Your will, changed, and the Wisdom to distinguish the one from So that I may be the other. reasonably happy in this life, And supremely happy Living one day at a time, with you forever in the Enjoying one moment at a next. time, Accepting hardship as a pathway to peace, Amen
  83. 83. Contact Information I would like to make these slides useful for future readers, so please send your comments and corrections to haradats@gmail.com Open source is a mutual benefit society, so I’m sharing my own experiences as TOMOYO Linux project manager as well as selected technical slides
  84. 84. The latest version of these slides can be found at SlideShare Acknowledgements Special thanks to Giuseppe La Tona, Tetsuo Handa for reviewing and Stephen Smalley for correcting SELinux related information Trademarks Linux is a registered trademark of Linus Torvalds in the United States and other countries TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×