Linux Kernel Security

Adapting 1960s Technology to
          st
 Meet 21 Century Threats

          James Morris
        ...
Fig. 1




History
“The first fact to face is that UNIX was not
  developed with security, in any realistic
sense, in mind; this fact alone g...
Fig. 2




Unix DAC
DAC is “simple” and somewhat effective, but
    inadequate for modern environment:


Does not protect against flawed or ma...
Fig. 3




(Actually, DAC is not simple)
“It must be recognized that the mere notion of a
super-user is a theoretical, and usually practical,
      blemish on any ...
Fig. 4




Enhanced DAC
POSIX Capabilities (privileges)


 Access Control Lists (ACLs)
Fig. 5




Namespaces
Network Access Control



                          Netfilter

                          iptables

                       ...
Fig. 7




Cryptography
Disk Encryption:

     dm-crypt
     ecryptfs



Network Encryption:

      IPsec
System Hardening

ASLR

NX

GCC

/dev/mem


Kernel pointers
                                Fig. 8
Fig. 9



    The Inevitability of Failure
The Flawed Assumption of Security in Modern
         Computing Environments
Mandatory security


Trusted / protected path


      Assurance
Linux Security Modules



READ        LSM Hook




           LSM Module
SELinux


Generalized MAC

Very fine-grained

 Policy-flexible
Simplified Mandatory Access
  Control Kernel (SMACK)


     Simple label-based MAC


    Policy is written as triples:

  ...
TOMOYO


         Path-based MAC scheme

   Automatic real-time policy generation

Policy applied to trees of process invo...
AppArmor


   Pathname access control scheme


Security usability via familiar abstractions
Extending MAC


                Netlabel

                Secmark

                 NFSv4

                   sVirt
Audit


         Required for certification

Monitor syscall, LSM & misc. security events

            Actually quite usef...
Integrity & Platform Security


            TPM

          IMA / EVM

            TXT

            VT-d
Anti Malware


     Best done in userland

... but, file scanning still desired

             fsnotify

             fanot...
Seccomp


Extremely lightweight sandboxing

    Reduces attack surface
Current Status


Meets extremely wide range of security goals


     Security features now mainstream


 Better equipped t...
Ongoing Challenges



    Continued refinement & hardening

Multiple security models hindering adoption

      Threats wil...
How to Help



                  Enable features

                 Report problems

                 Share knowledge



  ...
Resources


Linux Kernel Security Wiki

     LSM Mailing List

   LWN Security page
Questions ?
Useful URLs
Kernel Security Wiki
    http://security.wiki.kernel.org/

LSM Mailing List
    http://vger.kernel.org/vger-li...
Useful URLs ...
SELinux
    http://selinuxproject.org/
“Have You Driven an SELinux Lately?” (OLS paper on current state)
 ...
Useful URLs ...
"Implementing Native NFSv4 ACLs in Linux"
    http://lca2009.linux.org.au/slides/79.tar.gz

“Applying moun...
Image Credits
1. Bell Labs
2. Duke University Ad*Access
3. Hao Chen, David Wagner, and Drew Dean.
4. “nofeel” (flickr)
5. ...
Upcoming SlideShare
Loading in...5
×

Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats

1,428

Published on

Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover:

* The historical context of Linux security
* Modern security OS requirements
* How these requirements are being addressed (or not) by various enhancements made to Linux security
* Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,428
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
27
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Transcript of "Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats"

  1. 1. Linux Kernel Security Adapting 1960s Technology to st Meet 21 Century Threats James Morris Red Hat LinuxCon Boston 2010
  2. 2. Fig. 1 History
  3. 3. “The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes.” Dennis Ritchie, “On the Security of UNIX”, 1979
  4. 4. Fig. 2 Unix DAC
  5. 5. DAC is “simple” and somewhat effective, but inadequate for modern environment: Does not protect against flawed or malicious code
  6. 6. Fig. 3 (Actually, DAC is not simple)
  7. 7. “It must be recognized that the mere notion of a super-user is a theoretical, and usually practical, blemish on any protection scheme.” (also from Ritchie 1979)
  8. 8. Fig. 4 Enhanced DAC
  9. 9. POSIX Capabilities (privileges) Access Control Lists (ACLs)
  10. 10. Fig. 5 Namespaces
  11. 11. Network Access Control Netfilter iptables ebtables Fig. 6
  12. 12. Fig. 7 Cryptography
  13. 13. Disk Encryption: dm-crypt ecryptfs Network Encryption: IPsec
  14. 14. System Hardening ASLR NX GCC /dev/mem Kernel pointers Fig. 8
  15. 15. Fig. 9 The Inevitability of Failure The Flawed Assumption of Security in Modern Computing Environments
  16. 16. Mandatory security Trusted / protected path Assurance
  17. 17. Linux Security Modules READ LSM Hook LSM Module
  18. 18. SELinux Generalized MAC Very fine-grained Policy-flexible
  19. 19. Simplified Mandatory Access Control Kernel (SMACK) Simple label-based MAC Policy is written as triples: subject object [–rwxa]
  20. 20. TOMOYO Path-based MAC scheme Automatic real-time policy generation Policy applied to trees of process invocation
  21. 21. AppArmor Pathname access control scheme Security usability via familiar abstractions
  22. 22. Extending MAC Netlabel Secmark NFSv4 sVirt
  23. 23. Audit Required for certification Monitor syscall, LSM & misc. security events Actually quite useful
  24. 24. Integrity & Platform Security TPM IMA / EVM TXT VT-d
  25. 25. Anti Malware Best done in userland ... but, file scanning still desired fsnotify fanotify
  26. 26. Seccomp Extremely lightweight sandboxing Reduces attack surface
  27. 27. Current Status Meets extremely wide range of security goals Security features now mainstream Better equipped to address modern threats
  28. 28. Ongoing Challenges Continued refinement & hardening Multiple security models hindering adoption Threats will continue to evolve
  29. 29. How to Help Enable features Report problems Share knowledge Fig. 10
  30. 30. Resources Linux Kernel Security Wiki LSM Mailing List LWN Security page
  31. 31. Questions ?
  32. 32. Useful URLs Kernel Security Wiki http://security.wiki.kernel.org/ LSM Mailing List http://vger.kernel.org/vger-lists.html#linux-security-module LWN Security Page http://lwn.net/Security/ “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf LSM Usenix Paper http://www.usenix.org/event/sec02/wright.html Kernel Memory Protection http://lwn.net/Articles/329787/ Linux Security Model Comparison http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison
  33. 33. Useful URLs ... SELinux http://selinuxproject.org/ “Have You Driven an SELinux Lately?” (OLS paper on current state) http://namei.org/ols-2008-selinux-paper.pdf “Anatomy of Fedora Kiosk Mode” http://namei.org/presentations/fedora-kiosk-mode-foss-my-2008.pdf “SELinux Memory Protection Tests” http://people.redhat.com/drepper/selinux-mem.html “A seatbelt for server software: SELinux blocks real-world exploits” http://www.linuxworld.com/news/2008/022408-selinux.html SMACK http://schaufler-ca.com/ AppArmor http://en.opensuse.org/Apparmor TOMOYO http://tomoyo.sourceforge.jp/ “POSIX file capabilities: Parceling the power of root” http://www.ibm.com/developerworks/library/l-posixcap.html “POSIX Access Control Lists on Linux” http://www.suse.de/~agruen/acl/linux-acls/online/
  34. 34. Useful URLs ... "Implementing Native NFSv4 ACLs in Linux" http://lca2009.linux.org.au/slides/79.tar.gz “Applying mount namespaces” http://www.ibm.com/developerworks/linux/library/l-mount-namespaces.html “Disk encryption in Fedora: Past, present and future” http://is.gd/16012 “Limiting buffer overflows with ExecShield” (2005) http://www.redhat.com/magazine/009jul05/features/execshield/ “Linux Kernel Heap Tampering Detection” http://phrack.org/issues.html?issue=66&id=15#article “System integrity in Linux” http://lwn.net/Articles/309441/ “Linux kernel integrity measurement using contextual inspection” (LKIM) http://portal.acm.org/citation.cfm?id=1314354.1314362 Intel TXT Site http://www.intel.com/technology/security/ IBM TCPA Resources http://www.research.ibm.com/gsal/tcpa/tcpa_rebuttal.pdf Invisible Things Labs http://theinvisiblethings.blogspot.com/
  35. 35. Image Credits 1. Bell Labs 2. Duke University Ad*Access 3. Hao Chen, David Wagner, and Drew Dean. 4. “nofeel” (flickr) 5. Unknown 6. Ian Lloyd (flickr) 7. James Morris 8. Steve Jurvetson (flickr) 9. Michael Scott (flickr) 10. Alfred T Palmer (LoC)
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×