LAPP/SELinux - A secure web application stack powered by SELinux
Upcoming SlideShare
Loading in...5
×
 

LAPP/SELinux - A secure web application stack powered by SELinux

on

  • 511 views

slides on Japan Linux Symposium 2009

slides on Japan Linux Symposium 2009

Statistics

Views

Total Views
511
Views on SlideShare
510
Embed Views
1

Actions

Likes
0
Downloads
22
Comments
0

1 Embed 1

http://www.slashdocs.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

LAPP/SELinux - A secure web application stack powered by SELinux LAPP/SELinux - A secure web application stack powered by SELinux Presentation Transcript

  • LAPP/SELinuxA secure web application stack powered by SELinux KaiGai Kohei <kaigai@ak.jp.nec.com> NEC OSS Promotion Center
  • Self Introduction▐ KaiGai Kohei has worked at NEC for 7 years, and contributed to SELinux development, such as SMP scalability improvement A series of efforts to port embedded platform Development of SE-PostgreSQL Per thread security context setting support Recently, I have focused on web-systems security. Page 2 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 1. Background2. SE-PostgreSQL3. Apache/SELinux Plus4. LAPP/SELinux
  • Security nightmare in Web systems (Reference: JSOC analysis report of the incursion trend, vol.12, LAC)▐ Attacks to web systems have been rapidly increasing.▐ It is estimated the cause is growth of web-based commerce. Existing security features are really attractive? Page 4 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • LAPP - A typical web application stack▐ LAPP Full OSS web application stack, also knows as LAMP • Linux, Apache, PostgreSQL and PHP/Perl▐ Security concerns Each layer has its own access controls Lack of consistency No individual privileges for users via web-interfaces (Security depends on quality of web-applications in other word) Lack of comprehensiveness Its own access controls Web Applications▐ Keyword ... Analogy Its own access controls (PHP/Perl) .htaccesses Web Server .htaccesses (Apache) Database ACLs Database Server Database ACLs (PostgreSQL) Filesystem permissions Operating System Filesystem permissions (Linux) Page 5 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • An analogy between OS and Database Info Asset System Filesystem call Permission Filesystem SELinux OS (Linux) Info Asset Database SQL ACLs Database RDBMS (PostgreSQL) User Process Request Object manager and Resource▐ Same relationship in user processes and information assets▐ Differences in the way to store and access System call for Filesystem, SQL for Database▐ Access control is to decide what are allowed or disallowed on relationships between certain users and resources. No reason why we cannot apply a common security model. It guarantees consistency of access controls. Page 6 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • An analogy between ssh and web Privilege and sshd Filesystem co m m Shell Shell process Authentication Authentication HTTP Reque st httpd Database WebApp InstanceUser (Human) Requests Daemons User Agent Resource▐ User is a human; an user agent performs instead of himself.▐ The user agent must have correct privilege set of the human. Authentication can identify the human and assign privileges. Httpd launches web-apps without individual privileges. OS/DB cannot distinguish who is behind on the user agent.▐ Need to assign privileges of the human user on the web-apps. Page 7 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • What can we find out from the analogies?▐ SE-PostgreSQL Advanced access controls for SQL queries based on SELinux Consistency in access controls▐ Apache/SELinux Plus Advanced privilege mechanism for web applications based on SELinux Comprehensiveness in web-application security LAPP/SELinux Utilization of SELinux at the LAPP stack Web Applications • SELinux + SE-PostgreSQL (PHP/Perl) + Apache/SELinux Plus Web Server (Apache/SELinux Plus) Database Server (SE-PostgreSQL) Operating System (SELinux) Page 8 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 1. Background2. SE-PostgreSQL3. Apache/SELinux Plus4. LAPP/SELinux
  • Architecture of SE-PostgreSQL User Process SQL Query SQL Processing Database Database ACL SE-PgSQL System Call subsystemUser Space SE-PostgreSQL denied denied Kernel Space Filesystem SecurityFilesystem Routines Server Security Can I allow the Can I allow the Policy given accesses? given accesses? SELinux▐ SELinux hooks system-call processing▐ SE-PostgreSQL also hooks SQL Query processing▐ SELinux makes its decision based on its security policy▐ SE-PostgreSQL controls execution of the SQL query according to the SELinuxs access control decision. It means the security policy controls both of accesses on OS and DB. Page 10 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Decision-making in SELinux security context security context required actions required actions of user agent of user agent Security Allowed or Denied Allowed or Denied security context security context Policy of target object of target object decision decision Input SELinux Output▐ SELinux looks like a function SELinux returns a binary state for the given arguments. Kernel internally gives them to SELinux and follows its decision. Userspace application also can utilize this mechanism, as long as it can provide the pair of security contexts.▐ Security context A SELinux specific identifier of processes and any other objects The kernel manages security context of the kernel objects. Applications must manage security context of the userspace objects. Page 11 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • "security_context" system column security context of the regular relation postgres=# SELECT security_context, * FROM drink; postgres=# SELECT security_context, * FROM drink; security_context security_context | id | name | price | id | name | price -----------------------------------------+----+-------+------- -----------------------------------------+----+-------+------- system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | 3 | juice | | 3 | juice | 130 130 system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | 4 | cofee | | 4 | cofee | 180 180 system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | 240 240 system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | 320 320 system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | 380 380 system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea | | 140 140 (6 rows) (6 rows) System catalog security context of the system relation postgres=# SELECT security_context, attname, attnum FROM pg_attribute postgres=# SELECT security_context, attname, attnum FROM pg_attribute WHERE attrelid = drink::regclass AND attnum > 0; WHERE attrelid = drink::regclass AND attnum > 0; security_context security_context | attname | attnum | attname | attnum -----------------------------------------+---------+-------- -----------------------------------------+---------+-------- system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | id | id | | 11 system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | name | name | | 22 system_u:object_r:sepgsql_ro_table_t:s0 | price system_u:object_r:sepgsql_ro_table_t:s0 | price | | 33 (3 rows) (3 rows) Page 12 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Privileges of the client▐ SE-PostgreSQL applies the security context of peer process. It does NOT depend on database authentication. SELinux provides an API to obtain the security context of peer process. • See the getpeercon(3)▐ Labeled IPsec It enables to deliver the security context of remote processes An enhancement of IPsec, available at kernel-2.6.18 or later [ymj@saba ~]$ id -Z [ymj@saba ~]$ id -Z uid=1002(ymj) gid=100(users) groups=100(users) ¥ uid=1002(ymj) gid=100(users) groups=100(users) ¥ context=staff_u:staff_r:staff_t:s0-s0:c0.c15 context=staff_u:staff_r:staff_t:s0-s0:c0.c15 [ymj@saba ~]$ psql -q postgres -U dbguest [ymj@saba ~]$ psql -q postgres -U dbguest postgres=> SELECT sepgsql_getcon(), current_user; postgres=> SELECT sepgsql_getcon(), current_user; sepgsql_getcon sepgsql_getcon | current_user | current_user --------------------------------------+-------------- --------------------------------------+-------------- staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest (1 row) (1 row) Page 13 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Usage of SE-PostgreSQL (1/2) Row level access controlpostgres=# SELECT security_context, * from drink;postgres=# SELECT security_context, * from drink; security_context security_context | id | name | price | id | name | price---------------------------------------------------+----+--------+----------------------------------------------------------+----+--------+------- system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water | system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water | 100 100 system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke | | 120 120 system_u:object_r:sepgsql_table_t:Unclassified system_u:object_r:sepgsql_table_t:Unclassified | 3 | juice | | 3 | juice | 130 130 system_u:object_r:sepgsql_table_t:Unclassified system_u:object_r:sepgsql_table_t:Unclassified | 4 | coffee | | 4 | coffee | 180 180 system_u:object_r:sepgsql_table_t:Classified system_u:object_r:sepgsql_table_t:Classified | 5 | beer | 5 | beer | | 240 240 system_u:object_r:sepgsql_table_t:Classified system_u:object_r:sepgsql_table_t:Classified | 6 | sake | 6 | sake | | 320 320 staff_u:object_r:sepgsql_table_t:Unclassified staff_u:object_r:sepgsql_table_t:Unclassified | 7 | soda | 7 | soda | | 150 150▐ when SELECT? The Classified tuples are invisible for Unclassified clients.▐ when UPDATE/DELETE? It also prevents to update Read-Only (sepgsql_ro_table_t) tuples. But, Classified client can update Read-Writable and Classified tuples.▐ when INSERT a tuple? A default security context is assigned on the new tuple. Page 14 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Usage of SE-PostgreSQL (2/2) Table/Column level access control It allows to assign an individual security It allows to assign an individual security postgres=# CREATE TABLE customer ( postgres=# CREATE TABLE customer ( cid integer primary key, context on a certain table/column. context on a certain table/column. cid integer primary key, cname cname varchar(32), varchar(32), ccredit varchar(32) ccredit varchar(32) SECURITY_CONTEXT = system_u:object_r:sepgsql_secret_table_t:s0 SECURITY_CONTEXT = system_u:object_r:sepgsql_secret_table_t:s0 ); ); CREATE TABLE CREATE TABLE postgres=> SELECT * FROM customer; postgres=> SELECT * FROM customer; LOG: SELinux: denied { select } ¥ LOG: SELinux: denied { select } ¥ scontext=staff_u:staff_r:staff_t:Unclassified ¥ scontext=staff_u:staff_r:staff_t:Unclassified ¥ tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥ tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥ tclass=db_column name=customer.ccredit tclass=db_column name=customer.ccredit ERROR: SELinux: security policy violation ERROR: SELinux: security policy violation postgres=> SELECT cid, cname FROM customer; postgres=> SELECT cid, cname FROM customer; cid | cname cid | cname -----+------- -----+------- SE-PostgreSQL prevent unprivileged SE-PostgreSQL prevent unprivileged 10 | jack 10 | jack client to access to the column labeled client to access to the column labeled 13 | adam 13 | adam 14 | liza as "Secret". as "Secret". 14 | liza (3 rows) (3 rows) Page 15 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Performance - SE-PostgreSQL comparison of pgbench results PostgreSQL v8.4.1 SE-PostgreSQL v8.4.1 450 400 350 transaction per second 300 250 200 150 100 50 0 20 40 60 80 100 120 140 160 180 200 database size (scaling factor)▐ 2~4% of trade-off in performance userspace AVC minimizes the number of kernel invocations▐ Environments CPU Xeon (2.33GHz) Dual, Mem: 2GB (shared_buffer=512m) measured by pgbench -c 2 -t 200000 Page 16 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • System image: system-wide consistency in access control Classified User Login Process Consistent Consistent access controls access controls Information Information Assets Security Assets Inter-process Inter-process Policy communication communication SELinux Filesystem Networks IPC Objects Database channels channels Login User Process Unclassified▐ SELinux controls ANY inter-processes communication channels. No read-up, No write-down▐ SE-PostgreSQL allows to deploy RDBMS in this scheme. No differences in FS and DB from the viewpoint of access control Page 17 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 1. Background2. SE-PostgreSQL3. Apache/SELinux Plus4. LAPP/SELinux
  • Web system overview No individual No individual privileges set privileges set Authentication Authentication Filesystem HTTP Request HTTP Response User (human) Web-app Database Apache/httpd instance▐ Steps to handle users request 1. User sends HTTP request. 2. Apache/httpd may (not) apply HTTP authentication. 3. It launches a web-app instance which performs as an user agent. But its privilege set is identical to the web-server process. 4. Apache/httpd replies HTTP response.▐ Our headache and prescription OS/DB cannot apply valid access controls on user agents. Need to assign correct privileges prior to launch web-apps. Apache/SELinux Plus module does it. Page 19 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Apache/SELinux Plus (1/2) Apache without SELinux support1. HTTP request from users2. HTTP authentication may be applied3. Required contents handler is invoked with server processs privileges It works off the burden of access controls to web applications. Parse HTTP Request OS/DB cannot distinguish OS/DB cannot distinguish users privileges. users privileges. HTTP Authentication HTTP Request Accept .html connection HTTP Invoke Response Contents Handler .php .cgi Send HTTP Response Apache/httpd Page 20 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Apache/SELinux Plus (2/2) Apache/SELinux Plus1. HTTP request from users2. HTTP authentication may be applied3. Creation of one-time worker thread4. The worker assigns users privileges on itself, then invokes the handler Web-apps can perform with the least privilege set Parse HTTP Request Set users privileges first Set users privileges first HTTP Authentication HTTP Request Accept Create worker thread Change Security context .html connection HTTP Response Invoke Contents Handler .php Join worker thread Exit worker thread .cgi Apache/SELinux Plus Send HTTP Response Apache/httpd Page 21 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Performance - Apache/SELinux Plus $$ab -c 88-t 60 -A <user:password> <URL> ab -c -t 60 -A <user:password> <URL> 700 CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12 CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12 600 TEST1) Regular HTML file TEST1) Regular HTML file # of requests per second TEST2) PHP Script TEST2) PHP Script 500 TEST3) PHP Script with DB connection TEST3) PHP Script with DB connection 400 TEST4) CGI Program TEST4) CGI Program 300 200 100 0 .html file .php script .php with DBconn .cgi program Apache (normal) Apache/SELinux Plus▐ The cost to assign privileges is relatively large in lightweight request.▐ Less differences in our major target (Web+DB applications) Database-queries need higher cost than creation of worker threads. Page 22 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • System image (1/2) : Per web-user privilegesValid access controlsValid access controlsusing OS/DB based onusing OS/DB based onper-user privileges.per-user privileges. • HTTP Authentication • HTTP Authentication • Launch one-time worker thread • Launch one-time worker thread Database • Set its own security context • Set its own security context corresponding to the username. corresponding to the username. Filesystem Page 23 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • System image (2/2) : Per virtual host separation ▐ SELinux performs as a logical-wall separating system resources. Filesystem ▐ MCS policy will be suitable. red Database http://red.example.com/ Filesystem http://blue.example.com/ http://green.example.com/ Database blue A logical-wall: A logical-wall: SELinux prevent to access an user agent SELinux prevent to access an user agent Filesystem to the objects within other categories. to the objects within other categories. green Contents handler of Contents handler of Database the "green" virtual host the "green" virtual host Page 24 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 1. Background2. SE-PostgreSQL3. Apache/SELinux Plus4. LAPP/SELinux
  • SELinux has expanded its coverage Web Applications Web Applications Web Applications (PHP/Perl) (PHP/Perl) (PHP/Perl) Web Server Web Server Web Server (Apache) (Apache/SELinux Plus) (Apache/SELinux Plus) Database Server Database Server Database Server (PostgreSQL) (SE-PostgreSQL) (SE-PostgreSQL) Operating System Operating System Operating System (SELinux) (Linux) (SELinux) (SELinux) Prehistory Past Today Future▐ Prehistory, we have no MAC security.▐ God said "let there be SELinux". SELinux applies MAC policy on the operating system.▐ Today, it expanded its sphere of life. SE-PostgreSQL, Apache/SELinux Plus, XACE/SELinux, sVirt, ...▐ Future, it will cover whole of the web application stack. Page 26 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Conceptual diagram of LAPP/SELinux Classified User HTTP Req Process Consistent Consistent access controls access controls Information Information Assets Security Assets Inter-process Inter-process Policy communication communication SELinux Filesystem Networks IPC Objects Database channels channels HTTP Req User Process Unclassified▐ SE-PostgreSQL provides system-wide consistency in access controls.▐ Apache/SELinux plus enables web-apps to perform correct privileges. The LAPP/SELinux enables us to set up web systems with consistent and comprehensive access controls. Page 27 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • LAPP/SELinux applicability: threats by malicious insider▐ Database Administrator (DBA) In normally, he is allowed anything on databases. Need to prevent accesses unnecessary information, including backups. Consistent access controls using SELinux, prevent information leaks. HTTP Req HTTP Req SE-PostgreSQL Database DDL statement DBA SQL customer Dump the table backup Execute command utils Audit Web Log server Database Read the file backup Page 28 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Our principle Price of Notebook : $8.00 Price of Privacy: priceless▐ Worth of information asset It depends on the contents, not the way to store them Need to apply consistent access control on the same relationship▐ Purpose of access controls It decides what are allowed and disallowed on the relationship of a certain human-user and information asset Again, it is a relationship between a human and information▐ Principle in LAPP/SELinux Common security identifier Common access control decision Utilization of the platform features in maximum Page 29 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Project status & history▐ Status Now, kernel supports all the needed features of LAPP/SELinux Now, Fedora includes sepostgresql and mod_selinux package SE-PostgreSQL is now discussed in the pgsql community▐ History 06/09 launched to develop SE-PostgreSQL 07/03 SELinux Symposium & Developer Summit 2007 (Baltimare, USA) 07/08 Fedora merged SE-PostgreSQL package (F8 or later) 07/11 IPA gave an award due to the development of SE-PostgreSQL 08/03 The PostgreSQL conference 2008 (Ottawa, CA) 08/05 SE-PostgreSQL was proposed to pgsql-8.4.x development. 08/12 Bounds domain feature got merged (2.6.28 or later) 09/04 Fedora merged Apache/SELinux Plus (F11 or later) 09/07 SE-PostgreSQL was proposed to pgsql-8.5.x development. 09/10 Japan Linux Symposium 2009 Page 30 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • Any Questions?
  • Thank you!