System Integrity


The lecture by Sartakov A. Vasily for Summer Systems School'12.
Brief introduction to System Integrity.
SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.


Published in: Education

  1. System Integrity. Sartakov A. Vasily, Summer Systems School'12
  2. Software Hardening Methods
     Compile-time:
       * Canaries
     Run time:
       * Process virtualization (Dalvik, Java VM)
       * System virtualization (KVM, Xen, L4)
       * OS (Linux kernel enhancements)
       * HW support (MMU, TrustZone)
  3. Outline
     1. Compile-time software hardening
        1.1 Memory corruption mitigation methods
     2. Linux operating system extensions
        2.1 Container-based OS virtualization
        2.2 Linux security modules
        2.3 Grsecurity
     3. Process virtualization and sandboxing
        3.1 Byte-code translation
        3.2 Sandboxing untrusted native code
     4. System virtualization
        4.1 Hardware recruitment
        4.2 VMs and VMMs
        4.3 Use cases
  4. 1. Compile-time Software Hardening
     Memory corruption mitigation methods:
       * Code injection
       * Arc injection
       * Pointer subterfuge
       * Format string attacks and arithmetic overflows
  5. Code Injection
     A stack buffer overrun (f1a) and a heap buffer overrun (f1b); both copies are unchecked by design and overrun when len > 100.

       #include <stddef.h>
       #include <stdlib.h>
       #include <string.h>

       void f1a(void *arg, size_t len) {
           char buff[100];
           memcpy(buff, arg, len); /* buffer overrun if len > 100 */
           /* ... */
           return;
       }

       void f1b(void *arg, size_t len) {
           char *ptr = malloc(100);
           if (ptr == NULL) return;
           memcpy(ptr, arg, len); /* buffer overrun if len > 100 */
           /* ... */
           free(ptr);              /* release the heap buffer once done with it */
           return;
       }
  6. StackGuard, ProPolice
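The StackGuard/ProPolice idea, as an added example that is not part of the lecture: a guard word (canary) is placed directly after a fixed-size buffer, and a copy that runs past the buffer overwrites the guard, which the check after the copy notices. The same function also shows the hardened form of the slide 5 copies, which simply refuses any length larger than the buffer. The guard is kept inside one heap allocation so the modelled overrun stays within the allocated object; the canary value and the sample inputs are constructed for the demo, and a real canary is drawn from a random source at process start.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the lecture: a model of what a stack canary
 * (StackGuard/ProPolice) detects. A guard word sits right after a fixed-size
 * buffer; an over-long copy overwrites it, and the check after the copy
 * notices. The guard lives inside the same heap allocation as the buffer so
 * the overrun stays inside the allocated object. */

#define BUF_SIZE 16
enum { COPY_OK = 0, COPY_REJECTED = 1, CANARY_SMASHED = 2 };

/* Hypothetical fixed secret; real canaries are drawn from a random source at
 * process start so the value is not known in advance. */
static const uint64_t CANARY = 0x7A3C19E5D0B4F281ULL;

/* Copies len bytes into a BUF_SIZE buffer that is followed by the guard word.
 * With enforce_bound set, the copy is refused when len exceeds the buffer
 * (the hardened variant of the f1a/f1b copies on slide 5); without it, the
 * copy proceeds and only the guard check reports the overrun. */
static int guarded_copy(const void *src, size_t len, int enforce_bound) {
    size_t total = BUF_SIZE + sizeof CANARY;
    unsigned char *frame = malloc(total);
    if (frame == NULL) return -1;
    memcpy(frame + BUF_SIZE, &CANARY, sizeof CANARY);   /* install the guard */

    if (enforce_bound && len > BUF_SIZE) {
        free(frame);
        return COPY_REJECTED;
    }
    if (len > total) len = total;          /* keep the model inside its allocation */
    memcpy(frame, src, len);               /* the unchecked copy */

    uint64_t seen;                          /* canary check after the copy */
    memcpy(&seen, frame + BUF_SIZE, sizeof seen);
    int rc = (seen == CANARY) ? COPY_OK : CANARY_SMASHED;
    free(frame);
    return rc;
}

/* Constructed inputs: one that fits, one 32-byte run that does not. */
static const char SAMPLE_SHORT[] = "hello";
static const char SAMPLE_LONG[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 31 'A' + NUL */

static int demo_short(void)   { return guarded_copy(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 0); }
static int demo_overrun(void) { return guarded_copy(SAMPLE_LONG, sizeof SAMPLE_LONG, 0); }
static int demo_bounded(void) { return guarded_copy(SAMPLE_LONG, sizeof SAMPLE_LONG, 1); }

int main(void) {
    printf("short copy: %d, overrun caught by guard: %d, overrun refused by bound: %d\n",
           demo_short(), demo_overrun(), demo_bounded());
    return 0;
}
```

The guard check only detects the overrun after it has happened, which is why the compiler-inserted canary is paired with a process abort rather than an error return; the length check is the variant that prevents the write in the first place.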
  7. Pointer Subterfuge
     The slide shows the code below twice, with the pointer-encoding APIs EncodePointer, DecodePointer, EncodeSystemPointer and DecodeSystemPointer listed between the two copies.

       #include <string.h>

       void SomeFunc() {
           // do something
       }

       typedef void (*FUNC_PTR)(void);

       int DangerousFunc(char *szString) {
           char buf[32];
           strcpy(buf, szString);   // unbounded copy: overruns buf for long input
           FUNC_PTR fp = (FUNC_PTR)(&SomeFunc);
           // Other code
           // Other code
           (*fp)();
           return 0;
       }
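What the EncodePointer/DecodePointer family named on the slide achieves, as an added example that is not part of the lecture: a stored function pointer is XORed with a per-process secret before it is written to memory and decoded again just before use, so a stored word that holds a plain address no longer decodes to a valid target. The secret here is a hypothetical constant (a real implementation picks it at random at process start), and the functions encode_ptr, decode_ptr and the two demo_ helpers are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the lecture: a model of pointer encoding, the idea
 * behind EncodePointer/DecodePointer. A function pointer is XORed with a
 * per-process secret on store and XORed again on use; a stored word that
 * was replaced with a raw address decodes to something else. */

typedef void (*FUNC_PTR)(void);

static int g_calls = 0;
static void SomeFunc(void) { g_calls++; }

/* Hypothetical constant secret; a real implementation picks it at random
 * when the process starts, so it is not predictable. */
static const uintptr_t POINTER_SECRET = (uintptr_t)0xC0DE5A5Au;

static uintptr_t encode_ptr(FUNC_PTR p) { return (uintptr_t)p ^ POINTER_SECRET; }
static FUNC_PTR  decode_ptr(uintptr_t e) { return (FUNC_PTR)(e ^ POINTER_SECRET); }

/* Normal use: encode on store, decode on use, then call. Returns the number
 * of calls made through the decoded pointer (1 on success). */
static int demo_roundtrip(void) {
    g_calls = 0;
    uintptr_t stored = encode_ptr(SomeFunc);   /* what sits in memory */
    FUNC_PTR fp = decode_ptr(stored);
    if (fp == SomeFunc) (*fp)();
    return g_calls;
}

/* The slot holds the raw, unencoded address of SomeFunc, as a write that
 * does not know the secret would leave it. Returns 1 if decoding still
 * yields SomeFunc, 0 if the decoded value points elsewhere. */
static int demo_unencoded_slot(void) {
    uintptr_t stored = (uintptr_t)SomeFunc;
    return decode_ptr(stored) == SomeFunc;
}

int main(void) {
    printf("round-trip calls: %d, raw address still usable: %d\n",
           demo_roundtrip(), demo_unencoded_slot());
    return 0;
}
```

The protection rests entirely on the secret staying unknown to whoever can write the slot; an encoded pointer that is itself copied verbatim from another slot decodes correctly, which is why the system variants use a separate, system-wide secret.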
  8. Format String Attacks and Arithmetic Overflows
     References:
       * Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. PointGuard(TM): protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium, Volume 12, pages 7–7, Berkeley, CA, USA, 2003. USENIX Association.
       * Jonathan Pincus and Brandon Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2:20–27, July 2004.
       * Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. "Return-Oriented Programming: Exploits Without Code Injection". Retrieved 2009-08-12.
  9. 2. Linux operating system extensions
     2.1 Container-based OS virtualization: Linux-VServer, Virtuozzo and OpenVZ, Linux containers
     2.2 Linux security modules: SELinux, AppArmor, Smack, TOMOYO Linux
     2.3 Grsecurity: PaX, role-based access control
  10. 2.1 Container-based OS virtualization
      * Linux-VServer
      * Virtuozzo
      * OpenVZ
      * LXC (Linux Container Tools)
      The core concept of container-based operating system virtualization is to run completely isolated virtual servers sharing the same kernel. Compared to system virtualization, this reduces the memory required for additional kernels on the one hand, but at the same time it might increase the vulnerability of the system: if an attacker gains full access to the kernel, all virtual servers are compromised. System virtualization would offer an additional level of isolation and therefore more security in this case.
  11. Linux-VServer
      • Security contexts
      • Segmented routing
      • Chroot
      • Extended quotas
      • Further standard tools
      Use cases:
      • High-performance computing (HPC) clusters
      • The Grid
      • Distributed hosting organizations like PlanetLab and Amazon EC2
      The host kernel should be patched. The system provides a Shared OS Image consisting of a root file system and a set of system libraries and executables. This Shared OS Image together with a privileged host VM builds the Hosting Platform. Control: Start/Stop/Resume.
  12. Virtuozzo and OpenVZ
      OpenVZ is operating system virtualization based on the Linux kernel. It is very similar to Linux-VServer. Like Linux-VServer it requires a patched Linux kernel. Here likewise Debian ships prebuilt kernel images. Unfortunately, the patches are not provided for each Linux kernel release. OpenVZ is the basis for Parallels Virtuozzo Containers, which is a commercial product by Parallels. Usage scenarios and evaluation are basically the same as for the Linux-VServer project.
  13. Linux Containers (LXC)
      • Namespace isolation
      • Linux kernel control groups (cgroups)
      • PID namespace
      • Network namespace
      • UTS namespace (hostname)
      • Mount namespace
      • IPC namespace
      • Control (restart, freeze, etc.)
      • Resource limiting (memory)
      • Prioritization (CPU, I/O)
      • Accounting
      The best solution for lightweight isolation of Linux processes without much inter-process communication.
  14. Terminology 1. Access control models
      * Discretionary access control
      * Mandatory access control
      * Role-based access control
      Subject -- Object
  15. 2.2 Linux security modules
      The Linux Security Modules (LSM) framework is part of the Linux kernel. It provides lightweight, general support for access control by allowing modules to define security hooks:
      • Task hooks
      • Program loading hooks
      • IPC hooks
      • Filesystem hooks
      • Network hooks
      • Module hooks (e.g. module initialization)
      • System hooks (e.g. hostname setting)
      Modules built on LSM: AppArmor, SELinux, Smack, TOMOYO Linux
  16. Security-Enhanced Linux (SELinux): MAC, part of Linux
  17. Smack, TOMOYO Linux, AppArmor
      Smack
      Smack is the abbreviation for Simplified Mandatory Access Control Kernel for Linux. It is part of the MeeGo Security Architecture, but not exclusively dedicated to it. As the name already suggests, Smack provides Mandatory Access Control in a simpler way than e.g. SELinux. The author states that simplicity is the primary design goal of Smack. Like AppArmor, Smack requires extended file attributes. There it stores labels for files which must match labels associated with processes to grant access. Additionally, special rules can be added for file labels and process labels that do not match.
      TOMOYO Linux
      TOMOYO Linux is another pathname-based access control system for Linux. It also implements Mandatory Access Control, but additionally it is stated to be useful as a pure system analysis tool. Like e.g. AppArmor, TOMOYO Linux also provides tools for automatic policy generation and it is designed to be easy to use with a simple syntax for policies.
      AppArmor
      AppArmor is an alternative to SELinux. It is a pathname-based access control system and it requires a file system with extended attributes support. The original goal was to provide a SELinux-like Mandatory Access Control mechanism, which is simpler to manage for the typical user. Therefore, AppArmor implements a learning mode to create profiles of the typical program's behavior. While AppArmor is a simple and powerful solution for end-users, it seems that SELinux is more powerful to implement advanced security concepts on top of it.
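The label-matching rule the Smack paragraph describes (equal labels grant access, explicit rules cover the non-matching pairs, everything else is denied), as an added example that is not part of the lecture and not Smack's own code. It also illustrates the mandatory vs. discretionary distinction from the Terminology slide: the decision comes from the loaded policy, not from anything the object's owner set. The rule syntax "subject object rwx", the labels and the two policy lines are constructed for the demo, and the implementation is a deliberately simplified model (first matching rule wins, no special labels).

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: a minimal label-based mandatory access
 * control decision in the spirit of Smack. Every subject (process) and object
 * (file) carries a label. Access is granted when the labels are equal or when
 * an explicit rule "subject object rwx" allows it; everything else is denied.
 * The labels and rule lines below are constructed for the demo. */

#define MAX_RULES 16
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 };

struct rule { char subject[32]; char object[32]; int access; };
static struct rule rules[MAX_RULES];
static int nrules = 0;

/* Parse one rule line "subject object rwx" ('-' for a missing right) into the
 * table. Returns 0 on success, -1 on a malformed line or a full table. */
static int add_rule(const char *line) {
    struct rule r = {{0}, {0}, 0};
    char acc[8];
    if (nrules >= MAX_RULES) return -1;
    if (sscanf(line, "%31s %31s %7s", r.subject, r.object, acc) != 3) return -1;
    for (const char *p = acc; *p; p++) {
        if      (*p == 'r') r.access |= ACC_R;
        else if (*p == 'w') r.access |= ACC_W;
        else if (*p == 'x') r.access |= ACC_X;
        else if (*p != '-') return -1;
    }
    rules[nrules++] = r;
    return 0;
}

/* Returns 1 if a subject with subj_label may perform every right in `wanted`
 * on an object with obj_label, 0 otherwise. The first matching rule wins and
 * the absence of a rule is a denial: that default is what makes the check
 * mandatory rather than discretionary, since the object's owner cannot widen it. */
static int mac_allowed(const char *subj_label, const char *obj_label, int wanted) {
    if (strcmp(subj_label, obj_label) == 0) return 1;      /* same label */
    for (int i = 0; i < nrules; i++)
        if (strcmp(rules[i].subject, subj_label) == 0 &&
            strcmp(rules[i].object, obj_label) == 0)
            return (rules[i].access & wanted) == wanted;
    return 0;
}

/* Loads a constructed two-rule policy; returns the number of rules loaded. */
static int load_demo_policy(void) {
    static const char *policy[] = {
        "Browser Downloads rw-",
        "Backup  Downloads r--",
    };
    nrules = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (add_rule(policy[i]) != 0) return -1;
    return nrules;
}

int main(void) {
    load_demo_policy();
    printf("Browser rw Downloads: %d\n", mac_allowed("Browser", "Downloads", ACC_R | ACC_W));
    printf("Backup  w  Downloads: %d\n", mac_allowed("Backup", "Downloads", ACC_W));
    printf("Mail    r  Downloads: %d\n", mac_allowed("Mail", "Downloads", ACC_R));
    return 0;
}
```

In the kernel the equivalent decision runs inside the LSM hooks listed on slide 15 (file open, IPC, network), with the labels read from the extended attributes the Smack paragraph mentions.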
  18. 2.3 Grsecurity
      GrSecurity is a set of security related patches for the Linux kernel. Some major security enhancements are:
      • Stack and heap modification protection (PaX)
      • Role-based Access Control (RBAC)
      • Chroot restrictions
      • Auditing
      PaX
      PaX is a major component of GrSecurity. Amongst other things, the patch adds three memory protection mechanisms:
      • Data memory is flagged as non-executable (NX bit)
      • Program memory is flagged as non-writable
      • Program memory is randomly arranged, known as address space layout randomization (ASLR)
      Recent mainline kernel versions added some similar protection mechanisms for suitable memory regions on x86 systems.
      RBAC
      While PaX implements the principle of least privilege for memory management, another component of GrSecurity (RBAC) implements it for users and processes. This means that users and processes get only the privileges which are required to work correctly. It should be noted that, besides this implementation aspect, the RBAC concept can be applied in very different fields of application.
  19. 3. Process virtualization and sandboxing (skipped)
  20. 4. System Virtualization
      4.1 Hardware recruitment
      4.2 VMs and VMMs: Linux KVM hypervisor, Xen hypervisor, L4 microkernel based
      4.3 Use cases
  21. 4.1 Hardware recruitment
      HW support:
      * Intel VT-x
      * AMD-V
      * ARM TrustZone
      * ARM Cortex-A15, including full hardware virtualization
      * DMA and IOMMU
      Reference: Johannes Winter. Trusted computing building blocks for embedded Linux-based ARM TrustZone platforms. In Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing, STC'08, pages 21–30, New York, NY, USA, 2008. ACM.
  22. Terminology 2. Virtualization, virtual machines
      * System virtualization or hardware virtualization allows running multiple operating systems on one physical machine.
      * Guest and host OS
      * VMM / hypervisor
      * Type 1 / native: bare metal
      * Type 2 / hosted: on top of an OS
      * Paravirtualization: the VMM doesn't provide an interface that is identical to real hardware
  23. Linux KVM hypervisor
      * Part of the Linux kernel
      * QEMU
      * VT-x / AMD-V extensions
      * Big trusted computing base (TCB)
      * Low overhead
  24. Xen hypervisor
      References:
      * Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, SOSP '03, pages 164–177, New York, NY, USA, 2003. ACM.
      * Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis, Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie Wahlig. Utilizing IOMMUs for virtualization in Linux and Xen. In Proceedings of the 2006 Ottawa Linux Symposium (OLS 2006), 2006.
      * Jonathan M. McCune, Trent Jaeger, Stefan Berger, Ramon Caceres, and Reiner Sailer. Shamon: A system for distributed mandatory access control. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 23–32, Washington, DC, USA, 2006. IEEE Computer Society.
  25. L4 microkernel
      * User-level components
      * Address spaces (tasks)
      * Threads
      * Scheduling
      * Inter-process communication
      * Reusing
      * TCB
      [Figure: Fiasco.OC microkernel with the components Moe, Mag, Ned and IO, two L4Linux instances and an app]
  26. 4.3 Use Case
      [Figure: a Crypto component between two L4Linux instances (eth0, eth1), with an app, on Fiasco.OC with Moe, Mag, Ned and IO]