Integrity and Security in Filesystems


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Integrity and Security in Filesystems

  1. 1. Security and Integrity in Linux Filesystems. Alejandro Sanchez Acosta
  2. 2. Linux Introduction.
  3. 3. Introduction.● Whats free software?● What is the Linux kernel?● A little story about the Linux kernel.● Architecture portability.● Linux maintainment.● General ideas.
  4. 4. Filesystem Sources.
  5. 5. Filesystem sources.● Fs/● Superblock, aio, acls, file, file_table, inode,attr, quota..● Binfmt*● Adfs, affs, afs, autofs, befs, bfs, coda,cramfs, ramfs, devfs, devpts, hfs, hpfs, qnx4,umsdos, vfat, xfs, jfs, isofs, hugetlbfs, minix,romfs, ....
  6. 6. Filesystem Introduction.
  7. 7. Filesystem Introduction.● Whats a Filesystem?● Management with VFS layer.● Proc fs.● Sysfs.● Relayfs.● Udev y hotplugging.
  8. 8. Whats a Filesystem?● A place to storage data on disk.● Superblock.● Inodes.● Directory entries.● Files.
  9. 9. Filesystem Form with VFS● Superblock and sb_ops.● Inode and inode_ops.● File and file_operations.● Register_filesystem● Mounting a filesystem● Accesing data filesystem via definedsyscalls.
  10. 10. More Known Filesystems.● ext2/ext3● Jfs● Reiser3 y reiser4.● XFS● NTFS● UDF● Distributed filesystems: NFS, Coda, SMB,AFS.
  11. 11. The future of filesystems.● More oriented-object or more oo.● Modularity via plugins.● Fasters searching data.● Encryption and compression support.● More robusted used algorithms.● Better storage.
  12. 12. Reiserfs4 Overview.
  13. 13. Basic semantics.● Files.● Names and objects.● Namespaces and interfaces.● Directories.● Security attributes.
  14. 14. Trees concepts.● Set of nodes.● Fanout.● Finited and infinited trees.● Keys to identify objects.● Node structure.● Items structure.
  15. 15. Trees design.● Height or space balanced.● B and b+ trees.● Htrees.● Positional trees.● Dancing trees.● Cache design.
  16. 16. Nodes.● Identified by a key.● Formatted and unformatted.● Leaf and twig nodes.● Items: nodes collection to storage data.● Units: data that we put in the whole item.
  17. 17. Storing Data.● Graphs and dancing trees.● Separate layers: semantic and storage.● BLOBs and extents.
  18. 18. Atomic filesystem● Brief history about fs crashing.● Filesystem checkers.● Reducing the damage with atomic op.● Journaled location.● Commiting allocation.
  19. 19. Repacker.● 80% remain unchanged on disk.● Ordering the tree.● Sort the tree and pack perfectly.● Eliminates posible fragmentation.
  20. 20. Journaling.● Location on disk: journal/log.● Commited area.● Problem: twice write data.● Metadata journaling.● Solution: Wandering logging.● Commiting and transactional layer.● Copy-on-capture and steal-on-capture.
  21. 21. Distributed Filesystem.
  22. 22. WAFL.● Distributed Filesystem● Used in network appliances.● Snapshots.● Copy-on-write.● Large files, NFS, high performance and aquickly restart.
  23. 23. Plugins design.● File, directory and hash.● Security.● Item● Key assignment.● Node and item search.● Still not dinamically loaded.
  24. 24. Reiser future.● Cryptography and compression.● Quotas support.● Dynamic plugins.● Distributed filesystem.● Encryption on commit.
  25. 25. Seguridad en sistemas de ficheros.
  26. 26. Basic Polices.● Credentials.● Capabilities.● ACLs● Attributes.● Metadata.
  27. 27. Security in filesystems.● Filesystem and swap crypto.● CryptoAPI support.● LSM hooks for the file access.● File capabilities.
  28. 28. CryptoAPI.
  29. 29. ● Criptografiia en kernel space.● Uso de scatterlists.● Implementación de criptografía de claveprivada y hashing (ciphers y digests)● Ejemplos: MD4, MD5, DES, AES,Blowfish, Twofish, ..● Patent-free (IDEA en el 2011? :-) yestandarizados.● Necesidad por ipv6, packet encryption.● Firma de módulos.
  30. 30. #include <linux/crypto.h> struct scatterlist sg[2]; char result[128]; struct crypto_tfm *tfm; tfm = crypto_alloc_tfm("md5", 0); if (tfm == NULL) fail(); /* Rellenar scatterlists */ crypto_digest_init(tfm); crypto_digest_update(tfm, &sg, 2); crypto_digest_final(tfm, result); crypto_free_tfm(tfm);
  31. 31. Cryptoloop.● Inicializamos pool con dd.● Cargar cipher.● Losetup -e twofish /dev/loop0 /pool● Keysize and password.● Crear sistema de ficheros para loop.● Montamos sobre loop.● Desmontamos loop y filesystem.
  32. 32. Benchmarking.● Contest.● LTT.● Linux Test Project.● Classics benchmarks.
  33. 33. Linux Security Modules.
  34. 34. LSM.● NSA, SELinux, SGI, Inmunix y Janus.● Capabilities.● sys_security y security_operations.● register_security● selinux_plug_init● netfilter.
  35. 35. Referencias.● Nucleo desarrollo:● Kernelnewbies-es y kernelnewbies.● Kerneljanitors.● LKML.● Posthalloween 2.5.x● Artículos en sobre DriversPorting.● Traducciones en
  36. 36. ¿¿¿Preguntas???
  37. 37. Security and Integrity in Linux Filesystems. Alejandro Sanchez Acosta