
Your First Guide to secure Linux August 12, 2010 Toshiharu Harada - PowerPoint PPT Presentation



  1. Your First Guide to “secure Linux” August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp NTT DATA CORPORATION

  2. Abstract There are two types of people in the world. Those who are security experts, and the remainder of the world. In most cases, security experts are willing to provide technical assistance to people, but this does not always work as the information can be highly technical and confusing if you are not comfortable with the fundamentals of Linux security. Toshiharu Harada, Project Manager for TOMOYO Linux at NTT DATA CORPORATION, will share the fundamental concepts of "secure Linux" for managers and end users who have little or no familiarity with security. This session does not require any special skills or knowledge, and is *not* designed for security experts.

  3. Prologue "Whenever people agree with me, I always feel I must be wrong" -- Oscar Wilde

  4. “secure Linux” is a Linux version of “OS with enhanced security”

  5. What is “OS with enhanced security”?

  6. You can Google it as always, but what you get will be much more than you want (and hard to understand)

  7. If you ask “security people” ... You’ll get the same results in 3D

  8. • Tons of information on the net ... • Open source implementations available ... • Active and friendly community ... What’s the missing link?

  9. Maybe the missing link is the “concept” of “secure Linux” So, here I am

  10. Who Am I? • Project manager of TOMOYO Linux, one of the “secure Linux” extensions that is part of upstream • When I launched the TOMOYO project in 2003, I started investigating the existing projects • Thanks to many people, TOMOYO has been incorporated in the mainline Linux kernel

  11. This presentation is intended to provide you the fundamental concepts of • what “secure OS” is • why it has to be developed

  12. What You Get Understanding the underlying concepts of “secure Linux” should help you • to enlarge your administrative knowledge and experience • to make a good decision on when and how you need it • to protect your system (someday)

  13. “secure Linux” is • a name for the Linux version of a “secure OS (operating system)” • Linux currently has three “secure Linux” extensions: SELinux, SMACK and TOMOYO, plus AppArmor (to be merged for 2.6.36)

  14. Pros of “secure Linux” • It can reduce the potential damage to your Linux system when it gets exploited • So, let’s start with “exploits”

  15. Chap. 1 Exploits "Give me a place to stand on, and I will move the Earth." -- Archimedes

  16. Wisdom from Microsoft Security Response Center

  17. Law #1 “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore” • Actually, a bad guy can run his program on your computer without persuading “you” • That’s what we call an “exploit”

  18. What is an “exploit”? From Wikipedia (as of July 15th, 2010) • An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). • This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

  19. Bad luck aspect of computer science From “10 Immutable Laws of Security by Microsoft” Law #1 • “It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful.”

  20. Exploits Demo • Understanding the meaning of “exploit” helps you to understand what “secure OS” is • Let’s see three examples

  21. (1) ftp exploit

  22. (2) samba exploit

  23. (3) local exploit

  24. Know Thy Enemy • Typical procedure of an exploit 1. Connect to a server pretending to be a normal client 2. Check whether the server is a vulnerable one 3. Cause “misbehavior” by buffer overflow or other techniques • Their goal is gaining root privilege

  25. Chap. 1 Summary • Exploits are based on vulnerabilities • Vulnerabilities are common and your systems are exposed to many risks • In most cases, exploits aim to obtain root privilege on your system

  26. Chap. 2 Linux Security “With great power, comes great responsibility” -- Peter Parker

  27. Reviewing Good Old Linux Security • Linux has always had “security”, of course • It’s called Discretionary Access Control (DAC, for short) • “Owners” (and root) can define access permissions through the “chmod” command • Any problem with that? • Yes, unfortunately

  28. Problem with DAC • The root user can violate DAC settings • DAC cannot help when ... • your server is exploited • a bad guy manages to log in to your server as root • It’s useless against exploits

  29. What about Firewalls and IDS? Can they compensate for the shortcomings of DAC?

  30. Firewall and IDS • Firewall • Exploits pretend to be good clients and connect through the ports that are already open • IDS • An IDS can’t recognize unknown/future attacks and vulnerabilities

  31. Click’N See

  32. Buffer Overflow • We learned that DAC and the other traditional Linux security measures are not quite dependable • Given that “buffer overflow” is a typical attack approach, can we prevent attackers from causing a “buffer overflow”?

  33. Click’N See

  34. Buffer Overflow • What is it? • Intentionally overflowing a “buffer” to gain control and execute /bin/sh • How to protect? • Various tools and technologies have been invented, but none of them guarantees safety

  35. Chap. 3 MAC "Although the world is full of suffering, it is full also of the overcoming of it." -- Helen Keller

  36. Origins of secure OS • In the ’80s, research was done in the USA to define evaluation criteria for trusted computer systems • The DoD unveiled the “Trusted Computer Systems Evaluation Criteria” (TCSEC, aka the “Orange Book”) in 1985

  37. 1985

  38. Amiga 1000 was released in 1985

  39. TCSEC (TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA) Trusted Computer Systems should have ... • Division A “Verified Protection” • Division B “Mandatory Protection” • Division C “Discretionary Protection” • Division D “Minimal Protection”

  40. DAC defined by TCSEC • “The TCB* shall define and control access between named users and named objects in the ADP* system.” • “The enforcement mechanism shall allow users to specify and control sharing of those objects by named individuals or defined groups or both.” • *TCB: Trusted Computing Base, ADP: automatic data processing (you don’t have to remember these terms, I think)

  41. DAC (diagram) a matrix of read / write / execute permissions on an object, one row each for user (self), group and others

  42. DAC % chmod 600 my_file (diagram) the same read / write / execute matrix after the command: user (self) keeps read and write, group and others get nothing

  43. MAC • MAC (Mandatory Access Control) can improve the situation which DAC cannot solve

  44. MAC defined by TCSEC • “The TCB shall enforce a mandatory access control policy over all subjects and storage objects under its control.” • “These subjects and objects shall be assigned sensitivity labels that are a combination of hierarchical classification levels and non- hierarchical categories, and the labels shall be used as the basis for mandatory access control decisions.”

  45. MAC (diagram) subject A, carrying a label for A, accesses object B, carrying a label for B; the two labels decide whether the access is granted or rejected

  46. NSA SELinux FAQ The security of a Linux system depends on ... 1. Unmodified Linux system 2. Linux system with MAC

  47. Security of an “Unmodified Linux System” (diagram) security rests on the privileged applications and on the correctness of the kernel

  48. Security of a “Linux System with MAC” (diagram) security rests on the security policy, the MAC mechanism and the correctness of the kernel

  49. How can MAC help? (samba exploit vs. TOMOYO)

  50. Differences Unchanged (things you cannot change) • the exploit has occurred • a bad guy obtained a “root” shell without logging in Changed (things you can change with MAC) • some commands failed despite “root” privilege (MAC introduced a new layer of security)

  51. Click’N See

  52. Chap. 4 “Policy” God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. -- Reinhold Niebuhr

  53. “secure Linux” needs “policy” • MAC is an “instrument” to restrict invalid accesses, not a “brain” • You (the security admin) instruct the MAC system about good and bad accesses by defining a “policy” (AppArmor calls it a “profile”)
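Added example, not from the slides or from the TOMOYO project: a toy Python model of the two layers described in slides 41-42, 45, 50 and 53. DAC consults the owner/group/others mode bits and lets root bypass them; the MAC layer consults only a policy keyed on subject and object labels, so a root shell obtained through the samba exploit still cannot read what its policy does not list. The label names, the policy entries and the smbd scenario are constructed for illustration.

```python
from dataclasses import dataclass
R, W = 4, 2  # read/write permission bits, the same values chmod uses

@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int    # e.g. 0o600 after "chmod 600 my_file"
    label: str   # MAC label of the object (constructed name)

@dataclass(frozen=True)
class Process:
    uid: str
    groups: frozenset
    domain: str  # MAC label of the subject (constructed name)

def dac_allows(proc, f, want):
    """Classic Linux DAC: owner/group/others bits, and root bypasses them all."""
    if proc.uid == "root":  # root (CAP_DAC_OVERRIDE) ignores the mode bits
        return True
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in proc.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

# Constructed MAC policy: (subject label, object label) -> permitted bits.
# Anything not listed is rejected, and the uid (even root) is never consulted.
POLICY = {
    ("smbd", "samba_share"): R | W,
    ("smbd", "samba_conf"): R,
    ("login", "etc_shadow"): R,
}

def mac_allows(proc, f, want):
    return (POLICY.get((proc.domain, f.label), 0) & want) == want

def access(proc, f, want):
    """Both layers must agree: MAC adds a check that root cannot relax."""
    return dac_allows(proc, f, want) and mac_allows(proc, f, want)

# Constructed scenario from the samba demo: the exploit yields a root shell
# that still runs in smbd's domain and tries to read /etc/shadow.
SHADOW = File("root", "shadow", 0o640, "etc_shadow")
SHARE = File("nobody", "users", 0o664, "samba_share")
ROOT_VIA_EXPLOIT = Process("root", frozenset({"root"}), "smbd")
ALICE = Process("alice", frozenset({"alice"}), "login")
LOGIN_AS_ROOT = Process("root", frozenset({"root"}), "login")
```

With DAC alone the exploited root shell reads /etc/shadow; with the MAC policy in place the same request is rejected, while smbd's legitimate access to its share still works.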
