Your First Guide to secure Linux. August 12, 2010 Toshiharu Harada NTT DATA CORPORATION

Transcription

1 Your First Guide to secure Linux August 12, 2010 Toshiharu Harada NTT DATA CORPORATION

2 Abstract There are two types of people in the world. Those who are security experts, and the remainder of the world. In most cases, security experts are willing to provide technical assistance to people, but this does not always work as the information can be highly technical and confusing if you are not comfortable with the fundamentals of Linux security. Toshiharu Harada, Project Manager for TOMOYO Linux at NTT DATA CORPORATION will share the fundamental concepts of "secure Linux" for managers and end users who have little or no familiarity with security. This session does not require any special skills or knowledge, and is *not* designed for security experts.

3 Prologue "Whenever people agree with me, I always feel I must be wrong -- Oscar Wilde

4 secure Linux is a Linux version of OS with enhanced security

5 What is OS with enhanced security?

6 You can Google it as always, but what you get will be much more than you want (and hard to understand)

7 If you ask security people... You ll get the same results in 3D

8 Tons of information on the net... Open source implementations available... Active and friendly community... What s the missing link?

9 Maybe the missing link is the concept of secure Linux So, here I am

10 Who Am I? Project manager of TOMOYO Linux, one of the secure Linux extensions part of the upstream When I launched TOMOYO project in 2003, I started investing of the existing projects Thanks to many people, TOMOYO has been incorporated in the mainline Linux kernel

11 This presentation is intended to provide you the fundamental concepts of what secure OS is why it has to be developed

12 What You Get Understanding the underlying concepts of secure Linux should help you to enlarge your administrative knowledge and experience to make a good decision on when and how you need it to protect your system (someday)

13 secure Linux is a name for Linux version of secure OS (operating system) Linux has three secure Linux extensions: SELinux, SMACK and TOMOYO currently, and AppArmor (to be merged for )

14 Pros of secure Linux It can reduce the potential damages to your Linux system when it gets exploited So, let s start with exploits

15 Chap. 1 Exploits "Give me a place to stand on, and I will move the Earth. -- Archimedes

16 Wisdom from Microsoft Security Response Center

17 Law #1 If a bad guy can persuade you to run his program on your computer, it s not your computer anymore Actually, a bad guy can run his program on your computer without persuading you That s what we call an exploit

18 What is an exploit? From Wikipedia (as of July 15th, 2010) An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

19 Bad luck aspect of computer science From 10 Immutable Laws of Security by Microsoft Law #1 It s an unfortunate fact of computer science: when a computer program runs, it will do what it s programmed to do, even if it s programmed to be harmful.

20 Exploits Demo Understanding the meaning of exploit helps you to understand what secure OS is Let s see three examples

21 (1) ftp exploit

22 (2) samba exploit

23 (3) local exploit

24 Know Thy Enemy Typical procedures of exploits 1. Connect to a server pretending a normal client 2. Check to see if a server is a vulnerable one 3. Cause misbehavior by buffer overflow and other technique Their goal is gaining the root privilege

25 Chap.1 Summary Exploits are based on vulnerabilities Vulnerabilities are common and your systems is exposed to many risks Exploits aim to obtain root privilege of your system in the most cases

26 Chap. 2 Linux Security With great power, comes great responsibility -- Peter Parker

27 Reviewing Good Old Linux Security Linux had got security, of course it s called Discretionary Access Control (DAC, for short) Owners (and root) can define access permissions through chmod command Any problem with that? Yes, unfortunately

28 Problem with DAC Root user can violate DAC settings DAC cannot help when... your server is exploited a bad guy manages to login your server as root It s useless against exploits

29 What about Firewalls and IDS? Can they compensate DAC shortage?

30 Firewall and IDS Firewall Exploits pretend to be good clients and try to connect through opened ports IDS IDS can t recognize unknown/future attacks and vulnerabilities

31 Click N See

32 Buffer Overflow We learned that DAC and other traditional Linux security are not quite dependable Suppose buffer overflow is a typical approach of attacks, can we prevent them causing buffer overflow?

33 Click N See

34 Buffer Overflow What is it? Intentionally cause overflow of buffer to gain control and execute /bin/sh How to protect? Various tools and technologies have been invented, but not guarantee safe

35 Chap. 3 MAC "Although the world is full of suffering, it is full also of the overcoming of it. -- Helen Keller

36 Origins of secure OS In 80s, research has been made in the USA, to define evaluation criteria for trusted computer systems DoD unveiled Trusted Computer Systems Evaluation Criteria (TCSEC, aka Orange Book ) in 1985

37 1985

38 Amiga 1000 was released in 1985

39 TCSEC (TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA) Trusted Computer Systems should have... Division A and Verified Protection Division B and Mandatory Protection Division C Discretionary Protection Division D Minimal Protection

40 DAC defined by TCSEC The TCB* shall define and control access between named users and named objects in the ADP* system. The enforcement mechanism shall allow users to specify and control sharing of those objects by named individuals or defined groups or both. TCB: Trusted Computing Base, ADP: automatic data processing ( you don t have to remember these terms, I think)

41 DAC read write execute object user (self) group others

42 DAC % chmod 600 my_file read write execute object user (self) group others

43 MAC MAC (Mandatory Access Control) can improve the situation which DAC cannot solve

44 MAC defined by TCSEC The TCB shall enforce a mandatory access control policy over all subjects and storage objects under its control. These subjects and objects shall be assigned sensitivity labels that are a combination of hierarchical classification levels and nonhierarchical categories, and the labels shall be used as the basis for mandatory access control decisions.

45 MAC subject A grant or reject object B label for A label for B

46 NSA SELinux FAQ Security of Linux system depends Unmodified Linux system 2. Linux system with MAC

47 Security of Unmodified Linux System security privileged applications correctness of the kernel

48 Security of Linux System with MAC security security policy correctness of the kernel MAC

49 How MAC can help? (samba exploit vs. TOMOYO)

50 Differences Unchanged (Things you cannot change) exploit has occurred a bad guy obtained root shell without logging in Changed (Things you can change with MAC) some commands failed despite of root privilege (MAC introduced a new layer of security)

51 Click N See

52 Chap. 4 Policy God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. -- Reinhold Niebuhr

53 secure Linux needs policy MAC is an instrument to restrict invalid accesses, not a brain You (security admin) do instruct MAC system about good and bad accesses by defining a policy (AppArmor calls it profile )

54 Importance of policy The goal is very simple Grant access if it s correct (or needed) Reject everything else If you make mistakes in your policy system might fail to work properly system might not be protected

55 The Serenity Prayer O God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other

56 The Security Prayer (with my deepest respects for Reinhold Niebuhr) O God, give us grace to accept with serenity the things that are needed, Courage to reject the things which are not necessary, and the Wisdom to distinguish the one from the other

57 Where to find the wisdom? SELinux has a reference policy that embodies the built-up knowledge over the years about what accesses are in fact required for a large body of software novice users can start with Boolean and power users can maintain their own foundation TOMOYO and SMACK Do it yourself

58 Domain No program is always good or always bad Therefore, security policies are the set of security contexts (conditions) SELinux and TOMOYO call them domains (AppArmor call them profiles )

59 Domain Granularity of MAC policy is determined by two factors domain granularity access control granularity for each domain Both live in the kernel space, not in the userspace

60 userspace kernel

61 Managing Policy What and When Give permissions only when they are needed Delete permissions if they turned out to be unnecessary How Carefully monitor the logs

62 Managing Policy Cautions a policy error is detected/defined when a access occurs but its definition is missing among policy rules you can add such an error definition to the policy, in fact transforming it into policy rule, so that the same error will not occur anymore if you repeat this step thoughtlessly, you will lose control

63 Policy Auto Learning What is it? Feature available with AppArmor and TOMOYO How it works? Observing executions of system call Transform results into the policy rule (like audit2allow does for SELinux)

64 Results of policy auto learning can never be perfect has no logics should be considered as a starting point Auto learning feature can be used as an analysis tool or an educational tool

65 References Live as if you were to die tomorrow. Learn as if you were to live forever. -- Mahatma Gandhi

66 For Comprehensive Understanding of Linux Security Ideal reference by James Morris, who is the Linux kernel security subsystem maintainer; author of the kernel cryptographic API; and a leading contributor to the SELinux, Linux Security Module, Netfilter and IPsec projects.

67 Linux Kernel Security Wiki Best place to find Linux kernel security related projects

68 To Know Your Enemy Apache.org services attacked (April 13, 2010) Changes to LoCo Server Policy (August 11, 2007) August/ html Debian server compromise (July 12, 2006)

69 Find the Code Linux Cross Reference

70 TCSEC to ISO/IEC TCSEC has expired and the current standard is ISO/IEC Functional requirements have been described as protection profile LSPP (Labeled Security Protection Profile) succeeds MAC in TCSEC

71 Standards National Security Institute STD Trusted Computer System Evaluation Criteria ISO/IEC CAPP: Controlled Access protection profile LSPP: Labeled Security protection profile

72 RHEL Certifications

73 Other Topics

74 Secure Embedded Linux Characteristics of embedded devices Dedicated for usages and built with minimum resources Mass production affects cost (recall for millions, for instance) Network/HD/Updates might not always be available Linux has been spreading for embedded devices

75 Secure Embedded Linux Google s Android and Chromium OS are adding unique modifications to improve security

76 Secure Embedded Linux

77 Cloud Guest OS runs as a process from host OS / hypervisor Internal activities of guest OS are translated, so host OS can hardly monitor and confine them Guest OS share the NIC, HD and other devices, so physically reachable each other

78 Cloud Commonly used virtualization library libvirt has been incorporated the results of svirt (secure virtualization)

79 Congratulations You ve just learned the most difficult part of Linux security, understanding the concept Everything else is waiting for you to begin If you understand secure Linux, you will find it as an invaluable tool

80 Loving can cost a lot, but not loving always costs more. -- Merle Shain

81 Why not starting today?

82 The Serenity Prayer by Reinhold Niebuhr ( ) God, give us grace to accept with serenity the things that cannot be changed, Courage to change the things which should be changed, and the Wisdom to distinguish the one from the other. Living one day at a time, Enjoying one moment at a time, Accepting hardship as a pathway to peace, Taking, as Jesus did, This sinful world as it is, Not as I would have it, Trusting that You will make all things right, If I surrender to Your will, So that I may be reasonably happy in this life, And supremely happy with you forever in the next. Amen

83 Contact Information I would like to make these slides useful for future readers, so please send your comments and corrections to haradats@gmail.com Open source is a mutual benefit society, so I m sharing my own experiences as TOMOYO Linux project manager as well as selected technical slides

84 The latest version of these slides can be found at SlideShare Acknowledgements Special thanks to Giuseppe La Tona, Tetsuo Handa for reviewing and Stephen Smalley for correcting SELinux related information Trademarks Linux is a registered trademark of Linus Torvalds in the United States and other countries TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan