Thinking the Open Source way

Transcription

1 Thinking the Open Source way Matt Jamison Sr. Gov t Solutions Architect MSgt, USAFR jamo@redhat.com

2 Source code: #include <stdio.h> int main (void) { printf("hello, world!\n"); return 0; }

3 Binary code:

4 How Open Source is changing our lives Wikipedia 4.6M articles, 2,029 volumes Mozilla Firefox

5

6 How Open Source is changing our lives Wikipedia 4.6M articles, 2,029 volumes Mozilla Firefox MIT - OpenCourseWare (OCW) MIT Open Source Building Alliance (OSBA)

7 3,500 sq ft 40 pieces delivered to site assembled in less than 30 days

8 How Open Source is changing our lives Wikipedia 4.6M articles, 2,029 volumes Mozilla Firefox MIT - OpenCourseWare (OCW) MIT Open Source Building Alliance (OSBA) HIV Research - $287M Grant

9 All recipients have had to agree to share their findings - even if they had been working on competing projects. -Bill Gates (Bill and Melinda Gates Foundation)

10 How Open Source is changing our lives Wikipedia 4.6M articles, 2,029 volumes Mozilla Firefox MIT - OpenCourseWare (OCW) MIT Open Source Building Alliance (OSBA) HIV Research - $287M Grant Linux, SELinux, Containers

11 What's Next?

12 What's Next? What can we share today to change tomorrow?

13 Linux

14 Linux Happy 22nd Birthday Linux Almost 17 Million lines of code 7.14 changes to the newest development kernel every hour 3.10 kernel 1,392 developers and 243 company contributions 20% of development work: Red Hat and Intel Long tail companies made significant changes 50% patch sign off: Red Hat, Linux Foundation, Intel, Google

15 Higher Quality Coverity has tracked the code quality of open source software since Proprietary software, on average, has 10,000 to 20,000 defects per million lines of code. This has been true since Linux has 985 defects in 5.7 MLOC, or 99.3% lower than a proprietary system Linux grew 4.7%, but defect density went down 2.3% Funded by DHS, Coverity adds the LAMP stack and 32 OSS projects, and defect density stayed the same Now covers 250 projects, with 434 defects per MLOC. Worst performer has 1237 defects per MLOC Now covers 280 projects, with defect density down 16% Open source quality for active projects in Coverity Scan is better than the software industry average.

16 Knowledge Is Power

17 If it's a level playing field, what is Red Hat doing to make sure it's a clean game?

18 The Playing fields... Red Hat Network Satellite Red Hat Security Response Team OpenSCAP Security partnerships SELinux, SVirt, Cgroups, Containers, OpenShift

19 Management for RHEL

20 STIG / SCAP / OpenSCAP The SCAP protocol suite contains multiple complex data exchange formats that are used to transmit important vulnerability, configuration, and other security data. the goal of the OpenSCAP project to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it presents. SCAP is a protocol, akin to HTML, and consumers must use a protocol interpreter. OpenSCAP provides that functionality for the RHEL platform. XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents.

21 Security Response Team Be the point of contact for customers, users, and researchers who have found security issues in our products and services, and to publish the procedures for dealing with this contact. Track alerts and security issues in the community Investigate and address security issues Ensure timely security fixes Ensure that customers can easily find, obtain, and understand security advisories and updates Work with other vendors of Linux and open source software (including our competitors) to reduce the risk of security issues through information sharing and peer review

22 A layered defense YOUR SYSTEM

23 SELinux: Background Originated from NSA R&D. First public release by NSA in Dec Large and growing user and developer community. Integrated into mainline Linux 2.6 in Aug Found in many Linux distributions be default today.

24 Building Security Openly NSA develops technology for deeply extending security of Linux Integrated into the Open Source Linux Kernel Red Hat enables by DEFAULT in All Enterprise Solutions Red Hat integrates into sponsored Open Source project... Customers, NSA, Community, and Red Hat continue evolution

25 Discretionary Access Control (DAC)

26 Strict Policy

27 Targeted Policy

28 SELinux Limit Exploit Impact SELinux is a flexible Mandatory Access Control architecture within the standard Open Source Linux Kernel Exploit Exploit

29 Samba exploit, May Samba vulnerabilities to which the fix was issued at time of disclosure to public No known exploits to exist for vulnerabilities which leveraged a heap overflow We believe that the executable memory process checks in SELinux would have prevented the exploit from executing writable memory. While the exploit might be able to take advantage of a buffer overflow when the attacker tries to execute the code, SELinux would stop it.

30 IF attacker gained root access read/write to any files/directories labeled samba_share_t (expected) read/write to /etc/samba/*, /var/log/samba/*, /var/spool/samba, /var/run/samba/* create/read/write files created in /tmp by samba, nothing else Outward/listen tcp connections on ports 631, , 445 and nsswitch ports Read most files in /etc/, /usr/ Update the utmp file Read and do all code used in nsswitch

31 What the attacker can't do read/manipulate users home directories (how important is that?) read/manipulate any databases on the system Attack data/processes owned by other confined domains (200+ in RHEL5) Attack other machines via the network, other than ports mentioned above. Cannot send mail to become spam agent.

32 But wait, there's more While the attacker is trying to do evil things on your machine, your audit logs will be capturing avc messages showing you what the attacker was trying to do. If you had setroubleshoot running, you would be receiving real time notification of these avc messages, and if you set it up to , you would be getting s about it.

33 Virtualization: Svirt Security Applying security labels to individual guest virtual machines and their resources Guest Isolation achieved with SELinux Mandatory Access Controls (MAC) Protect against untrusted Guest VM Protect against Host misconfiguration Prevents unauthorized access of Guests/Host Builds on existing, proven security mechanisms & controls 38

34 KVM Security Comparison ATSEC 39

35 40

36 Survey Have you used open source technology in the past month?

37 Internet usage 80% of the 1 Billion websites use open source webservers. >21 Billion lines of open source code.

38 Survey Have you used open source in the past hour?

39 Open Source in phones 1.5 Million Android devices activated daily. Almost 80% of all cell phones are android. Hundreds of open source apps make up IOS.

40