LSS-EU 2018: Overview and Recent Developments Linux Integrity Subsystem

Similar documents
LSS 2017: linux-integrity subsystem update Mimi Zohar

LSS 2016: linux-integrity subsystem status. Mimi Zohar

Using Linux as a Secure Boot Loader for OpenPOWER Servers

Linux Kernel Security Overview

Extending the Linux Integrity Subsystem for TCB Protection. David Safford, Mimi Zohar,

Linux Kernel Security Update LinuxCon Europe Berlin, 2016

Security features for UBIFS. Richard Weinberger sigma star gmbh

Lecture 3 MOBILE PLATFORM SECURITY

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Protecting your system from the scum of the universe

(Ab)using Linux as a Trusted Bootloader

Lecture Embedded System Security Trusted Platform Module

Protecting your system from the scum of the universe

Platform Configuration Registers

Defeating Invisible Enemies: Firmware Based Security in OpenPOWER Systems. Linux Security Summit George Wilson IBM Linux Technology Center

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Mobile Platform Security Architectures A perspective on their evolution

Auditing TPM Commands

OS Security IV: Virtualization and Trusted Computing

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

The Road to a Secure, Compliant Cloud

Operating system hardening

Landlock LSM: toward unprivileged sandboxing

OVAL + The Trusted Platform Module

Security for the Xen Hypervisor Status Quo & Perspective 2006

Overview. Wait, which firmware? Threats Update methods request_firmware() hooking Regression testing Future work

Justifying Integrity Using a Virtual Machine Verifier

TRUSTED COMPUTING TRUSTED COMPUTING. Overview. Why trusted computing?

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

TPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Lecture Embedded System Security Introduction to Trusted Computing

Software Vulnerability Assessment & Secure Storage

WHITE PAPER. Authentication and Encryption Design

TUX : Trust Update on Linux Kernel

Lecture Embedded System Security Introduction to Trusted Computing

Linux Security Summit Europe 2018

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Deploying Secure Boot: Key Creation and Management

Security Namespace: Making Linux Security Frameworks Available to Containers

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

OP-TEE Using TrustZone to Protect Our Own Secrets

Lecture Embedded System Security Introduction to Trusted Computing

Justifying Integrity Using a Virtual Machine Verifier

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2007

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing. Hermann Härtig Technische Universität Dresden Summer Semester 2009

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

CIS 4360 Secure Computer Systems SGX

CIS 4360 Secure Computer Systems Secured System Boot

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

Resilient IoT Security: The end of flat security models

Linux Kernel Evolution. OpenAFS. Marc Dionne Edinburgh

Why lock down the kernel? Matthew Garrett

Chrome/OS Security 2014

STING: Finding Name Resolution Vulnerabilities in Programs

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Trusted Computing Use Cases and the TCG Software Stack (TSS 2.0) Lee Wilson TSS WG Chairman OnBoard Security November 20, 2017

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Use of Mojo PowerPoint Template. Your name, Title

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Logging, Monitoring, and Alerting

How to create a trust anchor with coreboot.

Trusted Computing and O/S Security

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Agenda GDPR Overview & Requirements IBM Secure Virtualization Solution Overview Summary / Call to Action Q & A 2

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

The Future of Security is in Open Silicon Linux Security Summit 2018

Advanced Systems Security: Ordinary Operating Systems

Android Bootloader and Verified Boot

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

File access-control per container with Landlock

Advanced Systems Security: Ordinary Operating Systems

Unix, History

Applications of Attestation:

Linux Kernel Security

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

GSE/Belux Enterprise Systems Security Meeting

Technical Brief Distributed Trusted Computing

Scalable Architectural Support for Trusted Software

A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

PRIMA: Policy-Reduced Integrity Measurement Architecture

Click to edit Master. Trusted Storage. title style. Master subtitle style Seagate Technology

Project Cerberus Hardware Security

Binding keys to programs using Intel SGX remote attestation

Hypervisor Security First Published On: Last Updated On:

Integrity-checked block devices with device mapper. Mandeep Baines Will Drewry

Secure Containers with EPT Isolation

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

IBM Research Report. Docker and Container Security White Paper

Keeping Up With The Linux Kernel. Marc Dionne AFS and Kerberos Workshop Pittsburgh

Transcription:

LSS-EU 2018: Overview and Recent Developments Linux Integrity Subsystem Mimi Zohar 1 IBM Research

Linux Integrity Subsystem & Ecosystem IMA Overview IMA-measurement, IMA-appraisal, IMA-audit Relationship between EVM & IMA-appraisal Keys & keyrings IMA measurement list usage Attestation: compromise detection Integrity analytics, forensics Namespacing IMA Recent developments, current & future work 2 IBM Research

Goals The goals of the kernel integrity subsystem are to: detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file s measurement against a good value stored as an extended attribute, and enforce local file integrity. IMA Wiki White paper: http://downloads.sf.net/project/linux-ima/linux-ima/integr ity_overview.pdf 3 IBM Research

IMA Features IMA-measurement: detect if files have been accidentally or maliciously altered Need to know if/when a system has been compromised Pointless to ask the system if it has been compromised Available in Linux 2.6.30 IMA-appraisal: appraise a file s measurement against a good value and enforce local file integrity Good value: file hash or signature stored as an extended attribute Signature verification uses keys in specific keyring Available since Linux 3.7 IMA-audit: augment the audit subsystem with IMA records Used to assist with security analytics/forensics Available in Linux 3.7 4 IBM Research

Example Policy Simple ima-policy: measure func=kexec_kernel_check appraise func=kexec_kernel_check appraise_type=imasig audit func=kexec_kernel_check /* collect - calculate file hash */ rc = ima_collect_measurement(); if (rc!= 0) goto out_locked; if (action & IMA_MEASURE) ima_store_measurement(); if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) rc = ima_appraise_measurement(); Calculate file hash once Add hash to measurement list Verify kernel image signature* Add audit records if (action & IMA_AUDIT) ima_audit_measurement(); out: return rc; * Requires loading key(s) 5 IBM Research

Secure vs. Trusted Boot* Secure Boot Trusted Boot Each stage of booting verifies the signature of the next stage before transferring control Signature verification failure causes the boot to fail Hardware root of trust is stored in nonvolatile memory Extending Secure & Trusted Boot to the OS Extending Secure & Trusted Boot to the OS Each stage of booting, measures the next stage, adds the measurement to an event log, and extends the TPM, before transferring control TPM is hardware root of trust * Some people use the terms Verified and Measured Boot 6 IBM Research

Linux Integrity Subsystem & Ecosystem: IMA-measurement & IMA-appraisal Secure Boot Software Distribution with File Signatures Signing Linux Executables for Fun and Security (2017 LPC Matthew Garrett) File signatures needed! (2016 LPC talk) Key Management Key granularity Blacklisting keys Platform keyring Extending Secure & Trusted Boot to the OS Extending Secure & Trusted Boot to the OS Policies ima_policy= ["tcb appraise_tcb secure_boot fail_securely ] 7 IBM Research

Relationship between EVM & IMA-appraisal IMA-appraisal protects file data Good value: file hash or signature stored as an extended attribute Signature verification based on keys in specific keyring (.ima) EVM protects file metadata Either HMAC or signature of file metadata HMAC value calculated/verified using EVM key (encrypted key) Signature verification based on keys in specific keyring (.evm) Trusted key: TPM symmetric key Encrypted key: encrypted/decrypted w/trusted key (or user key) EVM binds the file metadata to the file data inode: ino, generation, uid, gid, & mode SELinux, smack, apparmor, IMA, & capabilities xattrs (optional) New immutable & portable signatures (Matthew Garrett, Google) No inode filesystem specific data Requires security.ima xattr 8 IBM Research

File hashes, HMAC, and signature usage Files may change Requires access permission (eg. DAC, MAC) Must be hashed Are HMAC protected "immutable" files may be signed But with which keys, on which keyring? Userspace keyrings: _ima, _evm Keys are normally added to these keyrings in the initramfs, prior to pivoting root Kernel trusted keyrings:.ima,.evm Keys added to trusted keyrings must be signed by keys on the.builtin_trusted_keys or, if enabled,.secondary_trusted_keys 9 IBM Research

IMA-appraisal: local CA (the linchpin) Extending the secure boot certificate and signature chains of trust to the OS 10 IBM Research

Methods for loading IMA Local-CA public key on to the.builtin_trusted_keys keyring Build keys into the kernel image Reserve space in the kernel image for IMA local-ca. Post build, install key and resign kernel image (Mehmet Kayaalp, partially upstreamed) Or, load the firmware database keys onto the.secondary_trusted_keys keyring and configure secondary trusted keyring (not mainline) 11 IBM Research

Linux Integrity Subsystem & Ecosystem: IMA-measurement & IMA-appraisal Secure Boot Trusted Boot Software Distribution with File Signatures Signing Linux Executables for Fun and Security (2017 LPC Matthew Garrett) File signatures needed! (2016 LPC talk) Key Management Key granularity blacklisting keys Platform keyring Extending Secure & Trusted Boot to the OS Extending Secure & Trusted Boot to the OS Measurements Attestation Integrity Analytics TPM setup System enrollment Augment system auditing Policies (measurement, appraisal, & audit rules) ima_policy= ["tcb appraise_tcb secure_boot fail_securely ] Forensics 12 IBM Research

IMA measurement list Too few measurements, system integrity is unknown Based on policy Too many measurements, memory pressure on system and possible performance issues Identify what to measure Changes are coming, but do they all retain the existing security guaranties? TPM 2.0 crypto agile measurement list support Exporting the measurement list Only store "unknown" measurements based on an in kernel white list Request the file hash from the filesystem, instead of calculating it 13 IBM Research

Remote Attestation: Compromise Detection What is remote attestation? Local machine reports to a remote server the exact software running on the platform From boot firmware through OS load and into applications What is an attestation quote? Digitally signed report Why can we trust it? Chain of measurements stored on crypto hardware (TPM) Signing key (attestation key, quote key) never leaves the TPM 14 IBM Research

IBM Attestation Client/Server & TSS Attestation Client (Open sourced 2016) Pure C implementation Pre-OS event log and IMA measurement list Supports both TPM 2.0 and now TPM 1.2 TCG enrollment protocol using EK certificate as root of trust IBM TSS (open sourced 2015) Designed for ease of understanding, ease of use Support all TPM 2.0 requirements with single function call and now supports TPM 1.2 Command line utility for each TPM command Sample code for application programmers Scriptable for rapid prototyping and TSS regression test Linux, Windows, AIX, Raspian, x86, Power, ARM HW and SW TPM support built in 15 IBM Research

16 IBM Research

IMA: Running on the Host, in VMs, and in Containers Level 2 Container Integrity Attestation Container Owner Level 1 Guest VM Integrity VM 1 VM 2 VM 3 KVM Attestation Virtual Machine Owner Level 0 Infrastructure Integrity OS UEFI / BIOS, Petitboot Attestation Bare Metal Infrastructure Owner 17 IBM Research

Staging IMA namespacing IMA-audit: differentiating between what ran on the system vs. in a namespace, and between namespaces. Define how to initialize IMA namespaces Extend integrity audit messages with container id IMA-measurement: per IMA namespace measurement list Define per namespace: policy, measurement list Requires virtualizing securityfs, prevent securityfs information leakage, and optionally vtpm support IMA-appraisal: signature verification on a per IMA namespace basis Per namespace IMA keyring Permit root in the namespace to write security xattrs Requires: per namespace xattrs (scaling issues) 18 IBM Research

Recent Developments 19 IBM Research

New Features EVM (file metadata) new features (M. Garrett, Google) Portable & Immutable EVM signatures Runtime support for defining and including additional EVM protected security attributes Support for larger EVM digests IMA (file data) Build time IMA policy, persists after loading a custom policy Run time enabled IMA architecture specific policy (N. Jain, E. Richter IBM LTC) 20 IBM Research

Closed IMA-Measurement, IMA-appraisal, & IMA-audit gaps Re-measuring, re-appraising, & re-auditing files on filesystems without i_version support (Sascha Hauer, pengutronix) Prevent kexec ing unsigned kernel image (kexec_load syscall) Prevent loading unsigned firmware (sysfs) FUSE file systems Unprivileged mounted FUSE filesystems is always untrusted Privileged mounted FUSE filesystems Default: re-measure, re-appraise, re-audit on each file access Optional: builtin fail-securely IMA policy New Discussion: support file change detection (Matthew Garrett, Google) 21 IBM Research

Outstanding problems resolved Re-introduced an IMA specific lock to resolve the i_rwsem lockdep (Dmitry Kasatkin, Huawei) Major TPM performance improvements (N. Jain, IBM LTC) Disambiguated IMA audit records (S. Berger, IBM Research) 22 IBM Research

Testing! IMA Linux Test Program(LTP) tests updated (Petr Vorel, Suse) evmtest: a standalone IMA test framework (David Jacobson, IBM Research summer intern) Direct testing of currently running kernel image Designed for integration with LTP and xfstests in mind 23 IBM Research

Current and future work Continue closing measurement/appraisal gaps: initramfs, ebpf, mmap, interpreters Storing firmware keys on the Platform keyring Regression testing: ima-evm-utils, Linux Test Program(LTP), xfstests Simplify usage: sample policies, updating documentation Key management: black lists, revocation Directory filename protection support Re-work the IMA measurement list memory allocation Support other file signature verification methods (eg. appended signatures, fs-verity) Hash agile measurement list 24 IBM Research

How can you help? Review patches* Participate in new feature discussions* evmtests: extend the testing framework with additional tests Simplify usage: sample IMA policies, updating documentation Don t introduce new IMA-measurement, IMA-appraisal, or IMA-audit gaps. * Mailing list: linux-integrity@vger.kernel.org Archive: https://lore.kernel.org/linux-integrity/ 25 IBM Research

Thank you! Special thanks to my colleagues: Stefan Berger, Ken Goldman, Guerney Hunt, Elaine Palmer, Mehmet Kaylaap, Hani Jamjoom, [David Safford, Dimitrios Pendarakis] (IBM Research) George Wilson, Nayna Jain, Thiago Bauermann (IBM LTC) To all of you For the new IMA & EVM features For all the "minor" bug fix patches For the help with updating and packaging ima-evm-utils 26 IBM Research

Questions? 27 IBM Research

Remote Attestation: Compromise Detection The IBM TSS handles the following, hidden from the caller: HMAC, password, and policy sessions Session and HMAC, key calculations, including bind and salt sessions HMAC generation and verificaton (including cphash and prhash) Parameter encryption and decryption, XOR and AES Nonces and nonce rolling Session continue flag TPM 2.0 "Name" and bind session tracking Different session hash algorithms Marshaling, unmarshalling Communications with the TPM, Windows, and Linux, HW and SW TPM 28 IBM Research

IBM TSS: API TPM_RC TSS_Execute( TSS_CONTEXT *tsscontext, RESPONSE_PARAMETERS *out, COMMAND_PARAMETERS *in, EXTRA_PARAMETERS *extra, TPM_CC commandcode,...) out: The standard TPM2 Part 3 response parameter in: The standard TPM2 Part 3 command parameter extra: Some commands (only two so far) require extra parameters commandcode: The standard TPM2 Part 2 command code. : A list of session 3-tuples, of the form - TPMI_SH_AUTH_SESSION sessionhandle, - const char *password, - unsigned int sessionattributes The list is terminated with (TPM_RH_NULL, NULL, 0) 29 IBM Research

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback