Security Enhanced Linux

advertisement
Linux Security Module
(LSM) Framework
By Hasari Tosun
11/30/2006
Overview
Goal: To create a security module for Linux kernel
Motivation: 1) Learn Linux kernel, 2) learn kernel-level
security
• Why secured Operating System?
• Brief summary of traditional Linux access control
(Discretionary Access Control)
• Principle of least privilege
• Linux Security Modules (LSM) Framework
• Brief introduction to Security Enhanced Linux (SELinux)
Module
• Project: Simple Sandbox Security Module (sandbox)
• Demo
Why secured Operating System?
• Software threats and Internet:
– Network connectivity: Network
connectivity, in particular, the
Internet increased software threats.
– Active content: have capability of
triggering actions automatically
(PDF, MS Office, many others)
– Mobile code: designed to be
transported across a network for
execution on remote hosts
(JavaScript, ActiveX etc)
•
•
•
On March 3rd, 2003,
a vulnerability in
Sendmail affected
many organizations
worldwide. The
problem was that an
e-mail message with
a carefully-crafted
"from," "to," or "cc"
field could give the
sender complete
(root) control over
any machine
running Sendmail.
Buffer overflow
Sendmail is installed
as root
Why secured Operating System?
• Insider Threats: Comes from local
area network which represents even
more serious risk (Gartner research
has estimated that 70% of security
incident costs are due to insider
breaches)
• Complex Software: Complex
software may have defects that can be
exploited by attackers.
Why secured Operating System?
http://www.cert.org/stats/cert_stats.html
Incidents Reported
160000
140000
120000
100000
Incidents Reported
80000
60000
40000
20000
Year
20
02
20
00
19
98
19
96
19
94
19
92
0
19
90
Incidents
•
Discretionary access control
(DAC)
• Prior to Linux kernel 2.6, DAC was the
only security framework for Linux.
• In a DAC model, security decisions are
based solely on user identity and
ownership of the objects.
• No protection against malicious or flawed
software.
• Each user has complete discretion over
his/her own objects.
DAC
• Only two major categories of users: admin and
other.
• Too much privilege.
• Unbounded privilege escalation
DAC: Details
•
•
Each process is
associated with some
credentials, which binds
the process to a specific
user or a specific group.
The use of credentials
requires support both in
the process data structure
and in the resource being
protected.
uid,gid
user and group real
identifiers
fuid, egid
User and group
effective
identifiers
fsuid,fsgid
User and group
effective
identifiers for file
access
groups
Supplemental
group identifiers
suid,sgid
user and group
saved identifiers
DAC: Details
•
•
•
•
uid=0 is root, gid=0 is root group.
If uid=0, kernel bypasses the permission
checks.
When a process is created, it always
inherit the credentials of its parent.
Effective credentials can be modified
using system calls; setuid(), setresuid(),
setfsuid() and setreuid()
Principle of least privilege
Grant just the minimum
possible privileges to
permit a legitimate
action:
• Minimized privileged
modules: Give a privilege
to only the parts of the
program needing it.
• Minimize privileges
granted
• Minimize privileges’ time
Programming Tips:
• Break the program
into separate parts
so that only small
and independent
parts require special
privileges.
• If different parts
must run
concurrently, use
processes; Threads
share their security
privileges
Linux Security Modules
(LSM) Framework
• At the Linux Kernel 2.5 Summit (2001), several different
security projects were proposed for the kernel.
• These different approaches were often incompatible.
• Under guidance of Linus, a group was formed to create
Linux Security Modules framework with following
principles:
– The Linux kernel still does its normal security checks.
– When kernel needs to decide if access should be
granted, it also asks a security module whether or not
the action is okay.
– An administrator should pick the security module he
wants.
LSM Architecture
• The LSM framework was designed so that
almost all of its hooks would be restrictive
• An authoritative hook makes the absolute final
decision: if the hook says a request should be
granted, then it's granted no matter what.
• A restrictive hook can only add additional
restrictions; it can't grant new permissions.
• Authoritative model is more flexible. But it
requires many radical changes to the Linux
kernel.
LSM Architecture
User
space
Operation
Kernel
space
context
DAC
Primary
Security
Module
LSM
0/ERR
0/ERR
Execute
operation
Policy files
(policy database)
LSM UML Diagram
Before critical Action
Security_ops>action(defined in
security.h)
LSM Architecture
•
So, Five components added to kernel or
modified:
1. An interface of security functions.
2. Inserts calls to security functions at
various points within the kernel code.
3. Adding security fields to kernel object.
4. Providing functions to allow kernel modules
to register and unregister themselves as
security modules.
5. Move capabilities logic into an optional
security module.
LSM Architecture:
1)Function interface
• security.h file has security_operations structure
which defines security functions as function
pointers.
• It defines a global variable:
extern struct security_operations security_ops;
• security.h defines a set of static functions that
corresponds to a each security call.
• For each static function x, it executes
security_ops->x(). Thus, kernel calls x and x calls
registered function pointer.
LSM Architecture: 2) kernel
security calls
• LSM inserts calls to security functions at critical points in
the kernel code to perform access control. For example:
– fork.c: Task Create
– namei.c: Virtual File System Create
• LSM inserts calls to security functions at critical points in
the kernel code to manage the security fields. For example:
– inode.c: security_inode_alloc
– inode.c: security_inode_free
– fork.c: security_task_alloc
– fork.c: security_task_free
LSM Architecture: 3) security
fields in kernel objects
• security fields (void *
security) added to various
kernel objects.
• The setting of security
fields is handled by
security modules.
• These fields are used by
security modules for
labeling.
task_struct
Task (Process)
linux_binprm
Program
Super_block
File System
inode
Pipe, File, or
Socket
sk_buff
Network buffer
net_device
Network device
Kern_ipc_perm
Semaphore,
Shared Memory
Segment,
or Message
Queue
LSM Architecture: 4) Module
Registration
• The primary security module must
register itself using register_security
function in security.c file.
• It only register one module as
primary module.
• The decision of module stacking is
left to primary module:
– If the secondary module fails to
register using register_security, it
needs to call mod_reg_security
– This function call the primary
function to decide about stacking.
int register_security(struct
security_operations *ops)
{
if (verify(ops)) {
printk(KERN_DEBU
G "%s could not verify
security_operations
structure.\n",
__FUNCTION__);
return -EINVAL;
}
if (security_ops !=
&dummy_security_ops)
return -EAGAIN;
security_ops = ops;
return 0;
}
LSM Architecture: 5)
process capabilities
• The name "capabilities" comes from the now
defunct POSIX draft 1003.1e.
• These capabilities are a partitioning of the all
powerful root privilege.
• A process has three sets of bitmaps called the
inheritable(I), permitted(P), and effective(E)
capabilities.
• Each capability is implemented as a bit in each of
these bitmaps which is either set or unset.
• The kernel will check the appropriate bit in the
effective set of the process for privileged
operation.
process capabilities
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
CAP_AUDIT_WRITE
Allow to generate audit messages by writing in netlink sockets
CAP_AUDIT_CONTROL
Allow to control kernel auditing activities by means of netlink
sockets
CAP_CHOWN
Ignore restrictions on file user and group ownership changes
CAP_DAC_OVERRIDE
Ignore file access permissions
CAP_DAC_READ_SEARCH Ignore file/directory read and search permissions
CAP_FOWNER
Generally ignore permission checks on file ownership
CAP_FSETID
Ignore restrictions on setting the setuid and setgid flags for files
CAP_KILL
Bypass permission checks when generating signals
CAP_SETGID
Ignore restrictions on group's process credentials manipulations
CAP_SETPCAP
Allow capability manipulations on other processes
CAP_SETUID
Ignore restrictions on user's process credentials manipulations
CAP_SYS_ADMIN
Allow general system administration
CAP_SYS_BOOT
Allow use of reboot( )
CAP_SYS_CHROOT
Allow use of chroot( )
CAP_SYS_PTRACE
Allow use of ptrace( ) on every process
CAP_SYS_RESOURCE
Allow resource limits to be increased
CAP_SYS_TIME
Allow manipulation of system clock and real-time clock
•
The full list is given in text book (p. 813)
•
Security Enhanced Linux (SELinux)
Module
• Developed by National Security Agency
(NSA)
• The most comprehensive implementation
of LSM.
• Most of SElinux became part of LSM
framework.
• SELinux is primary security module in
Fedora distribution.
SELinux: Object Labeling
• Important objects in the OS are
labelled; Processes, files, inodes,
superblocks etc.
• Files persistently labelled via
extended attributes.
• Labels are called security
contexts.
SELinux Architecture
Operation
SELinux
Module
context
LSM
DAC
0/ERR
0/ERR
Execute
operation
Security
Server
Policy files
(policy database)
selinuxfs
SELinux Concepts
• Identity: each user
and process has a
unique identity on the
system.
• Roles – Used to
specify acceptable
actions from a user.
Each role has a set of
privileges assigned to
it
SELinux Concepts
• Type: This refers to the
privileges assigned to the
object
• Policy rules: allow
sysadm_t shadow_t:file
getattr;
SELinux: Code walkthrough
• Brief code walk-through for SELinux
Simple Sandbox Security
Module (sandbox)
• Although a few security modules exists
that are very comprehensive, including
SELinux, they are hard to manage.
• It is difficult for a system administrator to
write a correct security policy.
• So, I wrote a simple sandbox security
module that jail programs to a certain
directory during inode_create operation.
sandbox
• Security rule: defined in /etc/sandbox in
format of <programx>=<directoryx>.
Thus, program x can only issue
inode_create in directoryx.
• Rules are read during initialization of the
module.
• If new rules are added, the module needs to
be restarted.
sandbox: Code walk-through
• Source code is defined in sandbox.c file.
• Can be downloaded from: sandbox.c
sandbox
• In order for it to run:
– Capabilities module needs to be set to m
(loadable module, not built-in module) during
build process.
– Without capabilities module running, sandbox
module can stack against SELinux module.
sandbox: DEMO
•DEMO (Flash)
•DEMO (AVI)
Recap & Future directions
• Traditional Linux access control is uid and guid
• A multi-leveled security framework for modern operating
system is a must.
• LSM provides a powerful interface to create security
modules for the kernel.
• Sandbox module demonstrates how easy is to create a
security module.
• Current security modules such as SELinux use labeling
which is difficult for policy writer. Thus, a simple rulebased security module is needed
• A more flexible module-stacking feature must be provided
to allow any number of security modules.
References
• http://www.cs.montana.edu/~tosun/
cs518/
Questions?
Download