OPG Leadership Series Solaris Security Design Kickoff, - - PowerPoint PPT Presentation

OPG Leadership Series Kickoff, September 2005. Solaris Security Design Considerations. Casper Dik, Sun Microsystems, Inc. Solaris Security Design Principles, or how ten years changed my perspective on security: history of fixes and hardening.


SLIDE 1

OPG Leadership Series Kickoff, September 2005

Solaris Security Design Considerations

Casper Dik, Sun Microsystems, Inc.

SLIDE 2

Solaris Security Design Principles

Or how ten years changed my perspective on security

  • History of fixes and hardening
  • Solaris 10
  • Look at the future
  • My greatest frustration

SLIDE 3

What was wrong?

  • Bugs
  • Configuration issues
  • Software reuse

SLIDE 4

Bugs

  • Retraining programmers
  • Fixing bugs
  • Codesweep
  • Automated Scanning

SLIDE 5

Improving code quality

  • Security awareness training
  • Better programming interfaces
  • Different programming languages

SLIDE 6

Bugs: Optimist's view

  • And then you're done!

SLIDE 7

Bugs: Pessimist's view

  • Programmers come and go

> Continuous training required

  • Training doesn't stick
  • Much code imported from the outside
  • Code evolves to evade automated scanning
  • Code increases 10-50 fold

> And so do bugs

  • Where there are bugs, there are security bugs

SLIDE 8

Bugs: Pessimist's view

  • Different programming languages, different security issues
  • You can write C/FORTRAN in any language

SLIDE 9

Bugs: Open versus Closed source

  • Ross Anderson [2002]: Security in Open versus Closed Systems

> Defender and attacker helped equally

  • So what happens when transitioning?

> Tested in OpenSolaris
> Not much, so far

SLIDE 10

Bugs: Realist's view

  • Fixing bugs helps
  • Fixing bugs is not sufficient

SLIDE 11

Configuration

  • “Ease of Use” trumped Security
  • Services defaulted to on
  • Access defaulted to open
  • Complaints when defaults changed

> Remember /etc/hosts.equiv with “+” in SunOS 3 & 4?

SLIDE 12

Configuration

  • Backward compatibility King
  • “Like turning a supertanker”

> File permissions fixed
> New network services default to off

  • Everything defaults to off

> Except sshd

SLIDE 13

Configuration

  • System must be secure with defaults
  • Disabled services must be secure, too!

SLIDE 14

Changing World

  • Everything is connected
  • Much is wireless
  • Dynamic content
  • Webify Everything

> Controlled Environment -> Internet

  • Software reuse?!?

SLIDE 15

What we have

  • Bugs
  • Enabled Services
  • Users
  • System Administrators

SLIDE 16

What I want

  • Security:

> With bugs
> Without firewalls
> While doing useful work
> Without virus scanners

SLIDE 17

Design for Resilience

  • Tamper proof
  • Tamper resistant
  • Tamper evident

SLIDE 18

Security Evolution in Solaris 10

  • Cryptographic Framework
  • Privileges
  • Loopback Credentials
  • Zones
  • RBAC
  • SMF
  • BART
  • Trusted Extensions

SLIDE 19

Cryptographic Framework

  • Cryptographic Algorithms

> encrypt(1), decrypt(1)

  • Digests

> digest(1)

  • Random number generator

SLIDE 20

Cryptographic Framework

  • Two software instances of all algorithms

> One Userland
> One Kernel

  • Completely Pluggable

> Add accelerator (different implementation)
> Add new algorithm

  • 128-bit crypto standard

> Import restrictions in some countries

SLIDE 21

Privileges

  • Privileges with a pragmatic twist
  • Principle of Privilege Escalation Prevention

> “You need as many Privileges as you can get”

  • Basic Privileges

> Privileges required for previously unprivileged actions
> Execve, fork, viewing other people's processes
> Extensible

  • Hard privilege limit

> Privileges processes can never exceed

SLIDE 22

Privileges

  • Privileges needed to control other process

> Superset of privileges available in that process

  • Privileges needed to write to /dev/*mem, /dev/dsk/*

> All privileges defined in the system

  • Users can be prevented from ever performing some tasks
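The set semantics behind slides 21 and 22, worked through as an added example (this is a model written for this page, not Sun's kernel code). It simulates a process's Effective, Permitted, Inheritable and Limit sets, the exec rules documented in privileges(5), the hard limit that even a setuid-root exec cannot climb above, and the escalation-prevention check for controlling another process. The privilege names are a constructed subset of the real ones; the exact shape of the control check (target's E, P and I must fit in the controller's E, target's L in the controller's L) and the omission of uid checks are modelling assumptions.

```python
"""Model of the Solaris 10 privilege sets described on slides 21-22.
Constructed example: a simulation of the set rules, not Solaris source."""
from dataclasses import dataclass

# Basic privileges (slide 21): actions that needed no privilege before Solaris 10.
BASIC = frozenset({"proc_exec", "proc_fork", "proc_info", "proc_session", "file_link_any"})
# Constructed subset of the real privilege names; enough for the demonstration.
ALL = BASIC | frozenset({"file_dac_read", "file_dac_write", "net_privaddr",
                         "proc_owner", "sys_devices"})


class PrivError(Exception):
    pass


@dataclass(frozen=True)
class Process:
    effective: frozenset    # E: what the process can use right now
    permitted: frozenset    # P: what it may enable into E
    inheritable: frozenset  # I: what survives an exec
    limit: frozenset        # L: hard limit, only ever shrinks

    def __post_init__(self):
        # Invariants from privileges(5): E <= P <= L and I <= L.
        if not (self.effective <= self.permitted <= self.limit
                and self.inheritable <= self.limit):
            raise PrivError("privilege set invariant violated")

    def drop_limit(self, privs):
        """Shrink L; anything removed from L disappears from every set."""
        privs = frozenset(privs)
        return Process(self.effective - privs, self.permitted - privs,
                       self.inheritable - privs, self.limit - privs)

    def exec_image(self):
        """Ordinary exec: E' = P' = I' = I & L, L' = L."""
        kept = self.inheritable & self.limit
        return Process(kept, kept, kept, self.limit)

    def exec_setuid_root(self):
        """Setuid-root exec: uid 0 gets E' = P' = L, never more than the limit."""
        return Process(self.limit, self.limit, self.inheritable & self.limit, self.limit)

    def can_control(self, target):
        """Privilege escalation prevention (slide 22): the controller needs a
        superset of the target's privileges.  Modelling assumption: target's
        E, P and I within the controller's E, target's L within the controller's
        L.  Uid ownership checks are deliberately left out of this model."""
        return ((target.effective | target.permitted | target.inheritable)
                <= self.effective and target.limit <= self.limit)


def invariant_holds(e, p, i, l):
    """True if the four sets form a legal credential under the invariants."""
    try:
        Process(frozenset(e), frozenset(p), frozenset(i), frozenset(l))
        return True
    except PrivError:
        return False


def root_process():
    return Process(ALL, ALL, ALL, ALL)


def user_process():
    # An ordinary login: only the basic set, but the limit still allows everything.
    return Process(BASIC, BASIC, BASIC, ALL)


def hard_limit_demo():
    """A process that lowered its limit runs a setuid-root program: the
    program cannot get back what the limit dropped."""
    restricted = user_process().drop_limit({"sys_devices", "file_dac_write"})
    return restricted.exec_setuid_root().effective


def control_demo():
    """Whoever gave up a privilege can no longer control a process that keeps it."""
    user = user_process()
    lesser = user.drop_limit({"proc_info"})
    return {
        "root_controls_user": root_process().can_control(user),
        "user_controls_root": user.can_control(root_process()),
        "user_controls_lesser": user.can_control(lesser),
        "lesser_controls_user": lesser.can_control(user),
    }


if __name__ == "__main__":
    print(sorted(hard_limit_demo()))
    print(control_demo())
```

The point of `drop_limit` followed by `exec_setuid_root` is the "hard privilege limit" bullet: once a privilege leaves L, no later exec, setuid or otherwise, can restore it in that process tree. The `control_demo` output shows the superset rule cutting both ways: the process that dropped `proc_info` can no longer attach to one that still has it, which is what stops a debugger-style attach from being used to regain a privilege.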

SLIDE 23

Loopback Credentials

  • Loopback server now knows who connects

> Uids
> Gids
> Privileges
> Audit attributes
> Zone

SLIDE 24

Zones

  • Virtual OS Instance
  • Ease of administration
  • Compartmentalize
  • Separate namespaces
  • Resource controlled
  • Observable from the global zone

SLIDE 25

Service Management Facility (SMF)

  • Single set of commands for all services
  • Service dependency graph
  • Restarts failed services
  • Delegation of administrative authorizations
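The dependency graph and restart behaviour on this slide, as an added example (written for this page, not svc.startd code): a service graph that derives a start order from "requires" edges, refuses a cycle as a configuration error, and, when one service fails, computes which dependents must come back with it. The service names are constructed and are not real SMF FMRIs.

```python
"""SMF-style service dependency graph (slide 25): start order from the
graph, and a restart plan when a service fails. Added example, not SMF code."""
from collections import deque


class ServiceGraph:
    def __init__(self, requires):
        # requires: service -> services it depends on (the "require_all" sense).
        self.requires = {svc: set(deps) for svc, deps in requires.items()}
        for dep in set().union(*self.requires.values()):
            self.requires.setdefault(dep, set())       # leaf services
        self.dependents = {svc: set() for svc in self.requires}
        for svc, deps in self.requires.items():
            for dep in deps:
                self.dependents[dep].add(svc)

    def start_order(self):
        """Topological order (Kahn's algorithm); a cycle is a config error."""
        remaining = {svc: len(deps) for svc, deps in self.requires.items()}
        ready = deque(sorted(s for s, n in remaining.items() if n == 0))
        order = []
        while ready:
            svc = ready.popleft()
            order.append(svc)
            for dep in sorted(self.dependents[svc]):
                remaining[dep] -= 1
                if remaining[dep] == 0:
                    ready.append(dep)
        if len(order) != len(self.requires):
            stuck = sorted(s for s, n in remaining.items() if n)
            raise ValueError("dependency cycle among: " + ", ".join(stuck))
        return order

    def transitive_dependents(self, svc):
        """Every service that directly or indirectly requires `svc`."""
        seen, stack = set(), [svc]
        while stack:
            for d in self.dependents[stack.pop()]:
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        return seen

    def restart_plan(self, failed):
        """Services to bring back, in dependency order, after `failed` dies:
        the failed service itself plus everything that requires it."""
        affected = self.transitive_dependents(failed) | {failed}
        return [s for s in self.start_order() if s in affected]


def demo_graph():
    # Constructed graph loosely shaped like a network stack; not real FMRIs.
    return ServiceGraph({
        "network/physical": set(),
        "network/initial": {"network/physical"},
        "system/filesystem/local": set(),
        "network/ssh": {"network/initial", "system/filesystem/local"},
        "network/http": {"network/initial", "system/filesystem/local"},
        "system/cron": {"system/filesystem/local"},
    })


def has_cycle(requires):
    try:
        ServiceGraph(requires).start_order()
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    g = demo_graph()
    print(g.start_order())
    print(g.restart_plan("network/physical"))
```

`restart_plan` is the security-relevant half: a restarter that brings back only the failed service, and not the services that depend on it, leaves those dependents running against a stale or half-initialised provider, which is exactly the kind of inconsistent state a dependency graph exists to prevent.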

SLIDE 26

Role Based Access Control (RBAC)

  • Allows assigning Authorizations and Roles to users
  • Allows running privileged commands by unprivileged users or roles

SLIDE 27

BART

  • Basic Auditing and Reporting Tool
  • Verifies file contents and attributes
  • To be integrated with online database

> SunSolve Fingerprint database
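A file-integrity check in the style of bart(1M), as an added example written for this page (not Sun's BART code): build a manifest of each file's type, mode, owner, size and content digest, then compare a later manifest against that baseline and report additions, deletions and which attributes changed. It uses SHA-256 where the original tool used MD5, and the directory tree it checks is constructed in a temporary directory.

```python
"""BART-style manifest create/compare (slide 27). Added example; it follows
the idea of `bart create` and `bart compare`, not their implementation."""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()                    # BART used MD5; SHA-256 chosen here
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root):
    """Map relative path -> attributes, like `bart create -R root`."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            ftype = ("F" if stat.S_ISREG(st.st_mode)
                     else "L" if stat.S_ISLNK(st.st_mode) else "?")
            entry = {"type": ftype, "mode": oct(stat.S_IMODE(st.st_mode)),
                     "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid}
            if ftype == "F":
                entry["digest"] = _digest(full)
            manifest[os.path.relpath(full, root)] = entry
    return manifest


def compare_manifests(control, test, ignore=()):
    """Report differences, like `bart compare control test`.  `ignore` plays
    the role of a bart rules file: attributes whose changes are not reported."""
    report = {"added": [], "deleted": [], "changed": {}}
    for path in sorted(set(control) | set(test)):
        if path not in test:
            report["deleted"].append(path)
        elif path not in control:
            report["added"].append(path)
        else:
            keys = set(control[path]) | set(test[path])
            diffs = sorted(k for k in keys if k not in ignore
                           and control[path].get(k) != test[path].get(k))
            if diffs:
                report["changed"][path] = diffs
    return report


def demo():
    """Constructed scenario: baseline, then a same-size content change, a
    relaxed mode, a new file and a removed file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = (("etc/passwd", b"root:x:0:0::/:/bin/sh\n"),
                 ("etc/hosts.equiv", b"trusted-host\n"),
                 ("bin_ls", b"#!/bin/sh\nexec /usr/bin/ls\n"))
        for name, data in files:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "bin_ls"), 0o755)
        control = create_manifest(root)

        # Tampering: same-length content change, mode change, add, delete.
        with open(os.path.join(root, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/:/bin/zz\n")
        os.chmod(os.path.join(root, "bin_ls"), 0o777)
        with open(os.path.join(root, "etc", "shadow.bak"), "wb") as f:
            f.write(b"leaked\n")
        os.remove(os.path.join(root, "etc", "hosts.equiv"))
        return compare_manifests(control, create_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The same-length edit to `etc/passwd` is there on purpose: size and mtime checks alone miss it, and only the content digest flags the change. As the slide's "SunSolve Fingerprint database" bullet implies, the baseline is only as trustworthy as where it was taken, so the control manifest belongs off the machine being checked, or is matched against vendor fingerprints rather than a local snapshot.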

SLIDE 28

Signed Binaries

  • All Solaris 10 binaries carry a signature

> Binaries can be verified off-line
> Obviously not on a compromised system

  • Requirement for export of “Crypto with a hole”

> Crypto plugins must be signed
> No obvious restrictions on who can get certificate
> Strong crypto unbundled because of import restrictions

SLIDE 29

Signed Execution (Future)

  • Allow restrictions on the executables run
  • Allow restrictions on the kernel modules loaded
  • You are in control!

SLIDE 30

Secure Boot (Future)

  • Verify all binaries while they are loaded
  • Hardware assist required for full feature set

> TPM
> But system administrator in control

SLIDE 31

Trusted Extensions (Soon)

  • Labeled zones
  • Trusted Networking (labeled networking)
  • Trusted Window System
  • Replaces Trusted Solaris

SLIDE 32

Unbundled Tools

  • Hardening toolkits

> But more and more obsolete

  • Findrootkit (to be released)

SLIDE 33

My Greatest Frustration

  • Incompetent Security Auditors
  • About as advanced and scientific as

> Bloodletting/Leeches
> Animal Sacrifice
> Palm reading

  • Random, unmotivated requirements

> Known to break systems
> Inflexible

SLIDE 34

Relevant Security Pages

  • Sun Security Home Page

> http://www.sun.com/security/

  • Solaris Patches & Fingerprint Database

> http://sunsolve.sun.com/

  • Sun Security Coordination Team

> http://sunsolve.sun.com/security/

  • Sun BluePrints for Security

> http://www.sun.com/security/blueprints/

  • Solaris Security Toolkit

> http://www.sun.com/security/jass/

SLIDE 35

Relevant Blogs

  • Glenn Brunette

> http://blogs.sun.com/gbrunett

  • Alec Muffett

> http://blogs.sun.com/alecm

  • Casper Dik

> http://blogs.sun.com/casper

SLIDE 36

Get The Source!

  • http://cvs.opensolaris.org

> Source repository

  • http://www.opensolaris.org

> Discussions, binaries and all the rest

  • http://blogs.sun.com/

> Engineers explaining their bit of Sun Software

SLIDE 37

OPG Leadership Series Kickoff, September 2005

Solaris Security Design Considerations

Casper Dik, Sun Microsystems, Inc.
http://blogs.sun.com/casper