Overview of AGL the FLOSS embedded secured OS based on linux
9th October 2018
José Bollo Security Technical Lead jose.bollo@iot.bzh
IoT.bzh (Lorient and Vannes), October 2015 to October 2018: Fulup, Stéphane, Manuel, Yannick, José. Mostly dedicated to AGL.
AGL software stack (diagram):
– LINUX KERNEL
– upstream services: SystemD (pulseaudio), Network-Manager, geoclue, bluez, gstreamer, ...
– AGL framework and AGL services: identity, audio-4a, persistence, weather, unicens, nfc, network, mediascanner, mediaplayer, geoclue, bluetooth, windowmanager, low-can, homescreen
– AGL applications: DASHBOARD, HOMESCREEN, LAUNCHER, MEDIAPLAYER, HVAC, MIXER, SETTINGS, RADIO, NAVI, PHONE, POI, ...
Isolation model (diagram): applications A and B and services C and D each run in their own security context; they are interconnected through dbus, ws, bus1, tls, ... or the network.
– Applications and services run isolated from one another by their Smack security context.
– The communication between applications is controlled by policy (framework, firewall, gateway, OAuth, OpenID Connect).
– Access to service features is controlled by a permission enforcement mechanism (cynara, OAuth).
– Services are like applications.
– Simple Mandatory Access Control Kernel
– Strong isolation of kernel objects (files, sockets)
– Using netherd and netfilter
– Filtering permission
– User consent mechanism
– Oauth and OpenID Connect
Access control taxonomy (diagram): Access Control, which provides the control of accesses (+has_access()), is realized as:
– MAC, Mandatory Access Control: SMACK (Simple Mandatory Access Control Kernel), in the LINUX KERNEL
– DAC, Discretionary Access Control: ACL, the standard Linux access control
– PBAC, Permission Based Access Control: CYNARA
– NSBAC, NameSpace Based Access Control (containers)
Two enforcement points (diagram): a legitimate application and a BlackHat application both try to reach a protected service and a system resource through the LINUX KERNEL.
– Cynara helps to protect services: the permission database answers GRANTED to the legitimate application and DENIED to the BlackHat one.
– The Smack Linux security module helps to protect system resources: GRANTED to the legitimate application, DENIED to the BlackHat one.
Sequence (diagram) between a CLIENT, the SOLUTION and a SERVICE: CONNECT, INVOKE METHOD, SIGNAL EVENT, return from INVOKE.
– CONNECT is subject to the permission to connect to the service.
– INVOKE is subject to the permission to invoke the METHOD.
– EVENT is subject to the permission to receive the EVENT of the service.
Composition (diagram): a CLIENT uses service X of the SOLUTION, which <<depends>> on service Y. The policy for Y is: requires permission P. About permission P, the policy for X is either:
AGL framework takes care of the composition of permissions. Under control of a strict policy, it allows some services to run with the context of their clients, behaving as their client.
LSM (Linux Security Module)
files (like SELinux).
and processes (ptrace, signals, ...).
A rule is made of:
– the subject's label
– the object's label
– the access

    System User rwx

This rule allows read, write and execute access to objects labeled User for the processes labeled System.
What are labels? What are subjects? What are objects? How to set them? Simple!!!
special meaning: they are compared to equality (case sensitive: a≠A).
a smack label.
context.
– Commands id, ps (option -Z or -M), ls (option -Z) print the contexts of processes and files.
execute (x), append (a), lock (l), transmute (t), bringup (b).
How to set context? You can't! Except if you have the capability CAP_MAC_ADMIN.
    # chsmack --access label file
    # echo -n label > /proc/$$/attr/current
    # echo "subject object rwt" > /sys/fs/smackfs/load-self2
    # echo "subject object rwt" > /sys/fs/smackfs/load2
    # echo "subject object rwt" | smackload
How to set rules? You can only reduce accesses for the current thread (inherited by cloning). But if you have the capability CAP_MAC_ADMIN, you can change all rules.
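As an added example (not kernel or AGL code), here is an emulation of the Smack access decision for rules written in the "subject object access" form shown above; the hard-coded cases for the star, floor, hat and web labels follow the Smack documentation linked at the end of this part, and the loaded rules are then consulted the way rules written to load2 are.

```c
/* Emulation of the Smack access check for "subject object access" rules.
 * Added example, not kernel or AGL code: the hard-coded cases follow the Smack
 * documentation (star "*", floor "_", hat "^", web "@"), then the loaded rules. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_RULES 64
#define MAX_LABEL 255          /* a Smack label is 1..255 characters */
enum { R = 1, W = 2, X = 4, A = 8, T = 16, L = 32, B = 64 };   /* rwxatlb */
struct rule { char subject[MAX_LABEL + 1], object[MAX_LABEL + 1]; int access; };
static struct rule rules[MAX_RULES];
static int nrules;

/* "rwx" -> R|W|X, "-" -> 0, -1 on an invalid letter (the kernel answers EINVAL) */
int smack_parse_access(const char *s)
{
    static const char letters[] = "rwxatlb";
    int acc = 0;
    if (!strcmp(s, "-"))
        return 0;
    for (; *s; s++) {
        const char *p = strchr(letters, tolower((unsigned char)*s));
        if (!p)
            return -1;
        acc |= 1 << (p - letters);
    }
    return acc;
}

/* Load one "subject object access" line (load2 accepts several, one per line).
 * Labels are compared for equality, case sensitive (a != A); a later rule for
 * the same pair replaces the earlier one, as the kernel does. */
int smack_load_rule(const char *line)
{
    char subj[MAX_LABEL + 1], obj[MAX_LABEL + 1], acc[16];
    int i, access = -1;
    if (sscanf(line, "%255s %255s %15s", subj, obj, acc) != 3)
        return -1;
    if (subj[0] == '-' || obj[0] == '-' || (access = smack_parse_access(acc)) < 0)
        return -1;                               /* a label never starts with '-' */
    for (i = 0; i < nrules; i++)
        if (!strcmp(rules[i].subject, subj) && !strcmp(rules[i].object, obj))
            break;
    if (i == MAX_RULES) return -1;               /* table full */
    strcpy(rules[i].subject, subj);
    strcpy(rules[i].object, obj);
    rules[i].access = access;
    if (i == nrules) nrules++;
    return 0;
}

/* 1 if a task labeled `subject` may perform `request` (e.g. "rw") on an object
 * labeled `object`, else 0. The hard-coded cases come before the rule set. */
int smack_has_access(const char *subject, const char *object, const char *request)
{
    int want = smack_parse_access(request), i;
    if (want <= 0 || !strcmp(subject, "*"))              /* star subject: nothing */
        return 0;
    if (!strcmp(subject, "@") || !strcmp(object, "@"))   /* web label: everything */
        return 1;
    if (!strcmp(object, "*") || !strcmp(subject, object)) /* star object, same label */
        return 1;
    /* hat subject or floor object: only pure read/execute or pure lock requests */
    if (((want & ~(R | X)) == 0 || want == L) &&
        (!strcmp(object, "_") || !strcmp(subject, "^")))
        return 1;
    for (i = 0; i < nrules; i++)
        if (!strcmp(rules[i].subject, subject) && !strcmp(rules[i].object, object))
            return (want & rules[i].access) == want;     /* request within the rule */
    return 0;
}
```

Loading "System User rwx" and asking whether System may "rwxa" User shows why a rule must contain the whole requested access, and asking with "system" shows the case sensitivity of labels.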
Security Module)
– Lock access mode (kernel 3.13)
– Support for multi-rule write to load2 and change-rule (kernel 3.12)
– Maximum value for CIPSO category changed from 63 to 184 (kernel 3.12)
– Longer Smack labels (24->255) and recursive transmute (kernel 3.5)
– Transmute access mode (kernel 2.6.38)
– Bringup mode
– Netlabel filtering
https://www.kernel.org/doc/html/latest/admin-guide/LSM/Smack.html
https://github.com/smack-team/smack
Tizen’s management of permissions
– It was a response to the insane growth of smack rules
was too slow
Poland
The 4-uple of values (client, session, user, permission) is checked; client, session, user and permission are text strings.
Result: DENIED, GRANTED or OTHER (ASK, ...)
Example (diagram): the application HVAC runs with the security label User::App::HVAC and calls the low-can service; the request is issued over a UNIX domain socket.
– The low-can service gets the credentials of its client using getsockopt (SO_PEERCRED & SO_PEERSEC); getsockopt is a C function.
– It requests the cynara authorisation for User::App::HVAC, giving PID, UID and PERM.
– The cynara server checks whether a rule allows the request.
– Caching is possible to avoid requests. Issue with NAND memory (limited write cycles) => specific optimizations of the cache.
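How a service such as low-can identifies its client before asking cynara, as an added example (not low-can or AGL code): getsockopt on the UNIX domain socket returns the kernel-verified pid/uid/gid with SO_PEERCRED and the peer's security label (its Smack label on AGL) with SO_PEERSEC. The example uses a socketpair() so it runs stand-alone, and treats a kernel without an LSM providing SO_PEERSEC as "no label" rather than as an error, which is the case a service must be ready for.

```c
/* Reading a UNIX-socket client's credentials the way a service like low-can
 * does before asking cynara. Added example, not low-can or AGL code.
 * SO_PEERCRED yields the kernel-verified pid/uid/gid, SO_PEERSEC the peer's
 * security label (its Smack label on AGL). Without an LSM that provides
 * SO_PEERSEC the label is reported as absent instead of failing. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct peer_identity {
    pid_t pid;
    uid_t uid;
    gid_t gid;
    char label[256];            /* a Smack label is at most 255 characters */
    int has_label;              /* 0 when the kernel gave no security label */
};

/* Fills `id` from the peer of the connected UNIX socket `fd`; 0 or -errno. */
int get_peer_identity(int fd, struct peer_identity *id)
{
    struct ucred cred;
    socklen_t len = sizeof cred;

    memset(id, 0, sizeof *id);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -errno;
    id->pid = cred.pid;
    id->uid = cred.uid;
    id->gid = cred.gid;

    len = sizeof id->label - 1;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, id->label, &len) == 0) {
        id->label[len] = '\0';  /* some LSMs do not include the terminator */
        id->has_label = 1;
    } else if (errno != ENOPROTOOPT && errno != EOPNOTSUPP && errno != EINVAL) {
        return -errno;          /* a real failure, not merely "no label here" */
    }
    return 0;
}

/* Self-test: both ends of a socketpair belong to this process, so the peer
 * credentials seen on one end must be our own pid, uid and gid. */
int peer_identity_self_test(void)
{
    int sv[2], rc;
    struct peer_identity id;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    rc = get_peer_identity(sv[0], &id);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return rc;
    if (id.pid != getpid() || id.uid != getuid() || id.gid != getgid())
        return -1;
    printf("peer pid=%ld uid=%ld gid=%ld label=%s\n", (long)id.pid,
           (long)id.uid, (long)id.gid, id.has_label ? id.label : "(none)");
    return 0;
}
```

On an AGL image with Smack enabled the printed label is the client's Smack label (User::App::HVAC in the example above); on a development host without Smack it reads "(none)" or the label of the host's own LSM.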
Cynara agents (diagram): for some queries, the cynara server may ask an "agent" to give or not the authorization.
– Example 1: an agent can ask the user. The dialog reads: "Attention: the application HVAC requires permission to change temperature. Do you accept? Yes forever / Yes now / Not now / Never".
– Example 2: an agent can ask the session manager.
Diagram: HVAC, low-can and cynara, now with the cache and the agent.
a patched version of DBUS (1.10.20 for AGL and 1.10.6 for tizen where current development is 1.13.6)
– Includes asynchronous cynara checks
– Will not enter upstream
https://wiki.tizen.org/Security:Cynara
https://git.automotivelinux.org/AGL/meta-agl/tree/meta-security/recipes-security/cynara
https://git.automotivelinux.org/AGL/meta-agl/tree/meta-security/recipes-core/dbus-cynara
Diagram: application A and services B, C and D.
(and/or applications) is a detail that must be abstract to developers
applications and services
Example: a call to get the verbosity level of the API monitor:

    monitor/get({"verbosity": "monitor"})

"monitor" is the api (or service), "get" is the verb (or method) of the api, and the request argument is any JSON value.

Example: curl invocation

    $ curl -H 'x-afb-token: HELLO' \
        localhost:1056/api/monitor/get?verbosity=monitor

Example: javascript invocation

    afb.call('monitor/get', {'verbosity': 'monitor'}).then(gotapis);

Example: C binding invocation

    wrap_json_pack(&req, "{ss}", "verbosity", "monitor");
    afb_api_call(myapi, "monitor", "get", req, gotapis, NULL);

The reply is a JSON value:

    { "verbosity": { "monitor": "info" }}
– Using HTTP(s) and WS(s), the model crosses firewalls
– JSON data as argument or result introduce flexibility, reliable portability and wide language binding
– Agnostic about programming language
– Need for agreement on names of API
– JSON (de)serialisation
Deployment (diagram): the cloud, and a Connected car with a Master ECU and an Other ECU hosting APPLI and SERVICE processes with their BINDERs A, B, C, D and BINDINGs, linked by HTTPS+WSS/TCP, WS/UDS and WSS/TCP.
WS: WebSocket, WSS: WS Secured, UDS: Unix Domain Socket
implements one or more apis
name and implemented by only one binding
return result, can be protected
remote api is accessed like a local api
(UDS, WS/UDS, WS/TCP, HTTP, linked)
RPC: Remote Procedure Call
OPA: One Page Application
– By permissions
– By Level Of Assurance
– By secret token
failure in bindings
– Container process
  possibly scripts if needed in future -js?-)
– Transport
– Security
– Standardized high level Sync/Async API
– Standardized high level event model
– Expose API through HTTP or WebSocket
– One or more API published through binder
– Provided as: afb-daemon
Diagram: an APPLICATION BINDER (afb-daemon) serving application A and a BINDER (afb-daemon) serving B, with APIs X, Y and Z. Labels of the diagram:
– The application and its binder run in the same security context.
– This binder implements two APIs: X and Y.
– This API is remote or imported.
– This binding implements only API Z.
– Implicit API/WS RPC: the binder exports the API Z.
– Explicit HTTP+WS link.
– Common HTTP+WS: this connection is the common one (HTTP and/or WebSocket).
websocket for it api "pod".
– Specific API/WS: this connection is specific to an API (API over special WebSocket).
apis using point to point connections
advantages are:
– less contention (pressure),
– no mediator (security and efficiency)
Diagram: three BINDERs (afb-daemon), one providing APIs X, Y and Z, one APIs Z and Y, one API Y, connected point to point.
to binders either by their WS/HTTP pod or by their API/WS pod
that library: afb-client-demo. It can be used to connect to binders during development.
binders, they get for free:
– High level programming model with events
– Connectivity managed
– Security enforced
– Connect to a binder that is connected to service
– Connect directly to the services it uses through libafbwsc, but in this case integration with the whole system may encounter glitches
Diagram: an APPLICATION in its security context talks over HTTP / WebSocket to its BINDER and BINDINGs; a SERVICE in its own security context has its BINDER and BINDING; the link between them can be either DBus or UDS.
Native link to services is not forbidden. A library allows to connect to Binder's services. A service can be implemented on top
and introspect itself
that allows to inspect all binders, APIs and sessions
supervisor
restricted
reduced on cars
Diagram: many BINDERs connected to one SUPERVISOR.
https://git.automotivelinux.org/src/app-framework-binder/
http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-binder/afb-overview.html
– It exports a set of verbs that can be called
for their client
in other context or other binders
In Flounder, bindings are able to define 0, 1 or many APIs:
– 0: No public interface, useful to create in-binder applications
– 1: The standard case, static declaration preferred
– 2+: This rare case is implemented by the controller and used by 4A (AGL Advanced Audio Architecture)
needed)
standardizing on how REST APIs are described
v3 specification
based on its openAPI description
description of its API through the call monitor/get({"api": true})
must respect and conform:
– PREINIT: The binder discovers the bindings and loads them.
– INIT: All the bindings are loaded, the binder calls the initialization function (if any) of all APIs.
– RUNNING: All initialization successful
table of C++
– Binder can adapt to the version of the binding
– A same binding binary can be used by the binder or by programs implementing binder interfaces
Diagram: a BINDING and a BINDER joined through the binding's interface and the binder's interface; likewise a BINDING and SOME APPLICATION.
    #define AFB_BINDING_VERSION 3
    #include <afb/afb-binding.h>

    /* verb "hello": logs at debug level and replies with the info "hello world" */
    void hello(afb_req_t req)
    {
        AFB_REQ_DEBUG(req, "hello world");
        afb_req_reply(req, NULL, NULL, "hello world");
    }

    /* table of verbs, terminated by a NULL verb name */
    const afb_verb_t verbs[] = {
        { .verb = "hello", .callback = hello },
        { .verb = NULL }
    };

    /* the exported binding: one API named "tuto-1" */
    const afb_binding_t afbBindingExport = {
        .api = "tuto-1",
        .verbs = verbs
    };

In the binding header, afb_req_reply is an inline function forwarding to the binder through the request's interface:

    static inline void afb_req_reply(afb_req_t req, json_object *obj,
                                     const char *error, const char *info)
    {
        req->itf->reply(req, obj, error, info);
    }
– These are in fact handles to push events
– Ex: the api telephony creates an event incomingCall that is finally named event telephony/incomingCall
– Pushing means sending the data tagged by the event name to all listeners
adding or removing it to the list of listeners
    afb_event_t evt_knock;

    /* verb "knock": forwards the request's JSON to every listener of the event */
    void knock(afb_req_t req)
    {
        /* afb_event_push consumes a reference, hence json_object_get */
        afb_event_push(evt_knock, json_object_get(afb_req_json(req)));
        afb_req_reply(req, NULL, NULL, NULL);
    }

    /* verb "listen": subscribes (true) or unsubscribes (false) the caller */
    void listen(afb_req_t req)
    {
        if (json_object_get_boolean(afb_req_json(req)))
            afb_req_subscribe(req, evt_knock);
        else
            afb_req_unsubscribe(req, evt_knock);
        afb_req_reply(req, NULL, NULL, NULL);
    }

    /* API initialization (v3 expects an int): creates the event "<api>/knock" */
    int init(afb_api_t api)
    {
        evt_knock = afb_api_make_event(api, "knock");
        return afb_event_is_valid(evt_knock) ? 0 : -1;
    }
Build flow (diagram): from the AGL profile sources (core, system, user), yocto generates the core image and yocto generates the SDK; the application sources are compiled with the AGL SDK into a widget (WGT).
The developer team produces the application or service and describes its product and its requirements in the configuration file config.xml.
    <?xml version="1.0" encoding="UTF-8"?>
    <widget xmlns="http://www.w3.org/ns/widgets" id="org.openstreetmap.agl.pushviews" version="1.0.1">
      <name>Push street views</name>
      <icon src="pushviews.png"/>
      <content src="index.html" type="text/html"/>
      <description>Pushes camera views to openstreetmap</description>
      <author>Open Street Map</author>
      <license>GPL</license>
      <feature name="urn:AGL:widget:required-api">
        <param name="gps" value="ws" />
        <param name="sensors" value="ws" />
        <param name="camera" value="ws" />
        <param name="pushviews:https://agl.openstreetmap.org/cloud/pushviews" value="cloud" />
      </feature>
      …
      …
      <feature name="urn:AGL:widget:required-permission">
        <param name="urn:AGL:permission:gps:public:read" value="required" />
        <param name="urn:AGL:permission:sensors:public:read" value="required" />
        <param name="urn:AGL:permission:camera:public:take:front" value="required" />
        <param name="urn:AGL:permission:camera:public:take:rear" value="optional" />
      </feature>
    </widget>
The developer team signs its product (signed content).
Signed content with Authority 1 and Authority 2 (diagram): that authority adds a key that will unlock special permissions.
The WGT packages the signed content, its config and its signatures.
Packaged content (diagram): config.xml and the signatures inside the WGT; this signature opens permissions to the widget.
Layout of an installed widget:

    /
      bin                      Native executables
      lib                      Local libraries of executables (RPATH)
      libexec                  Bindings
      etc                      Configuration files ...
      lang/en, lang/jp         Internationalization
      htdocs                   Served HTTP files (index.html ...)
      config.xml, author.sig   Manifest files ...
https://www.w3.org/TR/widgets/
https://www.w3.org/TR/widgets-digsig/
https://git.automotivelinux.org/src/app-framework-main/
Timeline (figure) of Tizen 3, Ostro and AGL, from March 2015 to Oct. 2017 (with June 2015, Dec. 2016 and March 2017 in between): first Tizen 3 security release; AGL spec 1.0 (May 28th); integration to AGL; start of refitting the framework; introduction; synchronization; integration to systemD; integration to systemD with users.
set of permissions for an installed app
certificates

    Level      Who                 Access
    public     Any Tiers           Can't use sensitive features
    partner    Authorized Tiers    Can access some sensitive features
    platform   Confident Tiers     Can access many sensitive features
    system     Manufacturer        Can access ALL features
urn:AGL:permission:<api>:<level>:<hierarchical-name>
– <api>: the API providing the permission (if starting with @, then it is a transverse permission not linked to an API)
– <level>: one of the values system, platform, partner, publisher, owner, public
– <hierarchical-name>: colon separated names, possibly defining hierarchies of permissions
Cryptography protection
Examples:
Installation (diagram): the AGL framework takes the WGT files and installs them in the DB of apps = widget's files + systemd units; the APPLICATION then runs as a systemd service in its Security Context.
– Manages rights: smack + cynara + groups
– Isolate
– Natural integration with boot sequence
– Socket activation of services
– Integration of cgroups and many other advanced topics for free
Unit installer (diagram): the config.xml of the WGT is turned into json; the Mustache engine applies the template /etc/afm/afm-unit.conf to it and writes the units description (*.service, *.socket, ...) through temporary data.
EXTRACT OF CONFIG.XML:

    <feature name="urn:AGL:widget:required-permission">
      <param name="urn:AGL:permission:real-time" value="required" />
      <param name="urn:AGL:permission:syscall:*" value="required" />
    </feature>

INTERNAL JSON (internal transform during installation):

    "required-permission": {
      "urn:AGL:permission:real-time": {
        "name": "urn:AGL:permission:real-time",
        "value": "required"
      },
      "urn:AGL:permission:syscall:*": {
        "name": "urn:AGL:permission:syscall:*",
        "value": "required"
      }
    }
TEMPLATE:

    Hello {{name}}
    You have just won {{value}} dollars!
    {{#in_ca}}
    Well, {{taxed_value}} dollars, after taxes.
    {{/in_ca}}

DATA:

    {
      "name": "Chris",
      "value": 10000,
      "taxed_value": 10000 - (10000 * 0.4),
      "in_ca": true
    }

PRODUCT:

    Hello Chris
    You have just won 10000 dollars!
    Well, 6000.0 dollars, after taxes.

Details: https://mustache.github.io/ and https://gitlab.com/jobol/mustach
    [Service]
    SmackProcessLabel=User::App::{{:id}}
    User=%i
    CapabilityBoundingSet=
    AmbientCapabilities=
    Slice=user-unlimited-%i.slice
    {{#required-permission}}
    {{#urn:AGL:permission::public:display}}
    SupplementaryGroups=display
    {{/urn:AGL:permission::public:display}}
    {{/required-permission}}

Annotations: SmackProcessLabel is the setting of SMACK; User=%i is the UID of the user, given as the parameter; the SupplementaryGroups section is a conditional group.
Diagram (USER LAND / SYSTEM LAND): in user land, the application and its bindings run in afb-daemon within their Security Context, next to the transitional afm-user-daemon (legacy) and afm-util; in system land, afm-system-daemon and systemd; the links are dbus and ws-client.
https://git.automotivelinux.org/src/app-framework-main/
http://docs.automotivelinux.org/docs/apis_services/en/dev/
https://github.com/iotbzh/nss-localuser
– Key RF
– Phone
– Gesture
– ...
PAM activation
✔ Pluggable Authentication Module
✔ Standard
✔ Highly configurable
✔ Modular design
✔ Face recognition
✔ Voice identification
✔ Password
authentication
Diagram: the User identity service authenticates the session and opens the USER SESSION, linking the cloud identity, the user services and the user applications.
Diagram: the USER SESSION with the User identity service, the cloud identity, the user services, the user applications and the user data.
Diagram: within the USER SESSION, the Home screen asks afm-system-daemon, which starts the user applications through systemd; the UID of the client is the parameter.
services and binders. It allocates security tokens.
token.
token is valid or not.
APPFW to a specialized service (design).
– Expiration
– Credentials
– Abstract identity
Local launch (diagram): in the AGL domain (CAR), the LOCAL "HOME SCREEN" asks the AGL APPFW to launch APP 23, which connects to BINDER 23.
(1) Ask to launch APP 23
(2) Launch APP 23
(3) Ask its token (check of PID, SMACK, UID)
(4) Connect to the binder with its token
(5) Check token validity
Remote access (diagram): a CLIENT BROWSER on the internet reaches the APPLICATION through a REVERSE PROXY of the AGL domain (CAR) over HTTPS / WSS (tcp); inside the car the AGL BINDER is reached over tcp or uds. The remote client can run on Windows, Android, Linux, ...
Remote launch (diagram): a CLIENT BROWSER on the internet reaches the REMOTE "HOME", then BINDER 23 of APP 23, through the REVERSE PROXY of the AGL domain (CAR), with the AGL APPFW in between.
(1) Ask to launch APP 23
(2) Returns the URL of the BINDER for APP 23 and its token (in the URI?)
(3) Connect to the binder with its token
(4) Check token validity
Invalid token (diagram): same actors, CLIENT BROWSER, REVERSE PROXY, BINDER 23, APP 23 and the AGL APPFW of the AGL domain (CAR).
(1) Connect to the binder with invalid token
(2) Check token validity
(3) Return redirect
(4) Redirected query (sequel depends on policies)
HTML5 application (diagram): a Web Browser on the internet, or the local webruntime, reaches BINDER A over HTTPS+WSS/TCP.
– remote access to the binder
– server OPA compliant
– connection to AGL services
– simple connection to AGL APIs in javascript
– Same security context, data of the application, access to services
OPA: One Page Application
    // onabort, onevent, onsuccess and onerror are the application's handlers (not shown)
    var loc = document.location;
    var args = new URLSearchParams(loc.search.substring(1));
    var afb = new AFB({
        host: loc.hostname + ':' + loc.port,
        token: args.get("x-afb-token") || args.get("token") || "HELLO"
    });
    var ws = new afb.ws(onopen, onabort);

    function onopen() {
        ws.onclose = onabort;
        ws.onevent("*", onevent);
        ws.call("api/verb", { arg1: true, arg2: 'data' }).then(
            onsuccess, onerror);
    }
HTML5 application with a binding (diagram): the Web Browser or the local webruntime reaches BINDER A over HTTPS+WSS/TCP; the binder loads a binding and exposes its API.
a binding
– Binary acceleration
– Confidential code
– Access to hardware
binding aren't exported
access the binding API
Access to services
    <?xml version="1.0" encoding="UTF-8"?>
    <widget xmlns="http://www.w3.org/ns/widgets" id="exthtml5" version="1.0">
      <name>Extended HTML5</name>
      <icon src="icon.png"/>
      <description>Example of application with binding</description>
      <author>me</author>
      <license>MIT</license>
      <content src="index.html" type="text/html"/>
      <feature name="urn:AGL:widget:required-binding">
        <param name="libexec/binding-exthtml5.so" value="local" />
      </feature>
    </widget>
essential to building a system
be protected by permissions
Diagram: service S with its BINDER exposing the exported API, the data of the service and its access to services.
Native application (diagram): BINDER A is reached natively over HTTP+WS/TCP.
– remote access to the binder
– server OPA compliant
– connection to AGL services
– simple connection to AGL APIs in javascript
– Access to services
https://git.automotivelinux.org/src/app-framework-binder/tree/test/AFB.js
https://git.automotivelinux.org/apps/app-afb-helpers-submodule/
Of Assurance) (from 0 to 7)
– Level of Assurance 1: Little or no confidence in the asserted identity's validity.
– Level of Assurance 2: Some confidence in the asserted identity's validity.
– Level of Assurance 3: High confidence in the asserted identity's validity.
– Level of Assurance 4: Very high confidence in the asserted identity's validity.
afb_req_session_set_LOA
called
LOA level for their own purpose
    /* verb "login": guarded by a permission; on success raises the session LOA to 1 */
    void login(afb_req_t req)
    {
        afb_req_session_set_LOA(req, 1);
        afb_req_success(req, NULL, NULL);
    }

    /* verb "action": only callable once the session LOA is at least 1 */
    void action(afb_req_t req)
    {
        afb_req_success(req, NULL, NULL);
    }

    afb_auth_t autlogin = {
        .type = afb_auth_Permission,
        .text = "urn:AGL:permission:..."
    };

    afb_verb_t verbs[] = {
        { .verb = "login", .callback = login, .auth = &autlogin },
        { .verb = "action", .callback = action, .session = AFB_SESSION_LOA_1 },
        { .verb = NULL }
    };
http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-binder/reference-v3/func-req.html#afbreqsessionsetloa
http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-binder/reference-v3/types-and-globals.html#the-types-afbautht-and-afbauthtypet
KEEP IT SIMPLE and Flying !