securing linux
play

Securing Linux Hyungjoon Koo and Anke Li Fall 2014:: CSE 506:: - PowerPoint PPT Presentation

Mar 03, 2024 •1.08k likes •1.39k views

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux Hyungjoon Koo and Anke Li Fall 2014:: CSE 506:: Section 2 (PhD) Outline Overview Background: necessity & brief history Core concepts LSM (Linux Security Module)

  1. Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux Hyungjoon Koo and Anke Li

  2. Fall 2014:: CSE 506:: Section 2 (PhD) Outline • Overview – Background: necessity & brief history – Core concepts • LSM (Linux Security Module) – Requirements – Design • SELinux – Key elements – Security context: identity (SID), role, type/domain • AppArmor – Key elements – Application policy profile • SELinux vs AppArmor

  3. Fall 2014:: CSE 506:: Section 2 (PhD) Why a new access control model • Limited traditional access control for Linux – Discretionary Access Control (DAC) • Provide only a coarse access control • 9 bits model ( rwx per owner, group and others) • Has setuid , setgid and sticky bit - not enough • Cases when a fine-grained access control needs – Does passwd require root access to printers? – Suppose I have a secret diary and the app to read it • Can I restrict my app from reading/writing a socket over network? – Alice might have multiple roles • Surfing the web, writing a report, and managing a firewall

  4. Fall 2014:: CSE 506:: Section 2 (PhD) Brief history • Increasing the demand for reference monitor in Linux – A mechanism to enforce access control – Originate from orange book from the NSA: too generic • Adopting LSM in Linux Kernel – Originally a set of kernel modules in 2.2, updated in 2.4 – LSM (Linux Security Module) Feature in 2.6 • SELinux developed by the NSA and released in 2001 • Default choice for Fedora/RedHat Linux • Lots of early works – Subdomain ( AppArmor ), Flask ( SELinux ), OpenWall , …

  5. Fall 2014:: CSE 506:: Section 2 (PhD) Reference monitor • A component that authorizes access requests at the RMI defined by individual hooks which invokes module to submit a query to the policy store From Operating System Security (Fig 2.3)

  6. Fall 2014:: CSE 506:: Section 2 (PhD) Core concepts • Idea: Define policies to decide if applications/users have the privilege to proceed a given operation – MAC: Mandatory access control – Least Privileges • Broadly covered security policy – To all subjects, all objects and all operations – As everything in Linux is represented as a FILE • files, directories, devices, sockets, ports, pipes, and IPCs

  7. Fall 2014:: CSE 506:: Section 2 (PhD) Linux Security Module (LSM) • Implementation of a reference monitor • Requirements – Modularized security – Loadable modules – Centralized MAC – LSM API

  8. Fall 2014:: CSE 506:: Section 2 (PhD) LSM design • Definition – How to invoke permission check? • By calling the initiated function pointers in security_ops • Aka LSM hooks – One hook is shown below: static inline int security_inode_create (struct inode *dir, struct dentry *dentry, int mode) { if (unlikely (IS_PRIVATE (dir))) return 0; return security_ops->inode_create (dir, dentry, mode); } • Placement • Implementation

  9. Fall 2014:: CSE 506:: Section 2 (PhD) LSM design - hooking • Simple diagram of hooking Process 1 Process 2 … Process N int 0x80 User Space Kernel Space System Call Handler LSM System call Func ptr Hook to LSM lsm_open() open() 0xffffaaaa lsm_open(), 0xffffbbbb read() 0xffffaaba lsm_read(), 0xffffbbcb lsm_read() write() 0xffffaaca lsm_write(), 0xffffbbdb lsm_write() getdents() 0xffffaada lsm_getdents(), 0xffffbbeb lsm_getdents() … … …

  10. Fall 2014:: CSE 506:: Section 2 (PhD) LSM design • Definition • Placement – Where to place those hooks? • Entry of system call (not all of them) • Determined by source code analysis – Inline function • E.g., security_inode_create • Implementation

  11. Fall 2014:: CSE 506:: Section 2 (PhD) LSM design – hooking example • open () hook process – Process syscall in user • file path • operation – Invoke syscall in kernel – Lookup inode – Check DAC – Hook & check MAC – Grant access From Operating System Security (Fig 9.2)

  12. Fall 2014:: CSE 506:: Section 2 (PhD) LSM design • Definition • Placement • Implementation – Where to find the function which hooks point to? – SELinux, AppArmor, LIDS, etc. – Does placement need to change in different LSMs? • Theoretically yes • Practically, the placement of hooks is stabilized

  13. Fall 2014:: CSE 506:: Section 2 (PhD) SELinux at a glance • Security Policies – Centralized store for access control – Can be modified by the SELinux system administrator – Determined by security contexts (=user, role, type) – Specification of permissions – Labeled with information for each file • Based on TE (Type Enforcement) and RBAC model • Operations to objects for subjects – append, create, rename, rwx, (un)link, (un)lock, … • Object classes – file, IPC, network, object, …

  14. Fall 2014:: CSE 506:: Section 2 (PhD) Some valid questions • How can SELinux internally incorporate with DAC? – DAC then MAC • Who writes the policy? – Admin • Isn't it hard to write a policy? – Indeed, and complicated (for SELinux ) • What happens if there is wrong policy? – Hell API names are admittedly confusing

  15. Fall 2014:: CSE 506:: Section 2 (PhD) Security context • Consist of three security attributes – User identity (SID, Security identifier) • SELinux user account associated with a subject or object • Different from traditional UNIX account (i.e /etc/passwd ) – Type or domain – Role (RBAC)

  16. Fall 2014:: CSE 506:: Section 2 (PhD) Security context • Consist of three security attributes – User identity (SID, Security identifier) – Type or domain • Postfix _t (i.e user_t, passwd_t, shadow_t , … ) • Divide subjects and objects into related groups • Typically type is assigned to an object, and domain to a process • Primary attribute to make fine-grained authorization decisions – Role (RBAC)

  17. Fall 2014:: CSE 506:: Section 2 (PhD) Security context • Consist of three security attributes – User identity (SID, Security identifier) – Type or domain – Role (RBAC) • Postfix _r (i.e sysadm_r, user_r, object_r , … ) • User might have multiple roles • Associate the role with domains (types) that it can access • Not assign permissions directly • Limits a set of permission ahead of time • If role is not authorized to enter a domain then denied

  18. Fall 2014:: CSE 506:: Section 2 (PhD) Security context example • Putting all together – Alice wants to change her password • SID alice with the user role, user_r • Role permitted to run typical user processes • Any process with user_t to execute the passwd_exec_t label role user_r types {user_t user_firefox_t} <perm> <sub_type> <obj_type>:<obj_class> <op_set> Allow user_t passwd_exec_t:file execute Allow passwd_t shadow_t:file {read write} <file_path_expr> <obj_context> /usr/bin/passwd system_u:object_r:passwd_exec_t /etc/shadow.* system_u:object_r:shadow_t

  19. Fall 2014:: CSE 506:: Section 2 (PhD) Decision making with policy • Access decision – Based on security context – allow, auditallow, dontaudit, and neverallow • Q: how can we decide policy for a temporary object? – temp processes (i.e fork) and files • A: transition decision – Process creation: domain transmission – File creation: type transmission (labelling) type_transition <curr_type> <exe_file_type>:process <res_type> type_transition user_t passwd_exec_t:process passwd_t

  20. Fall 2014:: CSE 506:: Section 2 (PhD) Transition decision examples • Process creation • File creation – Domain decision – Type decision From SELinux Ch2

  21. Fall 2014:: CSE 506:: Section 2 (PhD) Implementation • Policy sources – .te files (type enforcement) • Define rules and macros( m4 ) & assign permissions – . fc files (file context) • Define file contexts, supporting regular expression – RBAC files – User declarations • Makefile (target: policy, install, …) • Policy compiler – Merge all policies to policy.conf – Generate policy binary, centralized policy storage

  22. Fall 2014:: CSE 506:: Section 2 (PhD) AppArmor at a glance • Another mainstream of LSM implementation • Much simpler framework than SELinux – Targeted policy – An “application security system” – Pathname based – Work in two modes: • enforce mode and complain mode – One policy file per application • Used by some popular Linux distributions – Ubuntu, openSUSE, etc.

  23. Fall 2014:: CSE 506:: Section 2 (PhD) How AppArmor works? • Designed to be a complement to DAC – Can’t provide complete access control • Born to be targeted policy – unconfined_t in SELinux • Application based access control – One policy file per application – Protect system against applications • File + POSIX capabilities

  24. Fall 2014:: CSE 506:: Section 2 (PhD) AppArmor profile • Capability rules: capability setuid, capability dac_override, • Network rules: network (read, write) inet, deny network bind inet, • File rules: /path/to/file rw, /dir/** r,

  25. Fall 2014:: CSE 506:: Section 2 (PhD) SELinux vs AppArmor • Whole system vs. only a set of applications • Types & domains vs. defining permission directly • Strict MAC implementation vs. Partially implement • Extended attributes vs. pathname • Difficulty to configure – SELinux needs 4x bigger conf. file than AppArmor • Overhead? – 7% vs. 2%

  26. Fall 2014:: CSE 506:: Section 2 (PhD) Conclusion • SELinux and AppArmor can both greatly enhance OS security. • Choice depends on what you need.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the outside To protect Linux VMs from outside attacks (from processes running on the host). Injecting code into the boot chain. Stealing data from

559 views • 18 slides
Securing Linux John Kristoff jtk@depaul.edu http://condor.depaul.edu/~jkristof/ +1 312 362-5878

Securing Linux John Kristoff jtk@depaul.edu http://condor.depaul.edu/~jkristof/ +1 312 362-5878

Securing Linux John Kristoff jtk@depaul.edu http://condor.depaul.edu/~jkristof/ +1 312 362-5878 DePaul University Chicago, IL 60604 NWU Security Day John Kristoff - DePaul University 1 Starting comments A mish-mash of

678 views • 32 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux &amp; freeBSD Securing &amp; Managing Wireless LAN : Implementing 802.1x EAP-TLS PEAP-MSCHAPv2

278 views • 14 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Wireless LAN Security Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking

Wireless LAN Security Setup &amp; Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux &amp; freeBSD Securing &amp; Managing Wireless LAN : Implementing 802.1x EAP-TLS

417 views • 29 slides
Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&amp;Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

The State of Desktop Linux: Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig www.mylinuxrig.com @steven_ovadia *** Associate Professor/Web Services Librarian LaGuardia Community College About My Linux

458 views • 27 slides
Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux History Linux Architecture Logging in to Linux Command Format Linux Filesystem Directory and File Commands Wildcard Characters

686 views • 19 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

766 views • 57 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux FoundaGon

721 views • 55 slides
protoDUNE-SP Cold Electronics Calibration Two in situ DAC available on the FEMB

protoDUNE-SP Cold Electronics Calibration Two in situ DAC available on the FEMB

protoDUNE-SP Cold Electronics Calibration Two in situ DAC available on the FEMB external generated by the FPGA internal generated by the FE ASIC Configure: FPGA controls clock to generate all pulses: Set FPGA to

473 views • 3 slides
Review on DAC Review on DAC DAC Draw the grant diagram for the following Draw the grant

Review on DAC Review on DAC DAC Draw the grant diagram for the following Draw the grant

Review on DAC Review on DAC DAC Draw the grant diagram for the following Draw the grant diagram for the following sequences of grant statements User User Action Action U Grant p, q, r to V, W with grant option V Grant p, q, r to T

350 views • 9 slides
Logic &amp; Data Management Wim Martens University of Bayreuth Logic Mentoring Workshop @ LICS

Logic &amp; Data Management Wim Martens University of Bayreuth Logic Mentoring Workshop @ LICS

Research in Logic &amp; Data Management Wim Martens University of Bayreuth Logic Mentoring Workshop @ LICS 2020 Why Data Management? (1) It is an incredibly relevant fi eld (2) Ti e Logic Force is strong in Data Management (3) [Image removed]

633 views • 45 slides
FREE E RESID IDEN ENCE OF PEOPLE AND MOBIL ILIT ITY IN SOUTH AMERI ERICA Dr Diego Acosta

FREE E RESID IDEN ENCE OF PEOPLE AND MOBIL ILIT ITY IN SOUTH AMERI ERICA Dr Diego Acosta

FREE E RESID IDEN ENCE OF PEOPLE AND MOBIL ILIT ITY IN SOUTH AMERI ERICA Dr Diego Acosta d.acosta@bristol.ac.uk Twitter: @dacostalaw www.diegoacosta.eu Discourse The hu human right to to migration and the recognition of

354 views • 10 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 41: April

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 41: April

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 41: April 17, 2018 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 52 Importance of DAC in using &quot; Modulator

693 views • 13 slides
A history of the k-means algorithm Hans-Hermann Bock, RWTH Aachen, Allemagne 1. Clustering with

A history of the k-means algorithm Hans-Hermann Bock, RWTH Aachen, Allemagne 1. Clustering with

A history of the k-means algorithm Hans-Hermann Bock, RWTH Aachen, Allemagne 1. Clustering with SSQ and the basic k-means algorithm 1.1 Discrete case 1.2 Continuous version 2. SSQ clustering for stratified survey sampling Dalenius (1950/51) 3.

587 views • 24 slides
Efficient Parallel Verification of Galois Field Multipliers Cunxi Yu, Maciej Ciesielski ECE

Efficient Parallel Verification of Galois Field Multipliers Cunxi Yu, Maciej Ciesielski ECE

Efficient Parallel Verification of Galois Field Multipliers Cunxi Yu, Maciej Ciesielski ECE Department University of Massachusetts, Amherst Why Research on Verification ? q Verification cost n 57% in 2014 designs 61-70% n Increasing q

330 views • 29 slides
DualFS: a New Journaling Journaling File System without File System without DualFS: a New

DualFS: a New Journaling Journaling File System without File System without DualFS: a New

International Conference on Supercomputing International Conference on Supercomputing (ICS 2002) (ICS 2002) New York, New York, June 2002 New York, New York, June 2002 DualFS: a New Journaling Journaling File System without File System

352 views • 21 slides

More recommend