Rapid AIX Security Hardening with Trusted Execution (TE) AIX schnell absichern mit Trusted Execution Andreas Leibl, RSTC Ltd

Transcription

1 IBM Power Systems und Systems Management Symposium Rapid AIX Security Hardening with Trusted Execution (TE) AIX schnell absichern mit Trusted Execution Andreas Leibl, RSTC Ltd

2 Andreas Leibl RSTC Ltd based in Bristol, UK and Ulm, Germany If you have any questions about the talk please send me an or contact me in LinkedIn: Xing: 2

3 Agenda AIX Security Trusted Execution (TE) & Trusted Computing Base (TCB) System Integrity Check Runtime Integrity Check Trusted Path Adding your own files 3

4 AIX & Security UNIX type security (accounts & permissions) Role Based Access Control (enhanced RBAC) enhanced in AIX 7.1 with Domain RBAC Trusted Execution (TE) 4

5 RBAC Role Based Access Control Fine granular control Kernel level, applications need not be modified No privilege escalation through faulty programs or shell escapes Users gain privileges through roles which allow them to execute certain operations Superior to sudo 5

6 Domain RBAC RBAC enhancement in AIX 7.1 Allows restrictions of privileges to certain objects Example: Right to resize filesystems can be limited to certain filesystems 6

7 Trusted Execution Replaces Trusted Computing Base (TCB) Superior capabilities TCB still available 7

8 Trusted Computing Base (TCB) Needs to be enabled at install time Limited to static (offline) checks (security sweeps) Default database quite limited (heavy use of VOLATILE keyword which effectively disables TCB checks for specified files) Weak checksums - low security 8

9 TE vs. TCB TE can be enabled at any time Uses cryptographically strong hashes Hashes can be cryptographically signed Runtime (online) checks in addition to static (offline) checks 9

10 TE Protection Trojan horses Root kits Any tampering with critical files Can easily be extended to include user files 10

11 Trusted Execution Requirements AIX 6.1 or 7.1 CryptoLight for C library (clic.rte.*) from expansion pack lslpp -l 'clic.*' Fileset Level State Description Path: /usr/lib/objrepos clic.rte.kernext COMMITTED CryptoLite for C Kernel clic.rte.lib COMMITTED CryptoLite for C Library Path: /etc/objrepos clic.rte.kernext COMMITTED CryptoLite for C Kernel 11

12 TE: Strong Hashes One way hash functions generate secure fingerprint of files Default hash algorithm: SHA256 Also available: SHA1 (160 bits), SHA512 Can sign the hashes in the TE database for added security AIX files come with signed hashes from IBM 12

13 Trusted Signature Database Can use grep -p or the proper command to see stanzas in the TE database: trustchk -q /usr/bin/ls /usr/bin/ls: owner = bin group = bin mode = 555 type = FILE hardlinks = symlinks = size = cert_tag = 00d3cbd b209 signature = 964bf2d53b4e0b6c3be62e2569ab9da192634a69d5f2d eb f0d da627ea2cd7b a1c82e25cbf585733de4e88dc649b5306dfb7427b32c29ac37f259ed5f6598c415f682abda422ee3a f9f1f7191b32ebcd467ad3ca302425c5607e59ffad1fcd69306f c2f0c1d8e143b1752d hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8 minslabel = maxslabel = intlabel = accessauths = aix.fs.object.list innateprivs = PV_DAC_R,PV_DAC_X inheritprivs = authprivs = secflags = FSF_EPS t_innateprivs = PV_MAC_R,PV_MIC 13

14 System Integrity Check TE checks all files listed in database Changed permissions are corrected Changed files are disabled (read, write and execute permissions revoked) Run manually or by crond 14

15 Planting a Trojan Horse Let's do something nasty... mv /usr/bin/ls /usr/bin/.ls vi /usr/bin/ls... cat /usr/bin/ls!/usr/bin/sh Replacing the ls command with a malicious version that installs a backdoor and then emulates ls behaviour echo "Doing something dirty here (which you can't see)..." /usr/bin/.ls $* chmod 555 /usr/bin/ls ls /home Doing something dirty here (which you can't see)... guest lost+found root 15

16 System Integrity Check in Action - Check only trustchk -n ALL trustchk: Verification of attributes failed: /usr/lpp/ diagnostics/bin/ecc_mcode_get : mode trustchk: Verification of attributes failed: /usr/sbin/sshd : size trustchk: Verification of attributes failed: /usr/sbin/ ifconfig.ib : group trustchk: Verification of attributes failed: /usr/bin/ls : owner group size hashvalue signature 16

17 System Integrity Check Sometimes produces false alerts Means: TSD wasn t updated correctly (includes permissions,suid) or files were removed or properties not specified (like size in case of sshd) The -n flag only means trustchk only reports problems -> no corrective action 17

18 Checking the Hash want to check the hash value? openssl dgst -sha256 /usr/bin/ls SHA256(/usr/bin/ls)= 4e6da7a726bb27428f2e8321a2aea231f587e88aacc03ac766c0cf1a openssl dgst -sha256 /usr/bin/.ls SHA256(/usr/bin/.ls)= 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8 trustchk -q /usr/bin/ls grep hash hash_value = Modifed ls Original ls TSD entry 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8 18

19 System Integrity Check - Interactive Use trustchk -t to correct problems interactively trustchk -t /usr/bin/ls trustchk: Verification of attributes failed: owner Change the file owner for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n trustchk: Verification of attributes failed: group Change the file group for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n trustchk: Verification of attributes failed: size Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n trustchk: Verification of attributes failed: hash Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n trustchk: Verification of attributes failed: signature Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n trustchk: Verification of stanza failed: 19

20 System Integrity Check - Autocorrection trustchk -y = auto (think fsck -y) trustchk -y /usr/bin/ls trustchk: Verification of attributes failed: owner trustchk: Verification of attributes failed: group trustchk: Verification of attributes failed: mode trustchk: Verification of attributes failed: size trustchk: Verification of attributes failed: hash trustchk: Verification of attributes failed: signature trustchk: Verification of stanza failed: /usr/bin/.ls -l /usr/bin/ls T 1 bin bin 93 May 28 16:07 /usr/bin/ls File disabled 20

21 System Integrity Check - Autocorrection Wrong permissions get reset Wrong owner and group get reset Files that changed size or hash value are disabled 21

22 Runtime Integrity Check Binaries, shared libraries, kernel extensions and shell scripts are checked before execution Kernel refuses to load/execute them if verification fails Check is repeated every time -> no window of opportunity for attackers 22

23 Runtime Integrity Check Policies trustchk -p name=values sets policies TE=[ON OFF] : turns runtime checks on/off CHKEXEC=[ON OFF] : executable checking STOP_ON_CHKFAIL= [ON OFF] : stop executables failing the test STOP_UNTRUSTD= [ON OFF] : stop executables not listed in /etc/security/tsd/tsd.dat And more... 23

24 Runtime Integrity Check - Modified File trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON ls ksh: ls: Execute permission denied. Changed command does not execute cp /usr/bin/ls /usr/bin/.badls cp /usr/bin/.ls /usr/bin/ls chown bin:bin /usr/bin/ls ls.xauthority... Check is re-run every time the command is executed 24

25 Runtime Integrity Check - Unlisted File STOP_UNTRUSTD prevents execution of commands not listed in the TSD trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON /usr/bin/.ls ksh: /usr/bin/.ls: Execute permission denied. ls -l /usr/bin/.ls -r-xr-xr-x 1 bin bin May 28 17:39 /usr/ bin/.ls Command.ls (the original ls) not executed (no check failure, file permissions ok) 25

26 Path Protection Trusted path Limits where programs/scripts can be started from Much more effective that restricted shell and a fixed $PATH variable 26

27 Trusted Path in Action cp /usr/bin/ls /usr/local/bin/ls /usr/local/bin/ls.xauthority... /usr/local/bin/ not in trusted path trustchk -p TEP=ON /usr/local/bin/ls ksh: /usr/local/bin/ls: Execute permission denied. trustchk -p tep TEP=ON TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/ lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security 27

28 Adding Your Own Files TE protection for your own files: EASY! Step 1: Create certificates and keys with openssl (only once) Step 2: Add to the TE database. That's it. TE takes care of the rest. 28

29 Creating Certificates cd /te openssl genrsa -out mycorpprivkey.perm 2048 Generating RSA private key, 2048 bit long modulus e is (0x10001) openssl req -new -x509 -key mycorpprivkey.perm -outform DER -mycorpcert.der - days 3650 You are about to be asked to enter information that will be incorporated... (some questions asked here)... openssl pkcs8 -inform PEM -in mycorpprivkey.perm -topk8 -nocrypt -outform DER - out mycorpprivkey.der ls mycorpcert.der mycorpprivkey.der mycorpprivkey.perm 29

30 Add to TE Database trustchk -s /te/mycorpprivkey.der -v mycorpcert.der -a /usr/local/bin/mycmd trustchk -q /usr/local/bin/mycmd /usr/local/bin/mycmd: type = FILE owner = root group = system mode = 755 size = 47 hash_value = 48d45e86a5a8ff4c6a94dfe fc0e1a6c0967f06233eaa84ff232fbceb2 cert_tag = 008b2dd04da79dc0b5 signature = a3ecc6b2c a0be

31 Test: Finding Illegal Modifications trustchk -n /usr/local/bin/mycmd echo $? 0 echo "CHANGED" >> /usr/local/bin/mycmd trustchk -n /usr/local/bin/mycmd trustchk: Verification of attributes failed: /usr/local/bin/mycmd : size hashvalue signature echo $?

32 Maintenance Installing updates naturally changes the files Hashes in the TE database need updating AIX updates come with new signatures Need to update hashes for own files 32

33 Want to give it a go? IBM business partners can get AIX test systems for free from the Virtual Loaner Program Not a business partner? Sign up at (all you need is a VAT ID) 33

34 Questions? 34

35 Thank you! If you think of a question later feel free to send me an . 35