SELinux & AppArmor - Comparison of Secure OSes

Similar documents
Safety measures in Linux

NSA Security-Enhanced Linux (SELinux)

Laboratory Report. An Appendix to SELinux & grsecurity: A Side-by-Side Comparison of Mandatory Access Control & Access Control List Implementations

How To Write Security Enhanced Linux On Embedded Systems (Es) On A Microsoft Linux (Amd64) (Amd32) (A Microsoft Microsoft 2.3.2) (For Microsoft) (Or

Confining the Apache Web Server with Security-Enhanced Linux

SELinux. Security Enhanced Linux

Mandatory Access Control in Linux

PARALLELS SERVER 4 BARE METAL README

Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE

Example of Standard API

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Linux Distributed Security Module 1

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

PARALLELS SERVER BARE METAL 5.0 README

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Red Hat Network Satellite Management and automation of your Red Hat Enterprise Linux environment

Red Hat Satellite Management and automation of your Red Hat Enterprise Linux environment

SELinux Policy Editor RBAC(Role Based Access Control) guide (for Ver 2.0))

Security Enhanced Linux and the Path Forward

Securing Your System: Security Hardening Techniques for SUSE Linux Enterprise Server 12

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Kernel Intrusion Detection System

Networking in NSA Security-Enhanced Linux

Introduction to Operating Systems

Secure computing: SELinux

Red Hat enterprise virtualization 3.0 feature comparison

Automatic updates for Websense data endpoints

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Symantec Endpoint Protection

SUSE Linux Enterprise Desktop 11

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Red Hat Linux Internals

Adobe Flash Player and Adobe AIR security

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

SUSE Linux Enterprise 10 SP2: Virtualization Technology Support

Norton Mobile Privacy Notice

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Kaspersky Anti-Virus 8.0 for Linux File Server Installation Guide

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

System Security Policy Management: Advanced Audit Tasks

Endpoint protection for physical and virtual desktops

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Acronis Backup & Recovery 11

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

Linux for Embedded and Real-Time Systems

Getting Started Guide. Getting Started With Your Dedicated Server. Setting up and hosting a domain on your Linux Dedicated Server using Plesk 8.0.

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Mandatory Access Control

Linux Operating System Security

Virtualization System Security

Securing Your System: Security Hardening Techniques for SUSE Linux Enterprise Server

Republic Polytechnic School of Information and Communications Technology C226 Operating System Concepts. Module Curriculum

The Benefits of Verio Virtual Private Servers (VPS) Verio Virtual Private Server (VPS) CONTENTS

Nixu SNS Security White Paper May 2007 Version 1.2

Worms, Trojan Horses and Root Kits

GestióIP IPAM v3.0 IP address management software Installation Guide v0.1

Computer Security DD2395

This Release Notes document is for F-Secure Linux Security.

CSE 265: System and Network Administration

ZABBIX. An Enterprise-Class Open Source Distributed Monitoring Solution. Takanori Suzuki MIRACLE LINUX CORPORATION October 22, 2009

This document describes the new features of this release and important changes since the previous one.

Operating System Structure

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

VMware ESXi 3.5 update 2

Smartphone Pentest Framework v0.1. User Guide

Kaspersky Security 10 for Mobile Implementation Guide

Parallels Virtuozzo Containers 4.7 for Linux Readme

Firewalls Overview and Best Practices. White Paper

Advanced Systems Security: Retrofitting Commercial Systems

Getting Started in Red Hat Linux An Overview of Red Hat Linux p. 3 Introducing Red Hat Linux p. 4 What Is Linux? p. 5 Linux's Roots in UNIX p.

NetIQ Sentinel Quick Start Guide

CSE 265: System and Network Administration. CSE 265: System and Network Administration

2X SecureRemoteDesktop. Version 1.1

Deploying IBM Lotus Domino on Red Hat Enterprise Linux 5. Version 1.0

CS197U: A Hands on Introduction to Unix

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Nipper Studio Beginner s Guide

Deploying Ubuntu Server Edition. Training Course Overview. (Ubuntu LTS)

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

CTERA Agent for Linux

Operating System Security Hardening for SAP HANA

A Firewall Model of File System Security

What is Web Security? Motivation

Cisco Security Agent (CSA) Network Admission Control (NAC)

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

VIRTUOZZO TM FOR LINUX 2.6.1

Using Red Hat Network Satellite Server to Manage Dell PowerEdge Servers

Thanks for choosing sentora-paranoid for your sentora hosting environment security solution

Transcription:

SELinux & AppArmor - Comparison of Secure OSes Apr 18 2007 Yuichi Nakamura Research and Development Department Hitachi Software Engineering Co., Ltd. ynakam@hitachisoft.jp

Contents 0. Background 1. Introduction of SELinux & AppArmor 2. Comparison 2.1 Feature 2.2 Porting to embedded 2.3 Performance 3. SELinux activities in Japan 2

Background Embedded devices are being connected to networks. Attackers can also reach devices Security of embedded devices is similar to Win 95. In some devices All processes are running as root No password What happened to PCs will happen in near future. Worm, virus, crackers Some devices were already exploited 3

Threats root can do everything Privilege escalation is known even running as normal user such as bugs in suid programs PDA, mobile phone If browser open malicious page Virus is executed.. Private data is stolen (by wiretap, key logger) Springboard Consumer devices (TV, DVD, audio player etc) Attackers can intrude from network interface Download virus with data Destroy system, disclose data, springboard, wiretap etc 4

Requirement for embedded security Embedded devices Restricted resource, Hard to update Security technologies Packet filtering Useful, but can not protect open ports IDS, Anti-virus Consumes resources Need update of pattern file, not effective to zero-day attack Secure OS Simple, effective even without security patch Useful for zero-day attack Hardware independent 5

Secure OS Access control feature Assign least privilege to process Example: HTTPD can access only homepage file and configuration file. MAC (Mandatory Access control) No one (including root) can not bypass Implemented in Linux kernel Policy: Important component Configuration of Secure OS: Subject, object, access type Subject object Access type /usr/sbin/httpd /var/www read /usr/sbin/httpd /etc/httpd.d read /usr/sbin/name /var/named/ read d.... 6

What Secure OS can do?: Before * Network music player Buy MP3 Remote control Cracked! Network process Player process Virus! Springboard attack etc Install wiretap, steal password etc Attackers can do everything 7

What Secure OS can do?: After * Network music player Buy MP3 Remote control Cracked! Difficult to use as springboard, install wiretap Can not exec shell, launch services, write system files etc. Network process Write ok Assign access right Secure OS Player process Read ok No access right for: Springboard attack Install wiretap etc MP3 Virus! Attackers/malwares have limited access right Effective to Zero-day attacks, without security patch 8

SELinux and AppArmor Two major Open Source Secure OSes Also two extreme security vs. usability SELinux - Strict security, hard to use Developed by NSA Included in mainline kernel(2.6), Redhat, Fedora AppArmor Not strict security, easy to use Was called Subdomain, developed by Immunix Now maintained by Novell Included in SuSE Linux 9

1. Introduction of SELinux & AppArmor

Overview of SELinux Access control feature: TE Example of policy 11

Main feature : TE (Type Enforcement) Label based access control Domain Identifier for process Type Identifier(label) for resources Controls permission between domain and type Process httpd Domain:httpd_t Permission read Resource File /var/www Type:web_contents_t 12

Fine-grained access control File, network(port number, NIC, IP), IPC, user, other privilege.. About 700 permissions 13

Configuration of policy The most important feature What domain can access what access to what types? Ex Web server(domain httpd_t :allowing access to homepage allow specify domain, type, permission allow httpd_t web_contents_t file:{ read }; Domain Type Permission Assign label(=type) to resource /var/www( /.*) system_u:object_r:web_contents_t Many lines of allows(10k-100k) are required macro is used Bunch of allows is summarized by macro 14

Example of policy bind.te: allowing acces type named_t; type named_exec_t; /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) init_daemon_domain(named_t,named_exec_t) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)...... /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) kernel_read_kernel_sysctls(named_t) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) kernel_read_system_state(named_t) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) kernel_read_network_state(named_t) /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) kernel_tcp_recvfrom(named_t)... /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) corenet_tcp_sendrecv_all_if(named_t) corenet_raw_sendrecv_all_if(named_t) /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) corenet_udp_sendrecv_all_if(named_t) /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) corenet_tcp_sendrecv_all_nodes(named_t) /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) corenet_udp_sendrecv_all_nodes(named_t) corenet_raw_sendrecv_all_nodes(named_t) corenet_tcp_sendrecv_all_ports(named_t) corenet_udp_sendrecv_all_ports(named_t) corenet_non_ipsec_sendrecv(named_t) corenet_tcp_bind_all_nodes(named_t) corenet_udp_bind_all_nodes(named_t) 293 lines 100 kinds of macros bind.fc:assigning label ifdef(`distro_debian',` /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) /etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)...45 Difficult to understand 15

Overview of AppArmor Easier than SELinux Implemented as LKM Recently, often compared with SELinux 16

Feature 1. Access control Controls file and POSIX capability Path name-based Label is not used Profile = policy 2. GUI Tools Integrated in YaST Generating profile Log report Not so important for embedded 17

Path name based access control Path name based: Identify file with path name Easy to understand Example: /usr/sbin/httpd{ /var/www/** r, } /usr/sbin/httpd can read under /var/www 18

Permission to file Basic permission: r,w,x,l r read w : write ix : execute l : link(remove file) 19

POSIX capability Controls capability Capability Important operation other than file access Example: net_bind_service: bind well-known port net_raw: use raw socket For detail: see $man capabilities 20

Configuration for profile Simple, easy to understand /usr/sbin/named { -> path to exectable #include <abstractions/base> Common #include<abstractions/nameservice> capability net_bind_service, Capability capability setgid, capability setuid, <snip> /var/lib/named/** rwl, Access to file /var/run/named.pid wl, } 21

2.1 Comparison of feature

Common : LSM Both use LSM for implementation LSM: Linux Security Module set of hooks in kernel to check security is included in mainline from 2.6 Using LSM: SELinux, AppArmor, LIDS (for 2.6) Not using TOMOYO Linux, LIDS (for 2.4) 23

Difference between SELinux and AppArmor Granularity of permission SELinux: File, network, IPC, POSIX capability etc.. AppArmor File + POSIX capability AppArmor can reach SELinux in theory, because both use LSM. How to identify resource The most fundamental -> next 24

How to identify resource Fundamental difference Affects security and usability Label based vs Path name based Label: lower usability, higher security Assign label to file SELinux Path name: higher usability, lower security Identify file with path name AppArmor, TOMOYO Linux Compare them by showing benefit and loss of pathname 25

Benefit of path-name High usability, easy to understand No need to extend file system Label base: File system have to be extended to store label Implementing policy generation tool is easier -> Next Nothing happens when i-node number is changed -> Next 26

Benefit of path-name: policy generation Example case: PHP trid to write /var/www/html/write/test.txt But, access denied by Secure OS Have to generate policy from log SELinux 1) label under /var/www/html -> httpd_sys_content_t 2) Log says.. httpd_t was denied to write to httpd_sys_content_t 3) Generate policy from log allow httpd_t httpd_sys_content_t:file write; - > allowing write access whole /var/www! Unnecessary access is granted AppArmor 1) log says /usr/sbin/httpd is denied to write /var/www/html/write/test.txt 2) Generate policy(=profile) from log /usr/sbin/httpd{ /var/www/html/write/test.txt w, Unnecessary access is _not_ granted 27

Benefit of path-name change of inode number Example /etc/mtab SELinux : Label is lost when inode number is changed Label is associated with inode /etc/mtab vi, rpm changes inode Solution file type transition configuration AppArmor Not easy for beginner Some userland have to be extended Example: rpm,vi No problem! 28

Loss by path-name Information flow tmpfiles 29

Loss by path-name Information flow analysis -> Who can access the information? Some people say path-name based security is broken because of this Ex: Information flow analysis to password information Initial state: Stored in /etc/shadow If hardlink is created to /etc/shadow, password information can be accessed via hardlink What happens in information flow analysis? Have to traverse whole file tree to find hardlink What if more hardlink is created during travarsal? SELinux: All you have to do is to check what kind of domain can access label for /etc/shadow Label is the same for hardlink 30

Loss by path-name tmp files When creating randomly named file under /tmp SELinux Can identify such file by naming label such as httpd_tmp_t AppArmor How to identify randomly named files? result in allowing whole /tmp. 31

SELinux Policy Editor(SEEDIT) (1) Tool that makes SELinux easy Open Source: http://seedit.sourceforge.net/ Originally developed by Hitachi Software Included in Fedora repository Main feature: SPDL AppArmor-like syntax to write policy example: domain httpd_t program /usr/sbin/httpd; allow /var/www/** r; path-name configuration This is converted to SELinux policy syntax type var_www_t; label is generated allow httpd_t var_www_t { file dir }: read; 32

SELinux Policy Editor(SEEDIT) (2) Still different from AppArmor Inherit drawback from label-based access control change of inode generated policy is label based Inherit good points from SELinux fine-grained permission (IPC, network) no patch to kernel Now, I am porting SPDL to work on embedded device I can demo for you after presentation! I hope I can release in future (not sure when) 33

2.2 Porting SELinux/AppArmor to embedded devices

Target device Sharp Zaurus SL-C3200 CPU: Intel XScale 416Mhz Memory: 64MB Distro: Open Zaurus 3.5.4.2-rc2 Experiences of porting SELinux and AppArmor 35

Kernel SELinux No work is needed! included in mainline AppArmor Have to obtain patch from http://developer.novell.com/wiki/index.php/novell_apparmor Very easy to patch diffstat: fs/namespace.c 3 include/linux/audit.h 5 include/linux/namespace.h 3 kernel/audit.c 6 All others: security/apparmor 36

File system SELinux: File system must support xattr ext2, ext3 supports xattr after 2.6.18 jffs2 supports xattr Fortunately, SL-C3200 uses ext3 AppArmor: No extension needed! 37

Userland SELinux Many commands load_policy, setfiles, restorecon, chcon etc.. Might want them to port to BusyBox to reduce size libselinux APIs for SELinux commands AppArmor Only apparmor_parser Profile loader Some helper shell script may needed for convenience cross-compile with minor modification 38

Policy SELinux Difficult to use sample policy (refpolicy) Intended for server use Need a lot of customize Difficult to understand, describe I used SELinux Poilcy Editor s simplified policy(spdl) AppArmor Much easier than refpolicy Like SPDL Policy generation tool Not available for both python or perl is required Have to write by hand. 39

2.3 Performance

Experiment Prepared domain/profile for 7 apps Memory usage Storage usage Unixbench/lmbench Compared with no SELinux/AppArmor kernel 41

Memory usage free command AppArmor +1M SELinux +1.7M Both need work (TODO) 42

Storage usage Total SELinux + 757k(no tuning) +244k(with tuning) -> Tuning is important AppArmor +157k (tuning not tried yet) 43

lmbench simple syscall simple read simple write simple stat simple fstat simple open/close pipe latency process fork+exit process fork+/bin/sh fork+execve -c Overhead of AppArmor(%) 0.6 31.3 42.9 30 5 114.5 8.7 1.9 17.6 18.2 Overhead of SELinux(%) 0.4 74.3 98.7 54.8 45.9 44.8 12.6 2.6 6.8 18.1 AppArmor: overhead in file open, exec SELinux: overhead after file open, exec 44

Unixbench DhryStone 2 using register variables Double-Precision Whetstone Execl FileCopy(256buf) 1024buf 4096buf Pipe Throuput Pipe-based context switch Process creation System Shell scripts call overheads Overhead of AppArmor(%) 0 15.3 6.4 0.6 0 5.6 3.9 0 19.3 0 0 Overhead of SELinux(%) 0 0 5.7 13.9 8.7 2.9 24.6 11.7 1.4 30.3 0 Less overhead than null I/O??? 45

3. SELinux activities in Japan

Our project Project in Japan SELinux Users Group (JSELUG) Our goal Prepare SELinux platform, development kit for embedded devices 2 projects sebusybox(on going), SEDiet(not public yet) Developers Current active Yuichi, KaiGai, Shinji Some other people are involved in discussion If you are interested in our project: busybox atmark kaigai.gr.jp 47

sebusybox Porting SELinux commands to BusyBox Submitted patch to BusyBox upstream Accepted: coreutils, libselinux On going: policycoreutils, netstat, find We found implicit guidelines of BusyBox such as indent rule, usage of libbb Japanese site, sorry: http://www.kaigai.gr.jp/index.php?busybox_upstream 48

SEDiet SEDiet (SELinux Diet): Activity to reduce size of SELinux Reducing size of policy, userland In progress. Submitting patch to diet libselinux More presentation in near future?? 49

Summary SELinux -> more security, less usability AppArmor -> less security, more usability SELinux needs more work, but community can change it! Project in progress SELinux Policy Editor can simplify SELinux SELinux community is bigger, upstreamed More eyeballs, better implementation, more reputation Let s contribute 50

Questions/Suggestions? Linux is a registered trademark of Linus Torvalds in the US and other countries Red Hat is a registered trademark of Red Hat,Inc in the US and other countries SUSE is a registered trademark of SUSE LINUX AG in the US and other countries AppArmor is a registered trademark of Novell, Inc in the US and other countries. TOMOYO is a registered trademark of NTT Data corporation. Other names of products, services and companies are the trademarks of their respective companies. 51

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information