IBM Power Systems and Systems Management Symposium, 30 May to 1 June 2011

Rapid AIX Security Hardening with Trusted Execution (TE)
(German title: Hardening AIX quickly with Trusted Execution)

Andreas Leibl, RSTC Ltd
Andreas Leibl
RSTC Ltd, based in Bristol, UK and Ulm, Germany
http://www.rstc-ltd.co.uk/
Email: andreas.leibl@rstc-ltd.co.uk

If you have any questions about the talk, please send me an email or contact me on
LinkedIn: http://www.linkedin.com/in/aleibl
Xing: https://www.xing.com/profile/andreas_leibl
Agenda
- AIX Security
- Trusted Execution (TE) & Trusted Computing Base (TCB)
- System Integrity Check
- Runtime Integrity Check
- Trusted Path
- Adding your own files
AIX & Security
- UNIX-type security (accounts & permissions)
- Role Based Access Control (enhanced RBAC), extended in AIX 7.1 with Domain RBAC
- Trusted Execution (TE)
RBAC - Role Based Access Control
- Fine-granular control
- Kernel level; applications need not be modified
- No privilege escalation through faulty programs or shell escapes
- Users gain privileges through roles, which allow them to execute certain operations
- Superior to sudo
Domain RBAC
- RBAC enhancement in AIX 7.1
- Allows restriction of privileges to certain objects
- Example: the right to resize filesystems can be limited to certain filesystems
Trusted Execution
- Replaces the Trusted Computing Base (TCB)
- Superior capabilities
- TCB is still available
Trusted Computing Base (TCB)
- Needs to be enabled at install time
- Limited to static (offline) checks (security sweeps)
- Default database quite limited (heavy use of the VOLATILE keyword, which effectively disables TCB checks for the specified files)
- Weak checksums - low security
TE vs. TCB
- TE can be enabled at any time
- Uses cryptographically strong hashes
- Hashes can be cryptographically signed
- Runtime (online) checks in addition to static (offline) checks
TE Protection
TE protects against:
- Trojan horses
- Root kits
- Any tampering with critical files
- Can easily be extended to include your own files
Trusted Execution Requirements
- AIX 6.1 or 7.1
- CryptoLite for C library (clic.rte.*) from the Expansion Pack

lslpp -l 'clic.*'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.7.0.0  COMMITTED  CryptoLite for C Library

Path: /etc/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
TE: Strong Hashes
- One-way hash functions generate a secure fingerprint of each file
- Default hash algorithm: SHA256
- Also available: SHA1 (160 bits), SHA512
- The hashes in the TE database can be signed for added security
- AIX files come with signed hashes from IBM
Trusted Signature Database
Stanzas in the TE database (the Trusted Signature Database, TSD) can be viewed with grep -p or, better, with the proper command, trustchk -q:

trustchk -q /usr/bin/ls
/usr/bin/ls:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        hardlinks =
        symlinks =
        size = 26732
        cert_tag = 00d3cbd2922627b209
        signature = 964bf2d53b4e0b6c3be62e2569ab9da192634a69d5f2d15861098eb7475093f0d45488571da627ea2cd7b528864a1c82e25cbf585733de4e88dc649b5306dfb7427b32c29ac37f259ed5f6598c415f682abda422ee3a9497937f9f1f7191b32ebcd467ad3ca302425c5607e59ffad1fcd69306f1674905c2f0c1d8e143b1752d
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
        minslabel =
        maxslabel =
        intlabel =
        accessauths = aix.fs.object.list
        innateprivs = PV_DAC_R,PV_DAC_X
        inheritprivs =
        authprivs =
        secflags = FSF_EPS
        t_innateprivs = PV_MAC_R,PV_MIC
System Integrity Check
- TE checks all files listed in the database
- Changed permissions are corrected
- Changed files are disabled (read, write and execute permissions revoked)
- Run manually or by crond
Planting a Trojan Horse
Let's do something nasty...

mv /usr/bin/ls /usr/bin/.ls
vi /usr/bin/ls
...
cat /usr/bin/ls
#!/usr/bin/sh
echo "Doing something dirty here (which you can't see)..."
/usr/bin/.ls $*

(The ls command is replaced with a malicious version that installs a backdoor and then emulates ls behaviour.)

chmod 555 /usr/bin/ls
ls /home
Doing something dirty here (which you can't see)...
guest lost+found root
System Integrity Check in Action - Check only
trustchk -n ALL
trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get : mode
trustchk: Verification of attributes failed: /usr/sbin/sshd : size
trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib : group
trustchk: Verification of attributes failed: /usr/bin/ls : owner group size hashvalue signature
System Integrity Check
- Sometimes produces false alerts
- This means the TSD wasn't updated correctly (this includes permissions and suid bits), files were removed, or properties were not specified (like the size in the case of sshd)
- The -n flag means trustchk only reports problems -> no corrective action
Checking the Hash
Want to check the hash value yourself?

openssl dgst -sha256 /usr/bin/ls
SHA256(/usr/bin/ls)= 4e6da7a726bb27428f2e8321a2aea231f587e88aacc03ac766c0cf1a02530378
(modified ls)

openssl dgst -sha256 /usr/bin/.ls
SHA256(/usr/bin/.ls)= 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
(original ls)

trustchk -q /usr/bin/ls | grep hash
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
(TSD entry)
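The comparison above (a freshly computed SHA-256 against the hash_value recorded in the TSD) is the core of what trustchk -n does for every listed file. The following shell script is an added example and not part of the presentation: it emulates the size and hash_value attribute checks of trustchk -n against a trustchk -q style stanza, so the logic can be exercised offline on any UNIX, not only AIX. The stanza in the demo is constructed, the file name mycmd is an assumption, and the hash is computed with openssl dgst -sha256 as on the slide (with sha256sum / shasum as fallbacks where openssl is absent).

```shell
#!/bin/sh
# Added example (not from the slides): emulate the size / hash_value part of
# trustchk -n against a constructed trustchk -q style stanza.

# SHA-256 of a file, as on the slide (openssl dgst -sha256), with fallbacks.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # output is "SHA256(file)= <hex>" or "SHA2-256(file)= <hex>"; keep the hex
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# File size in bytes; wc -c is POSIX, unlike the GNU/BSD-specific stat flags.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Read one "name = value" attribute from a stanza given on stdin
# (e.g. "        hash_value = 49d0..." -> "49d0...").
stanza_attr() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# verify_stanza FILE STANZA_TEXT
# Prints a trustchk-like line naming every failed attribute; returns 0 when
# size and hash_value match the stanza, 1 otherwise (no -y style correction).
verify_stanza() {
    file=$1
    stanza=$2
    failed=""
    want_size=$(printf '%s\n' "$stanza" | stanza_attr size)
    want_hash=$(printf '%s\n' "$stanza" | stanza_attr hash_value)
    if [ -n "$want_size" ] && [ "$(size_of "$file")" != "$want_size" ]; then
        failed="$failed size"
    fi
    if [ -n "$want_hash" ] && [ "$(sha256_of "$file")" != "$want_hash" ]; then
        failed="$failed hashvalue"
    fi
    if [ -n "$failed" ]; then
        echo "verify: Verification of attributes failed: $file :$failed"
        return 1
    fi
    return 0
}

# demo: record a constructed stanza for a fresh file (what trustchk -a does),
# confirm it verifies, then tamper with the file and confirm the check fails.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho hello\n' > "$tmp/mycmd"
    # CONSTRUCTED stanza, values taken from the untouched file
    stanza="$tmp/mycmd:
        type = FILE
        owner = root
        group = system
        mode = 755
        size = $(size_of "$tmp/mycmd")
        hash_value = $(sha256_of "$tmp/mycmd")"
    if ! verify_stanza "$tmp/mycmd" "$stanza"; then
        rm -rf "$tmp"; return 1          # a clean file must pass
    fi
    echo "CHANGED" >> "$tmp/mycmd"       # the modification made on the test slide
    if verify_stanza "$tmp/mycmd" "$stanza"; then
        rm -rf "$tmp"; return 1          # tampering went unnoticed: wrong
    fi
    rm -rf "$tmp"
    return 0
}

if demo; then
    echo "demo: clean file passed, tampered file was reported"
else
    echo "demo: unexpected result"
fi
```

Appending a single line changes both size and hash, which is exactly the "size hashvalue" pair trustchk -n reports; a change that keeps the size (a byte flipped in place) would still be caught by the hash alone, which is why the weak checksums of the old TCB are the real weakness and SHA-256 the improvement.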
System Integrity Check - Interactive
Use trustchk -t to correct problems interactively:

trustchk -t /usr/bin/ls
trustchk: Verification of attributes failed: owner
Change the file owner for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: group
Change the file group for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: size
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: hash
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: signature
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of stanza failed:
System Integrity Check - Autocorrection
trustchk -y = auto (think fsck -y)

trustchk -y /usr/bin/ls
trustchk: Verification of attributes failed: owner
trustchk: Verification of attributes failed: group
trustchk: Verification of attributes failed: mode
trustchk: Verification of attributes failed: size
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:

/usr/bin/.ls -l /usr/bin/ls
---------T 1 bin bin 93 May 28 16:07 /usr/bin/ls

(File disabled.)
System Integrity Check - Autocorrection
- Wrong permissions get reset
- Wrong owner and group get reset
- Files that changed size or hash value are disabled
Runtime Integrity Check
- Binaries, shared libraries, kernel extensions and shell scripts are checked before execution
- The kernel refuses to load/execute them if verification fails
- The check is repeated every time -> no window of opportunity for attackers
Runtime Integrity Check Policies
trustchk -p name=value sets policies:
- TE=[ON|OFF] : turns runtime checks on/off
- CHKEXEC=[ON|OFF] : executable checking
- STOP_ON_CHKFAIL=[ON|OFF] : stop executables failing the test
- STOP_UNTRUSTD=[ON|OFF] : stop executables not listed in /etc/security/tsd/tsd.dat
- And more...
Runtime Integrity Check - Modified File
trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON
ls
ksh: ls: 0403-006 Execute permission denied.
(The changed command does not execute.)

cp /usr/bin/ls /usr/bin/.badls
cp /usr/bin/.ls /usr/bin/ls
chown bin:bin /usr/bin/ls
ls
.xauthority ...
(The check is re-run every time the command is executed.)
Runtime Integrity Check - Unlisted File
STOP_UNTRUSTD prevents execution of commands not listed in the TSD:

trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON
/usr/bin/.ls
ksh: /usr/bin/.ls: 0403-006 Execute permission denied.
ls -l /usr/bin/.ls
-r-xr-xr-x 1 bin bin 26732 May 28 17:39 /usr/bin/.ls

(The command .ls (the original ls) is not executed, although there is no check failure and the file permissions are OK: it simply is not listed in the TSD.)
Path Protection
- Trusted Execution Path (TEP)
- Limits where programs/scripts can be started from
- Much more effective than a restricted shell and a fixed $PATH variable
Trusted Path in Action
cp /usr/bin/ls /usr/local/bin/ls
/usr/local/bin/ls
.xauthority ...
(/usr/local/bin/ is not in the trusted path)

trustchk -p TEP=ON
/usr/local/bin/ls
ksh: /usr/local/bin/ls: 0403-006 Execute permission denied.

trustchk -p tep
TEP=ON
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
Adding Your Own Files
TE protection for your own files: EASY!
- Step 1: Create certificates and keys with openssl (only once)
- Step 2: Add the files to the TE database
That's it. TE takes care of the rest.
Creating Certificates
cd /te
openssl genrsa -out mycorpprivkey.perm 2048
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)

openssl req -new -x509 -key mycorpprivkey.perm -outform DER -out mycorpcert.der -days 3650
You are about to be asked to enter information that will be incorporated...
(some questions asked here)...

openssl pkcs8 -inform PEM -in mycorpprivkey.perm -topk8 -nocrypt -outform DER -out mycorpprivkey.der

ls
mycorpcert.der mycorpprivkey.der mycorpprivkey.perm
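What trustchk -s and -v later do with this key and certificate is sign the file's hash and verify that signature, which is what the signature and cert_tag fields of a TSD stanza carry. The script below is an added shell example, not the presentation's own commands: it runs the key and certificate creation from the slide and then carries on with openssl to sign a file's SHA-256 hash with the private key and verify it against the public key taken from the certificate. The working directory, file names and certificate subject are assumptions; a PEM copy of the private key is kept because openssl dgst -sign takes PEM keys.

```shell
#!/bin/sh
# Added example (not from the slides): the openssl key/cert creation shown on
# the slide, followed by signing and verifying a file's SHA-256 hash with it.

# All files go into a scratch directory (assumption; the slide used /te).
WORK=${WORK:-$(mktemp -d)}

# Step 1 (done once): RSA key and self-signed certificate.
# -subj avoids the interactive questions; DER copies are what trustchk -s/-v take.
make_signing_keys() {
    openssl genrsa -out "$WORK/mycorpprivkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/mycorpprivkey.pem" -days 3650 \
        -subj "/CN=MyCorp TE signing (demo)" -out "$WORK/mycorpcert.pem" 2>/dev/null
    openssl pkcs8 -inform PEM -in "$WORK/mycorpprivkey.pem" -topk8 -nocrypt \
        -outform DER -out "$WORK/mycorpprivkey.der"
    openssl x509 -in "$WORK/mycorpcert.pem" -outform DER -out "$WORK/mycorpcert.der"
}

# sign_file FILE: RSA signature over SHA-256(FILE), written to FILE.sig
sign_file() {
    openssl dgst -sha256 -sign "$WORK/mycorpprivkey.pem" -out "$1.sig" "$1"
}

# verify_file FILE: 0 if FILE.sig verifies under the public key in the DER cert
verify_file() {
    openssl x509 -in "$WORK/mycorpcert.der" -inform DER -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# demo: sign a constructed script, verify it, tamper with it, verify again.
demo() {
    make_signing_keys || return 1
    printf '#!/bin/sh\necho mycmd\n' > "$WORK/mycmd"     # constructed sample file
    sign_file "$WORK/mycmd" || return 1
    verify_file "$WORK/mycmd" || return 1               # untouched: must verify
    echo "CHANGED" >> "$WORK/mycmd"                     # the tampering from the test slide
    if verify_file "$WORK/mycmd"; then
        return 1                                        # must NOT verify any more
    fi
    return 0
}

if demo; then
    echo "signature verified before tampering and rejected after it"
else
    echo "unexpected result"
fi
```

Because the signature covers the hash and the hash covers the file, a tampered file fails both the hash_value and the signature attribute, which matches the "size hashvalue signature" triple trustchk -n prints on the test slide.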
Add to TE Database
trustchk -s /te/mycorpprivkey.der -v mycorpcert.der -a /usr/local/bin/mycmd

trustchk -q /usr/local/bin/mycmd
/usr/local/bin/mycmd:
        type = FILE
        owner = root
        group = system
        mode = 755
        size = 47
        hash_value = 48d45e86a5a8ff4c6a94dfe3723677fc0e1a6c0967f06233eaa84ff232fbceb2
        cert_tag = 008b2dd04da79dc0b5
        signature = a3ecc6b2c07260417a0be162...
Test: Finding Illegal Modifications
trustchk -n /usr/local/bin/mycmd
echo $?
0

echo "CHANGED" >> /usr/local/bin/mycmd
trustchk -n /usr/local/bin/mycmd
trustchk: Verification of attributes failed: /usr/local/bin/mycmd : size hashvalue signature
echo $?
114
Maintenance
- Installing updates naturally changes the files
- Hashes in the TE database need updating
- AIX updates come with new signatures
- Hashes for your own files need to be updated by you
Want to give it a go?
- IBM business partners can get AIX test systems for free from the Virtual Loaner Program: http://www.ibm.com/systems/vlp
- Not a business partner? Sign up at www.ibm.com/partnerworld (all you need is a VAT ID)
Questions?
Thank you!
If you think of a question later, feel free to send me an email.