Recent security features and issues in embedded systems. NEC OSS Promotion Center KaiGai Kohei <kaigai@ak.jp.nec.com>

Similar documents
The Linux Audit Subsystem Deep Dive. SHARE Denver Colorado Convention Center, Korbel 4b 24-Aug Noon

Linux OS-Level Security Nikitas Angelinas MSST 2015

issh v. Auditd: Intrusion Detection in High Performance Computing

Intrusion Detection using the Linux Audit Framework. Stephen Quinney School of Informatics University of Edinburgh

Leipzig, April 2013

Technical Report. Analysis of the Linux Audit System. Bruno Morisson. RHUL MA April 2015

Safety measures in Linux

NSA Security-Enhanced Linux (SELinux)

Survey of Filesystems for Embedded Linux. Presented by Gene Sally CELF

CIS 551 / TCOM 401 Computer and Network Security

...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language)

Auditing in the VNX Control Station P/N REV A01 February, 2011

CIS 551 / TCOM 401 Computer and Network Security. Spring 2005 Lecture 4

System Security Fundamentals

Chapter 7: Unix Security. Chapter 7: 1

Audit and IDS Steve Grubb, Red Hat

CHAPTER 1 INTRODUCTION 1.1 MOTIVATION FOR DATA SECURITY

CSE331: Introduction to Networks and Security. Lecture 34 Fall 2006

SELinux & AppArmor - Comparison of Secure OSes

Using an Open Source Framework to Catch the Bad Guy. Norman Mark St. Laurent Senior Solutions Architect, Red Hat

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Access Control Lists in Linux & Windows

Security Enhanced Linux and the Path Forward

TELE 301 Lecture 7: Linux/Unix file

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter th December 2011

NETWORK SECURITY HACKS *

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

Virtual Machine Security

NETWORK SECURITY HACKS

Mandatory Access Control in Linux

Unit objectives IBM Power Systems

storage elements and computer systems so that data transfer is secure and robust."

Analysis of the Linux Audit System 1

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

C2 Security: Is Big Brother Watching?

Utilizing Solaris 10 Security Features. Presented by: Nate Rotschafer Peter Kiewit Institute Revised: August 8, 2005

Practical Solaris 10 Security Glenn Brunette

Secure computing: SELinux

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

ENTERPRISE LINUX SECURITY ADMINISTRATION

Advanced End-to-End Linux Security for Desktop and Production Systems

Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5

Native Host Intrusion Detection with RHEL6 and the Audit Subsystem. Steve Grubb Red Hat

EXPLORING LINUX KERNEL: THE EASY WAY!

Computer Security. Evaluation Methodology CIS Value of Independent Analysis. Evaluating Systems Chapter 21

Example of Standard API

ELCE Secure Embedded Linux Product (A Success Story)

Encrypt-FS: A Versatile Cryptographic File System for Linux

Windows and Linux Security Audit

A COMPARISON BETWEEN THE SAMBA3 AND LIKEWISE LWIOD FILE SERVERS

TransCrypt File Server Enhancements for Secure Remote Access

CIS433/533 - Computer and Network Security Operating System Security

Distributed File Systems Part I. Issues in Centralized File Systems

Develop a process for applying updates to systems, including verifying properties of the update. Create File Systems

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Mandatory Access Control

Some basic features of UNIX

Linux Security Ideas and Tips

Guide to Snare for Linux v4.1

File System Encryption with Integrated User Management

Secure Shell Demon setup under Windows XP / Windows Server 2003

? Resource. Access Control and Operating System Security. Access control matrix. Access control. Capabilities. Two implementation concepts.

Australasian Information Security Evaluation Program

Mandatory Access Control Systems

GL550 - Enterprise Linux Security Administration

Getting Started with the Linux Intrusion Detection

ENTERPRISE LINUX SECURITY ADMINISTRATION

? Resource. Outline. Access Control and Operating System Security. Access control. Access control matrix. Capabilities. Two implementation concepts

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

Hacking Linux-Powered Devices. Stefan Arentz

A Comparative Study of Security Features in FreeBSD and OpenBSD

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Certification Report

Lab 2 : Basic File Server. Introduction

KVM Security - Where Are We At, Where Are We Going

Framework for accessing TransCrypt File System over Untrusted Public Network

UNCLASSIFIED Version 1.0 May 2012

HP Education Services

Red Hat. By Karl Wirth

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Why is security important? Practical applications of secure operating systems in E-business. Web site defacement activity (May 2000 April 2001)

Chapter 23. Database Security. Security Issues. Database Security

Protection of Components based on a Smart Card Enhanced Security Module

Encrypted File Systems. Don Porter CSE 506

IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE

System Structures. Services Interface Structure

OPERATING SYSTEM SERVICES

Linux Operating System Security

MySQL Security: Best Practices

SYSTEM ADMINISTRATION MTAT LECTURE 8 SECURITY

Transcription:

Recent security features and issues in embedded systems NEC OSS Promotion Center KaiGai Kohei <kaigai@ak.jp.nec.com>

Security Overview Asset Vulnerability Risk Security Threat Asset and Vulnerability should be considered as a pair. Threat intend to attack vulnerabilities. Risk means possibilities the threat to be actualized. more worthwhile asset, weaker vulnerability has its risk grow. risk depends on environmental factors, organization policy. Security is a way to reduce risk. 2 Embedded Linux Conference 2008

20 years later Evolutions of Cellular-Phone in the last 20 years Value of Assets Vulnerability electronic money, Credit card Internet connectivity (Web,mail,...) The first generation cellular-phones (1987) commodity operating system Mass storage & Data exchange Java application stored privacy, individual info 3 Embedded Linux Conference 2008

Evolutions of Video/Television in the last 20 years Online firmware update Mass storages to store movie contents Value of Assets Vulnerability Charging Information Analog Video/Television 20 years ago 20 years later Internet connectable home server Privacy commodity operating system 4 Embedded Linux Conference 2008

Evolutions of OS security in the last 20 years What kind of security features are currently available within the operating system? SELinux, Cryptograph, ACL,... Can we apply them on embedded systems? Is it really comprehensive? Traditional UNIX permission 20 years later [kaigai@mailsv ~]$ ls -l /etc -rw-r--r-- 1 root root 23954 Apr 1 18:21 /etc/aliases -rw-r--r-- 1 root root 17 Jul 24 2000 /etc/host.conf -rw-r--r-- 2 root root 147 Nov 30 2005 /etc/hosts -rw-r--r-- 1 root root 161 Jan 13 2000 /etc/hosts.allow -rw-r--r-- 1 root root 347 Jan 13 2000 /etc/hosts.deny -rw-r--r-- 1 root root 1666 Aug 29 2005 /etc/inittab -rw-r--r-- 1 root root 5553 Mar 19 08:46 /etc/passwd drwxr-xr-x 10 root root 4096 Nov 13 14:10 /etc/rc.d/ -r-------- 1 root root 5563 Mar 19 08:46 /etc/shadow : : : : : : : 5 Embedded Linux Conference 2008

Today's Topics Sorting out security requirements ISO15408 framework makes it clearly categorized. Recent security futures can be mapped on the categories. Recent security feature and its issue Introductions/Overviews of recent security features Possible difficulty in applying security features to embedded systems Why? differences in CPU, Filesystem, Memory size,... This session shows the issues to be resolved when we apply recent security features on embedded systems. 6 Embedded Linux Conference 2008

ISO/IEC15408 The purpose of ISO/IEC15408 Common criteria to evaluate security functionalities of IT products, not only software Essentials more than 20 years history since TCSEC, ITSEC 11 functional categories, 8 assurance ones Developers can select functional ones suitable for them. We can use it as a comprehensive catalog of security functionalities. 7 Embedded Linux Conference 2008

Protection Profile What is Protection Profile? A set of requirements for specific categories OS, RDBME, Firewall, SmartCard, Digital-Copier, etc... Example: CAPP, LSPP, MLOSPP for OS, DBMSPP for RDBMS ISO/IEC15408 Functional Requirements Security Audit Communication Cryptographic Support User Data Protection Identification and Authentication Security Management Privacy Protection of the TSF Resource Utilization TOE Access Trusted Path/Channels Pick up Pick up Labeled Labeled Security Security Protection Protection Profile Profile Security Audit User Data Protection DBMS DBMS Protection Protection Profile Profile Security Audit Protection of the TSF User Data Protection Security Management 8 Embedded Linux Conference 2008

Technology map of Recent Security Features Re-organized major categories of security functionalities required by protection profiles for operating system. Security Audit Linux Linux Audit Audit Cryptographic dm-crypt ecryptfs Data Protection [Access [Access Control] POSIX POSIX ACL ACL [Data [Data Flow Flow Control] SELinux [Data [Data Integrity] SD-Hash, TPM TPM Others CGroup CGroup -rt -rt kernel kernel Identification & Authentication POSIX POSIX capability PAM PAM Communication IPsec IPsec openssh/ssl/pgp 9 Embedded Linux Conference 2008

Security Audit What is the purpose? To confirm what has happened later, when we get security incidents Unified event logging for both operating system and applications Well formalized audit logs, In-kernel event filter To alert system administrators Related components linux-audit Security Audit Linux Audit Cryptographic dm-crypt ecryptfs Data Protection [Access Control] POSIX ACL [Data Flow Control] SELinux [Data Integrity] Hash commands TPM Others CGroup -rt kernel Identification & Authentication POSIX capability PAM Communication IPsec openssh/ssl/pgp 10 Embedded Linux Conference 2008

linux-audit features (1/2) Designed for ISO15408 requirements System call audit In-kernel event filters Selective audit review Event notification for administrators Utilities auditd auditctl ausearch, aureport 11 Embedded Linux Conference 2008

linux-audit features (2/2) [root@saba ~]# auditctl -a exit,always -S open -F path=/etc/shadow -F exit!=0 [root@saba ~]# [kaigai@saba ~]$ less /etc/shadow /etc/shadow: Permission denied [kaigai@saba ~]$ [root@saba ~]# ausearch --file /etc/shadow ---- time->mon Mar 24 19:19:05 2008 type=path msg=audit(1206353945.330:3541): item=0 name="/etc/shadow" inode=6111049 dev=08:06 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 type=cwd msg=audit(1206353945.330:3541): cwd="/home/kaigai" type=syscall msg=audit(1206353945.330:3541): arch=40000003 syscall=5 success=no exit=-13 a0=806d010 a1=8000 a2=0 a3=8000 items=1 ppid=3638 pid=18234 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts6 ses=52 comm="less" exe="/usr/bin/less" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 12 Embedded Linux Conference 2008

linux-audit issues in embedded systems Architecture Limitation It hooks the entry-point of system call Implemented in assembler code Unsupported architectures Only x86, ppc, ppc64, s390, ia64, UML, sparc64 are supported now. Super-H coming soon (2.6.25) Where is ARM, MIPS? Storage size limitation smaller storage than server/desktop 13 Embedded Linux Conference 2008

Cryptographic Support What is the purpose? Crypto-key operations based on standard algorithms. Encryption/Decryption based on standard algorithms. Related components dm-crypt ecryptfs based on in-kernel crypt API Security Audit Linux Audit Cryptographic dm-crypt ecryptfs Data Protection [Access Control] POSIX ACL [Data Flow Control] SELinux [Data Integrity] Hash commands TPM Others CGroup -rt kernel Identification & Authentication POSIX capability PAM Communication IPsec openssh/ssl/pgp 14 Embedded Linux Conference 2008

dm-crypt/ecryptfs features dm-crypt One of the device-mapper modules Works in Block Layer Per-device encryption ecryptfs One of the pseudo filesystem works as NFS doing Per-file encryption Metadata as containts of files Encryption is done before compression in jffs2 ecryptfs file system dm-crypt block layer System Call MTD Layer 15 Embedded Linux Conference 2008

dm-crypt/ecryptfs issues in embedded systems dm-crypt and MTD devices I/O traffic on MTD devices don't go through block layer. Cryptographic Support on JFFS2, LogFS and so on? Feasible ideas Utilization of JFFS2 compress handlers Pseudo cryptographer device on MTD LogFS, YAFFS, etc... JFFS2 Crypt Handler Pseudo crypt MTD MTD Layer 16 Embedded Linux Conference 2008

Data Protection Essentials Access Control Data Flow Control Data Integrity What is the purpose? To protect data (including metadata) from leaking, manipulation and destruction. Related components POSIX ACL SELinux Security Audit Linux Audit Cryptographic dm-crypt ecryptfs Data Protection [Access Control] POSIX ACL [Data Flow Control] SELinux [Data Integrity] Hash commands TPM Others CGroup -rt kernel Identification & Authentication POSIX capability PAM Communication IPsec openssh/ssl/pgp 17 Embedded Linux Conference 2008

POSIX ACL The limitation in traditional permission model 'rwx' permission for owner, a group and others How POSIX ACL works It stores ACL within xattrs, used in permission checks. /opt/myfile rwx rwx rwx XATTR entry refer system.posix_acl_access = u:kaigai:rw-,g:secadm:r-x VFS permission check handler Default ACL supports POSIX ACL Issues in embedded systems XATTR supports in filesystems are needed. Busybox supports are needed. 18 Embedded Linux Conference 2008

SELinux (1/3) What is the purpose of SELinux? Mandatory Access Controls (MAC) Data Flow Controls (DFC) Higher sensitive level Classified Data TopSecret Filesystem Networks Shared memory Unclassified Data Unclassified Lower sensitive level Methods of inter-processes communication /boot bin readable executable /usr / /var sbin lib log lib readable executable checks appendwritable security policy /tmp readable writable 19 Embedded Linux Conference 2008

SELinux (2/3) Features It associates a security attribute for each subject/object. e.g) "root:object_r:var_log_t:unclassified" SELinux hooks any system-call invocation to apply its decision based on its security policy. Why we need SELinux? root can be a single-failure point Fine-grained access control A single unified security policy Generally, fewer checks are better If SELinux is disabled? Massive checks in userspace or, Quality degrading System Call Files Application System call entry point Security Context Security Context SELinux Security Policy Kernel Kernel space space reference reference monitor monitor Kernel 20 Embedded Linux Conference 2008

SELinux (3/3) SELinux issues on embedded systems Filesystem XATTR support security context of files are stored within xattr field. cramfs, LogFS, yaffs, etc... Userland utilities support Now busybox has 12 applets, 12 extensions for SELinux load_policy, setenforce, restorecon,... '-Z' option support, preserving security context,... libselinux provides fundamental facilities to userland. pam_selinux.so associate a user with its security context. Security Policy Different application, environment from server/desktop Distributors should provide its suitable base security policy 21 Embedded Linux Conference 2008

Identification and Authentification What is the purpose? To ensure a process works with correct identifier. To associate a user with correct authorities. These features are foundation for other security facilities to work correctly. Security-Audit, Access Controls,... Related components POSIX Capabilities PAM Security Audit Linux Audit Cryptographic dm-crypt ecryptfs Data Protection [Access Control] POSIX ACL [Data Flow Control] SELinux [Data Integrity] Hash commands TPM Others CGroup -rt kernel Identification & Authentication POSIX capability PAM Communication IPsec openssh/ssl/pgp 22 Embedded Linux Conference 2008

POSIX Capabilities (1/4) The purpose of POSIX Capabilities Least privileged set Features It enables to associate a part of 'root privileges' E.g) Using network port < 1024, Ignoring DAC permission Linux kernel has this feature from 2.4.x series, however, it has been hard to utilize. Recent updates Filesystem POSIX Capability Per-process Capability Bounding Set 23 Embedded Linux Conference 2008

POSIX Capabilities (2/4) The calculation rule of capabilities on execve() P (permitted) = (F(permitted) & cap_bset) (P(inheritable) & F(inheritable)) P (effective) = F(effective)? P'(permitted) : 0 P (inheritable)= P(inheritable) Pseudo File POSIX capability bits If euid = 0 If euid!= 0 -> F(*) is set to All-1 (0xfff...fff) -> F(*) is set to All-0 (0x00...00) We had no way to represent F(*) bitmasks. Filesystem POSIX Capability stores F(*) information within xattr of executable files. We can run privileged programs with more restricted power. E.g) /bin/ping with only CAP_NET_RAW 24 Embedded Linux Conference 2008

Example POSIX Capabilities (3/4) /bin/ping with CAP_NET_RAW on F(permitted), not SetUID'ed Features comes from from filesystem XATTR The calculation rule of capabilities on execve() P (permitted) = (F(permitted) & cap_bset) (P(inheritable) & F(inheritable)) P (effective) = F(effective)? P'(permitted) : 0 P (inheritable)= P(inheritable) P'(permitted) = CAP_NET_RAW & 0xfff...fff 0 & 0 P'(effective) = (true)? CAP_NET_RAW : 0 It stores F(*) bits within filesystem XATTR region It enables to replace SetUID programs. Available on 2.6.24 or later 25 Embedded Linux Conference 2008

POSIX Capabilities (4/4) Features The calculation rule of capabilities Capability at execve() bounding-set P (permitted) = (F(permitted) & cap_bset) (P(inheritable) & F(inheritable)) P (effective) = F(effective)? P'(permitted) : 0 P (inheritable)= P(inheritable) Capability bounding-set can mask root privileges F(permitted) is 0xfff...fff when euid = 0 In 2.6.24 or former, cap_bset is system wide variable In the next kernel, we can set per-process capability bounding set, as follows. Login exec Drop CapBset User Shell exec SetUID with with limited limited capabilities 26 Embedded Linux Conference 2008

PAM PAM (Pluggable Authentication Module) A framework of authentication modules PAM Issues in Embedded systems Widely used to set up initial users security attribute security context of SELinux per-process capability bounding set It means these 'secure initial state' depends on PAM How tinylogin handle it? 27 Embedded Linux Conference 2008

Communication & Others What is the purpose? To provide secret, trusted and separated communication channel Resource utilization, trusted timestamp,... Related components SSH/SSL/PGP IPsec Sensitivity and Integrity on communication channels Cgroups/-rt kernel Resource availabilities are also required to security aspect Security Audit Linux Audit Cryptographic dm-crypt ecryptfs Data Protection [Access Control] POSIX ACL [Data Flow Control] SELinux [Data Integrity] Hash commands TPM Others CGroup -rt kernel Give us issues in this region, if you have anything. Identification & Authentication POSIX capability PAM Communication IPsec openssh/ssl/pgp 28 Embedded Linux Conference 2008

Summary (1/2) Asset Vulnerability Risk Security Threat Vulnerability Risk Security Audit Data Protection Identification & Authentication Cryptographic Others Communication 29 Embedded Linux Conference 2008

Summary (2/2) These issues should be solved to provide 'secure' embedded systems. Filesystem XATTR support Common requirement for selinux, ACL, capabilities It is now available on most of regular filesystems, but... Utilities support busybox Now, about 70% of SELinux utilities are merged into upstream Features of ACLs and capabilities are also necessary Cryptograph support on MTD devices Linux-audit support for embedded architecture 30 Embedded Linux Conference 2008

Any Question?

Thank you!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information