Transcript
Linux.Conf.Au 2009
Deep inside TOMOYO Linux
2009.1.20
TOMOYO Linux Project, Handa Tetsuo
TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan. Linux is a trademark of Linus Torvalds. Other names and trademarks are the property of their respective owners.
Copyright (C) 2009 NTT DATA CORPORATION
Two versions of TOMOYO
• Version 1.6.x
– Not using LSM.
– Full featured version.
– Supports many kernels/distributions including 2.4 kernels.
• This material refers to this version.
• Version 2.2.x
– Modified to use LSM for mainline inclusion.
– Minimal subset of 1.6.x.
• Proposal in progress.
What is TOMOYO's argument?
• The "name" based access control has been unpopular among security professionals.
– Because whether a file is readable and/or writable and/or executable depends on the location of that file.
• But we had better not neglect the role of "name" in security.
– Or we will get undesirable consequences.

What is TOMOYO's argument?
• As long as a file's contents are stored in an inode, the contents can be separated/protected by "label" based access control.
• But when the contents are copied to userspace and mixed by applications, the "label" of the contents is lost.
– Thus we should be aware of the factors that control how the contents are processed.
– The "name" is one of such factors.

What is TOMOYO's argument?
• Factors that affect security
– Program's code
– Files accessed by programs
– User's input
– Pathname (i.e. the location of a file)
– Command line arguments (a.k.a. argv[])
– Environment variables (a.k.a. envp[])
– and more?
• TOMOYO tries to take care of the "name" factors.
Scenario 1 : Customer's Demand
• We want to upload web contents via CGI/FTP/SFTP/TAR etc.
– Filename the administrator is expecting: /var/www/html/plaintext.txt
– Contents the administrator is expecting: Hello world!
• We want to let Apache serve the web contents.
Scenario 1 : Question
• How can we avoid the case below?
– Filename actually created: /var/www/html/.htaccess
– Contents actually written: RedirectMatch (.*) http://evil.example.com/cgi-bin/poison-it?$1
• Apache will interpret .htaccess and return "302 Moved Temporarily" to clients.
– The clients will be redirected to the malicious server.

Scenario 1 : Question
• People are aware of the cross site scripting vulnerability.
– It is an application level problem.
• Are people also aware of the redirection vulnerability?
– http://isc.sans.org/diary.html?storyid=5150
– It is an OS involved problem.
– Don't we have some room for protection?
Scenario 1 : TOMOYO's Solution
• You can use "\-" (name subtraction operator) to avoid exercising unwanted pathnames.
– Only access controls which care about the "name" factor can do this.
• Below is an example that doesn't allow creation of filenames which begin with "." so that files like .htaccess won't be created.
– allow_create /var/www/html/\*\-.\*
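As an added illustration (not TOMOYO's own code), here is a small Python model of how the rule above decides a create request: "\*" is treated as zero or more non-slash characters and "A\-B" as "matches A but not B", so the subtraction keeps dot-files out while plain names still match. TOMOYO's other wildcards are not modelled; the policy line is the one from the slide.

```python
import re

# Added example (not TOMOYO's own code): a simplified model of how a TOMOYO
# allow_create pattern using "\*" and the "\-" subtraction operator decides
# whether a requested pathname is permitted.  Only "\*" and "\-" are modelled.

def _component_regex(pattern):
    """Translate one path-component pattern into a regex:
    "\\*" is zero or more characters other than "/", anything else is literal."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            out.append("[^/]*")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def component_matches(pattern, name):
    """Apply subtraction: "A\\-B" matches names that match A but not B."""
    positive, *negatives = pattern.split("\\-")
    if not re.fullmatch(_component_regex(positive), name):
        return False
    return not any(re.fullmatch(_component_regex(n), name) for n in negatives)

def path_matches(pattern, path):
    """Match component by component, so "\\*" never crosses a "/"."""
    pparts, nparts = pattern.split("/"), path.split("/")
    return len(pparts) == len(nparts) and all(
        component_matches(p, n) for p, n in zip(pparts, nparts))

def allow_create(policy, path):
    """True if some allow_create line in the (constructed) domain policy permits path."""
    for line in policy:
        keyword, _, pattern = line.partition(" ")
        if keyword == "allow_create" and path_matches(pattern, path):
            return True
    return False

# Constructed policy: the single rule from the slide above.
POLICY = ["allow_create /var/www/html/\\*\\-.\\*"]
```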
Scenario 2 : Customer's Demand
• We need to execute /bin/cat /bin/mv /bin/rm and some more commands from Apache's CGI.

Scenario 2 : Question
• What happens if the CGI has a security hole that allows the operation below?
– $ /bin/mv /var/www/html/.htpasswd /var/www/html/index.html
• Apache will interpret index.html and return the contents of .htpasswd (i.e. password information) to clients.
– The administrator won't want Apache to do so.

Scenario 2 : TOMOYO's Solution
• Control what filenames are created/deleted/opened by the CGI.
– The "name" based access control can forbid use of inappropriate names.
• Change the security context of a process whenever a program is executed.
– /bin/cat /bin/mv /bin/rm and some more commands will have different sets of pathnames that they are allowed to exercise.
Scenario 3 : Customer's Demand
• We want to prevent the administrator from blocking general users.

Scenario 3 : Question
• What happens if the administrator issues the following operation?
– # ln /etc/resolv.conf /etc/nologin
• The administrator can prevent the general users from logging in, if the administrator is allowed to create a file named /etc/nologin.

Scenario 3 : TOMOYO's Solution
• You can restrict what names the administrator and the general users can create/delete/rename/link.
• You can restrict namespace changes (e.g. mount/umount/chroot/pivot_root).
Scenario 4 : Customer's Demand
• We want to divide the administrator's tasks.
• We want to forbid operations that will leak /etc/shadow.
– # cat /etc/shadow
– Hey, there is plenty of room for criticizing "name" based access control!
– No, that's not what I wanted to say here.

Scenario 4 : Question
• We need to grant read access to /etc/shadow to applications which authenticate a user.
– /bin/login /bin/su /usr/sbin/sshd
• Then, why not consider "How is /etc/shadow used by such applications?"
– I'm talking about behaviors after the contents of /etc/shadow are copied to userspace.
– This is not a battle of "name" versus "label".

Scenario 4 : Question
• Wow! Can you accept this?
– Using /etc/shadow as a banner.
# /usr/sbin/sshd -o 'Banner /etc/shadow'
# ssh localhost
root:$1$d8kgaeX7$PqJEIeNsGAGPw4WwiVy0C/:14217:0:99999:7:::
bin:*:14189:0:99999:7:::
daemon:*:14189:0:99999:7:::
adm:*:14189:0:99999:7:::
lp:*:14189:0:99999:7:::
sync:*:14189:0:99999:7:::
shutdown:*:14189:0:99999:7:::
(…snipped…)
kumaneko:$1$Y1sTeizV$y59KJ5302WPGh9rw8kGU50:14217:0:99999:7:::
root@localhost's password:

Scenario 4 : TOMOYO's Solution
• You can control command line parameters and environment variables.
– Because they are factors that control how the contents are processed.
• Here are some examples.
– allow_execute /usr/sbin/sshd if exec.argc=1
– allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="/bin/mail" exec.envp["PATH"]="/bin:/usr/bin"
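An added example, not TOMOYO's own code: a simplified Python evaluator for the exec.argc / exec.argv[] / exec.envp[] conditions on the slide above. Run against the two policy lines from the slide, it shows why the banner trick from the previous slide (sshd started with extra arguments) is denied while the plain sshd invocation is allowed; only exact-match conditions are modelled, not TOMOYO's NULL or pattern forms.

```python
import re
import shlex

# Added example (not TOMOYO's own code): a simplified evaluator for allow_execute
# lines with "if exec.argc=... exec.argv[N]=... exec.envp["X"]=..." conditions
# as shown on the slide above.  Only exact-match conditions are modelled.

def parse_allow_execute(line):
    """Return (program, [(key, value), ...]) for one allow_execute line."""
    tokens = shlex.split(line)  # strips the quotes around argv/envp values
    if len(tokens) < 2 or tokens[0] != "allow_execute":
        raise ValueError("not an allow_execute line: %r" % line)
    if len(tokens) > 2 and tokens[2] != "if":
        raise ValueError("expected 'if' before conditions in: %r" % line)
    conditions = []
    for token in tokens[3:]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed condition: %r" % token)
        conditions.append((key, value))
    return tokens[1], conditions

def condition_holds(key, value, argv, envp):
    """Evaluate one condition against the requested argv[] and envp[]."""
    if key == "exec.argc":
        return len(argv) == int(value)
    m = re.fullmatch(r"exec\.argv\[(\d+)\]", key)
    if m:
        index = int(m.group(1))
        return index < len(argv) and argv[index] == value
    m = re.fullmatch(r"exec\.envp\[(.+)\]", key)
    if m:  # an absent variable never satisfies a required value
        return envp.get(m.group(1)) == value
    raise ValueError("unsupported condition: %r" % key)

def execute_allowed(policy, program, argv, envp):
    """True if some entry for program has every condition satisfied
    (an entry without an 'if' clause permits any argv/envp)."""
    for line in policy:
        entry_program, conditions = parse_allow_execute(line)
        if entry_program == program and all(
                condition_holds(k, v, argv, envp) for k, v in conditions):
            return True
    return False

# Constructed policy: the two rules from the slide above.
POLICY = [
    'allow_execute /usr/sbin/sshd if exec.argc=1',
    'allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="/bin/mail" exec.envp["PATH"]="/bin:/usr/bin"',
]
```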
Scenario 5 : Customer's Demand
• We have to allow execution of /bin/sh from our server application.
• Parameters given to /bin/sh are variable, but we don't want to allow use of arbitrary parameters.
– We want to control not only commands but also command line parameters and environment variables.

Scenario 5 : TOMOYO's Solution
• You can validate/record/detoxify parameters and do setup procedures (e.g. mounting a private /tmp/ partition) using the "execute_handler" keyword.
• The example below lets /usr/bin/check-cgi-param intercept program execution requests.
– execute_handler /usr/bin/check-cgi-param
Scenario 6 : Customer's Demand
• We want to assign different permissions based on the client's IP address and/or port number.

Scenario 6 : TOMOYO's Solution
• You can manage a process's state using the "task.state" keyword.
– allow_network TCP accept @network1 1024-65535 ; set task.state[0]=1
– allow_network TCP accept @network2 1024-65535 ; set task.state[0]=2
Scenario 7 : Customer's Demand
• We want to accept policy violations caused by software updates so that the service can restart properly after software updates.

Scenario 7 : TOMOYO's Solution
• You can interactively handle policy violations in enforcing mode.
– To handle (library file's) pathname changes.
– To handle (irregular) signal requests.
– To examine whether the restarted service can work properly.
Scenario 8 : Customer's Demand
• We want to protect our system from SSH brute force attacks.
– We can't use public key authentication because we are not allowed to use removable media.

Scenario 8 : TOMOYO's Solution
• You can insert a fully customizable extra authentication layer between the SSH server process and the login shell process.
– TOMOYO's process invocation history allows you to design the process's state transition diagram.
– You can insert any setup programs into the state transition diagram and enforce it.
What versions can TOMOYO 1.6.x support?
• Vanilla kernels since 2.4.30/2.6.11.
• Many distributions' latest kernels.
– RedHat Linux 9
– Fedora Core 3/4/5/6
– Fedora 7/8/9/10
– CentOS 3.9/4.7/5.2
– OpenSUSE 10.1/10.2/10.3/11.0/11.1
– Asianux Server 2.0/3.0
– Mandriva 2008.1/2009.0
– Turbolinux Server 10/11
– Turbolinux Client 2008
– Debian Sarge/Etch/Lenny
– Ubuntu 6.06/6.10/7.04/7.10/8.04/8.10
– Vine Linux 4.2
– Nature's Linux 1.6
– Gentoo
– Hardened Gentoo
Why TOMOYO 1.6.x doesn't use LSM?
• Not all hooks are provided.
– Minimal hooks for implementing TOMOYO 2.2.0 were merged in 2.6.28-git4.
– TOMOYO needs more LSM hooks.
• Hooks for socket's accept()/recvmsg() operations.
• Hooks for non-POSIX capabilities.
• Hooks for interactive enforcing mode.
• To support 2.4 kernels.

Why TOMOYO 1.6.x doesn't use LSM?
• TOMOYO wants to coexist with other security mechanisms.
– We now understand that an unexpected "name" causes unexpected behaviors, don't we?
– Controlling only "label" is not sufficient. We need to also control "name".
• But current LSM is *exclusive*.
– I hope LSM will become stackable so that we can enable multiple LSM modules at the same time.
Conclusion?
• The "name" based MAC is an inferior solution compared to the "label" based MAC if we care only whether a file is readable and/or writable and/or executable.
• But there are "name" specific advantages in security if we care about other aspects.
• TOMOYO is a "name" based MAC which compensates for the shortcomings of "label" based MAC.

Materials?
• The role of "pathname based access control" in security.
– http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf
• "Why TOMOYO Linux?"
– http://sourceforge.jp/projects/tomoyo/docs/tlug200805.pdf
• All materials are available at
– http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1