Professional Documents
Culture Documents
Linux Kernel Security Kca09
Linux Kernel Security Kca09
Linux Kernel Security Kca09
Overview
Kernel Conference Australia
Brisbane, 2009
James Morris
jmorris@namei.org
Introduction
Historical Background
DAC
User/group/other + read/write/execute
Extended DAC
Limited usefulness
May help eliminate setuid root binaries
Linux Namespaces
PAM integration
Netfilter
IPTables
NAT
Missing Link
Mandatory security
Assurance
Cryptography
Hashing
RNG
Cryptography
Default is AES-128/SHA-256
Per-object encryption
Memory Protection
Kernel Vulnerabilities
SELinux
AppArmor
TOMOYO
Labeled Networking
NetLabel
CIPSO
IPSec
Secmark
Utilizes iptables
Labeled NFS
NFSv4 extension
Prototype code
NFS ACLs
Anti-Malware
fsnotify
TALPA
Audit
Syscalls
LSM decisions
Seccomp
Known mitigations
Certifications
Future Directions
Extensible models
Cloud Computing
Challenges
enable features
report problems
Resources
Questions?
Useful URLs
KernelSecurityWiki
http://security.wiki.kernel.org/
LSMMailingList
http://vger.kernel.org/vgerlists.html#linuxsecuritymodule
LWNSecurityPage
http://lwn.net/Security/
TheInevitabilityofFailure:TheFlawedAssumptionofSecurityinModern
ComputingEnvironments
http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf
LSMUsenixPaper
http://www.usenix.org/event/sec02/wright.html
KernelMemoryProtection
http://lwn.net/Articles/329787/
LinuxSecurityModelComparison
http://tomoyo.sourceforge.jp/wikie/?WhatIs#comparison
Introduction
Historical Background
DAC
User/group/other + read/write/execute
Extended DAC
Limited usefulness
May help eliminate setuid root binaries
Linux Namespaces
PAM integration
Netfilter
IPTables
NAT
Missing Link
Mandatory security
Assurance
10
Cryptography
Hashing
RNG
11
Cryptography
Default is AES-128/SHA-256
13
Per-object encryption
15
Memory Protection
16
Kernel Vulnerabilities
17
SELinux
- Rationale:
- trusted systems not viable / generally useful
- Need whole-system approach (i.e. extend to
network, database, virt, desktop...)
- Mainstream MAC
- Targeted policy: limited confinement to network
facing services and base OS: made it possible to
enable by default
- Proven effectiveness, limits exploitation of vulns
- Usability addressed with high level abstractions, e.g.
kiosk mode, svirt
- Related work: SEBSD, FMAC; interop desired
- Kylin 3 (KACF), apparently B2 class
- Certified LSPP/EAL4+, also shipping enabled by
default in Fedora
- Low-level policy is complex; relies on high level
abstractions for usability, like a spreadsheet on a PC.
- Customization is still a challenge; work to be done..
20
AppArmor
21
TOMOYO
Labeled Networking
NetLabel
CIPSO
IPSec
Secmark
Utilizes iptables
23
Labeled NFS
NFSv4 extension
Prototype code
NFS ACLs
24
Labeling:
- Several closed / proprietary implementations
- No standard
- Best if open and standard, generalized
ACLs:
- Lots of variations, need interop
- NFSv3 has support for native ACLs
- uses xattr APIs
- NFSv4 ACLs are implementation of Windows model,
which is very different (see Gregs slides)
- NFSv4 code partially implemented
- ZFS, GPFS has it
- Needed for NAS interop, windows clients etc.
Anti-Malware
fsnotify
TALPA
26
Audit
Syscalls
LSM decisions
Seccomp
28
Known mitigations
Certifications
29
Future Directions
Extensible models
Cloud Computing
30
Challenges
enable features
report problems
31
Resources
32
Questions?
33
Useful URLs
KernelSecurityWiki
http://security.wiki.kernel.org/
LSMMailingList
http://vger.kernel.org/vgerlists.html#linuxsecuritymodule
LWNSecurityPage
http://lwn.net/Security/
TheInevitabilityofFailure:TheFlawedAssumptionofSecurityinModern
ComputingEnvironments
http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf
LSMUsenixPaper
http://www.usenix.org/event/sec02/wright.html
KernelMemoryProtection
http://lwn.net/Articles/329787/
LinuxSecurityModelComparison
http://tomoyo.sourceforge.jp/wikie/?WhatIs#comparison
34
35
36