w211 Unit 5 Lectures


Securing the Daemons

Advanced Security Features of FreeBSD

George Neville-Neil
gnn@freebsd.org
gnn@msbit.com
What is FreeBSD?

• Complete Operating System
• Tools and source code
• More than 24,000 3rd party open source software packages
• Complete documentation
• An open source community
Who uses FreeBSD?
• NetApp
• WhatsApp
• Dell/EMC/Isilon
• Juniper Networks
• Dell/KACE
• Verisign
• Perseus Telecom
• Panasas
• Sony
• Apple
• XipLink
• Limelight Networks
• McAfee
• Swisscom
• NYI
• Sentex
• Yahoo
• Microsoft
Why use FreeBSD?

• Innovation
• Great tools
• Mature release model
• Excellent documentation in many languages
• Business friendly license
• Open community
Produce a whole system

• Operating system
• Device drivers
• Compilers and associated tools
• Debugging tools
• Editors
• Packaging system
• Ready for coding when install is done
Securing an Operating System
• Against whom?
• How?
• Restraint
  • Preventing actors from doing bad things
• Recording
  • Tracking down what a bad actor has done
Security Features and FreeBSD
• Jails (2000)
• Mandatory Access Control (2003)
• Audit (2006)
• Capabilities (2010)
Securing the Daemons
Containing Applications with Jails

Jails
• Lightweight Virtualization
• Can scale to 1000s of instances on a single server
• Easy to manage
• Often used by ISPs
  • An apache or nginx jail
  • Mail servers
Motivation
• A better chroot()
  • Initially focused on the filesystem
• Each jail has a private namespace
• Group and isolate a set of processes, for example:
  • nginx and mysql
  • Mail server hosting
Implementation
• New system calls
  • jail(2) and jail_attach(2)
• A sprinkling of access checks throughout the kernel
  • prison_check*() routines
Centralized Prison Structure
• One struct to rule them all
• Kernel maintains a list of prisons
• The pr_allow field is a white list
Fine Grained Privileges
• Privileges granted by a single kernel call
  • prison_priv_check()
• Currently 681 named privileges
• Broken down into various sections
  • VFS
  • Network
  • Scheduler
  • etc.
Jail Security Properties
• Isolates processes in the filesystem
  • Each Jail operates below its own root (/)
• Isolates processes from each other
  • Processes in a jail cannot manipulate other jails
  • Processes in a jail cannot manipulate the base OS
• Allows cooperation
  • Processes in a jail can talk to other processes in the same jail
Jails and the Network
• Jails have independent IPs
• Requires Kernel Virtual Networking (VNET)
Securing the Daemons
Controlling Access to Data with
Mandatory Access Control

Mandatory Access Control
• Kernel Framework for Security Policies
• Each Policy is a Kernel Module
• Focuses on Who can do What to Whom
• Manages subjects and objects using labels
Example Policies
• Port ACL
  • Limits user processes binding to network ports (TCP or UDP)
• BSD Extended
  • Filesystem Firewall
• Multi-Level Security confidentiality policy (MLS)
  • Information flow based on Bell & LaPadula 1973
• Biba data integrity policy (based on Biba 1977)
  • Strict ordering of which subjects can read or write which objects
Overall Architecture
MAC Policy Structure
MAC Policy Lifecycle
Securing the Daemons
Auditing Active Systems

Security Event Auditing
• Who did what to whom and when?
• The audit system
  • Captures events from system calls
  • Produces a stream of audit records
    • Text or XML
• Can now be accessed via DTrace
  • audit provider
  • Which has some interesting properties...
Audit Framework
An Audit Record (see audit.log(5) for token definitions)
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
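An added example, not from the slides: a small Python parser for the praudit(1) text form shown above, which also flags execs run with euid root by a user whose audit (login) user is not root, a routine thing to hunt for in a trail. The first record in the sample is the one on the slide, the second is constructed; the subject field order follows audit.log(5).

```python
"""Parse praudit(1)-style text audit records; SAMPLE_TRAIL is a constructed sample."""
SAMPLE_TRAIL = """\
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
header,110,10,execve(2),0,Mon Sep 25 16:02:11 2006, + 12 msec
exec arg,ls,-l
path,/bin/ls
subject,doug,doug,users,doug,users,38501,38032,42090,10.0.0.5
return,success,0
trailer,110
"""
# Field order of the subject token, per audit.log(5).
SUBJECT_FIELDS = ("audit_user", "euid", "egid", "ruid", "rgid",
                  "pid", "sid", "tid", "address")

def parse_records(text):
    """Split a praudit text stream into records, one dict per header..trailer pair."""
    records, cur = [], None
    for line in filter(None, text.splitlines()):
        token, *fields = line.split(",")
        if token == "header":  # byte count, version, event, modifier, time, msec
            cur = {"length": int(fields[0]), "event": fields[2], "time": fields[4]}
        elif cur is None:
            raise ValueError(f"{token!r} token outside a record")
        elif token == "subject":
            cur["subject"] = dict(zip(SUBJECT_FIELDS, fields))
        elif token == "exec arg":
            cur["args"] = fields
        elif token == "path":
            cur["path"] = fields[0]
        elif token == "trailer":
            if int(fields[0]) != cur["length"]:  # truncated or corrupted record
                raise ValueError("trailer byte count does not match header")
            records.append(cur)
            cur = None
    return records

def flag_root_execs(records):
    """Execs run with euid root by someone whose audit (login) user is not root."""
    hits = []
    for r in records:
        s = r.get("subject", {})
        if r["event"] == "execve(2)" and s.get("euid") == "root" and s.get("audit_user") != "root":
            hits.append((s["audit_user"], r.get("path"), s["address"]))
    return hits
```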
Securing the Daemons
Sandboxing Applications

Capsicum
• Capabilities for Unix
• Intra Process Sandboxing
• Rights attached to file descriptors
• Ambient authority is limited
• Rights must be added or delegated
Some Sandboxed Programs
• auditdistd
• chromium
• dhclient
• kdump
• pkg
• sshd
• tcpdump
The Sandboxing Process (tcpdump)

#include <sys/capsicum.h>   /* cap_rights_t, cap_rights_init(), cap_rights_limit() */
#include <errno.h>
#include <stdio.h>
#include <pcap/pcap.h>

#ifdef HAVE_CAPSICUM
	cap_rights_t rights;
	/* Keep only CAP_READ on the capture descriptor; every other right is dropped for good. */
	cap_rights_init(&rights, CAP_READ);
	/* ENOSYS only means this kernel has no Capsicum; any other error is fatal (error() is tcpdump's helper). */
	if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 && errno != ENOSYS) {
		error("unable to limit pcap descriptor");
	}
#endif
Limiting Rights
• A new file descriptor has all rights
• Once limited, rights cannot be regained
• Rights are controlled by the kernel
Securing the Daemons
Wrap-up

Learn more about FreeBSD

• Website: www.freebsd.org
• FreeBSD Foundation: www.freebsdfoundation.org
• GitHub: github.com/freebsd
• Mailing Lists/Forums
• FreeBSD Handbook
References
• Jails
  • P. Kamp & R. Watson, “Jails: Confining the Omnipotent Root,” Proceedings of the Second International System Administration and Networking Conference (SANE), May 2000. Available from http://docs.freebsd.org/44doc/papers/jail/
• MAC
  • R. N. M. Watson, B. Feldman, A. Migus, & C. Vance, “Design and Implementation of the TrustedBSD MAC Framework,” Proceedings of the Third DARPA Information Survivability Conference and Exhibition (DISCEX), IEEE, April 2003. Available from https://pdfs.semanticscholar.org/37da/67b82aec5533283b0800b3ff9f06339b050d.pdf
• Audit
  • R. N. M. Watson & W. Salamon, “The FreeBSD Audit System,” Proceedings of UKUUG LISA 2006, March 2006.
• Capabilities
  • R. N. M. Watson, B. Laurie, J. Anderson, & K. Kennaway, “Capsicum: Practical Capabilities for UNIX,” Proceedings of the 19th USENIX Security Symposium, August 2010. Available from https://www.usenix.org/legacy/event/sec10/tech/full_papers/Watson.pdf
