SlideShare ist ein Scribd-Unternehmen logo

TOMOYO Linux on Android (Taipei, 2009)

Toshiharu Harada, Ph.D
Toshiharu Harada, Ph.D

The document discusses operating system security and introduces TOMOYO Linux as an access control mechanism for Linux that can restrict administrator privileges and limit the damage caused by stolen devices or exploited vulnerabilities. It explains that TOMOYO Linux tracks process executions to generate security policies and allows administrators to view process histories to define access control rules. The presentation also provides an overview of SELinux and concludes with an announcement of a demonstration of TOMOYO Linux's policy learning mode capabilities.

TechnologieNews & Politik
1 von 29
Downloaden Sie, um offline zu lesen
TOMOYO LINUX ON ANDROID 2009 at Taipei October 27, 2009 (Toshiharu Harada) (Tetsuo Handa) NTT DATA CORPORATION
AGENDA Part 1: Operating System Security Overview Part 2: Demonstration Q and A
DO YOU KNOW THIS? 28 Controller of
28 is very powerful Has no intelligence Operated by the controller
is an ordinary boy (has no power) He is the owner of the controller of 28
CONTROLLER Can be used to control Communicate with wirelessly (bluetooth?)
TOTAL SCENARIO 1. looses his important controller 2. is operated by bad guys 3. takes back the controller 4. Goto line 1
OH
MY GOD!
FAULT OF No, not really is just a machine is responsible to keep the control of Like a driver is responsible for a car accident
EVER THOUGHT? Your PC/Embedded device are the same as It does not know what is good and what is bad You, as the owner of PC, has to administrate it Separating accounts and use passwords Setting access mode for files and directories
UNFORTUNATELY Those things are not sufficient Because 1. Bugs can cause buffer overflows 2. It is possible to take over administrator privilege via buffer overflows 3. Administrator privilege means all mighty
SO YOU NEED Something to restrict (or limit) the administrator privilege Windows VISTA introduced UAC Linux and other mainstream OS are equipped with a better access control mechanisms: SELinux, Smack and TOMOYO Linux
The green field is the operating system space A car is a process (program) In normal OS, car can go anywhere (can do anything) If your car is stolen, your damage is unlimited
WHY “UNLIMITED”? Operating system does not know you Operating system does not understand good operations and bad operations If one gets privilege, he is a God and can do anything (format the drive, stop the service, setting a backdoor ..)
Total idea is “limiting” the freedom You have to be careful not to limit the proper usage
The ideal state is car can go places you need, but cannot go anywhere else
YOUR ROLE Like , SELinux and TOMOYO Linux can’t know which operation is good and which is bad You have to tell them as a set of conditions, which are called “policy”
WHY IT IS DIFFICULT? Because additional access control works in the deep inside of the operating system (in Linux kernel) Linux kernel is not very user friendly world inode, file descriptor, lock … Policy is like a assembler language of computer security
pathname human inode policy
EMBEDDED TOO?
EMBEDDED, TOO? The more and more devices are using Linux A rich set of software (TCP/IP, apache, samba …) Vulnerabilities are the same with server machines Embedded devices store personal information, so security is more important Embedded devices can physically cause harm (remotely destroy/damage your possessions)
3 CHOICES SELinux (fully-featured, most robust and reliable) Smack (simplified version) TOMOYO Linux (since 2.6.30)
SELINUX Makes judge by the combination of “label” (security context information) You can see labels by executing “ls -Z”, “ps -Z” ...
TOMOYO LINUX Has a feature called “policy learning mode” It gathers information inside the kernel and shows you
TOMOYO Linux keeps track of every process executions Each process has its “history” and we call that “domain”
DEMONSTRATION
TRADEMARKS Linux is a trademark of Linus Torvalds in Japan and other countries TOMOYO is a trademark of NTT DATA CORPORATION in Japan
http://www.slideshare.net/haradats/ presentations

Empfohlen

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Introduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherIntroduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherMatthew McCullough
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on AndroidToshiharu Harada, Ph.D
 
Dalvik Vm & Jit
Dalvik Vm & JitDalvik Vm & Jit
Dalvik Vm & JitAnkit Somani
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 

Empfohlen

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Introduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherIntroduction to Android by Demian Neidetcher
Introduction to Android by Demian NeidetcherMatthew McCullough
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on AndroidToshiharu Harada, Ph.D
 
Dalvik Vm & Jit
Dalvik Vm & JitDalvik Vm & Jit
Dalvik Vm & JitAnkit Somani
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidNational Cheng Kung University
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android InternalsNational Cheng Kung University
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsLinaro
 
Linaro and Android Kernel
Linaro and Android KernelLinaro and Android Kernel
Linaro and Android KernelJohn Lee
 
Android presentation
Android presentationAndroid presentation
Android presentationSiva Ramakrishna kv
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsIndustrial Technology Research Institute (ITRI)(工業技術研究院, 工研院)
 
Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMNational Cheng Kung University
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting ScenariosAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)Matthias Brugger
 
Accelerated Android Development with Linaro
Accelerated Android Development with LinaroAccelerated Android Development with Linaro
Accelerated Android Development with LinaroNational Cheng Kung University
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelAnne Nicolas
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Opersys inc.
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone National Cheng Kung University
 
Csc 2313 (lecture 2)
Csc 2313 (lecture 2)Csc 2313 (lecture 2)
Csc 2313 (lecture 2)umardanjumamaiwada
 
Csc 2313 (lecture 2)
Csc 2313 (lecture 2)Csc 2313 (lecture 2)
Csc 2313 (lecture 2)umardanjumamaiwada
 

Weitere ähnliche Inhalte

Was ist angesagt?

Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Tetsuyuki Kobayashi
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsLinaro
 
Linaro and Android Kernel
Linaro and Android KernelLinaro and Android Kernel
Linaro and Android KernelJohn Lee
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)Matthias Brugger
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelAnne Nicolas
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Opersys inc.
 

Was ist angesagt? (20)

Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
 
Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in Android
 
Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'Android is NOT just 'Java on Linux'
Android is NOT just 'Java on Linux'
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embedded
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new Platforms
 
Linaro and Android Kernel
Linaro and Android KernelLinaro and Android Kernel
Linaro and Android Kernel
 
Android presentation
Android presentationAndroid presentation
Android presentation
 
How To Build Android for ARM Chip boards
How To Build Android for ARM Chip boardsHow To Build Android for ARM Chip boards
How To Build Android for ARM Chip boards
 
Build Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVMBuild Programming Language Runtime with LLVM
Build Programming Language Runtime with LLVM
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting Scenarios
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
 
Accelerated Android Development with Linaro
Accelerated Android Development with LinaroAccelerated Android Development with Linaro
Accelerated Android Development with Linaro
 
Kernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernelKernel Recipes 2013 - Overview display in the Linux kernel
Kernel Recipes 2013 - Overview display in the Linux kernel
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone
 

Ähnlich wie TOMOYO Linux on Android (Taipei, 2009)

PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...Toshiharu Harada, Ph.D
 
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docx
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docxINTRODUCTION CHAP. 1 complete access to all the hardware and can.docx
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docxvrickens
 
C hapter 1 types-and_components_of_computer_system[1][1]
C hapter 1 types-and_components_of_computer_system[1][1]C hapter 1 types-and_components_of_computer_system[1][1]
C hapter 1 types-and_components_of_computer_system[1][1]Pratik Gupta
 
Ch 01-types-and-components-of-computers
Ch 01-types-and-components-of-computersCh 01-types-and-components-of-computers
Ch 01-types-and-components-of-computersmmoussa83
 
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMS
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMSBASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMS
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMSNeve Deschanel
 
Types and components of computer systems
Types and components of computer systemsTypes and components of computer systems
Types and components of computer systemsRayane619450
 
PLAYSTATION OPERATING SYSTEM
PLAYSTATION OPERATING SYSTEMPLAYSTATION OPERATING SYSTEM
PLAYSTATION OPERATING SYSTEMShubhansh Kathal
 
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxChapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxJinElias52
 
Unix shell program training
Unix shell program trainingUnix shell program training
Unix shell program trainingAditya Sharat
 
Types and components of computers
Types and components of computersTypes and components of computers
Types and components of computersCik Na Shohaili
 
EMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxEMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxMohammedtajuddinTaju
 
Hardware & software
Hardware & softwareHardware & software
Hardware & softwareIsabelop
 

Ähnlich wie TOMOYO Linux on Android (Taipei, 2009) (20)

Csc 2313 (lecture 2)
Csc 2313 (lecture 2)Csc 2313 (lecture 2)
Csc 2313 (lecture 2)
 
Csc 2313 (lecture 2)
Csc 2313 (lecture 2)Csc 2313 (lecture 2)
Csc 2313 (lecture 2)
 
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
 
Day1 ubuntu boot camp
Day1 ubuntu boot campDay1 ubuntu boot camp
Day1 ubuntu boot camp
 
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docx
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docxINTRODUCTION CHAP. 1 complete access to all the hardware and can.docx
INTRODUCTION CHAP. 1 complete access to all the hardware and can.docx
 
C hapter 1 types-and_components_of_computer_system[1][1]
C hapter 1 types-and_components_of_computer_system[1][1]C hapter 1 types-and_components_of_computer_system[1][1]
C hapter 1 types-and_components_of_computer_system[1][1]
 
Main notes (1)
Main notes (1)Main notes (1)
Main notes (1)
 
Ch 01-types-and-components-of-computers
Ch 01-types-and-components-of-computersCh 01-types-and-components-of-computers
Ch 01-types-and-components-of-computers
 
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMS
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMSBASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMS
BASIC COMPUTER PERIPHERALS/DEVICES/SYSTEMS
 
Types and components of computer systems
Types and components of computer systemsTypes and components of computer systems
Types and components of computer systems
 
Comparative Research In Recent Times, Various Designs And Functionalities In ...
Comparative Research In Recent Times, Various Designs And Functionalities In ...Comparative Research In Recent Times, Various Designs And Functionalities In ...
Comparative Research In Recent Times, Various Designs And Functionalities In ...
 
PLAYSTATION OPERATING SYSTEM
PLAYSTATION OPERATING SYSTEMPLAYSTATION OPERATING SYSTEM
PLAYSTATION OPERATING SYSTEM
 
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the boxChapter 8. Kernel-Mode RootKitsIts now time to take the box
Chapter 8. Kernel-Mode RootKitsIts now time to take the box
 
Embeddedsystems
EmbeddedsystemsEmbeddedsystems
Embeddedsystems
 
Unix shell program training
Unix shell program trainingUnix shell program training
Unix shell program training
 
INTRO TO COMPUTER
INTRO TO COMPUTERINTRO TO COMPUTER
INTRO TO COMPUTER
 
Types and components of computers
Types and components of computersTypes and components of computers
Types and components of computers
 
EMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptxEMBEDDED SYSTEMS INTRODUCTION.pptx
EMBEDDED SYSTEMS INTRODUCTION.pptx
 
Unix final
Unix finalUnix final
Unix final
 
Hardware & software
Hardware & softwareHardware & software
Hardware & software
 

Mehr von Toshiharu Harada, Ph.D

Job's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitJob's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitToshiharu Harada, Ph.D
 
’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs saysToshiharu Harada, Ph.D
 
CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御Toshiharu Harada, Ph.D
 
The role of "pathname based access control" in security"
The role of "pathname based access control" in security"The role of "pathname based access control" in security"
The role of "pathname based access control" in security"Toshiharu Harada, Ph.D
 
振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策Toshiharu Harada, Ph.D
 
僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへToshiharu Harada, Ph.D
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」Toshiharu Harada, Ph.D
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」Toshiharu Harada, Ph.D
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Toshiharu Harada, Ph.D
 
プロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムプロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムToshiharu Harada, Ph.D
 
使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指してToshiharu Harada, Ph.D
 

Mehr von Toshiharu Harada, Ph.D (20)

20090703 tomoyo thankyou
20090703 tomoyo thankyou20090703 tomoyo thankyou
20090703 tomoyo thankyou
 
Job's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitJob's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation Kit
 
’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says
 
CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御
 
TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介
 
LSM Leaks
LSM LeaksLSM Leaks
LSM Leaks
 
The role of "pathname based access control" in security"
The role of "pathname based access control" in security"The role of "pathname based access control" in security"
The role of "pathname based access control" in security"
 
Tomoyo linux introduction
Tomoyo linux introductionTomoyo linux introduction
Tomoyo linux introduction
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
 
振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策
 
僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ
 
Why TOMOYO Linux?
Why TOMOYO Linux?Why TOMOYO Linux?
Why TOMOYO Linux?
 
Deep inside TOMOYO Linux
Deep inside TOMOYO LinuxDeep inside TOMOYO Linux
Deep inside TOMOYO Linux
 
ComSys2009
ComSys2009ComSys2009
ComSys2009
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
 
プロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムプロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システム
 
TOMOYO Linux
TOMOYO LinuxTOMOYO Linux
TOMOYO Linux
 
使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して
 

Kürzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

TOMOYO Linux on Android (Taipei, 2009)

  • 1. TOMOYO LINUX ON ANDROID 2009 at Taipei October 27, 2009 (Toshiharu Harada) (Tetsuo Handa) NTT DATA CORPORATION
  • 2. AGENDA Part 1: Operating System Security Overview Part 2: Demonstration Q and A
  • 3. DO YOU KNOW THIS? 28 Controller of
  • 4. 28 is very powerful Has no intelligence Operated by the controller
  • 5. is an ordinary boy (has no power) He is the owner of the controller of 28
  • 6. CONTROLLER Can be used to control Communicate with wirelessly (bluetooth?)
  • 7. TOTAL SCENARIO 1. looses his important controller 2. is operated by bad guys 3. takes back the controller 4. Goto line 1
  • 8. OH
  • 10. FAULT OF No, not really is just a machine is responsible to keep the control of Like a driver is responsible for a car accident
  • 11. EVER THOUGHT? Your PC/Embedded device are the same as It does not know what is good and what is bad You, as the owner of PC, has to administrate it Separating accounts and use passwords Setting access mode for files and directories
  • 12. UNFORTUNATELY Those things are not sufficient Because 1. Bugs can cause buffer overflows 2. It is possible to take over administrator privilege via buffer overflows 3. Administrator privilege means all mighty
  • 13. SO YOU NEED Something to restrict (or limit) the administrator privilege Windows VISTA introduced UAC Linux and other mainstream OS are equipped with a better access control mechanisms: SELinux, Smack and TOMOYO Linux
  • 14. The green field is the operating system space A car is a process (program) In normal OS, car can go anywhere (can do anything) If your car is stolen, your damage is unlimited
  • 15. WHY “UNLIMITED”? Operating system does not know you Operating system does not understand good operations and bad operations If one gets privilege, he is a God and can do anything (format the drive, stop the service, setting a backdoor ..)
  • 16. Total idea is “limiting” the freedom You have to be careful not to limit the proper usage
  • 17. The ideal state is car can go places you need, but cannot go anywhere else
  • 18. YOUR ROLE Like , SELinux and TOMOYO Linux can’t know which operation is good and which is bad You have to tell them as a set of conditions, which are called “policy”
  • 19. WHY IT IS DIFFICULT? Because additional access control works in the deep inside of the operating system (in Linux kernel) Linux kernel is not very user friendly world inode, file descriptor, lock … Policy is like a assembler language of computer security
  • 20. pathname human inode policy
  • 22. EMBEDDED, TOO? The more and more devices are using Linux A rich set of software (TCP/IP, apache, samba …) Vulnerabilities are the same with server machines Embedded devices store personal information, so security is more important Embedded devices can physically cause harm (remotely destroy/damage your possessions)
  • 23. 3 CHOICES SELinux (fully-featured, most robust and reliable) Smack (simplified version) TOMOYO Linux (since 2.6.30)
  • 24. SELINUX Makes judge by the combination of “label” (security context information) You can see labels by executing “ls -Z”, “ps -Z” ...
  • 25. TOMOYO LINUX Has a feature called “policy learning mode” It gathers information inside the kernel and shows you
  • 26. TOMOYO Linux keeps track of every process executions Each process has its “history” and we call that “domain”
  • 28. TRADEMARKS Linux is a trademark of Linus Torvalds in Japan and other countries TOMOYO is a trademark of NTT DATA CORPORATION in Japan