SlideShare ist ein Scribd-Unternehmen logo

The role of "pathname based access control" in security"

Toshiharu Harada, Ph.D
Toshiharu Harada, Ph.D

Linux Foundation Japan #8 Symposium BoF slides.

Technologie
1 von 37
Downloaden Sie, um offline zu lesen
2008.07.10 LFJ Symposium BoF The role of "pathname based access control" in security. Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Two types of access control  Label (i.e. attribute) based  SELinux  SMACK  Pathname (i.e. name) based  AppArmor  TOMOYO Linux Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 2
Pathname based access control depends on the location of a file. What happens if /etc/shadow is linked to /tmp/shadow ?  Pathname based  An attacker can access password information via /tmp/shadow if the access control allows "ln /etc/shadow /tmp/shadow" and "cat /tmp/shadow".  So, we need to restrict pathname changes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 3
Pathname based access control depends on the location of a file. What happens if /etc/shadow is linked to /tmp/shadow ?  Label based  An attacker can't access password information via /tmp/shadow even if the access control allows "ln /etc/shadow /tmp/shadow" as long as the access control forbids "cat /etc/shadow" since /tmp/shadow preserves the same attribute with /etc/shadow .  So, we needn't to care about pathname changes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 4
Pathname based access control depends on the location of a file. What happens if /etc/ is bind mounted to /tmp/ ?  Pathname based  An attacker can access files under /etc/ via /tmp/ if the access control allows "mount --bind /etc/ /tmp/" and "cat /tmp/*".  So, we need to restrict namespace manipulation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 5
Pathname based access control depends on the location of a file. What happens if /etc/ is bind mounted to /tmp/ ?  Label based  An attacker can't access files under /etc/ via /tmp/ even if the access control allows "mount --bind /etc/ /tmp/" as long as the access control forbids to access files under /etc/ since /tmp/ preserves the same attribute with /etc/ .  So, we needn't to care about namespace manipulation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 6
That's right. But...  The label based access control is indeed robust against change of pathnames and namespaces.  But that does not mean label based access control can allow changing pathnames and namespaces freely.  It is not appropriate to say "We don't need to care about the location of a file if we use label based access control."  The location of a file has a meaning. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 7
What happens if /etc/ is bind mounted to /tmp/ ?  It istrue that the content of /etc/shadow will not be read by "cat /tmp/shadow" if we use label based access control.  But, since /etc/ and /tmp/ have the same attribute, writing to /tmp/ is denied if writing to /etc/ is not permitted.  Unwritable /tmp/ causes trouble with the applications. Can you tolerate it? (I can't.) Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 8
What happens if /etc/ is bind mounted to /tmp/ ?  The matter is no longer "whether the content of /etc/shadow can be protected or not", but now "whether the system can work properly or not".  To keep the system workable, you had better not to allow "mount --bind /etc/ /tmp/" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 9
What happens if /etc/shadow is linked to /etc/nologin ?  It is true that the content of /etc/shadow will not be read by "cat /etc/nologin" if we use label based access control.  But /etc/nologin has special meaning, it prevents unprivileged users from logging into the system. Can you tolerate it? (I can't.) Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 10
What happens if /etc/shadow is linked to /etc/nologin ?  The matter is no longer "whether the content of /etc/shadow can be protected or not", but now "whether the specific pathname is allowed to be created or not".  To keep the system usable, you had better not to allow "ln /etc/shadow /etc/nologin" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 11
What happens if /var/www/html/.htpasswd is renamed to /var/www/html/index.html ?  We have to allow Apache to read both files.  Apache will send the content of index.html to clients.  Apache will not send the content of .htpasswd to clients.  Of course, we don't want Apache to leak password information, do we? Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 12
What happens if /var/www/html/.htpasswd is renamed to /var/www/html/index.html ?  The matter is no longer "whether these files are accessible or not", but now "how these files are processed".  To keep /var/www/html/.htpasswd secret, you had better not to allow "mv /var/www/html/.htpasswd /var/www/html/index.html" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 13
What happens if /usr/sbin/httpd and /usr/sbin/sshd are exchanged?  Label based access control would block execution if /usr/sbin/httpd got the label 'sshd_exec_t' and /usr/sbin/sshd got the label 'httpd_exec_t'.  But,are you happy to have a server which doesn't provide services? (I'm not.)  The matter is no longer "whether these programs can preserve appropriate attributes", but now "whether the system can continue providing services". Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 14
What happens if /usr/sbin/httpd and /usr/sbin/sshd are exchanged?  To keep the system providing services, you had better not to allow "mv /usr/sbin/httpd /usr/sbin/httpd.tmp; mv /usr/sbin/sshd /usr/sbin/httpd; mv /usr/sbin/httpd.tmp /usr/sbin/sshd" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 15
More and more examples... What happens if /bin/cat and /usr/bin/md5sum are exchanged?  You don't care because both files have the label 'bin_t'?  I do care because shell scripts will stop working properly. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 16
More and more examples... What happens if a symbolic link /bin/md5sum to /usr/bin/sha1sum is created?  Applications want to execute md5sum, but they actually execute sha1sum if environment variable PATH is something like PATH=/bin:/usr/bin . Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 17
More and more examples... What happens if /etc/shadow is renamed to /etc/my_shadow?  Nobody will be able to login to the system. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 18
System's availability depends on the location of a file.  It is the file's *attribute* that decides "whether the file is readable and/or writable and/or executable or not", but it is the file's *name* that decides "how the file's content is processed" and "how the system behaves".  Pathname is the basis of system's availability. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 19
Need for protecting pathnames.  To prevent the system from triggering contingency, it is quite natural thing to restrict changing pathnames.  It is an indispensable prerequisite for the system to work properly that necessary files are in place with appropriate names.  Almost all files' pathnames needn't to be changed, and the range of pathname changes is not infinite. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 20
Need for protecting pathnames.  It is important to enforce the rule "Deny name changes by default. Allow name changes only by specific names." **AS MUCH AS POSSIBLE**. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 21
Need for protecting pathnames. The maximal granularity of restricting name changes.  Label based  Per a directory (when each directory is assigned a different label).  Pathname based  Per a filename (when wild card is not used). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 22
Need for protecting pathnames.  Label based access control can't restrict names within a directory.  Itis impossible for label based access control to handle cases where the names have meaning.  Pathname based access control can restrict names within a directory.  It is possible for pathname based access control to handle cases where the names have meaning.  This sometimes helps. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 23
Current Problem.  To make it possible to restrict pathname changes, I want to calculate the requested file's pathname from the LSM.  Miklos has developed the patch to pass information needed for calculating the requested file's pathname from the LSM. Iwant you to understand the meaning of the patch and send Acked-by: response. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 24
Goal for the future.  I agree that use of pathname based access control alone is not sufficient.  I hope you understand that use of label based access control alone is not sufficient neither.  Thus, I want the LSM coexist pathname based access control which is good at restricting names and label based access control which is good at restricting attributes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 25
2008.07.10 LFJ Symposium BoF What does TOMOYO Linux provide? Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Ability to minimize pathname changes. ...because unexpected pathnames leads to unexpected results.  You can check old/new pathnames together for rename()/link().  You can restrict namespace manipulation such as mount()/umount()/chroot()/pivot_root(). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 27
Ability to minimize accessible pathnames. ...because you want to allow programs to open only essential files.  You can use realpath derived by traversing up to the process's namespace's root directory. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 28
Ability to minimize program's invocation names. ...because multi-call binaries behave differently depending on argv[0].  You can check the combination of realpath and argv[0]. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 29
Ability to validate parameters for program's execution. ...because argv[] and envp[] can lead to unexpected behavior.  You can check argv[] and envp[] passed to execve(). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 30
Ability to insert a setup program before executing the requested program. ...because you want to manipulate parameters and environments.  You can insert a program for validating/modifying argv[]/envp[] and setting up environments (e.g. private namespace), at the price of ability to return to the caller when the requested program could not be executed. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 31
Ability to minimize reachable IP addresses and port numbers. ...because you want to use per-a-program iptables.  You can check peer's IP address and port number of socket operation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 32
Ability to minimize allowed system calls. ...because it is impossible to predict what system calls a program will issue.  You can control system calls which individual program can call.  Though, current granularity is far from sufficient. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 33
Ability to ...  Oops, I have no more time...  See online documentation for other abilities. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 34
Summary  TOMOYO Linux is a tool for reinforcing access control which is supposed to be performed by the userland process.  It performs access control from the perspective of subjects (i.e. processes) rather than the perspective of objects (i.e. files).  Why not do it in the userland?  Access control performed in the userland is easily bypassed by errors and improper configurations (e.g. buffer overflow, statically linked applications, environment variables like LD_PRELOAD). To make access control inevitable, it is essential to do it in the kernel. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 35
Summary  Processes are born to achieve something, and they die after they achieved the purpose.  TOMOYO Linux tracks behavior of each process and restricts requests of each process in accordance with the purpose of each process.  It can permit necessity minimum requests in each context.  TOMOYO Linux is a parameter checking tool like Web Application Firewall which is embedded into the kernel. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 36
Conclusion  Both SELinux and TOMOYO Linux perform policy based access restrictions.  But, what TOMOYO Linux is doing is different from what SELinux is doing.  I believe both restrictions are important.  TOMOYO Linux is ready to coexist with SELinux, SMACK, AppArmor, LIDS etc. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 37

Empfohlen

7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
phanleson
 
PostgreSQL : Introduction
PostgreSQL : IntroductionPostgreSQL : Introduction
PostgreSQL : Introduction
Open Source School
 
Monitoring : The art of knowing when and why things go wrong
Monitoring : The art of knowing when and why things go wrongMonitoring : The art of knowing when and why things go wrong
Monitoring : The art of knowing when and why things go wrong
Open Source School
 
Varnish : Advanced and high-performance HTTP caching
Varnish : Advanced and high-performance HTTP cachingVarnish : Advanced and high-performance HTTP caching
Varnish : Advanced and high-performance HTTP caching
Open Source School
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
guest2821a2
 
How to install Open Atrium over LAMP stack
How to install Open Atrium over LAMP stackHow to install Open Atrium over LAMP stack
How to install Open Atrium over LAMP stack
cercer
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network library
Shuo Chen
 
Thotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail WhaleThotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail Whale
Erin Willingham
 

Empfohlen

7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
phanleson
 
PostgreSQL : Introduction
PostgreSQL : IntroductionPostgreSQL : Introduction
PostgreSQL : Introduction
Open Source School
 
Monitoring : The art of knowing when and why things go wrong
Monitoring : The art of knowing when and why things go wrongMonitoring : The art of knowing when and why things go wrong
Monitoring : The art of knowing when and why things go wrong
Open Source School
 
Varnish : Advanced and high-performance HTTP caching
Varnish : Advanced and high-performance HTTP cachingVarnish : Advanced and high-performance HTTP caching
Varnish : Advanced and high-performance HTTP caching
Open Source School
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
guest2821a2
 
How to install Open Atrium over LAMP stack
How to install Open Atrium over LAMP stackHow to install Open Atrium over LAMP stack
How to install Open Atrium over LAMP stack
cercer
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network library
Shuo Chen
 
Thotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail WhaleThotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail Whale
Erin Willingham
 
LDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementationLDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementation
Open Source School
 
Zurg part 1
Zurg part 1Zurg part 1
Zurg part 1
Shuo Chen
 
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary filesPHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
Attaporn Ninsuwan
 
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
 
[Python] Quick book for dell switch_os10
[Python] Quick book for dell switch_os10[Python] Quick book for dell switch_os10
[Python] Quick book for dell switch_os10
Jo Hoon
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav Bisht
Raghav Bisht
 
Deep inside TOMOYO Linux
Deep inside TOMOYO LinuxDeep inside TOMOYO Linux
Deep inside TOMOYO Linux
Toshiharu Harada, Ph.D
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
Kazuki Omo
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
Mihir Shah
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
kuza55
 
Download It
Download ItDownload It
Download It
webhostingguy
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
Steffen Gebert
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
PROIDEA
 
Scaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesScaleable PHP Applications in Kubernetes
Scaleable PHP Applications in Kubernetes
Robert Lemke
 
Big data interview questions and answers
Big data interview questions and answersBig data interview questions and answers
Big data interview questions and answers
Kalyan Hadoop
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
SecurityTube.Net
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
amiable_indian
 
Top 6 Practices to Harden Docker Images to Enhance Security
Top 6 Practices to Harden Docker Images to Enhance SecurityTop 6 Practices to Harden Docker Images to Enhance Security
Top 6 Practices to Harden Docker Images to Enhance Security
9 series
 
Tails os
Tails osTails os
Tails os
SADEED AMEEN
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
grim_radical
 
Ubuntu getting started
Ubuntu getting startedUbuntu getting started
Ubuntu getting started
Ernesto Celis
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
Ashwin Pawar
 

Weitere ähnliche Inhalte

Was ist angesagt?

Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
 

Was ist angesagt? (6)

LDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementationLDAP : Theory and OpenLDAP implementation
LDAP : Theory and OpenLDAP implementation
 
Zurg part 1
Zurg part 1Zurg part 1
Zurg part 1
 
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary filesPHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
 
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
 
[Python] Quick book for dell switch_os10
[Python] Quick book for dell switch_os10[Python] Quick book for dell switch_os10
[Python] Quick book for dell switch_os10
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav Bisht
 

Ähnlich wie The role of "pathname based access control" in security"

Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
SecurityTube.Net
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
grim_radical
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 

Ähnlich wie The role of "pathname based access control" in security" (20)

Deep inside TOMOYO Linux
Deep inside TOMOYO LinuxDeep inside TOMOYO Linux
Deep inside TOMOYO Linux
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Download It
Download ItDownload It
Download It
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
 
Scaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesScaleable PHP Applications in Kubernetes
Scaleable PHP Applications in Kubernetes
 
Big data interview questions and answers
Big data interview questions and answersBig data interview questions and answers
Big data interview questions and answers
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
 
Top 6 Practices to Harden Docker Images to Enhance Security
Top 6 Practices to Harden Docker Images to Enhance SecurityTop 6 Practices to Harden Docker Images to Enhance Security
Top 6 Practices to Harden Docker Images to Enhance Security
 
Tails os
Tails osTails os
Tails os
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
 
Ubuntu getting started
Ubuntu getting startedUbuntu getting started
Ubuntu getting started
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
 
Enabling interoperable and rights-aware DRM using the Semantic Web
Enabling interoperable and rights-aware DRM using the Semantic WebEnabling interoperable and rights-aware DRM using the Semantic Web
Enabling interoperable and rights-aware DRM using the Semantic Web
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 

Mehr von Toshiharu Harada, Ph.D

僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ
Toshiharu Harada, Ph.D
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
Toshiharu Harada, Ph.D
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
Toshiharu Harada, Ph.D
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Toshiharu Harada, Ph.D
 

Mehr von Toshiharu Harada, Ph.D (20)

20090703 tomoyo thankyou
20090703 tomoyo thankyou20090703 tomoyo thankyou
20090703 tomoyo thankyou
 
Job's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitJob's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation Kit
 
’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says
 
CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御
 
TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介
 
LSM Leaks
LSM LeaksLSM Leaks
LSM Leaks
 
Tomoyo linux introduction
Tomoyo linux introductionTomoyo linux introduction
Tomoyo linux introduction
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
 
振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策
 
僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ
 
Why TOMOYO Linux?
Why TOMOYO Linux?Why TOMOYO Linux?
Why TOMOYO Linux?
 
ComSys2009
ComSys2009ComSys2009
ComSys2009
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
 
プロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムプロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システム
 
TOMOYO Linux
TOMOYO LinuxTOMOYO Linux
TOMOYO Linux
 
使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して
 
TOMOYO Linuxへの道
TOMOYO Linuxへの道TOMOYO Linuxへの道
TOMOYO Linuxへの道
 
Linuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャルLinuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャル
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Kürzlich hochgeladen (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

The role of "pathname based access control" in security"

  • 1. 2008.07.10 LFJ Symposium BoF The role of "pathname based access control" in security. Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
  • 2. Two types of access control  Label (i.e. attribute) based  SELinux  SMACK  Pathname (i.e. name) based  AppArmor  TOMOYO Linux Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 2
  • 3. Pathname based access control depends on the location of a file. What happens if /etc/shadow is linked to /tmp/shadow ?  Pathname based  An attacker can access password information via /tmp/shadow if the access control allows "ln /etc/shadow /tmp/shadow" and "cat /tmp/shadow".  So, we need to restrict pathname changes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 3
  • 4. Pathname based access control depends on the location of a file. What happens if /etc/shadow is linked to /tmp/shadow ?  Label based  An attacker can't access password information via /tmp/shadow even if the access control allows "ln /etc/shadow /tmp/shadow" as long as the access control forbids "cat /etc/shadow" since /tmp/shadow preserves the same attribute with /etc/shadow .  So, we needn't to care about pathname changes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 4
  • 5. Pathname based access control depends on the location of a file. What happens if /etc/ is bind mounted to /tmp/ ?  Pathname based  An attacker can access files under /etc/ via /tmp/ if the access control allows "mount --bind /etc/ /tmp/" and "cat /tmp/*".  So, we need to restrict namespace manipulation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 5
  • 6. Pathname based access control depends on the location of a file. What happens if /etc/ is bind mounted to /tmp/ ?  Label based  An attacker can't access files under /etc/ via /tmp/ even if the access control allows "mount --bind /etc/ /tmp/" as long as the access control forbids to access files under /etc/ since /tmp/ preserves the same attribute with /etc/ .  So, we needn't to care about namespace manipulation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 6
  • 7. That's right. But...  The label based access control is indeed robust against change of pathnames and namespaces.  But that does not mean label based access control can allow changing pathnames and namespaces freely.  It is not appropriate to say "We don't need to care about the location of a file if we use label based access control."  The location of a file has a meaning. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 7
  • 8. What happens if /etc/ is bind mounted to /tmp/ ?  It istrue that the content of /etc/shadow will not be read by "cat /tmp/shadow" if we use label based access control.  But, since /etc/ and /tmp/ have the same attribute, writing to /tmp/ is denied if writing to /etc/ is not permitted.  Unwritable /tmp/ causes trouble with the applications. Can you tolerate it? (I can't.) Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 8
  • 9. What happens if /etc/ is bind mounted to /tmp/ ?  The matter is no longer "whether the content of /etc/shadow can be protected or not", but now "whether the system can work properly or not".  To keep the system workable, you had better not to allow "mount --bind /etc/ /tmp/" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 9
  • 10. What happens if /etc/shadow is linked to /etc/nologin ?  It is true that the content of /etc/shadow will not be read by "cat /etc/nologin" if we use label based access control.  But /etc/nologin has special meaning, it prevents unprivileged users from logging into the system. Can you tolerate it? (I can't.) Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 10
  • 11. What happens if /etc/shadow is linked to /etc/nologin ?  The matter is no longer "whether the content of /etc/shadow can be protected or not", but now "whether the specific pathname is allowed to be created or not".  To keep the system usable, you had better not to allow "ln /etc/shadow /etc/nologin" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 11
  • 12. What happens if /var/www/html/.htpasswd is renamed to /var/www/html/index.html ?  We have to allow Apache to read both files.  Apache will send the content of index.html to clients.  Apache will not send the content of .htpasswd to clients.  Of course, we don't want Apache to leak password information, do we? Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 12
  • 13. What happens if /var/www/html/.htpasswd is renamed to /var/www/html/index.html ?  The matter is no longer "whether these files are accessible or not", but now "how these files are processed".  To keep /var/www/html/.htpasswd secret, you had better not to allow "mv /var/www/html/.htpasswd /var/www/html/index.html" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 13
  • 14. What happens if /usr/sbin/httpd and /usr/sbin/sshd are exchanged?  Label based access control would block execution if /usr/sbin/httpd got the label 'sshd_exec_t' and /usr/sbin/sshd got the label 'httpd_exec_t'.  But,are you happy to have a server which doesn't provide services? (I'm not.)  The matter is no longer "whether these programs can preserve appropriate attributes", but now "whether the system can continue providing services". Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 14
  • 15. What happens if /usr/sbin/httpd and /usr/sbin/sshd are exchanged?  To keep the system providing services, you had better not to allow "mv /usr/sbin/httpd /usr/sbin/httpd.tmp; mv /usr/sbin/sshd /usr/sbin/httpd; mv /usr/sbin/httpd.tmp /usr/sbin/sshd" from the beginning, even if you use label based access control. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 15
  • 16. More and more examples... What happens if /bin/cat and /usr/bin/md5sum are exchanged?  You don't care because both files have the label 'bin_t'?  I do care because shell scripts will stop working properly. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 16
  • 17. More and more examples... What happens if a symbolic link /bin/md5sum to /usr/bin/sha1sum is created?  Applications want to execute md5sum, but they actually execute sha1sum if environment variable PATH is something like PATH=/bin:/usr/bin . Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 17
  • 18. More and more examples... What happens if /etc/shadow is renamed to /etc/my_shadow?  Nobody will be able to login to the system. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 18
  • 19. System's availability depends on the location of a file.  It is the file's *attribute* that decides "whether the file is readable and/or writable and/or executable or not", but it is the file's *name* that decides "how the file's content is processed" and "how the system behaves".  Pathname is the basis of system's availability. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 19
  • 20. Need for protecting pathnames.  To prevent the system from triggering contingency, it is quite natural thing to restrict changing pathnames.  It is an indispensable prerequisite for the system to work properly that necessary files are in place with appropriate names.  Almost all files' pathnames needn't to be changed, and the range of pathname changes is not infinite. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 20
  • 21. Need for protecting pathnames.  It is important to enforce the rule "Deny name changes by default. Allow name changes only by specific names." **AS MUCH AS POSSIBLE**. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 21
  • 22. Need for protecting pathnames. The maximal granularity of restricting name changes.  Label based  Per a directory (when each directory is assigned a different label).  Pathname based  Per a filename (when wild card is not used). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 22
  • 23. Need for protecting pathnames.  Label based access control can't restrict names within a directory.  Itis impossible for label based access control to handle cases where the names have meaning.  Pathname based access control can restrict names within a directory.  It is possible for pathname based access control to handle cases where the names have meaning.  This sometimes helps. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 23
  • 24. Current Problem.  To make it possible to restrict pathname changes, I want to calculate the requested file's pathname from the LSM.  Miklos has developed the patch to pass information needed for calculating the requested file's pathname from the LSM. Iwant you to understand the meaning of the patch and send Acked-by: response. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 24
  • 25. Goal for the future.  I agree that use of pathname based access control alone is not sufficient.  I hope you understand that use of label based access control alone is not sufficient neither.  Thus, I want the LSM coexist pathname based access control which is good at restricting names and label based access control which is good at restricting attributes. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 25
  • 26. 2008.07.10 LFJ Symposium BoF What does TOMOYO Linux provide? Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
  • 27. Ability to minimize pathname changes. ...because unexpected pathnames leads to unexpected results.  You can check old/new pathnames together for rename()/link().  You can restrict namespace manipulation such as mount()/umount()/chroot()/pivot_root(). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 27
  • 28. Ability to minimize accessible pathnames. ...because you want to allow programs to open only essential files.  You can use realpath derived by traversing up to the process's namespace's root directory. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 28
  • 29. Ability to minimize program's invocation names. ...because multi-call binaries behave differently depending on argv[0].  You can check the combination of realpath and argv[0]. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 29
  • 30. Ability to validate parameters for program's execution. ...because argv[] and envp[] can lead to unexpected behavior.  You can check argv[] and envp[] passed to execve(). Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 30
  • 31. Ability to insert a setup program before executing the requested program. ...because you want to manipulate parameters and environments.  You can insert a program for validating/modifying argv[]/envp[] and setting up environments (e.g. private namespace), at the price of ability to return to the caller when the requested program could not be executed. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 31
  • 32. Ability to minimize reachable IP addresses and port numbers. ...because you want to use per-a-program iptables.  You can check peer's IP address and port number of socket operation. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 32
  • 33. Ability to minimize allowed system calls. ...because it is impossible to predict what system calls a program will issue.  You can control system calls which individual program can call.  Though, current granularity is far from sufficient. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 33
  • 34. Ability to ...  Oops, I have no more time...  See online documentation for other abilities. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 34
  • 35. Summary  TOMOYO Linux is a tool for reinforcing access control which is supposed to be performed by the userland process.  It performs access control from the perspective of subjects (i.e. processes) rather than the perspective of objects (i.e. files).  Why not do it in the userland?  Access control performed in the userland is easily bypassed by errors and improper configurations (e.g. buffer overflow, statically linked applications, environment variables like LD_PRELOAD). To make access control inevitable, it is essential to do it in the kernel. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 35
  • 36. Summary  Processes are born to achieve something, and they die after they achieved the purpose.  TOMOYO Linux tracks behavior of each process and restricts requests of each process in accordance with the purpose of each process.  It can permit necessity minimum requests in each context.  TOMOYO Linux is a parameter checking tool like Web Application Firewall which is embedded into the kernel. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 36
  • 37. Conclusion  Both SELinux and TOMOYO Linux perform policy based access restrictions.  But, what TOMOYO Linux is doing is different from what SELinux is doing.  I believe both restrictions are important.  TOMOYO Linux is ready to coexist with SELinux, SMACK, AppArmor, LIDS etc. Copyright(c) 2008 NTT DATA CORPORATION All rights reserved. 37