Secure Operating Systems Secure Operating Systems Why is security important? Practical applications of secure operating systems in E-business Nigel Edwards Hewlett-Packard Internet Security Solutions Division [email protected] 1 University of Kent July 2001 Secure Operating Systems Web site defacement activity (May 2000 – April 2001) 2 University of Kent July 2001 Secure Operating Systems Summary of Linux security issues 1800 1600 • In June 2000 Linux was run on 30% of active web sites • Source: Netcraft (http://www.netcraft.com/survey/) 1400 • 26.5% of defaced sites ran Linux • Linux was run on 41.8% of non-Microsoft sites • 65.2% of non-Microsoft sites defaced ran Linux • January 2001 saw the first Linux “Worm” – Ramen • Adore and Lion followed • Worms may deface your site and/or do other damage All Platforms 1200 1000 Linux 800 All Platforms Excluding Microsoft 600 400 200 0 Mar-00 Jun-00 Oct-00 Jan-01 So Sowhat whatcan canyou youdo? do? Apr-01 Source: Attrition (http://www.attrition.org/mirror/attrition/os.html) University of Kent July 2001 3 University of Kent July 2001 4 Secure Operating Systems Possible operating system security strategies Secure Operating Systems HP-LX and Virtualvault in context Security/strength of mechanisms • Wait for the latest patch • Will you apply it in time? • No protection against administration errors • Layered security products • Minimal protection against attacks exploiting application bugs • Strengthen the operating system • Protects against administration errors • Protects and detects attacks exploiting application bugs • Enables “safe-sharing” of machines HP Virtualvault TRUSTED SYSTEMS X HPLX LAYERED SYSTEMS HP-UX Bastille C2 HP-UX C2 HP Webenforcer HP-UX, Linux Windows BASE SYSTEMS Ease of use/administration, performance, compatibility 5 University of Kent July 2001 Secure Operating Systems Secure Operating Systems What is HP Virtualvault? • • • • A highly secure web server Six years of installation around the world Based on HP-UX Compartmented Mode Workstation Implements the Bell and La Padula lattice security model 6 University of Kent July 2001 HP Virtualvault installation DMZ LAN Rem ot e s it es In t r a n et p r oxy h os t fir ewa ll NT s er ver + E d ify r ou t er in t er n a l s er ver s In t e rn e t Security Lattice S S L-p r ot ect ed t r a n s a ct ion d a t a ft p s er ver S QL, ot h er clien t / s er ver p r ot ocols Vir t u a lVa u lt DNS s er ver Information In t er n a l u s er s Rem ot e u s er s On t h e b ou n d a r y University of Kent July 2001 7 University of Kent July 2001 8 HP Virtualvault internals Secure Operating Systems Au d it Tr a il SYSTEM_HI Netscape 2 1 SAFE tcp 4 1 Browser sends HTTP 2 Web server invokes TCP connection 3 JVM executes servlets 4 JVM Web Server HTML Pa ges 3 In t er n a l Web S er ver S er vlet s SYSTEM In t er n a l S er ver Administration, Maintenance Tru s t ed Op er a t in g S ys tem In t er n a l Br ows er Servlet processes request, returns to client browser 9 University of Kent July 2001 Review of major HP-LX features Secure Operating Systems What is HP-LX? • A highly secure version of Linux for running applications and services • Service provider focus • Building on the success of HP Virtualvault • Balance ease of use with security • A new security model focused on Internet services and applications • Minimal kernel changes • HP will deliver: • Example services (e.g. Apache) • SDK and (eventually) integration tools INSIDE OUTSIDE In t er n et Clien t Secure Operating Systems 10 University of Kent July 2001 Secure Operating Systems Compartments Secure remote administration HP-LX ready applications Sealed Compartments System configuration lockdown Backend Servers e.g. Tomcat Apache File access control Communication control External network Internal network Compartments Compartments Compartmentsoptionally optionally “sealed” “sealed”and/or and/or“chrooted” “chrooted” Kernel-level auditing University of Kent July 2001 11 University of Kent July 2001 12 Secure Operating Systems Communication access control Secure Operating Systems Example of compartment communication rules Explicit paths in HP-LX HOST:* -> COMPARTMENT:WEB METHOD TCP PORT 80 NETDEV eth0 COMPARTMENT:WEB -> COMPARTMENT:TOMCAT1 METHOD TCP PORT 8007 NETDEV lo COMPARTMENT:WEB -> COMPARTMENT:TOMCAT2 Implicit paths in Conventional T.O.S. METHOD TCP PORT 8008 NETDEV lo COMPARTMENT:TOMCAT1 -> HOST:SERVER1 METHOD TCP PORT 8080 NETDEV eth1 No Notrusted trustedprocesses processesfor forinterintercompartment communications compartment communications 13 University of Kent July 2001 Secure Operating Systems File access control Secure Operating Systems We do: • File Control Table specifies: read, write, append • Mandatory Access Control (MAC) • Prevents web server overwriting the home page • Fine-grain control within a sealed compartment • Coarse grain (MAC) protection also available by using chroot • Integrity protection • Cryptographic hash taken of all immutable files • Tripwire University of Kent July 2001 Labels Labelsare arenot notused used to control access to control accessto to files files => =>No Nochanges changesto to what is what iswritten writtenon on disk disk 15 14 University of Kent July 2001 We don’t: University of Kent July 2001 System configuration lockdown •• Removed Removedfrom fromsensitive sensitiveprograms programsSet-UID Set-UID(and (andSetSetGID) GID) ••at, at,… … •• Enable Enablepassword passwordaging aging •• Secure permissions Secure permissionson onexecutables executables •• Enhance the default system Enhance the default systemlogging logging •• Etc Etcetc…. etc…. •• Remove Remove“unnecessary” “unnecessary”programs programs •• Ease of use (Diagnosis/maintenance) Ease of use (Diagnosis/maintenance) •• Anything AnythingininRed RedHat Hat7.1 7.1can canbe beinstalled installed •• Rely Relyon oncontainment containmentpreventing preventingabuse abuse •• Use “special” administration compartment Use “special” administration compartment 16 Audit Secure Operating Systems Possible Machine boundary Audit Reporting Program Translation API Audit Format Template Secure Operating Systems Audit configuration Audit collection daemon Trusted Application Audit API Audit API Why Why is is kernel-level kernel-level Auditing Auditing important? important? Audit API Raw audit data Application Space /dev/auditr Kernel Space /dev/auditw Answer: Answer: itit is is very very hard to by-pass hard to by-pass Syscall hooks Audit device driver Network hooks Other hooks… 17 University of Kent July 2001 Secure Operating Systems A secure administration model (1/2) other utilities & applications A secure administration model 2/2 Secure Operating Systems HP-LX administration utilities PAM SSH login System calls Authorized administrator Kernel + DLKMs tlx_admin set • HP-LX management utilities • Create, destroy, start, stop compartments • Configure communication rules for compartments • Manage audit system init SSH login SSHD tlx_admin set Shell Shell Authorized user, not authorized administrator tlx_admin cleared •• Each Eachprocess processhas hasan anadditional additionalattribute attribute •• The tlx_admin bit The tlx_admin bit •• Code Codeinside insidekernel kernelchecks checksfor forthis thisbit bitbefore beforeexecuting executing administration functions administration functions •• Works Worksininparallel parallelto toLinux Linuxcapability capabilitymechanism mechanism(which (whichwe wealso alsouse) use) •• AAmore restricted management model than capabilities more restricted management model than capabilities How do we stop the abuse of the system calls used for this? University of Kent July 2001 18 University of Kent July 2001 19 University of Kent July 2001 20 Typical HP-LX compartment configuration Secure Operating Systems Secure Operating Systems • Which Linux Distributions? • Redhat 7.1 • Will follow up with others including Debian • Platform • Dual processor 700Mhz Pentium III, 2x20GB Disk, 1GB RAM, rack mounted PC (Netserver) • Single processor 500 MHZ Pentium III, 10 GB Disk, 500MB Ram • Performance • Currently Apache on HP-LX with auditing-off is within 2% of Apache on Redhat 7.1 Administration compartment External Network Web (apache) Audit (auditd) Syslog (syslogd, klogd) Backup (Amandad) Xinetd (xinetd) Mail transport agent (sendmail) System (cron, getty, crond) Secure Operating Systems Internal Network Tomcat (tomcat) SSHD (sshd) 21 University of Kent July 2001 Summary • A new model for trusted operating systems • Using our experience of commercial MLS operation • Balance ease of use, portability and security • Configure communication patterns explicitly • Minimal kernel changes • Main features • Compartments provide containment – File and communication access control • System configuration lockdown • Audit • Secure administration model Protects you and your users from many of the most common attacks seen today University of Kent July 2001 23 Target platforms and performance University of Kent July 2001 22
© Copyright 2024