Linux kernel security enhancements

Linux-kernel security enhancements
Karri Huhtanen <[email protected]>
Why?
● Linux is used more and more in network appliances, routers and other critical systems.
● Critical systems like these often cannot be upgraded and rebooted immediately when a new security hole and its fix are found.
● A plain vanilla Linux kernel and system is very vulnerable compared to specialized router operating systems, because it relies only on the basic Unix kernel security features.
● The plain vanilla Linux kernel has no encryption support for securing communications or data (at least not yet).
● Thus there is a need for a hardened Linux kernel and security enhancements.
How?
● A designed security architecture is needed; just closing security holes is not the solution.
● Buffer overflow and memory protection/restrictions, “sandboxes” for services, processes and users.
● Resource restrictions/limitations within the kernel or outside it (e.g. fork bomb protection, firewall rules that limit the number of open connections etc.).
● Mandatory Access Controls (“Root has too much power”), subject/object model based access control.
● Logging, traceability of actions, integrity checks.
● Hiding existence, i.e. network transparency.
● Communications/data encryption support (e.g. IPSEC stack, filesystem encryption).
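The resource-restriction bullet above (fork bomb protection) can be shown with the per-user process limit that the stock Linux kernel already enforces in fork(), RLIMIT_NPROC. The program below is an added example written for this transcript; it is not code from the presentation or from any of the patches it lists. It assumes Linux with glibc; the limit value of 1, the function names and the attempt count are illustrative choices.

```c
/* Added example: containing a fork bomb with RLIMIT_NPROC, the per-user
 * process limit the Linux kernel checks inside fork(). Assumes Linux/glibc;
 * the limit value and function names are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower the per-user process limit for this process and everything it
 * spawns. Lowering both soft and hard limits needs no privilege, but once
 * the hard limit is lowered an unprivileged process cannot raise it again,
 * which is exactly what makes it useful against a runaway service.
 * Returns 0 on success, -1 (errno set) on failure. */
int restrict_nproc(rlim_t max_procs) {
    struct rlimit rl = { .rlim_cur = max_procs, .rlim_max = max_procs };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Read back the current soft limit so a caller can verify the restriction. */
rlim_t current_nproc_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Try to spawn up to `attempts` children (each exits at once) and count how
 * many fork() calls the kernel refused with EAGAIN. Caveat: processes with
 * CAP_SYS_RESOURCE or CAP_SYS_ADMIN (root, in practice) bypass RLIMIT_NPROC,
 * so for root this returns 0. The limit protects against an unprivileged
 * fork bomb; a compromised root service needs MAC or capability restrictions
 * of the kind the LIDS/grsecurity slides describe. */
int count_refused_forks(int attempts) {
    int refused = 0;
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid < 0) {
            if (errno == EAGAIN) refused++;
            continue;
        }
        if (pid == 0) _exit(0);      /* child: nothing to do, exit */
        waitpid(pid, NULL, 0);       /* parent: reap so the user's count stays accurate */
    }
    return refused;
}

int main(void) {
    if (restrict_nproc(1) != 0) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    printf("RLIMIT_NPROC now %lu\n", (unsigned long)current_nproc_limit());
    int refused = count_refused_forks(5);
    printf("%d of 5 fork() attempts refused (0 means this user bypasses the limit, e.g. root)\n",
           refused);
    return 0;
}
```

Run as an unprivileged user the program reports all five attempts refused, because the user already owns at least one process (this one) and the limit is 1; run as root it reports zero refusals, which is the point of the “Root has too much power” bullet.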
Integrity and Access Control
● NSA Security-Enhanced Linux (www.nsa.gov/selinux/)
  – A result of several NSA security research projects, from design to implementation approach
  – “Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system.” -- NSA SELinux FAQ
  – A starting point and a theoretical model for future kernel development and Linux Security Module work (http://lsm.immunix.org/)
● LIDS (www.lids.org)
  – “Root has too much power.”
  – Access Control List implementation patch for the Linux kernel
  – File/process protection and capabilities control
  – An open source community's equivalent of NSA SELinux?
● grsecurity (www.grsecurity.net)
  – A large collection of security enhancement patches for the Linux kernel
  – Buffer overflow/memory protections, ACLs for files/sockets/consoles/processes/whatever, logging, resource restrictions/limits, network invisibility/OS signature hiding etc.
Communications and Data Encryption
● FreeS/WAN IPSEC stack:
  – WWW site: www.freeswan.org
  – X.509 certificate support: www.strongsec.com/freeswan/
  – The leading free open source Linux IPSEC stack; commercial IPSEC stacks for network appliance developers are available from, for example, SSH Communications, SecGo (F-Secure?)
  – Advantages: free, open source, available for all, (cheap), interoperable
  – Disadvantages: no management software, only 3DES encryption, limited support for hardware encryption and modern IP technologies
● International Crypto API for GNU/Linux:
  – WWW site: sourceforge.net/projects/cryptoapi/
  – Provides kernel modules for creating encrypted loopback devices, to encrypt for example your home partition
  – Based on the international crypto patch for GNU/Linux
  – Advantages: free, open source, available for all, cheap, several encryption algorithms implemented (Blowfish, AES etc.)
  – Disadvantages: documentation; encryption of the whole disk/swap is not possible
About this presentation and report
● This presentation will soon be added in several formats at: iki.fi/khuhtanen/interests/security/
● The report, which presents these security enhancements in detail, will be published on the same web page.
● The report will also most likely contain a report of the practical experiment where some or all of the presented security enhancements are combined in a single kernel. The success or failure of this experiment, as well as the successful/failing combination, is documented in the report.
● Questions? Suggestions of things to note in the report?