IBM Power Systems und Systems Management Symposium, 30.05.-01.06.2011

Rapid AIX Security Hardening with Trusted Execution (TE)
(German subtitle: "AIX schnell absichern mit Trusted Execution", i.e. securing AIX quickly with Trusted Execution)

Andreas Leibl, RSTC Ltd

RSTC Ltd
* based in Bristol, UK and Ulm, Germany
* http://www.rstc-ltd.co.uk/
* Email: andreas.leibl@rstc-ltd.co.uk

If you have any questions about the talk please send me an email or contact me on
* LinkedIn: http://www.linkedin.com/in/aleibl
* Xing: https://www.xing.com/profile/Andreas_Leibl

Agenda
* AIX Security
* Trusted Execution (TE) & Trusted Computing Base (TCB)
* System Integrity Check
* Runtime Integrity Check
* Trusted Path
* Adding your own files

AIX & Security
* UNIX-type security (accounts & permissions)
* Role Based Access Control (enhanced RBAC)
* enhanced in AIX 7.1 with Domain RBAC
* Trusted Execution (TE)

RBAC
* Role Based Access Control
* Fine-granular control
* Kernel level: applications need not be modified
* No privilege escalation through faulty programs or shell escapes
* Users gain privileges through roles, which allow them to execute certain operations
* Superior to sudo

Domain RBAC
* RBAC enhancement in AIX 7.1
* Allows restricting privileges to certain objects
* Example: the right to resize filesystems can be limited to certain filesystems

Trusted Execution
* Replaces the Trusted Computing Base (TCB)
* Superior capabilities
* TCB is still available

Trusted Computing Base (TCB)
* Needs to be enabled at install time
* Limited to static (offline) checks (security sweeps)
* Default database quite limited (heavy use of the VOLATILE keyword, which effectively disables TCB checks for the specified files)
* Weak checksums: low security

TE vs. TCB
* TE can be enabled at any time
* Uses cryptographically strong hashes
* Hashes can be cryptographically signed
* Runtime (online) checks in addition to static (offline) checks

TE Protection
* Trojan horses
* Rootkits
* Any tampering with critical files
* Can easily be extended to include your own files

Trusted Execution Requirements
* AIX 6.1 or 7.1
* CryptoLite for C library (clic.rte.*) from the expansion pack

    # lslpp -l 'clic.*'
      Fileset                      Level  State      Description
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
      clic.rte.lib               4.7.0.0  COMMITTED  CryptoLite for C Library

    Path: /etc/objrepos
      clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel

TE: Strong Hashes
* One-way hash functions generate a secure fingerprint of a file
* Default hash algorithm: SHA256
* Also available: SHA1 (160 bits), SHA512
* The hashes in the TE database can be signed for added security
* AIX files come with signed hashes from IBM

Trusted Signature Database
Use grep -p or the proper command (trustchk -q) to see stanzas in the TE database:

    # trustchk -q /usr/bin/ls
    /usr/bin/ls:
            owner = bin
            group = bin
            mode = 555
            type = FILE
            hardlinks =
            symlinks =
            size = 26732
            cert_tag = 00d3cbd2922627b209
            signature = 964b£2d53b4e0bGe3be62e2569ab9dal92634a69d5£2d1586109Geb7475093£0445490571dab27eaded7b528864alc82e25cb#585733dede88dc649b5306d£b7427b32C29ac37#259ed5£6598C415£682abda422e0309497937£9£1£7191b32ebed467ad3ca30242505607059fFadifeds930611674905c2F0c1dée143b1752d
            hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
            minslabel =
            maxslabel =
            intlabel =
            accessauths = aix.fs.object.list
            innateprivs = PV_DAC_R,PV_DAC_X
            inheritprivs =
            authprivs =
            secflags = FSF_EPS
            t_innateprivs = PV_MAC_R,PV_MIC

(The signature value is as extracted from the slide; the long hex string was garbled in extraction.)

System Integrity Check
* TE checks all files listed in the database
* Changed permissions are corrected
* Changed files are disabled (read, write and execute permissions revoked)
* Run manually or by cron

Planting a Trojan Horse
Let's do something nasty: replace the ls command with a malicious version that installs a backdoor and then emulates ls behaviour.

    # mv /usr/bin/ls /usr/bin/.ls
    # vi /usr/bin/ls
    # cat /usr/bin/ls
    #!/usr/bin/sh
    echo "Doing something dirty here (which you can't see)..."
    /usr/bin/.ls "$@"
    # chmod 555 /usr/bin/ls
    # ls /home
    Doing something dirty here (which you can't see)...
    guest       lost+found  root
    #

System Integrity Check in Action (check only)

    # trustchk -n ALL
    trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get : mode
    trustchk: Verification of attributes failed: /usr/sbin/sshd : size
    trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib : group
    trustchk: Verification of attributes failed: /usr/bin/ls : owner group size hashvalue signature
    #

System Integrity Check
* Sometimes produces false alerts. This means:
  * the TSD wasn't updated correctly (this includes permissions and SUID bits),
  * or files were removed,
  * or a property is not specified in the stanza (like size in the case of sshd).
* The -n flag means trustchk only reports problems: no corrective action is taken.

Checking the Hash
Want to check the hash value yourself? Compare the modified ls, the original ls and the TSD entry:

    # openssl dgst -sha256 /usr/bin/ls
    SHA256(/usr/bin/ls)= 4e6da7a726bb27428f2e8321a2aea231f587e88aacc03ac766c0cf1a02530378
    (modified ls)

    # openssl dgst -sha256 /usr/bin/.ls
    SHA256(/usr/bin/.ls)= 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
    (original ls)

    # trustchk -q /usr/bin/ls | grep hash
            hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
    (original TSD entry)

System Integrity Check - Interactive
Use trustchk -t to correct problems interactively:

    # trustchk -t /usr/bin/ls
    trustchk: Verification of attributes failed: owner
    Change the file owner for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
    trustchk: Verification of attributes failed: group
    Change the file group for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
    trustchk: Verification of attributes failed: size
    Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
    trustchk: Verification of attributes failed: hash
    Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
    trustchk: Verification of attributes failed: signature
    Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
    trustchk: Verification of stanza failed:
    #

System Integrity Check - Autocorrection
trustchk -y = automatic correction (think fsck -y):

    # trustchk -y /usr/bin/ls
    trustchk: Verification of attributes failed: owner
    trustchk: Verification of attributes failed: group
    trustchk: Verification of attributes failed: mode
    trustchk: Verification of attributes failed: size
    trustchk: Verification of attributes failed: hash
    trustchk: Verification of attributes failed: signature
    trustchk: Verification of stanza failed:
    #
    # /usr/bin/.ls -l /usr/bin/ls
    -T         1 bin      bin           93 May 28 16:07 /usr/bin/ls
    (file disabled)

* Wrong permissions get reset
* Wrong owner and group get reset
* Files that changed size or hash value are disabled

Runtime Integrity Check
* Binaries, shared libraries, kernel extensions and shell scripts are checked before execution
* The kernel refuses to load/execute them if verification fails
* The check is repeated every time: no window of opportunity for attackers

Runtime Integrity Check Policies
* trustchk -p name=value sets policies
* TE=[ON|OFF]: turns runtime checks on/off
* CHKEXEC=[ON|OFF]: executable checking
* STOP_ON_CHKFAIL=[ON|OFF]: stop executables failing the check
* STOP_UNTRUSTD=[ON|OFF]: stop executables not listed in /etc/security/tsd/tsd.dat
* And more...

Runtime Integrity Check - Modified File

    # trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON
    # ls
    ksh: ls: 0403-006 Execute permission denied.
    (the changed command does not execute)
    # cp /usr/bin/ls /usr/bin/.badls
    # cp /usr/bin/.ls /usr/bin/ls
    # chown bin:bin /usr/bin/ls
    # ls
    .Xauthority
    (the check is re-run every time the command is executed)

Runtime Integrity Check - Unlisted File
STOP_UNTRUSTD prevents execution of commands not listed in the TSD:

    # trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON
    # /usr/bin/.ls
    ksh: /usr/bin/.ls: 0403-006 Execute permission denied.
    # ls -l /usr/bin/.ls
    -r-xr-xr-x    1 bin      bin        26732 May 28 17:39 /usr/bin/.ls
    #

The command .ls (the original ls) is not executed although there is no check failure and the file permissions are fine: it simply is not in the TSD.

Path Protection
* Trusted path
* Limits where programs/scripts can be started from
* Much more effective than a restricted shell and a fixed $PATH variable

Trusted Path in Action

    # cp /usr/bin/ls /usr/local/bin/ls
    # /usr/local/bin/ls
    .Xauthority
    (/usr/local/bin/ is not in the trusted path)
    # trustchk -p TEP=ON
    # /usr/local/bin/ls
    ksh: /usr/local/bin/ls: 0403-006 Execute permission denied.
    #
    # trustchk -p tep
    TEP=ON
    TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security

Adding Your Own Files
* TE protection for your own files: easy!
* Step 1: Create certificate and key with openssl (only once)
* Step 2: Add the file to the TE database
* That's it. TE takes care of the rest.

Creating Certificates

    # cd /te
    # openssl genrsa -out mycorpprivkey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ...
    e is 65537 (0x10001)
    #
    # openssl req -new -x509 -key mycorpprivkey.pem -outform DER -out mycorpcert.der -days 3650
    You are about to be asked to enter information that will be incorporated
    (some questions asked here)
    #
    # openssl pkcs8 -inform PEM -in mycorpprivkey.pem -topk8 -nocrypt -outform DER -out mycorpprivkey.der
    # ls
    mycorpcert.der      mycorpprivkey.der   mycorpprivkey.pem
    #

Add to TE Database

    # trustchk -s /te/mycorpprivkey.der -v mycorpcert.der -a /usr/local/bin/mycmd
    # trustchk -q /usr/local/bin/mycmd
    /usr/local/bin/mycmd:
            type = FILE
            owner = root
            group = system
            mode = 755
            size = 47
            hash_value = 48d45e86a5a8ii4c6a94dfe37236771000 1a6c0967106233eaa84ti232foceb2
            cert_tag = 008b2dd04da79dc0b5
            signature = a8ecc6b2007260417a0be162

(The hash and signature values are as extracted from the slide; both were garbled or cut off in extraction.)

Test: Finding Illegal Modifications

    # trustchk -n /usr/local/bin/mycmd
    # echo $?
    0
    # echo "CHANGED" >> /usr/local/bin/mycmd
    # trustchk -n /usr/local/bin/mycmd
    trustchk: Verification of attributes failed: /usr/local/bin/mycmd : size hashvalue signature
    # echo $?
    114
    #

Maintenance
* Installing updates naturally changes the files
* The hashes in the TE database need updating
* AIX updates come with new signatures
* You need to update the hashes for your own files (trustchk -a again, as above)

Want to give it a go?
* IBM business partners can get AIX test systems for free from the Virtual Loaner Program
* http://www.ibm.com/systems/vlp
* Not a business partner? Sign up at www.ibm.com/partnerworld (all you need is a VAT ID)

Questions?

Thank you! If you think of a question later, feel free to send me an email.
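Added example for the "System Integrity Check" and "Test: Finding Illegal Modifications" slides above. This is not AIX trustchk and not code from the talk: it is a small POSIX shell stand-in that keeps owner, group, mode, size and SHA-256 of files in a stanza-style database (the shape of the trustchk -q output) and reports which attributes changed, with a trustchk-like message and a non-zero exit status. It assumes a GNU userland (stat -c) and an openssl binary; the function and file names (tsd_add, tsd_attr, tsd_check, a tsd.dat in a temporary directory) are this example's own.

```shell
#!/bin/sh
# Added example, not AIX trustchk: a minimal stand-in for "trustchk -a" and
# "trustchk -n" that records owner/group/mode/size/SHA-256 in a stanza-style
# database and reports which attributes no longer match.
# Assumptions: Linux/GNU stat (-c) and openssl; names are this example's own.

# SHA-256 of a file as a bare hex string (the page's "hash_value").
file_hash() {
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
}

# Append a stanza for file $2 to database $1 (the role of "trustchk -a").
tsd_add() {
    db=$1; f=$2
    printf '%s:\n\towner = %s\n\tgroup = %s\n\tmode = %s\n\tsize = %s\n\thash_value = %s\n\n' \
        "$f" "$(stat -c %U "$f")" "$(stat -c %G "$f")" \
        "$(stat -c %a "$f")" "$(stat -c %s "$f")" "$(file_hash "$f")" >> "$db"
}

# Print attribute $3 of the stanza for file $2 in database $1; empty if absent.
tsd_attr() {
    awk -v stanza="$2:" -v attr="$3" '
        $0 == stanza                      { inside = 1; next }
        inside && /^[^ \t]/               { exit }          # next stanza begins
        inside && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# Verify file $2 against database $1 (the role of "trustchk -n"):
#   0  all recorded attributes match
#   1  at least one attribute differs (message lists which, trustchk style)
#   2  no stanza for the file at all (the case STOP_UNTRUSTD refuses to run)
tsd_check() {
    db=$1; f=$2; failed=""
    [ -n "$(tsd_attr "$db" "$f" hash_value)" ] || {
        echo "tsdcheck: $f: not in database" >&2; return 2; }
    [ "$(stat -c %U "$f")" = "$(tsd_attr "$db" "$f" owner)" ] || failed="$failed owner"
    [ "$(stat -c %G "$f")" = "$(tsd_attr "$db" "$f" group)" ] || failed="$failed group"
    [ "$(stat -c %a "$f")" = "$(tsd_attr "$db" "$f" mode)" ]  || failed="$failed mode"
    [ "$(stat -c %s "$f")" = "$(tsd_attr "$db" "$f" size)" ]  || failed="$failed size"
    [ "$(file_hash "$f")"  = "$(tsd_attr "$db" "$f" hash_value)" ] || failed="$failed hashvalue"
    [ -z "$failed" ] && return 0
    echo "tsdcheck: Verification of attributes failed: $f :$failed" >&2
    return 1
}

# Demo mirroring the "Test: Finding Illegal Modifications" slide, in a temp dir.
demo() {
    d=$(mktemp -d); db="$d/tsd.dat"
    printf '#!/bin/sh\necho hello\n' > "$d/mycmd"; chmod 755 "$d/mycmd"   # sample file
    tsd_add "$db" "$d/mycmd"
    tsd_check "$db" "$d/mycmd"; echo "unmodified: exit $?"
    echo "CHANGED" >> "$d/mycmd"                                           # the tampering
    tsd_check "$db" "$d/mycmd"; echo "modified: exit $?"
    rm -rf "$d"
}
demo
```

Run as is, it prints the check result before and after appending CHANGED to the sample file; the second run reports "size hashvalue", exactly the attributes the slide's trustchk -n run flags (minus the signature, which this stand-in does not keep). The separate exit code 2 for a file with no stanza is the distinction STOP_UNTRUSTD draws at runtime: a file that is intact but unknown to the TSD is still refused.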
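Added example for the "Creating Certificates" and "Add to TE Database" slides. It is not trustchk -a and not the speaker's code; it shows with plain openssl what signing the hash (the cert_tag/signature fields) adds over merely storing it: a detached SHA-256 signature made with the private key, verified with the public key taken from the self-signed certificate, and rejected both after the file is modified and when a different key is used. Assumptions: an openssl build with RSA support, the slide's key and certificate names kept in PEM (the DER/pkcs8 conversion TE wants is left out), and the function names te_keygen, te_sign and te_verify, which are this example's own.

```shell
#!/bin/sh
# Added example, not trustchk: the "signed hashes" idea done with plain openssl.
# Assumptions: openssl with RSA; PEM files named after the slide; function
# names are this example's own.

# Create a 2048-bit RSA key, a self-signed certificate and the public key
# extracted from it, in directory $1 (the slide's "only once" step, done
# non-interactively with -subj instead of answering the prompts).
te_keygen() {
    dir=$1
    openssl genrsa -out "$dir/mycorpprivkey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$dir/mycorpprivkey.pem" -out "$dir/mycorpcert.pem" \
        -days 3650 -subj "/CN=mycorp TE signing" 2>/dev/null &&
    openssl x509 -in "$dir/mycorpcert.pem" -pubkey -noout > "$dir/mycorppub.pem"
}

# Sign the SHA-256 of file $2 with private key $1; detached signature in $2.sig.
# This is the step trustchk -s <key> -v <cert> -a <file> performs for the TSD.
te_sign() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Verify file $2 against $2.sig with public key $1: exit 0 only if the file
# still hashes to what the key holder signed. A stored-but-unsigned hash could
# be rewritten by whoever rewrote the file; the signature cannot.
te_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    te_keygen "$d"
    printf '#!/bin/sh\necho hello\n' > "$d/mycmd"                 # sample file
    te_sign "$d/mycorpprivkey.pem" "$d/mycmd"
    te_verify "$d/mycorppub.pem" "$d/mycmd" && echo "mycmd: signature OK"
    echo "CHANGED" >> "$d/mycmd"                                   # the tampering
    te_verify "$d/mycorppub.pem" "$d/mycmd" || echo "mycmd: verification failure after change"
    rm -rf "$d"
}
demo
```

On AIX the private key never needs to stay on the machine: once the stanzas are signed, only the certificate (trustchk -v) is required to verify them, which is why the slide's DER key can be generated and kept on a separate signing host.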