
Securing the Daemons

Advanced Security Features of FreeBSD

George Neville-Neil
gnn@freebsd.org
gnn@msbit.com
What is FreeBSD?

• Complete Operating System
• Tools and source code
• More than 24,000 3rd party open source software packages
• Complete documentation
• An open source community
Who uses FreeBSD?
• NetApp
• Dell/EMC/Isilon
• Dell/KACE
• Perseus Telecom
• Panasas
• Sony
• Apple
• Limelight Networks
• Swisscom
• Sentex
• Microsoft
• WhatsApp
• Juniper Networks
• Verisign
• XipLink
• McAfee
• NYI
• Yahoo
Why use FreeBSD?

• Innovation
• Great tools
• Mature release model
• Excellent documentation in many languages
• Business friendly license
• Open community
Produce a whole system

• Operating system
• Device drivers
• Compilers and associated tools
• Debugging tools
• Editors
• Packaging system
• Ready for coding when install is done
Securing an Operating System
• Against whom?
• How?
  • Restraint
    • Preventing actors from doing bad things
  • Recording
    • Tracking down what a bad actor has done
Security Features and FreeBSD
• Jails (2000)
• Mandatory Access Control (2003)
• Audit (2006)
• Capabilities (2010)
Securing the Daemons
Containing Applications with Jails
Jails
• Lightweight Virtualization
• Can scale to 1000s of instances on a single server
• Easy to manage
• Often used by ISPs
  • An apache or nginx jail
  • Mail servers
Motivation
• A better chroot()
  • Initially focused on the filesystem
• Each jail has a private namespace
• Group and isolate a set of processes
  • For example:
    • nginx and mysql
    • Mail server hosting
Implementation
• New system calls
  • jail(2) and jail_attach(2)
• A sprinkling of access checks throughout the kernel
  • prison_check*() routines
Centralized Prison Structure
• One struct to rule them all
• Kernel maintains a list of prisons
• The pr_allow field is a white list
Fine Grained Privileges
• Privileges granted by a single kernel call
  • prison_priv_check()
• Currently 681 named privileges
• Broken down into various sections
  • VFS
  • Network
  • Scheduler
  • etc.
Jail Security Properties
• Isolates processes in the filesystem
  • Each Jail operates below its own root (/)
• Isolates processes from each other
  • Processes in a jail cannot manipulate other jails
  • Processes in a jail cannot manipulate the base OS
• Allows cooperation
  • Processes in a jail can talk to other processes in the same jail
Jails and the Network
• Jails have independent IPs
• Requires Kernel Virtual Networking (VNET)
Securing the Daemons
Controlling Access to Data with Mandatory Access Control
Mandatory Access Control
• Kernel Framework for Security Policies
• Each Policy is a Kernel Module
• Focuses on Who can do What to Whom
• Manages subjects and objects using labels
Example Policies
• Port ACL
  • Limits user processes binding to network ports (TCP or UDP)
• BSD Extended
  • Filesystem Firewall
• Multi-Level Security confidentiality policy (MLS)
  • Information flow based on Bell & LaPadula 1973
• Biba data integrity policy (based on Biba 1977)
  • Strict ordering of which subjects can read or write which objects
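The "strict ordering" of the MLS and Biba policies is easiest to see as a lattice of labels and two mirror-image read/write rules. The following is an added example, written for this page and not code from FreeBSD or from the talk: it models the two policies' decision rules in Python, using the label syntax of the FreeBSD mac_mls(4) and mac_biba(4) modules (a policy prefix, then low/high/equal or a level with "+"-separated compartments, e.g. "mls/10:2+3"). The treatment of the equal label as a wildcard follows those manual pages; everything else (the Label class, parse_label, allowed, check) is this example's own naming.

```python
"""Label dominance and read/write rules for the MLS and Biba MAC policies (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Label:
    # kind is "low", "high", "equal" or "explicit" (a level plus a compartment set)
    kind: str
    level: int = 0
    compartments: FrozenSet[int] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self sits at or above other in the label lattice."""
        if "equal" in (self.kind, other.kind):   # "equal" is the wildcard label
            return True
        if self.kind == "high" or other.kind == "low":
            return True
        if self.kind == "low" or other.kind == "high":
            return False
        return self.level >= other.level and self.compartments >= other.compartments


def parse_label(text: str) -> Tuple[str, Label]:
    """Parse 'mls/10:2+3', 'biba/high' etc. into (policy, Label)."""
    policy, _, body = text.partition("/")
    if policy not in ("mls", "biba") or not body:
        raise ValueError(f"unsupported label: {text!r}")
    if body in ("low", "high", "equal"):
        return policy, Label(kind=body)
    level_str, _, comps = body.partition(":")
    compartments = frozenset(int(c) for c in comps.split("+") if c)
    return policy, Label("explicit", int(level_str), compartments)


def allowed(policy: str, subject: Label, obj: Label, op: str) -> bool:
    """Apply the policy's read/write rule to one subject/object pair."""
    if op not in ("read", "write"):
        raise ValueError(op)
    if policy == "mls":
        # Confidentiality (Bell-LaPadula): no read up, no write down.
        return subject.dominates(obj) if op == "read" else obj.dominates(subject)
    # Integrity (Biba): no read down, no write up; the mirror image of MLS.
    return obj.dominates(subject) if op == "read" else subject.dominates(obj)


def check(subject_label: str, object_label: str, op: str) -> bool:
    """May a subject carrying subject_label perform op on an object carrying object_label?"""
    pol_s, subject = parse_label(subject_label)
    pol_o, obj = parse_label(object_label)
    if pol_s != pol_o:
        raise ValueError("labels belong to different policies")
    return allowed(pol_s, subject, obj, op)


if __name__ == "__main__":
    cases = [("mls/10:2+3", "mls/5:2", "read"), ("mls/10:2+3", "mls/5:2", "write"),
             ("biba/10", "biba/5", "read"), ("biba/10", "biba/5", "write")]
    for s, o, op in cases:
        print(f"{s:>12} {op:5} {o:<10} -> {'allow' if check(s, o, op) else 'deny'}")
```

Running the block prints the four decisions that summarise both policies: an MLS subject at level 10 may read a level-5 object but not write to it, while a Biba subject at level 10 may write to a level-5 object but not read from it. Compartments matter as well as levels: a subject at "mls/10:2" cannot read "mls/5:3" because it lacks compartment 3.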
Overall Architecture
MAC Policy Structure
MAC Policy Lifecycle
Securing the Daemons
Auditing Active Systems
Security Event Auditing
• Who did what to whom and when?
• The audit system
  • Captures events from system calls
  • Produces a stream of audit records
    • Text or XML
• Can now be accessed via DTrace
  • audit provider
  • Which has some interesting properties...
Audit Framework
An Audit Record (see audit_log(5) for token definitions):

```text
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
```
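To turn a record like the one above back into the "who did what to whom and when" answer the audit system exists to give, a consumer has to split it into its tokens and read the subject token's fields in order. The following is an added example, not code from the talk or from FreeBSD: a small Python parser for the text form of an audit record, with the slide's execve(2) record embedded as constructed sample input, plus two defender-side checks. The field names used for the subject token (audit uid, effective uid/gid, real uid/gid, pid, session id, terminal port and address) follow the order in which the text form prints them; the function names parse_record, describe and findings are this example's own.

```python
"""Parse a text-form audit record and run two defender-side checks on it (added example)."""
from typing import Dict, List

# Constructed sample input: the execve(2) record shown on the slide, one token per line.
SAMPLE_RECORD = """\
header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
return,success,0
trailer,133
"""

# Fields of the subject token, in the order the text form prints them.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")


def parse_record(text: str) -> Dict:
    """Split one text record into a dict keyed by token type.

    Tokens are comma-separated, so an exec argument containing a comma would confuse
    this splitter; for production tooling prefer the XML form the audit tools can emit.
    """
    rec: Dict = {"exec_args": [], "paths": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            rec["length"] = int(fields[1])       # record byte count, repeated in the trailer
            rec["version"] = int(fields[2])
            rec["event"] = fields[3]
            rec["modifier"] = int(fields[4])
            rec["time"] = fields[5].strip()
        elif token == "exec arg":
            rec["exec_args"] = fields[1:]        # argv of the program being executed
        elif token == "path":
            rec["paths"].append(fields[1])
        elif token == "attribute":
            rec["attribute"] = {"mode": fields[1], "owner": fields[2], "group": fields[3]}
        elif token == "subject":
            rec["subject"] = dict(zip(SUBJECT_FIELDS, fields[1:]))
        elif token == "return":
            rec["return"] = {"error": fields[1], "value": int(fields[2])}
        elif token == "trailer":
            rec["trailer_length"] = int(fields[1])
    return rec


def describe(rec: Dict) -> str:
    """One-line 'who did what' summary of an exec record."""
    s = rec["subject"]
    path = rec["paths"][0] if rec["paths"] else "?"
    cmd = " ".join([path] + rec["exec_args"][1:])
    return f"{s['auid']} (as {s['euid']}) ran {cmd}: {rec['return']['error']}"


def findings(rec: Dict) -> List[str]:
    """Things worth a second look: a damaged record, or a login user acting as someone else."""
    out: List[str] = []
    if rec.get("length") != rec.get("trailer_length"):
        out.append("header/trailer length mismatch (truncated or corrupted record)")
    s = rec.get("subject")
    # The audit uid is fixed at login and survives su(1) and set-user-ID execs, so a
    # difference from the effective uid tells you who is really behind a privileged action.
    if s and s["auid"] != s["euid"]:
        out.append(f"audit user {s['auid']} running as {s['euid']}")
    return out


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    print(describe(record))
    for f in findings(record):
        print("  !", f)
```

For the slide's record the summary reads "robert (as root) ran /usr/bin/finger doug: success", and the identity check fires because the audit uid (robert) differs from the effective uid (root): exactly the "who did what" detail that a plain process listing would have lost.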
Securing the Daemons
Sandboxing Applications
Capsicum
• Capabilities for Unix
• Intra Process Sandboxing
• Rights attached to file descriptors
• Ambient authority is limited
  • Rights must be added or delegated
Some Sandboxed Programs
• auditdistd
• chromium
• dhclient
• kdump
• pkg
• sshd
• tcpdump
The Sandboxing Process (tcpdump)

```c
#ifdef HAVE_CAPSICUM
	cap_rights_t rights;

	/* The pcap descriptor only ever needs to be read from. */
	cap_rights_init(&rights, CAP_READ);
	/* ENOSYS means this kernel has no Capsicum; any other failure is fatal. */
	if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 &&
	    errno != ENOSYS) {
		error("unable to limit pcap descriptor");
	}
#endif
```
Limiting Rights
• A new file descriptor has all rights
• Once limited cannot go back
• Rights are controlled by the kernel
Securing the Daemons
Wrap-up
Learn more about FreeBSD

• Website: www.freebsd.org
• FreeBSD Foundation: www.freebsdfoundation.org
• GitHub: github.com/freebsd
• Mailing Lists/Forums
• FreeBSD Handbook
References
• Jails
  • P. Kamp & R. Watson, “Jails: Confining the Omnipotent Root,” Proceedings of the Second International System Administration and Networking Conference (SANE), May 2000. Available from http://docs.freebsd.org/44doc/papers/jail/
• MAC
  • R. N. M. Watson, B. Feldman, A. Migus, & C. Vance, “Design and Implementation of the TrustedBSD MAC Framework,” Proceedings of the Third DARPA Information Survivability Conference and Exhibition (DISCEX), IEEE, April 2003. Available from https://pdfs.semanticscholar.org/37da/67b82aec5533283b0800b3ff9f06339b050d.pdf
• Audit
  • R. N. M. Watson & W. Salamon, “The FreeBSD Audit System,” Proceedings of UKUUG LISA 2006, March 2006.
• Capabilities
  • R. N. M. Watson, B. Laurie, J. Anderson, & K. Kennaway, “Capsicum: Practical Capabilities for UNIX,” Proceedings of the 19th USENIX Security Symposium, August 2010. Available at https://www.usenix.org/legacy/event/sec10/tech/full_papers/Watson.pdf
