Why is security important? Practical applications of secure operating systems in E-business

Secure Operating Systems

Why is security important?
Practical applications of secure operating systems in E-business

Nigel Edwards
Hewlett-Packard Internet Security Solutions Division
nigel_edwards@hp.com

University of Kent, July 2001
Web site defacement activity (May 2000 – April 2001)
[Chart: web site defacements per month from Mar-00 to Apr-01 (vertical axis 0 to 1800), with series for All Platforms, Linux, and All Platforms Excluding Microsoft. Source: Attrition (http://www.attrition.org/mirror/attrition/os.html)]

Summary of Linux security issues
• In June 2000 Linux was run on 30% of active web sites
  • Source: Netcraft (http://www.netcraft.com/survey/)
• 26.5% of defaced sites ran Linux
• Linux was run on 41.8% of non-Microsoft sites
• 65.2% of non-Microsoft sites defaced ran Linux
• January 2001 saw the first Linux “Worm” – Ramen
  • Adore and Lion followed
• Worms may deface your site and/or do other damage

So what can you do?
Possible operating system security strategies
• Wait for the latest patch
  • Will you apply it in time?
  • No protection against administration errors
• Layered security products
  • Minimal protection against attacks exploiting application bugs
• Strengthen the operating system
  • Protects against administration errors
  • Protects and detects attacks exploiting application bugs
  • Enables “safe-sharing” of machines

HP-LX and Virtualvault in context
[Diagram: products plotted by security/strength of mechanisms (vertical axis) against ease of use/administration, performance and compatibility (horizontal axis)]
• Trusted systems: HP Virtualvault, HP-LX
• Layered systems: HP-UX Bastille C2, HP-UX C2, HP Webenforcer
• Base systems: HP-UX, Linux, Windows
What is HP Virtualvault?
• A highly secure web server
• Six years of installation around the world
• Based on HP-UX Compartmented Mode Workstation
• Implements the Bell and La Padula lattice security model
HP Virtualvault installation
[Diagram: Virtualvault sits “on the boundary” between the Internet and the intranet. Labels: DMZ LAN, firewall, router, proxy host, DNS server, ftp server, NT server + Edify, internal servers, internal users, remote users, remote sites; SSL-protected transaction data arrives from the Internet side; SQL and other client/server protocols run on the intranet side; a security lattice governs the information flow across the boundary.]
HP Virtualvault internals
[Diagram: the trusted operating system separates the SYSTEM_HI side (Netscape web server, HTML pages, audit trail) from the SYSTEM side (JVM running servlets, internal web server, internal server, internal browser, administration and maintenance); a SAFE tcp connection links the two.]
1. Browser sends HTTP
2. Web server invokes TCP connection
3. JVM executes servlets
4. Servlet processes request, returns to client browser
Review of major HP-LX features

What is HP-LX?
• A highly secure version of Linux for running applications and services
• Service provider focus
• Building on the success of HP Virtualvault
  • Balance ease of use with security
• A new security model focused on Internet services and applications
• Minimal kernel changes
• HP will deliver:
  • Example services (e.g. Apache)
  • SDK and (eventually) integration tools
[Diagram: Internet client on the OUTSIDE, HP-LX system on the INSIDE]
Compartments
[Diagram: an HP-LX host between the external network and the internal network, with applications such as Apache and Tomcat running in compartments in front of backend servers. Compartments are optionally “sealed” and/or “chrooted”.]
• Secure remote administration
• HP-LX ready applications
• Sealed compartments
• System configuration lockdown
• File access control
• Communication control
• Kernel-level auditing
Communication access control

Example of compartment communication rules
• Explicit paths in HP-LX (versus implicit paths in a conventional T.O.S.)

HOST:* -> COMPARTMENT:WEB
METHOD TCP PORT 80 NETDEV eth0
COMPARTMENT:WEB -> COMPARTMENT:TOMCAT1
METHOD TCP PORT 8007 NETDEV lo
COMPARTMENT:WEB -> COMPARTMENT:TOMCAT2
METHOD TCP PORT 8008 NETDEV lo
COMPARTMENT:TOMCAT1 -> HOST:SERVER1
METHOD TCP PORT 8080 NETDEV eth1

• No trusted processes for inter-compartment communications
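The rules above are explicit, directional paths; anything not listed is denied. As an added example (not HP-LX code), a small Python parser and checker for that rule format: it embeds the slide's rule set and answers whether a given connection has an explicit path. Endpoint names such as HOST:client42 are constructed for illustration.

```python
import re
from collections import namedtuple
# One rule = two slide lines: "SRC -> DST" then "METHOD ... PORT ... NETDEV ...".
RULE_RE = re.compile(
    r"^(?P<src>[A-Z]+:[A-Za-z0-9_*]+)\s*->\s*(?P<dst>[A-Z]+:[A-Za-z0-9_*]+)\s+"
    r"METHOD\s+(?P<method>TCP|UDP)\s+PORT\s+(?P<port>\d+)\s+NETDEV\s+(?P<netdev>\S+)$"
)
# src/dst are "TYPE:NAME" endpoints such as HOST:* or COMPARTMENT:WEB.
Rule = namedtuple("Rule", "src dst method port netdev")

def parse_rules(text):
    """Parse the rule listing from the slide into Rule tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("rules come in pairs of lines")
    rules = []
    for i in range(0, len(lines), 2):
        joined = lines[i] + " " + lines[i + 1]
        m = RULE_RE.match(joined)
        if not m:
            raise ValueError("malformed rule: " + joined)
        rules.append(Rule(m["src"], m["dst"], m["method"], int(m["port"]), m["netdev"]))
    return rules

def _endpoint_matches(pattern, actual):
    """HOST:* matches any host; otherwise type and name must match exactly."""
    ptype, pname = pattern.split(":", 1)
    atype, aname = actual.split(":", 1)
    return ptype == atype and pname in ("*", aname)

def is_allowed(rules, src, dst, method, port, netdev):
    """Default deny: the connection needs an explicit path in this direction."""
    return any(
        _endpoint_matches(r.src, src) and _endpoint_matches(r.dst, dst)
        and r.method == method and r.port == port and r.netdev == netdev
        for r in rules
    )

# The rule set from the slide, embedded here as the sample policy.
SLIDE_RULES = parse_rules("""
HOST:* -> COMPARTMENT:WEB
METHOD TCP PORT 80 NETDEV eth0
COMPARTMENT:WEB -> COMPARTMENT:TOMCAT1
METHOD TCP PORT 8007 NETDEV lo
COMPARTMENT:WEB -> COMPARTMENT:TOMCAT2
METHOD TCP PORT 8008 NETDEV lo
COMPARTMENT:TOMCAT1 -> HOST:SERVER1
METHOD TCP PORT 8080 NETDEV eth1
""")
```

Note that an external host reaching TOMCAT1 directly, or WEB reaching SERVER1, has no path even though each hop along the way is permitted: paths are not transitive.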
File access control

We do:
• File Control Table specifies: read, write, append
  • Mandatory Access Control (MAC)
  • Prevents web server overwriting the home page
  • Fine-grain control within a sealed compartment
  • Coarse grain (MAC) protection also available by using chroot
• Integrity protection
  • Cryptographic hash taken of all immutable files
  • Tripwire

We don’t:
• Labels are not used to control access to files
  => No changes to what is written on disk
System configuration lockdown
• Removed Set-UID (and Set-GID) from sensitive programs
  • at, …
• Enable password aging
• Secure permissions on executables
• Enhance the default system logging
• Etc etc….
• Remove “unnecessary” programs
• Ease of use (diagnosis/maintenance)
  • Anything in Red Hat 7.1 can be installed
  • Rely on containment preventing abuse
  • Use “special” administration compartment
Audit
Why is kernel-level auditing important?
Answer: it is very hard to by-pass
[Diagram: in kernel space, syscall hooks, network hooks and other hooks feed an audit device driver. Raw audit data crosses into application space through /dev/auditr, where the audit collection daemon (driven by the audit configuration) gathers it; trusted applications write their own records through the Audit API and /dev/auditw. An audit reporting program, possibly outside the machine boundary, reads the data through a translation API using an audit format template.]
A secure administration model (1/2)
[Diagram: an authorized administrator logs in over SSH; SSHD (started by init) authenticates through PAM and starts a shell with tlx_admin set, from which the HP-LX administration utilities make system calls into the kernel and DLKMs. An authorized user who is not an authorized administrator gets a shell with tlx_admin cleared and runs only other utilities and applications.]
• HP-LX management utilities
  • Create, destroy, start, stop compartments
  • Configure communication rules for compartments
  • Manage audit system
How do we stop the abuse of the system calls used for this?

A secure administration model (2/2)
• Each process has an additional attribute
  • The tlx_admin bit
• Code inside kernel checks for this bit before executing administration functions
• Works in parallel to Linux capability mechanism (which we also use)
• A more restricted management model than capabilities
Typical HP-LX compartment configuration
[Diagram: compartments on one host between the external network and the internal network]
• Web (apache)
• Tomcat (tomcat)
• Audit (auditd)
• Syslog (syslogd, klogd)
• Backup (Amandad)
• Xinetd (xinetd)
• Mail transport agent (sendmail)
• System (cron, getty, crond)
• SSHD (sshd)
• Administration compartment

Target platforms and performance
• Which Linux Distributions?
  • Redhat 7.1
  • Will follow up with others including Debian
• Platform
  • Dual processor 700 MHz Pentium III, 2x20 GB disk, 1 GB RAM, rack mounted PC (Netserver)
  • Single processor 500 MHz Pentium III, 10 GB disk, 500 MB RAM
• Performance
  • Currently Apache on HP-LX with auditing off is within 2% of Apache on Redhat 7.1

Summary
• A new model for trusted operating systems
  • Using our experience of commercial MLS operation
  • Balance ease of use, portability and security
  • Configure communication patterns explicitly
  • Minimal kernel changes
• Main features
  • Compartments provide containment
    – File and communication access control
  • System configuration lockdown
  • Audit
  • Secure administration model
Protects you and your users from many of the most common attacks seen today