Information Leak Track System
Kazuki Omo: [email protected]
OSS Security Community (a Facebook internal discussion community about OSS/Linux security in Japan)
Concept
My Background
- Security Researcher (15 years)
- System Administrator (3 years)
- Security Product Implementation Engineer (10 years)
- SELinux Evangelist (4 years)
- SIEM Engineer (3 years)
- Linux Engineer (15 years)
My Background
Supported / experienced in:
- Protecting systems from outside attackers……
- Tracking logs when an incident happens….
In the Real World
We still have security incidents (information leaks)...
2014 Japanese incidents:
- Benesse
- JAL
… and more
(c) JNSA http://www.jnsa.org/result/incident/data/2013incident_survey_ver1.1.pdf
Concept
Technically, it is really hard to “prevent” an information leak.
OK, then let us suppose that “information will leak”.
Our proposal is then “how to track the leaking path”.
Concept(contd.)
This presentation is “not” saying to throw out traditional protective solutions. (Multi-layered defence is important.)
Admins still need to protect their data from malicious people (UTM, AntiVirus, Security-Enhanced OS, MAC on OS/DB, SIEM, etc.).
System
Real Case (2014/07/09 Benesse HD)
Flow of the leaked data (diagram on the original slide):
Benesse HD → System Administrator (contract SA, malicious) → (contact) → Malicious ML broker → Customer Info → other ML brokers → Third Party
Objective
When “leaked information” is used by a “third party”, we wish to track who leaked the information and from where.
Put every flow of the information into the file? → Hard because of size limitations.
Put “current location info” and “previous location info” into the file as a fingerprint instead. Then, hop by hop, we can know how the info leaked.
Fingerprint
Objective
What is a “Fingerprint” (location info)?
Both the current and the previous fingerprint should contain…
- Unique location info: PC name, corporation, hardware
- Who: user
… etc.
The current and previous fingerprints are kept side by side, so the file carries the hop it came from as well as where it is now.
Who will get the information, and how?
Two actors take data out of the internal network (diagram on the original slide): an external attacker, and a malicious internal user.
How will an attacker “bring” information out?
1. Copy from an internal terminal and paste into the attacker's terminal (if the information is small).
How will a malicious user “bring” information out?
2. Copy from an internal PC and save to a USB stick (if the information is large): create a file, then copy it.
How will a malicious user “bring” information out?
3. Copy from an internal PC and send it to an outside PC (if the information is large): create a file, then copy it out by mail, FTP, scp, ...
Categorize
I. Information sent through copy/paste between terminals (case 1)
→ Put the “fingerprint” in the font, etc.
II. Information sent through a file (cases 2 and 3)
→ Put the “fingerprint” on the file.
I. Put “fingerprint” to font.
I. Put “fingerprint” in font.
Just an idea; still working out the details………...
Can we embed unique information in a font? (Similar to the watermarking technology used in Fujitsu's printing solution.)
Can we encode unique information in the font name?
http://www.fujitsu.com/downloads/MAG/vol43-2/paper06.pdf
II. Put “fingerprint” to file.
II.Put “fingerprint” to file.
When we put a “fingerprint” on a file, we have to decide:
1. When?
2. Where?
3. How?
II-2. When do we put the “fingerprint” on the file?
At write time: when a process calls sys_write() on a file under /home/user (diagram on the original slide).
II-2. Where do we put the “fingerprint” on the file?
In the file's extended file attributes (xattrs), written when the process's sys_write() lands on a file under /home/user (diagram on the original slide).
II-2. How do we put the “fingerprint” on the file?
Check the “when” (sys_write) on the “where” (/home/user) → fanotify.
Check every file on the system? → waste of resources; mark only the directories (or mounts) that hold the sensitive data.
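As an added example (this is not the author's code; the slides' own userland tool is a modified fanotify sample shown later), here is a small stamper in C that implements the when/where/how above: it marks a directory with fanotify and, on every FAN_CLOSE_WRITE, records "HOST <hostname> UID <euid>" in user.DESC_USER, moving the previous value into user.DESC_USER_PRE. Instead of patching the kernel to export the writer's euid, it reads /proc/<pid>/status of the writing process; this works on a stock kernel but races with short-lived writers (the uid is then recorded as -1), which is exactly the reason the author patched fanotify. The MAC-address part of the fingerprint is omitted; the attribute names follow the slide output. Running the watcher needs CAP_SYS_ADMIN.

```c
// Added example, not part of the original slides: userland fanotify stamper
// that keeps "current" and "previous" fingerprints in user.* xattrs.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/xattr.h>

#define FP_MAX 256

/* Effective uid of a pid from /proc/<pid>/status ("Uid: real effective saved fs").
   Assumption: the writer is still alive; returns -1 if it already exited. */
int euid_of_pid(pid_t pid) {
    char path[64], line[256];
    int uid = -1, r, e;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Uid: %d %d", &r, &e) == 2) { uid = e; break; }
    fclose(f);
    return uid;
}

/* "Current" fingerprint: hostname + effective uid (same format as the slide output). */
int build_fingerprint(int uid, char *out, size_t outlen) {
    char host[HOST_NAME_MAX + 1] = "unknown";
    gethostname(host, sizeof host - 1);
    return snprintf(out, outlen, "HOST %s UID %d", host, uid) < (int)outlen ? 0 : ERANGE;
}

/* Move user.DESC_USER to user.DESC_USER_PRE (only if the location changed) and
   write the new current value. Returns 0 or an errno value (ENOTSUP on vfat/NFS). */
int stamp_fingerprint(const char *path, const char *cur) {
    char old[FP_MAX];
    ssize_t n = getxattr(path, "user.DESC_USER", old, sizeof old - 1);
    if (n < 0 && errno != ENODATA) return errno;
    if (n > 0) {
        old[n] = '\0';
        if (strcmp(old, cur) != 0 &&
            setxattr(path, "user.DESC_USER_PRE", old, (size_t)n, 0) < 0)
            return errno;
    }
    if (setxattr(path, "user.DESC_USER", cur, strlen(cur), 0) < 0) return errno;
    return 0;
}

/* Read one fingerprint attribute back as a C string; returns its length or -1. */
ssize_t read_fingerprint(const char *path, const char *name, char *out, size_t outlen) {
    ssize_t n = getxattr(path, name, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

/* Mark one directory (not the whole system) and stamp each file closed after writing. */
int watch_and_stamp(const char *dir) {
    static char buf[4096] __attribute__((aligned(8)));
    int fan = fanotify_init(FAN_CLOEXEC | FAN_CLASS_NOTIF, O_RDONLY);
    if (fan < 0) return errno;
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_CLOSE_WRITE | FAN_EVENT_ON_CHILD, AT_FDCWD, dir) < 0)
        return errno;
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len < 0) return errno;
        if (len == 0) return EIO;
        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->fd < 0) continue;               /* queue overflow marker */
            char link[64], path[PATH_MAX], fp[FP_MAX];
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t pl = readlink(link, path, sizeof path - 1);
            if (pl > 0) {
                path[pl] = '\0';
                build_fingerprint(euid_of_pid(ev->pid), fp, sizeof fp);
                int r = stamp_fingerprint(path, fp);
                printf("%s <- \"%s\" (%s)\n", path, fp, r ? strerror(r) : "ok");
            }
            close(ev->fd);
        }
    }
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <dir>\n", argv[0]); return 1; }
    int r = watch_and_stamp(argv[1]);
    fprintf(stderr, "watch failed: %s\n", strerror(r));
    return 1;
}
```

Usage: `sudo ./stamper /home/user`, then write a file in that directory from another shell and run `getfattr -d -m - <file>` to see both attributes. The PRE attribute is only rotated when the new fingerprint differs from the stored one, so repeated writes from the same host do not overwrite the record of where the file came from. `setxattr` returning ENOTSUP is the vfat/NFS failure discussed in the conclusion.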
Sample for II-2
Sample for II-2 (Put “fingerprint” on file)
Demo topology (diagram on the original slide): Host 1 and Host 2, each running a modified linux-4.0 kernel (so that fanotify reports the writer's euid) and each running the fanotify watcher, both CIFS-mount the same share from a Windows Server (CIFS server).
Sample Source
I. Kernel: linux-4.0. The fanotify-related source was changed to get the euid from the task:
--- fanotify.h.org 2015-04-10 15:21:25.971294026 +0900+++ fanotify.h 2015-04-26 16:32:22.835543920 +0900@@ -92,7 +92,8 @@ __s32 fd; __s32 pid;- kuid_t loginuid;+ //kuid_t loginuid;+ __s32 loginuid; };
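Review bot: struct fanotify_event_metadata is a UAPI struct read by every fanotify consumer, so changing the `loginuid` field (and its type, from `kuid_t` to `__s32`) changes the record layout that userspace parses; bump FANOTIFY_METADATA_VERSION and make sure `metadata_len`/`event_len` reflect the new sizeof, so an unpatched reader fails the version check instead of misparsing the stream. Replacing `kuid_t` is right in itself, since it is a kernel-internal wrapper type and must never appear in a UAPI header, but the field is filled with the effective uid, not audit's loginuid (`/proc/<pid>/loginuid`); naming it `euid` and documenting a sentinel value for "unknown" would avoid confusing readers and tools.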
--- fanotify_user.c.org 2015-04-06 08:55:25.393823267 +0900+++ fanotify_user.c 2015-04-26 16:32:17.867544077 +0900@@ -118,6 +118,9 @@ { int ret = 0; struct fanotify_event_info *event;+ struct task_struct *p; pr_debug("%s: group=%p metadata=%p event=%p\n", __func__, group, metadata, fsn_event);@@ -130,7 +133,17 @@ metadata->reserved = 0; metadata->mask = fsn_event->mask & FAN_ALL_OUTGOING_EVENTS; metadata->pid = pid_vnr(event->tgid);- metadata->uid = pid_vnr(event->tgid);++ rcu_read_lock();++ p = find_task_by_vpid(metadata->pid);+ if (p != NULL) {+ metadata->loginuid = from_kuid(&init_user_ns,p->cred->euid);+ }+ rcu_read_unlock(); if (unlikely(fsn_event->mask & FAN_Q_OVERFLOW)) metadata->fd = FAN_NOFD; else {
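Review bot: `metadata->loginuid` is left uninitialized when find_task_by_vpid() returns NULL (the writer has already exited by the time the reader drains the queue), so uninitialized memory is copied to userspace; set it to a sentinel before the lookup. The euid is also sampled at read time rather than at the time of the write, so a process that calls setuid() in between is attributed the wrong uid, and any reader delay lets a short-lived process vanish entirely. The robust place to capture it is fanotify_alloc_event(), where `event->tgid` is already recorded, using current_euid() on the writing task. Finally, `p->cred->euid` dereferences `->cred` directly; use `task_euid(p)` (or `__task_cred(p)` inside the RCU section) as the rest of the kernel does. Dropping the old `metadata->uid = pid_vnr(event->tgid)` line is correct, since it was storing a pid in a uid field.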
Sample Source
II. Userland process: checks directory/file status using fanotify; modified from the fanotify userland sample code.
+ strncpy(ifr.ifr_name , iface , IFNAMSIZ-1);++ ioctl(fd, SIOCGIFHWADDR, &ifr);++ close(fd);++ mac = (unsigned char *)ifr.ifr_hwaddr.sa_data;++ //display mac address+ sprintf(hardware,"%s:%.2x:%.2x:%.2x:%.2x:%.2x:%.2x " , iface, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); ++ return 0;+}+
diff -Nru fanotify-example.org/fanotify.c fanotify-example/fanotify.c--- fanotify-example.org/fanotify.c 2015-04-05 16:04:26.936501684 +0900+++ fanotify-example/fanotify.c 2015-04-30 13:57:45.244808252 +0900@@ -13,6 +13,13 @@ #include <sys/types.h> #include <sys/stat.h> #include <unistd.h>+#include <err.h>+#include <sys/socket.h>+#include <sys/ioctl.h>+#include <net/if.h>+#include <dirent.h>+// #include <linux/fanotify.h> @@ -51,6 +58,57 @@ return mark_object(fan_fd, NULL, fd, mask, flags); } +int getmacaddr(const char *iface, char *hardware) {++ int fd;+ struct ifreq ifr;+ unsigned char *mac;++ fd = socket(AF_INET, SOCK_DGRAM, 0);++ ifr.ifr_addr.sa_family = AF_INET;
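Review bot: in the getmacaddr() hunk (its tail appears above the diff header because of extraction order), the return values of socket() and ioctl(SIOCGIFHWADDR) are never checked, so for a non-existent interface `ifr.ifr_hwaddr.sa_data` is uninitialized stack memory and a random "MAC" ends up in the fingerprint; check both and return -1 on failure. `sprintf(hardware, ...)` writes into a caller-supplied buffer of unknown size; pass the size in and use snprintf. `strncpy(ifr.ifr_name, iface, IFNAMSIZ-1)` does not NUL-terminate when `iface` is IFNAMSIZ-1 bytes or longer; add `ifr.ifr_name[IFNAMSIZ-1] = '\0'` after it. Separately, a MAC address is freely settable by root (`ip link set dev eth0 address ...`), which is exactly the adversary in the Benesse case, so the MAC should be treated as a hint, not a trustworthy identifier.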
… Snip
Sample Result (CIFS mount). Unique info: MAC combination (sample)
root@host1:~/src/fanotify-example# ./fanotify -c /cifs_mount -o write
root@host1:~# touch /cifs_mount/testfile
root@host1:~# getfattr -d --absolute-names /cifs_mount/testfile
# file: cifs_mount/testfile
user.DESC_MAC="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host1 UID 0"

root@host2:~# touch /cifs_mount/testfile
root@host2:~# getfattr -d --absolute-names /cifs_mount/testfile
# file: cifs_mount/testfile
user.DESC_MAC="eth1:08:00:27:1b:98:4d eth0:08:00:27:d3:7c:60 "
user.DESC_MAC_PRE="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host2 UID 0"
user.DESC_USER_PRE="HOST host1 UID 0"

(user.DESC_MAC / user.DESC_USER = current info; user.DESC_MAC_PRE / user.DESC_USER_PRE = previous info, i.e. the host the file was last written from.)
Sample for II-2 (Put “fingerprint” on file)
Demo topology (diagram on the original slide): Host 1 and Host 2, each running a modified linux-4.0 kernel (so that fanotify reports the writer's euid) and each running the fanotify watcher, share a USB stick (vfat / ext3) that is moved from one host to the other.
Sample Result (USB: vfat). Unique info: MAC combination (sample)
[root@kazuki media]# mount
/dev/sdb1 on / type ext4 (rw,noatime,discard)
--snip--
/dev/sdc1 on /media type vfat (rw)
[root@kazuki media]# setfattr -n user.desc_mac -v "TEST" /media/testfile
setfattr: /media/testfile: Operation not supported

vfat does not support extended file attributes, so nothing can be stamped on a FAT-formatted USB stick.
Sample Result (USB: ext3). Unique info: MAC combination (sample)
root@host1:~/src/fanotify-example# ./fanotify -c /media_mount -o write

root@host1:~# touch /media/testusb
root@host1:~# getfattr -d --absolute-names /media/testusb
# file: media/testusb
user.DESC_MAC="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host1 UID 0"

root@host2:~# touch /media/testusb
root@host2:~# getfattr -d --absolute-names /media/testusb
# file: media/testusb
user.DESC_MAC="eth1:08:00:27:1b:98:4d eth0:08:00:27:d3:7c:60 "
user.DESC_MAC_PRE="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host2 UID 0"
user.DESC_USER_PRE="HOST host1 UID 0"

(user.DESC_MAC / user.DESC_USER = current info; user.DESC_MAC_PRE / user.DESC_USER_PRE = previous info.)
Conclusion
Conclusion
I. Using extended file attributes is very restrictive.
- NFS is not supported (with the linux-4.0 kernel used here; later kernels added user xattr support for NFSv4.2).
- Not many file systems support them at all (vfat does not, as shown above).
II. There is no way to carry the fingerprint to another PC if the leak path does not support extended file attributes.
- e.g. sending the file by mail.
- Likewise, user.* attributes are silently dropped by many copy paths (`cp` without `--preserve=xattr`, archives created without `--xattrs`) and can be removed with `setfattr -x` by anyone with write access to the file, so the malicious administrator of the Benesse case can simply strip them.
→ Think of other ways to put a fingerprint on a file:
- e.g. create a unique file format for it.
- Hook the write/open syscalls and encrypt/decrypt the file with the unique info.
- Hook the write/open syscalls and convert the file with the unique info.
- Focus more on putting the fingerprint somewhere other than the file (fonts, etc.).
→ Steganographic solution
Conclusion
We need your suggestions, development help, etc.
Please feel free to contact [email protected]