Linux-kernel security enhancements
Karri Huhtanen <[email protected]>

Posted 05-Jan-2016
TRANSCRIPT

Linux-kernel security enhancements

Karri Huhtanen <[email protected]>

Why?

● Linux is used more and more in network appliances, routers and other critical systems.

● Critical systems like these often cannot be upgraded and rebooted instantly when a new security hole and its fix are found.

● A plain vanilla Linux kernel and system is considerably more vulnerable than specialized router operating systems, because it offers only the basic Unix security model: discretionary access control and an all-powerful root.

● The plain vanilla Linux kernel has no built-in encryption support for securing communications or data (at least not yet)

● Thus there is a need for a hardened Linux kernel and security enhancements

How?

● A designed security architecture is needed; just closing individual security holes is not the solution

● Buffer overflow & memory protection/restrictions, “sandboxes” for services, processes and users

● Resource restrictions/limitations within the kernel or outside it (e.g. fork bomb protection, firewall rules that limit the number of open connections, etc.)

● Mandatory Access Controls (“Root has too much power”): access control based on a subject/object model, with the policy set by the administrator rather than by the file owner

● Logging, traceability of actions, integrity checks

● Hiding the system's existence on the network, i.e. network transparency (OS signature hiding)

● Communications / data encryption support (e.g. an IPSEC stack, filesystem encryption)
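As an added example (not part of the presentation) of the "resource restrictions within the kernel" item above, the following Python script lowers a process's RLIMIT_NOFILE and RLIMIT_NPROC soft limits with setrlimit(2) and then shows, in a forked child, that the kernel refuses further open() calls with EMFILE once the limit is reached. The limit values, the function names and the use of /dev/null as the probe file are choices made for this example.

```python
"""Resource restriction enforced by the kernel via setrlimit(2).

Added example: lower a process's soft limits before handing control to a
service, then prove in a forked child that the kernel really stops further
opens with EMFILE. Limit values below are arbitrary demo numbers.
"""
import errno
import os
import resource
import struct


def _cap(value, hard):
    """A soft limit may never exceed the hard limit (RLIM_INFINITY = no cap)."""
    return value if hard == resource.RLIM_INFINITY else min(value, hard)


def apply_limits(max_open_files, max_processes=None):
    """Lower the soft limits of the calling process; children inherit them.

    Only the soft limit is lowered; the hard limit is left alone, so a
    sandboxed service can never raise itself above the hard limit while a
    privileged supervisor can still adjust the soft one.
    Returns the (soft, hard) pair now in force for RLIMIT_NOFILE.
    """
    _, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    resource.setrlimit(resource.RLIMIT_NOFILE, (_cap(max_open_files, hard), hard))

    if max_processes is not None:
        # Fork-bomb protection: fork(2) fails with EAGAIN once this user owns
        # max_processes processes. Caveat: the kernel exempts processes that
        # hold CAP_SYS_ADMIN or CAP_SYS_RESOURCE (i.e. root), which is exactly
        # the "root has too much power" problem the MAC projects address.
        _, nhard = resource.getrlimit(resource.RLIMIT_NPROC)
        resource.setrlimit(resource.RLIMIT_NPROC, (_cap(max_processes, nhard), nhard))
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def _open_until_emfile(limit, attempts):
    """Restrict ourselves to `limit` descriptors, then open /dev/null repeatedly
    until the kernel answers EMFILE. Returns how many opens succeeded."""
    apply_limits(max_open_files=limit)
    opened = []  # keep the file objects alive so the descriptors stay in use
    for _ in range(attempts):
        try:
            opened.append(open(os.devnull, "rb"))
        except OSError as exc:
            if exc.errno != errno.EMFILE:
                raise
            break  # the kernel enforced the limit
    return len(opened)


def count_openable(limit, attempts):
    """Run _open_until_emfile in a forked child so the caller's own limits are
    untouched, and return the child's count (-1 if the child failed).

    With attempts > limit the result is always below `attempts`, and at most
    `limit` minus the descriptors already open (stdin/stdout/stderr, pipe).
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(rfd)
        n = -1
        try:
            n = _open_until_emfile(limit, attempts)
        finally:
            os.write(wfd, struct.pack("i", n))
            os._exit(0)
    os.close(wfd)
    data = os.read(rfd, 4)
    os.close(rfd)
    os.waitpid(pid, 0)
    return struct.unpack("i", data)[0]


if __name__ == "__main__":
    got = count_openable(limit=32, attempts=1000)
    print(f"child with RLIMIT_NOFILE=32 opened {got} extra files before EMFILE")
```

The same pattern, applied with RLIMIT_NPROC right before exec'ing a network service, is the userland half of fork-bomb protection; the kernel patches in the rest of the presentation add the half that userland cannot, namely limits that root cannot lift.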

Integrity and Access Control

● NSA Security-Enhanced Linux (www.nsa.gov/selinux/)

– The result of several NSA security research projects, covering the design as well as the implementation approach

– “Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system.” -- NSA SELinux FAQ

– A starting point and a theoretical model for future kernel development and for the Linux Security Modules (LSM) work (http://lsm.immunix.org/)

● LIDS (www.lids.org)

– “Root has too much power.”

– An access control list (ACL) implementation patch for the Linux kernel

– file/process protection and capabilities control

– An open-source community's equivalent of NSA SELinux?

● grsecurity (www.grsecurity.net)

– A large collection of security enhancement patches for the Linux kernel

– Buffer overflow/memory protections; ACLs for files, sockets, consoles, processes and more; logging; resource restrictions/limits; network invisibility/OS signature hiding, etc.
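To make the subject/object model and the “root has too much power” point concrete, here is an added example (not code from SELinux, LIDS or the presentation) of a toy reference monitor in Python. Every access is the triple (subject domain, object type, permission); only triples listed in the policy are granted, uid 0 gets no exemption, and each decision is appended to an audit trail, which also illustrates the “logging, traceability of actions” item. The domains, types, file names and policy rules are invented for the demo, and group permission bits are left out for brevity.

```python
"""Subject/object access control with a mandatory layer on top of Unix DAC.

Added example in the type-enforcement style: the kernel grants an access only
if the classic discretionary check AND the mandatory policy both allow it.
Labels, file names and rules below are invented for the demonstration.
"""
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Subject:
    uid: int
    domain: str          # MAC label of the running process, e.g. "httpd_t"


@dataclass(frozen=True)
class Obj:
    name: str
    owner_uid: int
    mode: int            # Unix permission bits, e.g. 0o640
    type_: str           # MAC label of the object, e.g. "shadow_t"


# Owner/other bits per permission (group handling omitted for brevity).
DAC_BITS = {
    "read": (stat.S_IRUSR, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWOTH),
}


def dac_allows(subj, obj, perm):
    """Discretionary check as the plain Unix kernel does it: root always passes."""
    if subj.uid == 0:
        return True
    owner_bit, other_bit = DAC_BITS[perm]
    bit = owner_bit if subj.uid == obj.owner_uid else other_bit
    return bool(obj.mode & bit)


class ReferenceMonitor:
    """Mandatory layer: default deny, policy set by the administrator rather
    than the file owner, and no special case for uid 0."""

    def __init__(self, rules):
        self.rules = frozenset(rules)   # allowed (domain, type, perm) triples
        self.audit = []                 # traceability: every decision is recorded

    def mac_allows(self, subj, obj, perm):
        return (subj.domain, obj.type_, perm) in self.rules

    def check(self, subj, obj, perm):
        """Kernel-style decision: both DAC and MAC must grant the access."""
        dac = dac_allows(subj, obj, perm)
        mac = self.mac_allows(subj, obj, perm)
        granted = dac and mac
        self.audit.append(
            f"{'GRANT' if granted else 'DENY'} uid={subj.uid} domain={subj.domain} "
            f"obj={obj.name} type={obj.type_} perm={perm} dac={dac} mac={mac}"
        )
        return granted


# Invented policy: the web server may read its content and write its log;
# only the password utility may touch the shadow file.
POLICY = [
    ("httpd_t", "httpd_content_t", "read"),
    ("httpd_t", "httpd_log_t", "write"),
    ("passwd_t", "shadow_t", "read"),
    ("passwd_t", "shadow_t", "write"),
]

SHADOW = Obj("/etc/shadow", owner_uid=0, mode=0o600, type_="shadow_t")
INDEX = Obj("/var/www/index.html", owner_uid=33, mode=0o644, type_="httpd_content_t")
LOG = Obj("/var/log/httpd/access.log", owner_uid=33, mode=0o644, type_="httpd_log_t")


def demo():
    """A compromised web server running as root still cannot read /etc/shadow,
    and the web server cannot deface its own content even though DAC allows it."""
    mon = ReferenceMonitor(POLICY)
    httpd_as_root = Subject(uid=0, domain="httpd_t")
    passwd = Subject(uid=0, domain="passwd_t")
    www_user = Subject(uid=33, domain="httpd_t")
    results = {
        "root_httpd_reads_shadow": mon.check(httpd_as_root, SHADOW, "read"),
        "passwd_reads_shadow": mon.check(passwd, SHADOW, "read"),
        "www_reads_index": mon.check(www_user, INDEX, "read"),
        "www_writes_log": mon.check(www_user, LOG, "write"),
        "www_writes_index": mon.check(www_user, INDEX, "write"),
    }
    return results, mon.audit


if __name__ == "__main__":
    _, trail = demo()
    print("\n".join(trail))
```

The first audit line is the whole argument for MAC in one decision: dac=True because the subject is root, mac=False because no rule grants httpd_t access to shadow_t, so the access is denied regardless of uid.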

Communications and Data Encryption

● FreeS/WAN IPSEC stack:

– WWW site: www.freeswan.org

– X.509 certificate support: www.strongsec.com/freeswan/

– The leading free open source Linux IPSEC stack; commercial IPSEC stacks for network appliance developers are available from, for example, SSH Communications, SecGo (and F-Secure?)

– Advantages: free, open source, available to all, (cheap), interoperable

– Disadvantages: no management software, only 3DES encryption, limited support for hardware encryption and for newer IP technologies

● International Crypto API for GNU/Linux:

– WWW site: sourceforge.net/projects/cryptoapi/

– Provides kernel modules for creating encrypted loopback devices, e.g. to encrypt your home partition

– Based on the international crypto patch for GNU/Linux

– Advantages: free, open source, available to all, cheap, several encryption algorithms implemented (Blowfish, AES etc.)

– Disadvantages: weak documentation; encryption of the whole disk or of swap is not possible, only of loopback volumes

About this presentation and report

● This presentation will soon be added, in several formats, at: iki.fi/khuhtanen/interests/security/

● The report, which presents these security enhancements in detail, will be published on the same web page.

● The report will also most likely contain an account of a practical experiment in which some or all of the presented security enhancements are combined in a single kernel. The success or failure of this experiment, as well as the successful or failing combination, is documented in the report.

● Questions? Suggestions of things to note in the report?