Rapid AIX Security Hardening with Trusted Execution (TE)
AIX schnell absichern mit Trusted Execution (Hardening AIX quickly with Trusted Execution)

Andreas Leibl, RSTC Ltd
IBM Power Systems und Systems Management Symposium, 30.05. - 01.06.2011
© 2011 Andreas Leibl, RSTC Ltd

IBM Power Systems und Storage Symposium, 30.05.-01.06.2011 in Ulm © 2011 Andreas Leibl, RSTC Ltd

Andreas Leibl

• RSTC Ltd

• based in Bristol, UK

• and Ulm, Germany

• http://www.rstc-ltd.co.uk/

• Email: [email protected]

• If you have any questions about the talk, please send me an email or contact me on

• LinkedIn: http://www.linkedin.com/in/aleibl

• Xing: https://www.xing.com/profile/Andreas_Leibl


Agenda

• AIX Security

• Trusted Execution (TE) & Trusted Computing Base (TCB)

• System Integrity Check

• Runtime Integrity Check

• Trusted Path

• Adding your own files



AIX & Security

• UNIX type security (accounts & permissions)

• Role Based Access Control (enhanced RBAC)

• enhanced in AIX 7.1 with Domain RBAC

• Trusted Execution (TE)



RBAC

• Role Based Access Control

• Fine-grained control

• Enforced in the kernel; applications need not be modified

• No privilege escalation through faulty programs or shell escapes: a role grants only the privileges it contains, not a root shell

• Users gain privileges through roles which allow them to execute certain operations

• Superior to sudo



Domain RBAC

• RBAC enhancement in AIX 7.1

• Allows privileges to be restricted to certain objects

• Example: Right to resize filesystems can be limited to certain filesystems



Trusted Execution

• Replaces Trusted Computing Base (TCB)

• Superior capabilities

• TCB still available



Trusted Computing Base (TCB)

• Needs to be enabled at install time

• Limited to static (offline) checks (security sweeps)

• Default database quite limited (heavy use of VOLATILE keyword which effectively disables TCB checks for specified files)

• Weak, non-cryptographic checksums, so a deliberate modification can go undetected (low security)



TE vs. TCB

• TE can be enabled at any time

• Uses cryptographically strong hashes

• Hashes can be cryptographically signed

• Runtime (online) checks in addition to static (offline) checks



TE Protection

• Protects against trojan horses

• Protects against rootkits

• Protects against any tampering with critical files

• Can easily be extended to cover your own files



Trusted Execution Requirements

• AIX 6.1 or 7.1

• CryptoLite for C (CLiC) library (clic.rte.*) from the expansion pack

# lslpp -l 'clic.*'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.7.0.0  COMMITTED  CryptoLite for C Library

Path: /etc/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
#



TE: Strong Hashes

• One-way hash functions generate a secure fingerprint of each file

• Default hash algorithm: SHA256

• Also available: SHA1 (160 bits), SHA512

• Can sign the hashes in the TE database for added security

• AIX files come with signed hashes from IBM



Trusted Signature Database

# Can use grep -p or the proper command to see stanzas in the TE database:
# trustchk -q /usr/bin/ls
/usr/bin/ls:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        hardlinks =
        symlinks =
        size = 26732
        cert_tag = 00d3cbd2922627b209
        signature = 964bf2d53b4e0b6c3be62e2569ab9da192634a69d5f2d15861098eb7475093f0d45488571da627ea2cd7b528864a1c82e25cbf585733de4e88dc649b5306dfb7427b32c29ac37f259ed5f6598c415f682abda422ee3a9497937f9f1f7191b32ebcd467ad3ca302425c5607e59ffad1fcd69306f1674905c2f0c1d8e143b1752d
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
        minslabel =
        maxslabel =
        intlabel =
        accessauths = aix.fs.object.list
        innateprivs = PV_DAC_R,PV_DAC_X
        inheritprivs =
        authprivs =
        secflags = FSF_EPS
        t_innateprivs = PV_MAC_R,PV_MIC



System Integrity Check

• TE checks all files listed in database

• Changed permissions are corrected

• Changed files are disabled (read, write and execute permissions revoked)

• Run manually or from cron



Planting a Trojan Horse

# Let's do something nasty...
# mv /usr/bin/ls /usr/bin/.ls
# vi /usr/bin/ls
...
# cat /usr/bin/ls
#!/usr/bin/sh
echo "Doing something dirty here (which you can't see)..."
/usr/bin/.ls $*
# chmod 555 /usr/bin/ls
# ls /home
Doing something dirty here (which you can't see)...
guest lost+found root
#

Replacing the ls command with a malicious version that installs a backdoor and then emulates ls behaviour



System Integrity Check in Action - Check only

# trustchk -n ALL
trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get: mode
trustchk: Verification of attributes failed: /usr/sbin/sshd: size
trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib: group
trustchk: Verification of attributes failed: /usr/bin/ls: owner group size hashvalue signature
#



System Integrity Check

• Sometimes produces false alerts

• Meaning: the TSD wasn't updated correctly (this covers permissions and SUID bits too)

• or files were removed

• or a property was never recorded in the stanza (like size in the case of sshd)

• The -n flag means trustchk only reports problems; it takes no corrective action
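What a cron job built around trustchk -n ALL could do with those lines, as an added example that is not part of the talk: it reads the sweep output, separates probable TSD drift (mode, owner, group, or a size that was never recorded) from real content changes (hashvalue, signature), and turns that into an exit status a scheduler or mailer can act on. The script, the te_* function names and the fake_trustchk stand-in are constructed for illustration; the sample lines are the ones the sweep on the previous slide printed.

```shell
#!/bin/sh
# Added example (not from the talk): triage for a cron-driven sweep.
# "trustchk -n ALL" prints one line per failing file and exits non-zero;
# this splits those lines into likely TSD drift (mode/owner/group, or a size
# attribute that was never recorded, as with sshd above) and content changes
# (hashvalue/signature), which is what should page someone. The sample below
# is constructed from the lines the talk's sweep printed.

SAMPLE='trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get: mode
trustchk: Verification of attributes failed: /usr/sbin/sshd: size
trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib: group
trustchk: Verification of attributes failed: /usr/bin/ls: owner group size hashvalue signature'

# te_triage: reads trustchk output on stdin, prints "SEVERITY PATH ATTRS" per
# failing file. CRITICAL when hashvalue or signature failed, WARNING otherwise.
te_triage() {
    awk -F': ' '
        $1 != "trustchk" || $2 != "Verification of attributes failed" { next }
        { sev = ($4 ~ /hashvalue|signature/) ? "CRITICAL" : "WARNING"; print sev, $3, $4 }'
}

# te_sweep CMD [ARGS...]: run the sweep command (on AIX: trustchk -n ALL), triage
# its output, and return 2 if any file is CRITICAL, 1 if only WARNINGs, 0 if clean.
# trustchk -n exits 114 whenever anything fails, so its own status is ignored
# here and the triaged report decides.
te_sweep() {
    out=$("$@" 2>&1 || true)
    report=$(printf '%s\n' "$out" | te_triage)
    [ -z "$report" ] || printf '%s\n' "$report"
    case "$report" in
        "")         return 0 ;;
        *CRITICAL*) return 2 ;;
        *)          return 1 ;;
    esac
}

# Stand-in for trustchk so the example runs anywhere (constructed output).
fake_trustchk() { printf '%s\n' "$SAMPLE"; return 114; }

# On AIX a cron entry would call something like (hypothetical address):
#   te_sweep trustchk -n ALL || mail -s "TE sweep rc=$?" secops@example.com
te_sweep fake_trustchk || echo "sweep returned $?"
```

Returning 2 only for hashvalue/signature failures keeps the mode/owner/group noise the talk describes out of the paging path while still logging it for TSD clean-up.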



Checking the Hash

# want to check the hash value?
# openssl dgst -sha256 /usr/bin/ls
SHA256(/usr/bin/ls)= 4e6da7a726bb27428f2e8321a2aea231f587e88aacc03ac766c0cf1a02530378        <- modified "ls"
#
# openssl dgst -sha256 /usr/bin/.ls
SHA256(/usr/bin/.ls)= 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8       <- original "ls"
#
# trustchk -q /usr/bin/ls | grep hash
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8        <- TSD entry
#

The TSD entry matches the original binary, now sitting at /usr/bin/.ls, and not the replacement at /usr/bin/ls.



System Integrity Check - Interactive

# Use trustchk -t to correct problems interactively
# trustchk -t /usr/bin/ls
trustchk: Verification of attributes failed: owner
Change the file owner for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: group
Change the file group for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: size
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: hash
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: signature
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of stanza failed:
#



System Integrity Check - Autocorrection

# trustchk -y /usr/bin/ls
trustchk: Verification of attributes failed: owner
trustchk: Verification of attributes failed: group
trustchk: Verification of attributes failed: mode
trustchk: Verification of attributes failed: size
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:
#
# /usr/bin/.ls -l /usr/bin/ls
---------T 1 bin bin 93 May 28 16:07 /usr/bin/ls
#

trustchk -y = auto (think fsck -y)

File disabled: every permission bit has been cleared (only the sticky bit, shown as T, is left), so the modified ls can no longer be read, written or executed



System Integrity Check - Autocorrection

• Wrong permissions get reset

• Wrong owner and group get reset

• Files that changed size or hash value are disabled
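How such a sweep works underneath, as an added example that is not from the talk: a miniature trustchk in POSIX shell that records mode, size and SHA-256 of files into a tsd.dat-style stanza file and then either reports (like trustchk -n) or corrects (like trustchk -y), resetting a drifted mode and disabling a file whose content changed. The te_* function names, the cut-down stanza layout and the demo file are all invented for the example; it assumes GNU stat plus sha256sum or openssl on the PATH, and leaves owner and group out because resetting them needs root.

```shell
#!/bin/sh
# Added example (not from the talk): a miniature trustchk in POSIX sh.
# Records mode, size and SHA-256 of files into a stanza file shaped like
# /etc/security/tsd/tsd.dat, then verifies them. Action "n" only reports,
# action "y" corrects: a drifted mode is reset, a file whose size or hash
# changed is disabled by clearing all permission bits (TE does the same and
# additionally leaves the sticky bit set; that bit is omitted here).
# Assumptions: GNU stat (-c), and sha256sum or openssl on PATH.
# Owner/group are not tracked because resetting them needs root.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}
mode_of() { stat -c '%a' "$1"; }
size_of() { wc -c < "$1" | tr -d ' '; }

# te_add DB FILE: append a stanza for FILE (the "trustchk -a FILE" step).
te_add() {
    printf '%s:\n\tmode = %s\n\tsize = %s\n\thash_value = %s\n\n' \
        "$2" "$(mode_of "$2")" "$(size_of "$2")" "$(sha256_of "$2")" >> "$1"
}

# te_lookup DB FILE ATTR: print the recorded value of ATTR in FILE's stanza.
te_lookup() {
    awk -v f="$2:" -v a="$3" '
        $0 == f              { in_stanza = 1; next }
        /^[^ \t]/            { in_stanza = 0 }
        in_stanza && $1 == a { print $3 }' "$1"
}

# te_failed_attrs DB FILE: print the attributes that no longer match
# (empty output means the file is clean), named as trustchk names them.
te_failed_attrs() {
    failed=""
    [ "$(mode_of "$2")" = "$(te_lookup "$1" "$2" mode)" ]         || failed="$failed mode"
    [ "$(size_of "$2")" = "$(te_lookup "$1" "$2" size)" ]         || failed="$failed size"
    [ "$(sha256_of "$2")" = "$(te_lookup "$1" "$2" hash_value)" ] || failed="$failed hashvalue"
    echo "${failed# }"
}

# te_check ACTION DB FILE: ACTION is n (report only) or y (correct).
# Returns 0 when clean, 114 otherwise (the status trustchk -n gave in the talk).
te_check() {
    failed=$(te_failed_attrs "$2" "$3")
    [ -n "$failed" ] || return 0
    echo "trustchk: Verification of attributes failed: $3: $failed"
    if [ "$1" = y ]; then
        case " $failed " in
            *" size "*|*" hashvalue "*) chmod 0 "$3" ;;        # content changed: disable the file
            *) chmod "$(te_lookup "$2" "$3" mode)" "$3" ;;      # only the mode drifted: reset it
        esac
    fi
    return 114
}

# Constructed demo: protect a script, tamper with it two ways, sweep after each.
demo() {
    tmp=$(mktemp -d); db="$tmp/tsd.dat"; f="$tmp/mycmd"
    printf '#!/bin/sh\necho hello\n' > "$f"; chmod 755 "$f"
    te_add "$db" "$f"
    te_check n "$db" "$f" && echo "$f: clean"
    chmod 777 "$f";       te_check y "$db" "$f" || true; echo "mode now $(mode_of "$f")"
    echo CHANGED >> "$f"; te_check y "$db" "$f" || true; echo "mode now $(mode_of "$f")"
    rm -rf "$tmp"
}
demo
```

The two branches in te_check are the whole policy of the autocorrection slide: attributes that can be put back (mode here; owner and group on AIX) are put back, while a size or hash mismatch means the content itself is untrusted and the only safe automatic response is to make the file unusable until a human looks at it.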



Runtime Integrity Check

• Binaries, shared libraries, kernel extensions and shell scripts are checked before execution

• Kernel refuses to load/execute them if verification fails

• The check is repeated on every execution or load, so there is no window between sweeps for an attacker to exploit



Runtime Integrity Check Policies

• trustchk -p NAME=VALUE sets policies (several can be given in one call)

• TE=[ON|OFF] : turns runtime checks on/off

• CHKEXEC=[ON|OFF] : executable checking

• STOP_ON_CHKFAIL=[ON|OFF] : stop executables failing the check

• STOP_UNTRUSTD=[ON|OFF] : stop executables not listed in /etc/security/tsd/tsd.dat

• And more...



Runtime Integrity Check - Modified File

# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON
# ls
ksh: ls: 0403-006 Execute permission denied.
#
# cp /usr/bin/ls /usr/bin/.badls
# cp /usr/bin/.ls /usr/bin/ls
# chown bin:bin /usr/bin/ls
# ls
.Xauthority ....

The changed command does not execute; once the original binary is copied back, its hash matches the TSD again and it runs

The check is re-run every time the command is executed



Runtime Integrity Check - Unlisted File

# trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON
# /usr/bin/.ls
ksh: /usr/bin/.ls: 0403-006 Execute permission denied.
# ls -l /usr/bin/.ls
-r-xr-xr-x 1 bin bin 26732 May 28 17:39 /usr/bin/.ls
#

The command .ls (the original ls) is not executed, although there is no check failure and the file permissions are fine

STOP_UNTRUSTD prevents execution of commands not listed in the TSD



Path Protection

• Trusted path

• Limits where programs/scripts can be started from

• Much more effective than a restricted shell and a fixed $PATH variable



Trusted Path in Action

# cp /usr/bin/ls /usr/local/bin/ls
# /usr/local/bin/ls
.Xauthority ...
#
# trustchk -p TEP=ON
# /usr/local/bin/ls
ksh: /usr/local/bin/ls: 0403-006 Execute permission denied.
#
# trustchk -p tep
TEP=ON
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
#

/usr/local/bin/ is not in the trusted path



Adding Your Own Files

• TE protection for your own files: EASY!

• Step 1: Create certificates and keys with openssl (only once)

• Step 2: Add to the TE database.

• That's it. TE takes care of the rest.



Creating Certificates

# cd /te
# openssl genrsa -out mycorpprivkey.perm 2048
Generating RSA private key, 2048 bit long modulus
.....+++
......+++
e is 65537 (0x10001)
#
# openssl req -new -x509 -key mycorpprivkey.perm -outform DER -out mycorpcert.der -days 3650
You are about to be asked to enter information that will be incorporated
.... (some questions asked here) ....
#
# openssl pkcs8 -inform PEM -in mycorpprivkey.perm -topk8 -nocrypt -outform DER -out mycorpprivkey.der
# ls
mycorpcert.der mycorpprivkey.der mycorpprivkey.perm
#



Add to TE Database

# trustchk -s /te/mycorpprivkey.der -v mycorpcert.der -a /usr/local/bin/mycmd
# trustchk -q /usr/local/bin/mycmd
/usr/local/bin/mycmd:
        type = FILE
        owner = root
        group = system
        mode = 755
        size = 47
        hash_value = 48d45e86a5a8ff4c6a94dfe3723677fc0e1a6c0967f06233eaa84ff232fbceb2
        cert_tag = 008b2dd04da79dc0b5
        signature = a3ecc6b2c07260417a0be162....
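The three openssl commands from the previous slide, run end to end and carried one step further, as an added example that is not from the talk: after creating the key and certificate non-interactively, it signs a file's SHA-256 digest with the private key and verifies it with the certificate's public key, which is the relationship the hash_value, cert_tag and signature fields in the stanza above express. The te_* function names, the /O=MyCorp subject and the sample mycmd are invented; signing the plain file digest, and reading cert_tag as the certificate's serial number, are assumptions, since the talk does not state the exact bytes AIX signs. Only openssl is needed; trustchk is not.

```shell
#!/bin/sh
# Added example (not from the talk): the openssl side of "Adding Your Own Files",
# end to end. te_make_ca reproduces the talk's three commands non-interactively
# (-subj answers the questions) and also extracts the certificate's public key.
# te_sign/te_verify then show what the TSD's hash_value + signature pair amounts
# to: an RSA signature over the file's SHA-256 digest that holders of the
# certificate can verify and that breaks on any modification. trustchk itself
# is not needed. Assumption: signing the plain file digest is an illustration;
# the exact bytes AIX signs are not stated in the talk. Requires openssl.

te_make_ca() {   # DIR: writes mycorpprivkey.perm, mycorpcert.der, mycorpprivkey.der, mycorppub.pem
    openssl genrsa -out "$1/mycorpprivkey.perm" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/mycorpprivkey.perm" -outform DER \
        -out "$1/mycorpcert.der" -days 3650 -subj '/O=MyCorp/CN=TE signing key' 2>/dev/null
    # PKCS#8 DER is the form the talk hands to trustchk -s
    openssl pkcs8 -inform PEM -in "$1/mycorpprivkey.perm" -topk8 -nocrypt \
        -outform DER -out "$1/mycorpprivkey.der"
    # verifiers only need the public half; pull it out of the DER certificate
    openssl x509 -inform DER -in "$1/mycorpcert.der" -pubkey -noout > "$1/mycorppub.pem"
}

te_sign() {      # PRIVKEY FILE SIGFILE: sign SHA-256(FILE) into SIGFILE, print the hash_value
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
    openssl dgst -sha256 "$2" | sed 's/.*= //'
}

te_verify() {    # PUBKEY FILE SIGFILE: 0 if FILE still matches SIGFILE, non-zero if not
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

te_cert_tag() {  # CERT.der: identifier for the signing cert (its serial number; whether AIX
                 # derives cert_tag this way is not stated in the talk, so this is an assumption)
    openssl x509 -inform DER -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# Constructed demo: build the key material, sign a small script, verify, tamper, verify again.
demo() {
    d=$(mktemp -d)
    te_make_ca "$d"
    printf '#!/bin/sh\necho hello from mycmd\n' > "$d/mycmd"; chmod 755 "$d/mycmd"
    echo "hash_value = $(te_sign "$d/mycorpprivkey.perm" "$d/mycmd" "$d/mycmd.sig")"
    echo "cert_tag   = $(te_cert_tag "$d/mycorpcert.der")"
    te_verify "$d/mycorppub.pem" "$d/mycmd" "$d/mycmd.sig" && echo "mycmd: signature OK"
    echo CHANGED >> "$d/mycmd"
    te_verify "$d/mycorppub.pem" "$d/mycmd" "$d/mycmd.sig" || echo "mycmd: signature FAILED after change"
    rm -rf "$d"
}
demo
```

The private key is only ever used by te_sign, which is the step you run on the build or signing host; the system doing the checking needs nothing more than the certificate, which is why the talk hands trustchk the key with -s once and the certificate with -v. Keep mycorpprivkey.perm and mycorpprivkey.der off the hardened systems themselves.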



Test: Finding Illegal Modifications

# trustchk -n /usr/local/bin/mycmd
# echo $?
0
# echo "CHANGED" >> /usr/local/bin/mycmd
# trustchk -n /usr/local/bin/mycmd
trustchk: Verification of attributes failed: /usr/local/bin/mycmd: size hashvalue signature
# echo $?
114
#



Maintenance

• Installing updates naturally changes the files

• Hashes in the TE database need updating

• AIX updates come with new signatures

• Hashes and signatures for your own files must be re-added after every change you make to them



Want to give it a go?

• IBM business partners can get AIX test systems for free from the Virtual Loaner Program

• http://www.ibm.com/systems/vlp

• Not a business partner? Sign up at www.ibm.com/partnerworld (all you need is a VAT ID)



Questions?



Thank you!

If you think of a question later feel free to send me an email.
