Solaris Security Today and Tomorrow Technical Deep Dive Updated for Solaris 10 05/09, Solaris Next, and Solaris Future Dr. Christoph Schuba [email protected]

Solaris Security Today and Tomorrotrj1/cse544-s11/slides/solaris-security-deep-dive.pdf · Solaris Security Today and Tomorrow Technical Deep Dive Updated for Solaris 10 05/09, Solaris


Page 1

Solaris Security Today and Tomorrow Technical Deep Dive Updated for Solaris 10 05/09, Solaris Next, and Solaris Future

Dr. Christoph Schuba, [email protected]

Page 2

Copyright © 2009 Sun Microsystems, Inc. 2

Agenda

•Solaris Security - Goals

•Solaris 9 - Security Review
>an overview of features from past releases.

•Solaris 10 - Security Deep Dive
>a dive into new features including: Secure by Default, SMF, Privileges, ZFS, Zones, Trusted Extensions, and more!

•Solaris Next - Security Deep Dive

•Solaris Future - Project Outlines

Page 3

#include <std/disclaimer.h>

•This presentation includes content and examples inclusive of Solaris 10 05/09

•While a lot of security controls and functionality is discussed, there is still much more that is not covered in the interest of brevity.

•Functionality introduced prior to Solaris 10 is discussed only in passing or as part of a discussion where that functionality is updated.

Page 4

Solaris Security Goals

•Defending
>Provide strong assurance of system integrity.
>Defend system from unauthorized access.

•Enabling
>Secure authentication of all active subjects.
>Protect communications between endpoints.

•Deploying
>Emphasize an integratable stack architecture.
>Interoperate with other security architectures.
>Ease management and use of security features.
>Receive independent assessment of security.

Page 5

Solaris 9 Security Review

•Access Control Lists
•Role-based Access Control
•IPsec / IKE
•Solaris Auditing
•TCP Wrappers (inetd, rpcbind)
•Flexible Crypt
•Signed Patches
•Granular Packaging
•SSL-enabled LDAP
•WAN Boot
•IKE Hardware Accel.
•Solaris Fingerprint DB
•Solaris Secure Shell
•Kerberos
•/dev/[u]random
•Enhanced PAM Framework
•Smartcard Framework
•Java Security
•SunScreen 3.2
•Solaris Security Toolkit
•sadmind DES Auth
•LDAP Password Management

Page 6

Solaris 10 Technical Security Deep Dive

Page 7

Reduced Networking Metacluster

Metacluster          Package     Size (MB)   # Pkgs   # Set-UID   # Set-GID
Reduced Networking   SUNWCrnet         363      154          31          12
Core                 SUNWCreq          396      213          38          13
End User             SUNWCuser        2500      785          68          20
Developer            SUNWCprog        3200     1034          69          20
Entire               SUNWCall         3300     1091          83          21
Entire + OEM         SUNWCXall        3300     1902          83          21

Page 8

Reduced and Minimal Configurations

•Some environments remove or simply do not install software packages that are not needed (business or technical reasons)
>Less software to install, upgrade, patch, and maintain.
>Less software equates to reduced exposure to security vulnerabilities.

•Refer to Sun's Rules of Engagement for the Support of Reduced or Minimal Configurations
>http://www.opensolaris.org/os/community/security/files/minimization-support-rules-ext.pdf

•Solaris Package Companion can be used to understand software package relationships and dependencies
>http://www.opensolaris.org/os/project/svr4_packaging/package_companion/

Page 9

Solaris Package Companion Examples

•EXAMPLE 1: What packages depend on StarOffice?

$ spc-v0.9.ksh -r ./s10u7.rep -l -F -f /opt/staroffice8/program/soffice
SUNWCstaroffice

$ spc-v0.9.ksh -r ./s10u7.rep -F -Z -v SUNWCstaroffice
[C] SUNWCstaroffice StarOffice 8.0

•EXAMPLE 2: On what does SSH depend?

$ spc-v0.9.ksh -r ./s10u7.rep -D -F -v SUNWCssh
[C] SUNWCcs Core Solaris
[C] SUNWCfwcmp Freeware Compression Utilities
[C] SUNWCopenssl OpenSSL
[C] SUNWCssh Secure Shell
[P] SUNWcakr Core Solaris Kernel Architecture (Root)
[P] SUNWcar Core Architecture, (Root)
[P] SUNWgss GSSAPI V2
[P] SUNWgssc GSSAPI CONFIG V2
[P] SUNWkvm Core Architecture, (Kvm)

For more details and information, see the Solaris Package Companion OpenSolaris Project site at: http://opensolaris.org/os/project/svr4_packaging/package_companion/

Page 10

Cryptographically Signed ELF Objects

•ELF Objects Cryptographically Signed
>binaries, libraries, kernel modules, crypto modules, etc.

# file /usr/lib/ssh/sshd
/usr/lib/ssh/sshd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped

# elfsign verify -e /usr/lib/ssh/sshd
elfsign: verification of /usr/lib/ssh/sshd passed.

# elfsign list -f signer -e /usr/bin/ls
CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc

•Cryptographic modules must be signed with a certificate issued by Sun.
>Signature and certificate must be validated before module can be loaded.
>Crypto. modules will not load if not signed or have invalid signature.

Page 11

Non-Executable Stack Example

#include <stdio.h>
#include <string.h>

typedef void (*fptr)(void);

#ifdef __sparc
/* SPARC shellcode that starts a shell; the demo copies it onto the stack and jumps to it */
char shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";
#endif

int
main(int argc, char **argv)
{
	fptr f;
	char code[100];	/* stack buffer that will hold the code */

	memcpy(code, shellcode, sizeof(shellcode));
	printf("Attempting to start a shell...\n");
	f = (fptr)code;	/* treat the stack buffer as a function ... */
	f();		/* ... and call it: this is what a non-executable stack blocks */
	return (0);
}

Page 12

Non-Executable Stack #1

$ cc -o myshell shell.c
$ cc -o myshell-nx -M /usr/lib/ld/map.noexst shell.c

$ ./myshell
Attempting to start a shell...
$ exit

$ ./myshell-nx
Attempting to start a shell...
Segmentation Fault(coredump)

Sep 16 15:06:06 kilroy genunix: [ID 533030 kern.notice] NOTICE: shell-noexstk[23132] attempt to execute code on stack by uid 101

Stacks can be globally configured to be non-executable using the noexec_user_stack tunable in /etc/system.

Page 13

Non-Executable Stack #2

$ telnet victimhost myshell
Trying 10.8.22.39...
Connected to victimhost.
Escape character is '^]'.
finger;
Login       Name               TTY         Idle    When    Where
gbrunett    Glenn Brunette     pts/5              Wed 13:48  void
\377\277\375\364: ^M: not found
[...]
Connection to victimhost closed.

$ telnet victimhost myshell-nx
Trying 10.8.22.39...
Connected to victimhost.
Escape character is '^]'.
Connection to victimhost closed by foreign host.

For more information on Solaris non-executable stack functionality, see: http://blogs.sun.com/gbrunett/tags/noexstk

Page 14

Service Management Facility

•Provide a uniform mechanism to disable/manage services.
>E.g., svcadm [disable|enable] telnet

•Support alternative service profiles
>E.g., “Secure by Default” profile (since Solaris 10 11/06)

•Leverage authorizations to manage/configure services.

•Define context to permit services to be started as a specific user and group and with specific privileges.

•Support automatic service dependency resolution.
>E.g., svcadm enable -r nfs/client

•Facilitate delegated service restarts.

Page 15

SMF Example #1

$ profiles
Service Operator
Basic Solaris User
All

$ svcs network/inetd
STATE          STIME    FMRI
online          1:28:15 svc:/network/inetd:default

$ svcadm disable network/inetd

$ svcs -x -v network/inetd
svc:/network/inetd:default (inetd)
 State: disabled since Thu Jul 13 17:05:36 2008
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M inetd
   See: /var/svc/log/network-inetd:default.log
Impact: 5 dependent services are not running:

Page 16

SMF Example #2

# svcprop -v -p defaults inetd
defaults/bind_addr astring ""
defaults/bind_fail_interval integer -1
defaults/bind_fail_max integer -1
defaults/con_rate_offline integer -1
[...]
defaults/stability astring Evolving
defaults/tcp_trace boolean false
defaults/tcp_wrappers boolean false

# svcprop -p config/local_only rpc/bind
false

# svcs -x sendmail
svc:/network/smtp:sendmail (sendmail SMTP mail transfer agent)
 State: maintenance since Wed Dec 01 01:31:35 2007
Reason: Start method failed repeatedly, last exited with status 208.
   See: http://sun.com/msg/SMF-8000-KS
   See: sendmail(1M)
Impact: 0 services are not running.

Page 17

SMF Access Control

•Integrated with Solaris Roles (Rights Profiles)
>Service Management
>Service Operator

•Integrated with Solaris Authorizations
>Global: solaris.smf.modify
>Global: solaris.smf.manage
>Global: solaris.smf.value
>Per Service: action_authorization

•Services may have property-group specific authorizations
>value_authorization – change existing property values
>modify_authorization – add, modify, or delete properties

Page 18

SMF Example #3

# svcprop -p httpd -p general apache2
general/enabled boolean false
general/action_authorization astring sunw.apache.oper
general/entity_stability astring Evolving
httpd/ssl boolean false
httpd/stability astring Evolving
httpd/value_authorization astring sunw.apache.admin

Example taken from the Sun BluePrint: Restricting Service Administration in the Solaris 10 Operating System, http://www.sun.com/blueprints/0605/819-2887.pdf

Page 19

SMF Execution Context

•exec methods can be forced to run as a given user:
>{start, stop, etc.}/user

•exec methods can be forced to run as a given group:
>{start, stop, etc.}/group

•exec methods can be forced to use specific privileges:
>{start, stop, etc.}/privileges
>{start, stop, etc.}/limit_privileges

•Other exec context can also be defined:
>default project and resource pool, supplemental groups, etc.

Page 20

SMF Example #4

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default

Example taken from the Sun BluePrint: Limiting Service Privileges in the Solaris 10 Operating System, http://www.sun.com/blueprints/0505/819-2680.pdf

Page 21

SMF Example #5

Page 22

SMF Example #6

Page 23

Solaris Secure By Default

•Only Secure Shell is reachable by default.
>root use of Secure Shell is not permitted by default.

•Existing services are configured in SMF to either be:
>Disabled by default
>Listening for local (e.g., loopback) connections only

•Configuration can be selected using CLI or JumpStart:
>netservices: open (traditional) or limited (SBD)
>service_profile: open or limited_net

•Default installation method in Nevada/OpenSolaris:
>Solaris upgrades are not changed or impacted.
>Solaris 10 initial (fresh) installations can select SBD mode.

Page 24

Solaris Secure By Default Example #1

# netservices
netservices: usage: netservices [ open | limited ]

# netservices limited
restarting syslogd
restarting sendmail
dtlogin needs to be restarted. Restart now? [Y] y
restarting dtlogin

# netstat -af inet -P tcp | grep LISTEN
[...]
      *.sunrpc             *.*                0      0 49152      0 LISTEN
      *.ssh                *.*                0      0 49152      0 LISTEN
localhost.smtp             *.*                0      0 49152      0 LISTEN
localhost.submission       *.*                0      0 49152      0 LISTEN

Page 25

Solaris Secure By Default Example #2

Service        FMRI                                         Property                 Values
rpcbind        svc:/network/rpc/bind                        config/local_only        true, false
syslog         svc:/system/system-log                       config/log_from_remote   true, false
sendmail       svc:/network/smtp:sendmail                   config/local_only        true, false
smcwebserver   svc:/system/webconsole:console               options/tcp_listen       true, false
wbem           svc:/application/management/wbem             options/tcp_listen       true, false
X11            svc:/application/x11/x11-server              options/tcp_listen       true, false
CDE            svc:/application/graphical-login/cde-login   dtlogin/args             [null], -udpPort 0
ToolTalk       svc:/network/rpc/cde-ttdbserver:tcp          proto                    tcp, ticotsord
calendar       svc:/network/rpc/cde-calendar-manager        proto                    tcp, ticlts
BSD printing   svc:/application/print/rfc1179:default       bind_addr                [null], localhost

Page 26

Password and Related Controls

•Pluggable Crypt
>SHA-256, SHA-512, Sun MD5 (+ rounds), BSD MD5, Blowfish

•Password Complexity Checks
>Login Name != Password, White Space Permitted
>Minimum Characters by Class: Alphabetic, Non-Alphabetic, Uppercase, Lowercase, Digits, Special
>Maximum Consecutive Repeating Characters
>Local Banned Password List (Dictionary)

•Password Aging and History

•Account Lockout

Page 27

Pluggable Crypt Example

# grep "^CRYPT_DEFAULT=" /etc/security/policy.conf
CRYPT_DEFAULT=md5

# grep "^md5" /etc/security/crypt.conf
md5 crypt_sunmd5.so.1 rounds=8000

# grep "^root" /etc/shadow
root:$md5,rounds=8000$kS9FT1JC$$mnUrRO618lLah5iazwJ9m1:13776::::::

$ john ./mypasswd
No password hashes loaded

$ Crack ./mypasswd
$ Reporter | grep -w root
E:1190747899:StoreDataHook: invalid ciphertext: root $md5,rounds=8000$kS9FT1JC$$mnUsRO618lLah5iazwJ9m1

Page 28

Password Management Example

$ passwd gbrunett
Enter existing login password:
New Password:
passwd: The password must contain at least 1 numeric or special character(s).

Please try again
New Password:
passwd: The password must contain at least 1 uppercase alpha character(s).

Please try again
New Password:
passwd: Too many consecutively repeating characters. Maximum allowed is 3.
Permission denied

$ passwd gbrunett
Enter existing login password:
New Password:
passwd: Password in history list.
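To make the checks on the two password slides concrete, here is an added Python model of the passwd(1) complexity, history and banned-list checks (example code, not Solaris code). The PasswdPolicy keys mirror the names used in /etc/default/passwd; the values, the wording of the messages not shown on the slides, and the sha256 stand-in for the crypt hash are assumptions of the demo.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass
class PasswdPolicy:
    """Keys mirror /etc/default/passwd(4) on Solaris 10; the values are assumed for the demo."""
    PASSLENGTH: int = 8
    MINALPHA: int = 2
    MINNONALPHA: int = 1      # digits or special characters
    MINUPPER: int = 1
    MINLOWER: int = 1
    MINDIGIT: int = 0
    MINSPECIAL: int = 0
    MAXREPEATS: int = 3       # longest run of one repeated character allowed
    WHITESPACE: bool = True   # whether white space is permitted
    NAMECHECK: bool = True    # login name != password
    DICTIONLIST: frozenset = frozenset()  # local banned-password list
    HISTORY: int = 4          # previous hashes kept (HISTORY in policy.conf)


def _longest_run(s):
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def _digest(salt, password):
    # Stand-in for the crypt(3C) hash kept in /etc/shadow; only used for the history comparison.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(new, login, policy, history=()):
    """Return the passwd(1)-style complaints for `new`; an empty list means it is accepted."""
    errs = []
    if len(new) < policy.PASSLENGTH:
        errs.append(f"Password too short - must be at least {policy.PASSLENGTH} characters.")
    if not policy.WHITESPACE and any(c.isspace() for c in new):
        errs.append("Password cannot contain white space.")
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    nonalpha = len(new) - alpha
    classes = [
        (policy.MINALPHA, alpha, "alphabetic character(s)"),
        (policy.MINNONALPHA, nonalpha, "numeric or special character(s)"),
        (policy.MINUPPER, sum(c.isupper() for c in new), "uppercase alpha character(s)"),
        (policy.MINLOWER, sum(c.islower() for c in new), "lowercase alpha character(s)"),
        (policy.MINDIGIT, digits, "digit(s)"),
        (policy.MINSPECIAL, nonalpha - digits, "special character(s)"),
    ]
    for minimum, have, what in classes:
        if have < minimum:
            errs.append(f"The password must contain at least {minimum} {what}.")
    if _longest_run(new) > policy.MAXREPEATS:
        errs.append(f"Too many consecutively repeating characters. Maximum allowed is {policy.MAXREPEATS}.")
    if policy.NAMECHECK and new.lower() == login.lower():
        errs.append("The password must not be the same as the login name.")
    if new.lower() in policy.DICTIONLIST:
        errs.append("Password is in the banned password list.")
    if any(_digest(salt, d) == digest for salt, digest in history for d in (new,)):
        errs.append("Password in history list.")
    return errs


def remember(history, password, policy):
    """Record an accepted password; keep only the last HISTORY entries (oldest first)."""
    salt = os.urandom(8).hex()
    return (list(history) + [(salt, _digest(salt, password))])[-policy.HISTORY:]
```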

Page 29

pam_list

•Limit system access based on users and netgroups.
>“allow” and “deny” lists are maintained in separate local files.
>Configurable matching policy based upon specific requirements.

• Example: Only non-role administrators can login to the system:

login account requisite pam_roles.so.1
login account requisite pam_list.so.1 allow=/etc/local/admins
login account required  pam_unix_account.so.1

• Example: Ban specific users from the system (all methods):

other account requisite pam_roles.so.1
other account required  pam_unix_account.so.1
other account required  pam_list.so.1 deny=/etc/local/banned nohost

Page 30

User Rights Management (Roles)

• Solaris Users versus Roles
>Roles can only be accessed by users already logged in.
>Users cannot assume a role unless authorized.

$ id -a
uid=80(webservd) gid=80(webservd)

$ roles
No roles

$ su - root
Password:
Roles can only be assumed by authorized users
su: Sorry

Page 31

webservd Role Access Attempt

• Attempt to remotely access webservd role.

$ ssh -l webservd websvc
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

SYSLOG Reports:

Sep 21 14:20:26 websvc sshd[2516]: [ID 800047 auth.notice] Failed keyboard-interactive for webservd from 192.168.1.110 port 57848 ssh2

Solaris Audit Reports:

header,79,2,login - ssh,,localhost,2007-09-21 14:20:27.187 -04:00
subject,-1,-1,-1,-1,-1,2516,628487479,15928 71168 192.168.1.110
return,failure,Authentication failed
zone,websvc

Page 32

User Rights Management (Rights)

Page 33

User Rights Management Example #1

$ profiles -l

Object Access Management:
          /usr/bin/chgrp    privs=file_chown
          /usr/bin/chmod    privs=file_owner
          [...]
[...]

$ ls -ld mnt
drwxr-xr-x 2 gbrunett gbrunett 512 Nov 7 12:54 mnt

$ chown bin:bin mnt
chown: mnt: Not owner

$ pfexec chown bin:bin mnt

$ ls -ld mnt
drwxr-xr-x 2 bin bin 512 Nov 7 12:54 mnt

Page 34

User Rights Management Example #2

# svcprop -p httpd -p general apache2
general/enabled boolean false
general/action_authorization astring sunw.apache.oper
general/entity_stability astring Evolving
httpd/ssl boolean false
httpd/stability astring Evolving

# auths weboper
sunw.apache.oper

# profiles -l weboper

Apache Operator:
          /usr/sbin/svcadm
          /usr/bin/svcs

Page 35

User Rights Management Example #3

$ svcs -o state,ctid,fmri apache2
STATE          CTID   FMRI
online         91050  svc:/network/http:apache2

$ svcadm restart apache2

$ svcs -o state,ctid,fmri apache2
STATE          CTID   FMRI
online         91064  svc:/network/http:apache2

$ ls
ls: not found

$ echo *
local.cshrc local.login local.profile

Page 36

Process Privileges

•Solaris kernel checks for privileges and not just UID == 0!
>Division of root authority into over 60 discrete privileges.
>Privileges can be granted to processes based on need.
>Privileges can be disabled or dropped when not needed.
>Child processes can have different (fewer) privileges than the parent.

•Completely backward compatible and extensible.
>No changes required to use existing code.

•Privilege bracketing helps to mitigate effects of future flaws.
>e.g., proc_fork and proc_exec
>e.g., proc_info

Page 37

Process Privilege Sets

[Diagram: the Effective, Permitted, Inheritable, and Limit privilege sets]

•E - Effective
>Privileges in effect

•P - Permitted set
>Upper bound of E

•I - Inheritable set
>Privileges of executed programs

•L - Limit set
>Upper bound for the process and all its descendants

Page 38

Process Privilege Inheritance

•Limit (L) is unchanged

•L is used to bound privileges in Inheritable (I)
>I' = I ∩ L

•Child's Permitted (P') & Effective (E') are:
>P' = E' = I'

•Typical process
>P = E = I = {basic}
>L = {all privileges}
>Since P = E = I, children run with same privileges

Page 39

Process Privileges

•“basic” privileges
>file_link_any, proc_exec, proc_fork, proc_info, proc_session

•“all” privileges
>includes “basic” + over 60 administrative privileges
>dtrace_kernel, file_dac_write, net_privaddr, proc_priocntl, sys_net_config, etc.

•“zone” privileges
>the set of privileges available to a Solaris zone.

•Trusted Extensions privileges
>privileges specific for use when TX is enabled.

Page 40

Root Account Still Special

•root owns all configuration/system files
>UID 0 is therefore still very powerful

•Privilege escalation prevention
>Require ALL privs to modify objects owned by root when euid ≠ 0
>Fine tuning in certain policy routines
>Not all privileges, only nosuid mounts

•Prefer services be non-UID 0 + privileges
>Additive approach is safer than UID 0 – privileges

Page 41

Using Process Privileges

•ppriv(1)

# ppriv -e -D -s -proc_fork,-proc_exec /bin/sh -c finger
sh[387]: missing privilege "proc_fork" (euid = 0, syscall = 143) needed at cfork+0x18
/bin/sh: permission denied

•User Rights Management (RBAC)

# grep "Network Management" /etc/security/exec_attr
Network Management:solaris:cmd:::/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/sbin/route:privs=sys_net_config

•Service Management Framework (SMF)

# svcprop -p start rpc/bind | grep privileges
start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr,proc_setid,sys_nfs,net_bindmlp
stop/limit_privileges astring :default

•Privilege Aware Commands / Services
>e.g., ping, rmformat, quota, rpcbind, nfsd, mountd

Page 42

Process Privileges Example #1

$ ppriv $$
28983: bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

$ ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session

$ ppriv -De cat /etc/shadow
cat[3988]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at ufs_iaccess+0xc9
cat: cannot open /etc/shadow

$ ppriv -s -proc_fork,-proc_exec -De /bin/vi
[attempt to run a command/escape to a shell]
vi[4180]: missing privilege "proc_fork" (euid = 101, syscall = 143) needed at cfork+0x3b

Page 43

Process Privileges Example #2

# ppriv -S `pgrep rpcbind`
933: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        L: none

# ppriv -S `pgrep statd`
5139: /usr/lib/nfs/statd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork
        I: none
        P: net_bindmlp,proc_fork
        L: none

Page 44

Process Privileges Example #3
usr/src/lib/print/libpapi-lpd/common/lpd-port.c

#ifdef PRIV_ALLSETS
	/* turn the required privileges on: enable them in E (they must already be in P) */
	if ((priv_set(PRIV_ON, PRIV_EFFECTIVE,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) {
		syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m");
		return (-1);
	}
#else
	seteuid(0);	/* legacy build without privileges: become root instead */
#endif

	/* perform the privileged operation: open the sequence file */
	if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT))
		fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644);

	syslog(LOG_DEBUG, "sequence file fd: %d", fd);

#ifdef PRIV_ALLSETS
	/* drop file access privilege: removing from P also removes from E, for good */
	priv_set(PRIV_OFF, PRIV_PERMITTED,
	    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL);
#else
	seteuid(getuid());
#endif

Page 45

[Same lpd-port.c listing as on page 44, with the first step highlighted]
Turn Required Privileges On

Page 46

[Same lpd-port.c listing as on page 44, with the second step highlighted]
Perform the Privileged Operation(s)

Page 47: Solaris Security Today and Tomorrotrj1/cse544-s11/slides/solaris-security-deep-dive.pdf · Solaris Security Today and Tomorrow Technical Deep Dive Updated for Solaris 10 05/09, Solaris

Copyright © 2009 Sun Microsystems, Inc. 47

#ifdef PRIV_ALLSETSif ((priv_set(PRIV_ON, PRIV_EFFECTIVE,

PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) {syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m");return (-1);

}#else

seteuid(0);#endif

/* open the sequence file */if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT))

fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644);

syslog(LOG_DEBUG, "sequence file fd: %d", fd);

#ifdef PRIV_ALLSETS/* drop file access privilege */priv_set(PRIV_OFF, PRIV_PERMITTED,

PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL);#else

seteuid(getuid());#endif

Turn Required Privileges On

Perform the Privileged Operation(s)

Turn Required Privileges Off

Process Privileges Example #3usr/src/lib/print/libpapi-lpd/common/lpd-port.c
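The set rules that make the difference between "off in E" and "off in P" matter are easy to get wrong, so here is the Solaris privilege model reduced to a few lines of Python. This is an added illustration, not code from the page or from Solaris: it encodes the rules of privileges(5)/setppriv(2) as a small simulation (E is always a subset of P; E and I may only be extended with privileges already in P; P and L never grow; removing from P also removes from E; after exec the child gets E' = P' = I intersected with L), and PrivProcess.priv_set() stands in for priv_set(3C). The basic set listed is the Solaris 10 one and is an assumption for this model.

```python
"""Solaris process privilege sets, modelled in Python (added illustration)."""
from dataclasses import dataclass, field

PRIV_ON, PRIV_OFF = "on", "off"
EFFECTIVE, PERMITTED, INHERITABLE, LIMIT = "E", "P", "I", "L"

# Solaris 10 "basic" set as listed by ppriv -l basic (assumed for this model)
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
ALL = BASIC | {"file_dac_read", "file_dac_write", "net_privaddr", "sys_time"}  # demo subset
FILE_PRIVS = ("file_dac_read", "file_dac_write")


class PrivError(Exception):
    """priv_set() returned -1 (EPERM): the request would grant privileges."""


@dataclass
class PrivProcess:
    E: set = field(default_factory=set)   # effective
    P: set = field(default_factory=set)   # permitted
    I: set = field(default_factory=set)   # inheritable
    L: set = field(default_factory=set)   # limit

    def priv_set(self, op, which, *privs):
        privs = set(privs)
        if op == PRIV_ON:
            if which in (EFFECTIVE, INHERITABLE):
                if not privs <= self.P:           # only what P already holds
                    raise PrivError(f"{sorted(privs - self.P)} not in P")
                getattr(self, which).update(privs)
            elif not privs <= getattr(self, which):
                raise PrivError(f"cannot extend {which}")   # P and L never grow
        elif op == PRIV_OFF:
            getattr(self, which).difference_update(privs)
            if which == PERMITTED:
                self.E -= privs                   # keeps E a subset of P
        else:
            raise ValueError(op)
        return 0

    def exec_child(self):
        """Privilege sets of a child after a (non-setuid) exec."""
        new = self.I & self.L
        return PrivProcess(E=set(new), P=set(new), I=set(self.I), L=set(self.L))


def next_job_id(proc, drop_from):
    """Mirror lpd-port.c: raise E, open the file, then drop the privileges."""
    proc.priv_set(PRIV_ON, EFFECTIVE, *FILE_PRIVS)
    opened = set(FILE_PRIVS) <= proc.E          # the open(2) would succeed
    proc.priv_set(PRIV_OFF, drop_from, *FILE_PRIVS)
    return opened


def fresh_process():
    """lpd-port as it starts: basic privileges in E, file_dac_* waiting in P."""
    return PrivProcess(E=set(BASIC), P=set(BASIC) | set(FILE_PRIVS),
                       I=set(BASIC), L=set(ALL))


def can_repeat(drop_from):
    """Does a second next_job_id() succeed once the first dropped from drop_from?"""
    proc = fresh_process()
    next_job_id(proc, drop_from)
    try:
        return next_job_id(proc, drop_from)
    except PrivError:
        return False


def child_holds_file_privs():
    """Does a child exec'd after the call inherit file_dac_*? (Not in I, so no.)"""
    proc = fresh_process()
    next_job_id(proc, EFFECTIVE)
    return set(FILE_PRIVS) <= proc.exec_child().P


if __name__ == "__main__":
    print("drop from P, repeat:", can_repeat(PERMITTED))       # False: one-shot
    print("drop from E, repeat:", can_repeat(EFFECTIVE))       # True: real bracketing
    print("child gets file privs:", child_holds_file_privs())  # False
```

Dropping from P is the stronger choice when the operation really happens once; dropping from E is the bracketing pattern when it does not. Either way the child never sees file_dac_* because they were never placed in I.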

Process Privilege Debugging

web_svc zone:  # svcadm disable apache2
global zone:   # privdebug -v -f -n httpd
web_svc zone:  # svcadm enable apache2
global zone:   [output of privdebug command]

STAT  TIMESTAMP        PPID  PID   PRIV          CMD
USED  273414882013890  4642  4647  net_privaddr  httpd
USED  273415726182812  4642  4647  proc_fork     httpd
USED  273416683669622  1     4648  proc_fork     httpd
USED  273416689205882  1     4648  proc_fork     httpd
USED  273416694002223  1     4648  proc_fork     httpd
USED  273416698814788  1     4648  proc_fork     httpd
USED  273416703377226  1     4648  proc_fork     httpd

The trace lists the privileges httpd actually exercised while it ran (here net_privaddr to bind port 80, then proc_fork for the worker processes). It is a lower bound: privileges consumed before tracing began, by a differently named process (the start method), or on code paths that were not exercised will not appear, so exercise the service fully before trimming its method_context or a zone's limitpriv on the strength of the output.

privdebug is available from the OpenSolaris Security Community, http://www.opensolaris.org/os/community/security/projects/privdebug/
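Turning the trace into a privilege specification is the step the slide leaves to the reader. The following is an added illustration, not part of the page or of the privdebug tool: it parses output laid out like the slide's (STAT TIMESTAMP PPID PID PRIV CMD columns; the sample is constructed to match), collects the privileges reported per command, and renders the "basic,!unused,extra" string accepted by priv_str_to_set(3C), which is the form SMF method_context privileges= and zonecfg limitpriv take. The basic set is the Solaris 10 one and is an assumption for this script; check it with ppriv -l basic on your release.

```python
"""Derive a least-privilege specification from privdebug output (added illustration)."""

SOLARIS10_BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                             "proc_info", "proc_session"})

# Constructed sample, modelled on the slide's output for httpd.
SAMPLE = """\
STAT  TIMESTAMP        PPID  PID   PRIV          CMD
USED  273414882013890  4642  4647  net_privaddr  httpd
USED  273415726182812  4642  4647  proc_fork     httpd
USED  273416683669622  1     4648  proc_fork     httpd
USED  273416689205882  1     4648  proc_fork     httpd
"""


def parse_privdebug(text):
    """Map command name -> set of privileges the trace reported for it."""
    used = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "STAT":
            continue                          # header or unrelated line
        _stat, _ts, _ppid, _pid, priv, cmd = cols
        used.setdefault(cmd, set()).add(priv)
    return used


def privilege_spec(used, base=SOLARIS10_BASIC, keep=frozenset()):
    """Render a privilege string: the base set, minus base privileges never
    observed (unless named in keep), plus observed non-base privileges.

    keep exists because a trace is a lower bound: proc_exec, for instance, is
    consumed by the start method before a process named httpd exists."""
    wanted = set(used) | set(keep)
    unused = sorted(base - wanted)
    extra = sorted(wanted - base)
    return ",".join(["basic"] + ["!" + p for p in unused] + extra)


def method_context_line(cmd, text, keep=frozenset({"proc_exec"})):
    """The privileges= value for an SMF method_context running cmd."""
    return privilege_spec(parse_privdebug(text).get(cmd, set()), keep=keep)


if __name__ == "__main__":
    print(parse_privdebug(SAMPLE))
    print(method_context_line("httpd", SAMPLE))
```

For the sample this yields basic,!file_link_any,!proc_info,!proc_session,net_privaddr: the service keeps proc_fork and proc_exec, gains net_privaddr, and loses the three basic privileges nothing used.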

Zones

•Zones are virtualized application environments.
>No direct access to hardware.
•Zones have security boundaries around them.
•Zones have their own:
>root directory, naming service configuration, process containment, resource controls, devices, etc.
•Zones communicate via network only (default).
>shared vs. exclusive IP
•Zones operate with fewer privileges (default).
>some privileges can be added or removed

Why run services in Zones?

•Restricted Operations for Enhanced Security
>Individual Solaris OS hardening and RBAC configurations.
>Prohibited from directly accessing the kernel or raw memory.
>Prohibited from manipulating network interfaces* and kernel modules.
•Enforcement with Integrity
>Configurable privileges, sparse root zones, IP Instances, IP Filter, etc.
•Resource Control and Management
>CPU, Memory, Disk, Networking, Devices, etc.
•Observability with Integrity
>BART, Solaris Auditing, etc.

*: Applies to shared IP configurations only.

Zones Security – System Calls

•Permitted System Calls:
>chmod(2), chroot(2), chown(2), and setuid(2), etc.
•Prohibited System Calls:
>memcntl(2), mknod(2), stime(2), and pset_create(2), etc.
•Limited System Calls:
>kill(2), etc. (a process can only signal processes inside its own zone)

Zones Security – Devices

•/dev Permitted System Calls:
>chmod(2) and chown(2) (hence chgrp(1) as well)
•/dev Prohibited System Calls:
>rename(2), unlink(2), symlink(2), link(2), creat(2), and mknod(2)
•Forced nodevices mount option
>Prevents import of malicious device files from NFS and other foreign sources.
•Security audit performed on all drivers included in the default zone configuration.

Zones Security – Privileges

•Mandatory privileges
>Privileges required by a non-global zone.
>proc_fork, proc_exec, sys_mount, ...
•Restricted privileges
>Privileges prohibited from use in a non-global zone.
>dtrace_kernel, sys_config, sys_net_config, ...
•Optional privileges
>Privileges that can be added to a non-global zone.
>dtrace_user, proc_lock_memory, sys_time, ...
•Other default privileges can be taken away!

Zones Example #1

All of the following are run as root inside a non-global zone. Being uid 0 is not enough when the privilege a call needs is outside the zone's limit set, and ppriv -D reports exactly which privilege was missing.

# modload autofs
Insufficient privileges to load a module

# modunload -i 101
Insufficient privileges to unload a module

# snoop
snoop: No network interface devices found

# mdb -k
mdb: failed to open /dev/ksyms: No such file or directory

# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

# ppriv -D -e route add net default 10.1.2.3
route[4676]: missing privilege "sys_net_config" (euid = 0, syscall = 4) needed at ip_rts_request+0x138
add net default: gateway 10.1.2.3: insufficient privileges

Zones Example #2

# mount -p
/ - / zfs - no rw,devices,setuid,exec,atime
/dev - /dev lofs - no zonedevfs
/lib - /lib lofs - no ro,nodevices,nosub
/platform - /platform lofs - no ro,nodevices,nosub
/sbin - /sbin lofs - no ro,nodevices,nosub
/usr - /usr lofs - no ro,nodevices,nosub
[...]

# mv /usr/bin/login /usr/bin/login.foo
mv: cannot rename /usr/bin/login to /usr/bin/login.foo: Read-only file system

This is a sparse root zone: /lib, /platform, /sbin and /usr are read-only loopback mounts of the global zone's directories (with nodevices), so even root inside the zone cannot replace system binaries.

Zones Example #3

# zonecfg -z myzone info limitpriv
limitpriv: default,sys_time

# zlogin myzone ppriv -l zone | grep sys_time
sys_time

# zlogin myzone svcs -v ntp
STATE          NSTATE        STIME    CTID   FMRI
online         -             10:17:58   214   svc:/network/ntp:default

# zlogin myzone ntpq -c peers
     remote           refid      st t when poll reach [...]
==============================================[...]
*blackhole       129.146.228.54   3 u   48   64   77 [...]

# ssh blackhole date ; date ; zlogin myzone date
Thu Jun 15 10:25:25 EDT 2006
Thu Jun 15 10:25:25 EDT 2006
Thu Jun 15 10:25:25 EDT 2006

Adding sys_time to the zone's limit set lets it run its own ntpd. The clock is a host-wide resource, so a zone granted sys_time can set the time for every zone on the machine; grant it only to a zone you trust to that extent.

Virtualization / Compartmentalization

[Figure: a spectrum of compartmentalization technologies, from "trend to isolation" (multiple OSs) on one end to "trend to flexibility" (single OS) on the other:
>Hard Partitions: Dynamic System Domains
>Virtual Machines: Logical Domains, Xen, VMware, Microsoft Virtual Server
>OS Virtualization: Solaris Containers (Zones + SRM), Solaris Trusted Extensions, Solaris Containers for Linux Applications
>Resource Management: Solaris Resource Manager (SRM)
Example workloads (calendar server, database, web server, Sun Ray server, app server, mail server, file server, identity server) are drawn as stacked Server/OS/App boxes.]

ZFS Data Integrity

•Everything is “copy on write”
>Never overwrites live data
>On disk state is always valid
>No need to fsck(1M)
•Everything is transactional
>Related changes succeed or fail as a whole
>No need for journaling
•Everything is validated with a 256-bit checksum
>No silent data corruption
>No panics due to corrupted meta-data
>“Bad data” can be healed using mirrored copies

ZFS Data Security

•NFSv4 / NTFS-style Access Control Lists
>Granular access can be allowed/denied (w/inheritance)
•Integrity via Cryptographic Checksums
>Selectable 256-bit checksum algorithms, including SHA-256
>Uber-checksum provides a check for the entire ZFS pool
>These checksums are unkeyed: they detect corruption and silent bit-rot, but an attacker who can write to the raw devices can rewrite the checksum along with the data. Tamper resistance needs an authenticated layer such as the ZFS Crypto project listed under Solaris Next.
•File system Snapshots
>Read-only version of a file system at a specific point in time.
•File system Quotas and Reservations
>Set maximum (quota) or minimum (reservation) usage limits.
>quota limits a dataset including its snapshots and descendants; refquota limits only the space the dataset itself references.

ZFS Example #1

$ touch testfile
$ chmod 600 testfile
$ chmod A+user:gmb:read_data:allow testfile

$ ls -l testfile
-rw-------+  1 gbrunett gbrunett  0 Nov  7 14:22 testfile

$ ls -v testfile
-rw-------+  1 gbrunett gbrunett  0 Nov  7 14:22 testfile
     0:user:gmb:read_data:allow
     1:owner@:execute:deny
     2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
     3:group@:read_data/write_data/append_data/execute:deny
     4:group@::allow
     5:everyone@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

Entries 1 to 6 are mode 600 expressed as ACEs; chmod A+ inserts the new entry at index 0. Order matters: ZFS walks the entries top down and the first entry that addresses a requested permission for the caller decides it, so the user:gmb allow at index 0 wins over the everyone@ deny of read_data at index 5. The + in the ls -l output marks a file whose ACL cannot be expressed as a plain mode.
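To see why entry order decides the outcome, here is the NFSv4-style evaluation that ZFS applies, run against the listing above. This is an added illustration, not code from the page or from ZFS: it parses the ls -v lines copied from the slide (owner gbrunett and user gmb are taken from it; the caller "eve" is made up) and evaluates a request the NFSv4 way, walking entries in order, letting each applicable entry decide the requested permissions it names that are still undecided, and granting access only if every requested permission ended up allowed.

```python
"""NFSv4-style ACL evaluation over the slide's ZFS ACL (added illustration)."""
from dataclasses import dataclass

ACL_LISTING = """\
0:user:gmb:read_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
3:group@:read_data/write_data/append_data/execute:deny
4:group@::allow
5:everyone@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""


@dataclass(frozen=True)
class Ace:
    principal: str      # owner@, group@, everyone@, user:NAME or group:NAME
    perms: frozenset    # permission names such as read_data, write_acl
    allow: bool


@dataclass(frozen=True)
class Caller:
    user: str
    groups: frozenset


def parse_acl(listing):
    """Parse 'N:principal[:name]:perm/perm/...:allow|deny' lines from ls -v."""
    aces = []
    for line in listing.splitlines():
        _idx, *who, perms, kind = line.strip().split(":")
        perm_set = frozenset(p for p in perms.split("/") if p)   # '' for group@::allow
        aces.append(Ace(":".join(who), perm_set, kind == "allow"))
    return aces


def applies(ace, caller, owner, group):
    """Does this entry's principal match the caller for a file owned by owner:group?"""
    p = ace.principal
    if p == "everyone@":
        return True
    if p == "owner@":
        return caller.user == owner
    if p == "group@":
        return group in caller.groups
    kind, _, name = p.partition(":")
    return (kind == "user" and caller.user == name) or \
           (kind == "group" and name in caller.groups)


def check_access(aces, caller, owner, group, requested):
    """True only if every requested permission is decided 'allow' before the
    list runs out; a permission no entry mentions counts as denied."""
    undecided = set(requested)
    denied = False
    for ace in aces:
        if not undecided:
            break
        if not applies(ace, caller, owner, group):
            continue
        hit = undecided & ace.perms
        if hit and not ace.allow:
            denied = True
        undecided -= hit                  # first entry naming a bit decides it
    return not denied and not undecided


ACL = parse_acl(ACL_LISTING)
OWNER, GROUP = "gbrunett", "gbrunett"
GMB = Caller("gmb", frozenset({"gmb"}))
GBRUNETT = Caller("gbrunett", frozenset({"gbrunett"}))
OTHER = Caller("eve", frozenset({"eve"}))       # constructed third party


def slide_results():
    """What the slide's ACL grants: gmb may read; only the owner may write."""
    return {
        "gmb read_data": check_access(ACL, GMB, OWNER, GROUP, {"read_data"}),
        "gmb write_data": check_access(ACL, GMB, OWNER, GROUP, {"write_data"}),
        "owner read+write": check_access(ACL, GBRUNETT, OWNER, GROUP, {"read_data", "write_data"}),
        "owner execute": check_access(ACL, GBRUNETT, OWNER, GROUP, {"execute"}),
        "other read_data": check_access(ACL, OTHER, OWNER, GROUP, {"read_data"}),
    }


if __name__ == "__main__":
    for name, ok in slide_results().items():
        print(f"{name:18} {'allowed' if ok else 'denied'}")
```

Move the user:gmb entry below the everyone@ deny (chmod A5+ instead of A+) and the same request for gmb is denied, which is the practical reason to always read ls -v output top to bottom before trusting an ACL.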

ZFS Example #2

$ touch test-xattr
$ runat test-xattr cp /etc/motd .
$ runat test-xattr ls
motd

$ touch test-no-xattr
$ chmod A+user:gbrunett:write_xattr:deny test-no-xattr
$ runat test-no-xattr cp /etc/motd .
runat: cannot open attribute directory for test-no-xattr: Permission denied

runat(1) runs a command inside a file's extended attribute directory. Extended attributes are a place where data can hide from tools that only look at file contents; the second half shows that a single write_xattr deny entry, here applied even to the file's owner, is enough to close that path.

ZFS Example #3

$ profiles
[...]
ZFS File System Management
[...]
Basic Solaris User
All

$ pfexec zfs set quota=4g laptop/ws

$ pfexec zfs list -o name,mountpoint,quota
NAME              MOUNTPOINT         QUOTA
laptop            /laptop            none
laptop/briefcase  /laptop/briefcase  none
laptop/ws         /laptop/ws         4G

The user holds the ZFS File System Management rights profile, so pfexec(1) runs zfs with that profile's attributes instead of requiring a root shell.

ZFS Delegated Administration

•Grant or revoke specific rights on ZFS file systems and volumes.
>create, destroy, clone, snapshot, mount, etc.
•Set specific properties on ZFS file systems and volumes.
>mountpoint, sharenfs, compression, setuid, etc.
•Assignments can be made to both users and groups.
>assigned rights can optionally be granted on to other users and groups.

ZFS Example #4

$ id
uid=102(gmb) gid=102(gmb)

$ zfs list -r pool/home/gmb
NAME            USED  AVAIL  REFER  MOUNTPOINT
pool/home/gmb  19.5K  25.9G  19.5K  /pool/home/gmb

$ zfs allow pool/home/gmb
$ zfs snapshot pool/home/gmb@backup
cannot create snapshot 'pool/home/gmb@backup': permission denied

$ pfexec zfs allow gmb snapshot,mount pool/home/gmb
$ zfs allow pool/home/gmb
-------------------------------------------------------------
Local+Descendent permissions on (pool/home/gmb)
        user gmb mount,snapshot
-------------------------------------------------------------
$ zfs snapshot pool/home/gmb@backup
$ zfs list -r pool/home/gmb
NAME                   USED  AVAIL  REFER  MOUNTPOINT
pool/home/gmb         19.5K  25.9G  19.5K  /pool/home/gmb
pool/home/gmb@backup      0      -  19.5K  -

ZFS Command History

$ pfexec zpool history -l
History for 'pool':
2008-10-09.15:55:12 zpool create pool c0d1 [user gmb on myhost:global]
2008-10-17.13:46:48 zfs create pool/tmp [user gmb on myhost:global]
2008-10-17.13:49:46 zfs recv -F -d pool [user gmb on myhost:global]
2008-10-17.13:51:38 zfs destroy pool/bin@2008-10-17-001 [user gmb on myhost:global]
2008-10-17.13:51:38 zfs destroy pool/etc@2008-10-17-001 [user gmb on myhost:global]

With -l each entry records the user, host and zone that issued the command. The history lives in the pool itself, so it travels with the pool on export/import, but it is a bounded ring buffer that anyone with administrative rights on the pool can fill; treat it as a complement to Solaris Audit, not a replacement.

Cryptographic Framework

•Standards-based, pluggable framework
>Kernel support as well as user-land (PKCS#11)
>Supports administrative policies (e.g., FIPS 140 algorithms only)
•By default, supports major algorithms.
>Encryption: AES, ECC, Blowfish, RC4, DES, 3DES, RSA
>Digest: MD5, SHA-1, SHA-256, SHA-384, SHA-512
>MAC: DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
>Optimized for SPARC, Intel and AMD
•Framework supports pluggable hardware/software providers:
>e.g., UltraSPARC T1/T2 and the Sun Crypto Accelerator 6000

Availability is not endorsement: DES, RC4, MD5 and Blowfish are present for compatibility. The policy mechanism (cryptoadm disable on a provider's mechanisms) is how an administrator keeps applications off them system-wide.

Cryptographic Framework

•Standards-based framework
•Same API, software or hardware
•Extensible for future technologies

Now the framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.

[Figure: consumers (an open source web server via OpenSSL, the Sun Java Web Server via NSS, Java VM applications via JCE / Java Cryptography Extensions, Java Enterprise System, commercial PKCS#11 applications) call the Consumer Interface (PKCS#11) of the Cryptographic Framework; beneath it the Provider Interface (PKCS#11) dispatches to the Sun software crypto plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA_, RC4) or to hardware accelerators (UltraSPARC T1/T2, Sun Crypto Accelerator 6000).]

T2/Solaris Cryptographic Architecture

•Access to T2 accelerators is controlled by the Solaris Cryptographic Framework
•Userland access is via PKCS#11
>Simple to modify applications to use PKCS#11 (if not used already)
>Can interface via OpenSSL
>Offload from Java (JCE)
•Kernel modules communicate directly with the kernel crypto framework
>e.g., KSSL, IPsec

UltraSPARC T2 Processor Performance

•Outperforms competing processors by up to 10X
>With significant core idle time that can be used for other processing
•Outperforms accelerator cards by a wide margin
•On-chip accelerators are more versatile than off-chip solutions
>Cost effective to off-load even small packets with the UltraSPARC T2 processor

Competitive Cryptographic Performance (Sun's figures; test conditions are not given on the slide)

Cipher    2.2GHz dual-core Opteron   2.7GHz quad-core Clovertown   1.4GHz UltraSPARC T2
RSA1024   2.3K Ops/sec               4.8K Ops/sec                  37.0K Ops/sec
AES-128   1.6 Gb/sec                 4.2 Gb/sec                    44.0 Gb/sec

Cipher    Sun SCA6000    Cavium Nitrox PX    1.4GHz UltraSPARC T2
RSA1024   13K Ops/sec    12K Ops/sec         37K Ops/sec
AES-128   1.0 Gb/sec     2.5 Gb/sec          44 Gb/sec

Kerberos

•MIT Kerberos v1.4 Code-base Refresh
•Kerberos Ticket / Credentials Auto-Renewal
•Kerberos LDAP Backend
•KDC Incremental Propagation
•kclient Auto-configuration Tool
•pam_krb5_migrate KDC Auto-population Tool
•TCP and IPv6 Support
•AES-128, AES-256, 3DES, RC4-HMAC Support
•SPNEGO – GSS-API Dynamic Security Negotiation
•Bundled Remote Applications (Clients & Servers)
>telnet, ftp, rlogin, rsh, rcp, rdist, Secure Shell, Mozilla and Apache
•Public Kerberos Developer APIs

Secure Shell

•GSS-API Support
•OpenSSL Engine (optional HW Accel.) Support
•Enhanced Password Aging Support
•Keyboard “Break” Sequence Support
•X11 Forwarding “on” by default
>A convenience with a cost: a compromised or hostile server can use the forwarded connection to read keystrokes and windows on the client's display. Set ForwardX11 no in /etc/ssh/ssh_config where it is not needed.
•RC4, AES CTR mode Encryption Support
•/etc/default/login Synchronization
•SSH2 Rekeying
•Server Side Keepalives

IPsec / IKE

•Uses the Solaris Cryptographic Framework for IPsec and IKE
•NAT-Traversal (RFC 3947 / RFC 3948) Support
•Full Tunnel Mode Support
•AES Cipher Support for IPsec and IKE
•Diffie-Hellman modp Groups: 1024, 1536, 2048, 3072, 4096
•HMAC-SHA2 (SHA-256, SHA-384, SHA-512) for IPsec/IKE
•PKCS#11 locked RSA private keys w/on-disk PIN
•Sun Cluster 3.2 (Clustered IPsec SAs) Support

IP Filter

•Stateful and stateless packet inspection – IPv4, IPv6
•Kernel-based packet filtering
•Protocol proxies (TCP, UDP, FTP, rcmds, etc.)
•Transparent proxy support
•Text-based configuration
•Support for both NAT and PAT
•SYSLOG Logging
•Lightweight, small footprint, high performance

IP Filter Example

pass out quick all keep state keep frags

# Drop all NETBIOS traffic but don't log it.
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn

# Allow incoming IKE/IPsec
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any

# Allow ping
pass in quick proto icmp from any to any icmp-type echo

# Allow routing info
pass in quick proto udp from any to port = route
pass in quick proto icmp from any to any icmp-type 9 # routeradvert
pass in quick proto igmp from any to any

# Block and log everything else that comes in
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32

Read this with IP Filter's matching rule in mind: the last matching rule decides, unless a matching rule carries quick, which ends evaluation on the spot. As written on the slide the ESP rule has no quick, and "block in log all" matches later, so inbound ESP is blocked and logged even though IKE negotiates fine; adding quick to the ESP rule fixes it. The same rule explains the last two lines: broadcast and loopback-destined packets match "block in log all" and then the later, non-logging block rules, so they are dropped without cluttering the log.
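The last-match-unless-quick rule is simple to state and easy to misjudge by eye, so here it is implemented and run over the ruleset above. This is an added illustration, not code from the page or from IP Filter: it parses only the syntax used on the slide (pass/block, in/out, log, quick, proto, from/to with any, an address or a CIDR, port = N or name, icmp-type, all; keep state and keep frags are accepted and ignored, so stateful replies are not modelled), resolves the port and ICMP names with a small table that is an assumption of this script, and evaluates constructed packets described as dicts.

```python
"""Evaluate packets against the slide's IP Filter ruleset (added illustration)."""
import ipaddress

PORT_NAMES = {"ike": 500, "route": 520}          # assumed name table
ICMP_TYPES = {"echo": 8, "routeradvert": 9}

# The ruleset exactly as it appears on the slide.
SLIDE_RULES = """\
pass out quick all keep state keep frags
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto udp from any to port = route
pass in quick proto icmp from any to any icmp-type 9 # routeradvert
pass in quick proto igmp from any to any
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
"""
# The same ruleset with 'quick' on the ESP rule, the fix discussed above.
FIXED_RULES = SLIDE_RULES.replace("pass in proto esp", "pass in quick proto esp")


def _number(word, names):
    return names[word] if word in names else int(word)


def parse_rule(line):
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    t = line.split()
    rule = {"action": t[0], "dir": t[1], "log": False, "quick": False, "proto": None,
            "src": "any", "dst": "any", "dport": None, "icmp_type": None}
    i = 2
    while i < len(t):
        w = t[i]
        if w == "log":
            rule["log"] = True
        elif w == "quick":
            rule["quick"] = True
        elif w == "proto":
            i += 1
            rule["proto"] = t[i]
        elif w == "from":
            i += 1
            rule["src"] = t[i]
        elif w == "to" and i + 1 < len(t) and t[i + 1] != "port":   # 'to port = route' has no address
            i += 1
            rule["dst"] = t[i]
        elif w == "port":
            i += 2                                    # skip the '=' operator
            rule["dport"] = _number(t[i], PORT_NAMES)
        elif w == "icmp-type":
            i += 1
            rule["icmp_type"] = _number(t[i], ICMP_TYPES)
        elif w == "keep":
            i += 1                                    # keep state / keep frags: not modelled
        i += 1                                        # 'all' needs no handling
    return rule


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["proto"] in (None, pkt["proto"])
            and _addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt.get("dport"))
            and rule["icmp_type"] in (None, pkt.get("icmp_type")))


def evaluate(rules, pkt):
    """Return (verdict, logged). A packet no rule matches passes; otherwise the
    last matching rule decides, except that a matching 'quick' rule ends evaluation."""
    verdict, logged = "pass", False
    for rule in rules:
        if matches(rule, pkt):
            verdict, logged = rule["action"], rule["log"]
            if rule["quick"]:
                break
    return verdict, logged


# Constructed packets.
ESP_IN = {"dir": "in", "proto": "esp", "src": "192.0.2.10", "dst": "10.0.0.5"}
IKE_IN = {"dir": "in", "proto": "udp", "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 500}
BCAST = {"dir": "in", "proto": "udp", "src": "10.0.0.7", "dst": "255.255.255.255", "dport": 67}

if __name__ == "__main__":
    slide, fixed = load_rules(SLIDE_RULES), load_rules(FIXED_RULES)
    print("ESP, slide ruleset:", evaluate(slide, ESP_IN))   # ('block', True)
    print("ESP, with quick   :", evaluate(fixed, ESP_IN))   # ('pass', False)
    print("IKE               :", evaluate(slide, IKE_IN))   # ('pass', False)
    print("broadcast         :", evaluate(slide, BCAST))    # ('block', False)
```

The evaluator is deliberately minimal; the real filter also keeps state for the "pass out" rule, so replies to outbound traffic never reach the inbound rules at all. What it does reproduce is the ordering logic, which is where rulesets like this one go wrong.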

TCP Wrappers

•Supports both tcpd and libwrap and integrated with:
>ssh and sendmail (automatically)
>rpcbind (optionally)
  $ svcprop -p config rpc/bind | grep wrappers
  config/enable_tcpwrappers boolean false
>inetd-services (optionally, globally or per-service)
  $ svcprop -p defaults inetd | grep wrappers
  defaults/tcp_wrappers boolean false
  $ inetadm -l telnet | grep wrappers
  default tcp_wrappers=FALSE
•Configured using /etc/hosts.{allow,deny} and logs to syslog:
  Nov 10 15:18:03 blackhole sshd[17568]: [ID 947420 auth.warning] refused connect from 192.168.1.136

Note that the rpcbind and inetd defaults shown are false: for those services hosts.allow and hosts.deny have no effect until wrapping is switched on explicitly (the inetd property globally, or per service with inetadm).

Basic Audit and Reporting Tool

•File-level integrity validation tool:
>Evaluates: uid, gid, permissions/acls, contents, mtime, size, type, etc.
>Enables point-in-time comparison against a previous snapshot.

# cat ./rules
/etc
CHECK all

# find /etc | bart create -I > newManifest

# bart compare -r ./rules ./oldManifest ./newManifest
/etc/user_attr:
  size      control:28268  test:23520
  acl       control:user::rw-,group::rw-,mask:r-x,other:r--  test:user::rw-,group::rw-,mask:r-x,other:rw-
  contents  control:28dd3a3af2fcc103f422993de5b162f3  test:28893a3af2fcc103f422993de5b162f3

The diff shown is exactly the kind that deserves an alert: /etc/user_attr is the RBAC user attribute database, and it has both shrunk and become world-writable. Keep the control manifest somewhere the monitored host cannot alter it; a comparison against a manifest an intruder could regenerate proves nothing.

For more information on BART, see the Sun BluePrint: Automating File Integrity Checks, http://www.sun.com/blueprints/0305/819-2259.pdf

Solaris Fingerprint Database

Searchable database of MD5 fingerprints for files included in Solaris, Trusted Solaris, and bundled software.

# digest -v -a md5 /usr/lib/ssh/sshd
md5 (/usr/lib/ssh/sshd) = b94b091a2d33dd4d6481dffa784ba632

[Process fingerprint using the Solaris Fingerprint DB]

b94b091a2d33dd4d6481dffa784ba632 - (/usr/lib/ssh/sshd) – 1 match(es)
  * canonical-path: /usr/lib/ssh/sshd
  * package: SUNWsshdu
  * version: 11.10.0,REV=2005.01.21.15.53
  * architecture: sparc
  * source: Solaris 10/SPARC

A match says the file is byte-identical to a binary Sun shipped; it does not say that binary is free of known vulnerabilities, so pair the check with patch level. If the host is suspect, run digest(1) from trusted media: a rootkit can tamper with the tool as easily as with sshd.

For more information on the Solaris Fingerprint Database, see the Sun BluePrint: Solaris Fingerprint Database, http://www.sun.com/blueprints/0306/816-1148.pdf

Solaris Audit

•Kernel auditing of system calls and administrative actions.
>Can record events happening in any zone (from the global zone).
>Can also delegate audit configuration to local zone administrators.
>Can capture complete command line and environment.
>Records original (audit) ID as well as current credentials.
>Audit trail can be formatted as text, XML, and/or delivered via syslog.

•Example (praudit text output of a failed su):
header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306,12114 22 marduk
text,root
return,failure,Authentication failed

The subject token carries the audit ID (joe) first, then the effective uid/gid, the real uid/gid, the pid, the session ID and the terminal; the text token names the account su was trying to become and the return token records the outcome. Because the audit ID is fixed at login and survives su, the trail still names the human even when the current credentials say root.

Example adapted from the Sun BluePrint: Enforcing the Two-Person Rule Via Role-based Access Control in the Solaris 10 OS, http://www.sun.com/blueprints/0805/819-3164.pdf
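Pulling the interesting fields out of praudit text is the first step of any detection built on the audit trail, so here is a small parser over the record above. This is an added illustration, not code from the page or from Solaris. The first record is the slide's failed su; the second is a constructed execve record added to show the audit ID point: the process is now root, but the subject token still carries joe. The token layouts assumed are the praudit ones (header: byte count, version, event, modifier, machine, time; subject: audit ID, uid, gid, ruid, rgid, pid, session ID, terminal ID).

```python
"""Parse praudit(1M)-style text records and pick out su failures and identity changes (added illustration)."""

# First record copied from the slide; second record constructed.
SAMPLE = """\
header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306,12114 22 marduk
text,root
return,failure,Authentication failed
header,98,2,execve(2),,tundra,2006-11-06 21:57:02.110 -08:00
path,/usr/sbin/useradd
subject,joe,root,root,root,root,2501,1898931306,12114 22 marduk
return,success,0
"""

SUBJECT_FIELDS = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Split praudit text into records: one dict per header token."""
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            _bytes, _version, event, modifier, machine, when = rest.split(",", 5)
            current = {"event": event, "modifier": modifier, "machine": machine, "time": when}
            records.append(current)
        elif current is None:
            continue                                   # stray token before any header
        elif token == "subject":
            current.update(zip(SUBJECT_FIELDS, rest.split(",", 7)))   # tid may contain commas? no: spaces
        elif token == "return":
            status, _, value = rest.partition(",")
            current["return"], current["retval"] = status, value
        else:
            current[token] = rest                      # text, path, ... kept verbatim
    return records


def failed_su(records):
    """(audit id, target account, time) for every failed su attempt."""
    return [(r["auid"], r.get("text", "?"), r["time"])
            for r in records if r["event"] == "su" and r.get("return") == "failure"]


def acting_as_other(records):
    """Records whose current uid differs from the audit id, i.e. someone working
    under another identity after su or role assumption: (auid, uid, event, path)."""
    return [(r["auid"], r["uid"], r["event"], r.get("path", ""))
            for r in records if "auid" in r and r["uid"] != r["auid"]]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    print(failed_su(recs))        # [('joe', 'root', '2006-11-06 21:55:31.386 -08:00')]
    print(acting_as_other(recs))  # [('joe', 'root', 'execve(2)', '/usr/sbin/useradd')]
```

In a real pipeline the same two functions run over praudit output from auditreduce; the point they make is that the audit ID, not the uid, is the field to key alerts and per-person reports on.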

Trusted Solaris History

Product                Year  Evaluation
SunOS MLS 1.0          1990  TCSEC Conformance (1985 Orange Book)
SunOS CMW 1.0          1992  ITSEC Certified for E3 / F-B1
Trusted Solaris 1.2    1995  ITSEC Certified for E3 / F-B1
Trusted Solaris 2.5.1  1996  ITSEC Certified for E3 / F-B1
Trusted Solaris 8      2000  Common Criteria Evaluated: CAPP, RBACPP, LSPP at EAL4+

Mandatory Access Control, Labeled Desktop, Labeled Printing, Labeled Networking, Labeled Filesystems, Device Allocation, etc.

Solaris Trusted Extensions

•A redesign of the Trusted Solaris product using a layered architecture.
•An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects.
•A set of label-aware services which implement multilevel security.

Extending Solaris 10 Security Features

•Process Rights Management (Privileges)
>Fine-grained privileges for X windows
>Rights management applied to desktop actions
•User Rights Management (RBAC)
>Labels and clearances
>Additional desktop policies
•Solaris Containers (Zones)
>Unique Sensitivity Labels
>Trusted (label-based) Networking

Trusted Extensions in a Nutshell

•Every object has a label associated with it.
>Files, windows, printers, devices, network packets, network interfaces, processes, etc.
•Accessing or sharing data is controlled by the relationships between the labels of different objects.
>'Secret' objects can not see 'Top Secret' objects.
>'Company Internal' can not send to 'Partner' networks.
•Administrators utilize Solaris Roles for duty separation.
>Installation, System Admin., Security Admin., etc.

What are Label-Aware Services?

•Services that are trusted to protect multi-level information according to predefined policy.
•Trusted Extensions label-aware services include:
>Labeled Desktops
>Labeled Printing
>Labeled Networking
>Labeled Filesystems
>Label Configuration and Translation
>System Management Tools
>Device Allocation

Labeled Desktop

[Screenshot slide: the Trusted Extensions labeled desktop; no text on the slide.]

Mandatory Access Control

[Screenshot slide: mandatory access control on the labeled desktop; no text on the slide.]

Putting It All Together

•Solaris 10 Security – A Secure Foundation for Success:
>Reduced Networking Meta Cluster
>Signed Binary Execution
>Secure Service Management
>User Rights Management
>Process Rights Management
>Resource Management
>Kerberos, SSH, IPsec
>Cryptographic Framework
>Containers / Zones
>IP Filter, TCP Wrappers
>Auditing, BART
>Trusted Extensions

But wait! There's more!

•Network Security Improvements
>Kernel SSL Proxy
>IPsec/IKE NAT Traversal
>RIPv2 Protocol Support
>Packet Filtering Hooks
>Randomized TCP/UDP Ephemeral Port Selection
•Auditing Improvements
>Audit Trail Noise Reduction
>Audit Event Reclassification
•New Mount Options
>noexec, nodevices

and more...

•“root” GID is now “0” (root), not “1” (other)
•ip_respond_to_timestamp now “0” (ICMP timestamp requests are ignored by default)
•find(1) Support for ACLs
•“death by rm” safety (rm -rf / refuses to remove the root directory)
•OpenSSL libraries with a PKCS#11 engine
•Hardware RNG using the Crypto Framework
•open(2) [O_NOFOLLOW], getpeerucred(3c), and many other developer enhancements...
•“Off the Record” plugin for pidgin (née gaim)
•Sendmail support for TLS

and more...

•NFSv4
>Support for GSS_API, ACLs, etc.
•Sendmail 8.13.8
>Support for rate limiting and milters, TLS, etc.
•BIND 9.3.6-P1
>DNSSEC, Views, IPv6 Support
•Java 5 Security (1.5.0_17-b04)
>Security tokens, better support for more security standards (SASL, OCSP, TSP), various crypto and GSS security enhancements, etc.
•... and the list keeps right on going...

Actions...

•Share your requirements, experiences, etc!
•Join the OpenSolaris Security Community!
•Enjoy the benefits of Solaris 10 Security today!

Solaris Next Technical Security Deep Dive

Solaris Next

•Kerberos Update
•Labeled IPsec
•Security Policy Administration
•ZFS Crypto

Kerberos features

•MIT Kerberos v1.6.3 resync (with PKINIT)
>PKINIT: Public Key Initial Authentication for Kerberos
>Allows various authentication mechanisms
•kdcmgr
>Configure a Kerberos server through the command line interface
>Automate server configurations
>Server status information

Kerberos features (cont.)

•kclient v2 (configure Kerberos clients via the command line interface)
>Option for joining various Kerberos servers
>Windows 2000, 2003, and 2008 servers
>MIT, Shishi, and Heimdal servers
>Set up Kerberos authentication for PAM
>Configure a Kerberos client for a cluster
>Support for dynamic clients (without a keytab)

Kerberos future projects

•MIT Kerberos v1.7 resync
>better interoperability with Microsoft
>negotiating mechanisms (NT LAN Manager mechanism)
>follow client principal referrals in the client library when obtaining initial tickets
>CIFS (Common Internet File System, from Microsoft) with Kerberos
>DCE (Distributed Computing Environment) standard
>master key rollover support
>makes it easier to change master key passwords or encryption types
>Privilege Attribute Certificate (PAC) support

Page 96: Kerberos future projects (cont.)

• Credential expiry vs. long running processes
  > Provisions credentials for use with cron/at and long running processes
• PAM with PKINIT support
  > PAM: Pluggable Authentication Module
  > Will provide a PKCS#11 interface for smartcard support

Page 97: Labeled Networking - Problem

• Today, trusted networking involves explicitly labeled packets.
• Today, most explicitly labeled networks must be physically secure.
  > Otherwise labels can easily be forged or injected.
• IPsec can protect packets against forgery and injection
  > But explicit labels are IP options, outside ESP's protection.

Page 98: Labeled Networking

(Diagram: a Global Zone on the Solaris Kernel with Public, Internal Use and Need-to-know labels attached to a Multilevel Network, which connects to a SunRay Network and to several Intranets.)

Page 99: CIPSO problems

• Cleartext label visible on the wire in each packet
• Not protected end-to-end against modification
• Uses extra space in every packet, which complicates MTU discovery

Page 100: Labeled IPsec - Solution

• Why not associate a packet's label with its IPsec cryptographic key?
• IKE can be either unlabeled or carry a single explicit label, depending on the existing Trusted Networking databases.
• IPsec-protected traffic can have implicit labeling, or implicit PLUS explicit labeling (where the explicit label may be the same as or different from the implicit label).
• With Labeled IPsec, the network need not be physically secure.

Page 101: Labeled IPsec

• Sensitivity label is an attribute of an IPsec Security Association (SA).
• Each SA is single-label, set by Key Management at creation.
• IPsec flow policy enforces label match.
• Label made available to applications is securely bound to traffic.

Page 102: Labeled IPsec: SADB Extensions

• PF_KEY (RFC 2367) planned for this 10 years ago
• Labels are SA properties
• Inner sensitivity label matches cleartext traffic
• Outer sensitivity label appears on the wire in the clear
• Outer sensitivity label may be omitted from the packet
  > No extra space on the wire compared with unlabeled IPsec!
• Outer label under control of the key management daemon
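The SA-bound label and flow-policy match described on the two preceding slides, as an added simulation (not OpenSolaris or txipsec code; class and method names are assumptions, the SADB contents are constructed):

```python
"""Model of the Labeled IPsec design: the label lives on the SA, not the packet.

Added example, not OpenSolaris/txipsec code. Class and method names are
assumptions for this example; the SADB contents are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    """One IPsec SA. Its sensitivity label is single-valued and fixed by
    key management when the SA is created; it is the 'inner' label that
    the cleartext traffic carried under this SA must match."""
    spi: int
    peer: str
    label: str


@dataclass(frozen=True)
class InboundPacket:
    """An ESP packet after decapsulation: the SPI it was protected under
    and an optional explicit label seen in the clear on the wire (the
    'outer' label, which may be absent entirely)."""
    spi: int
    explicit_label: Optional[str] = None


class LabeledIpsecFlowPolicy:
    """Flow policy from the slides: traffic may only leave under an SA whose
    label equals the traffic's label, and the label delivered to the
    receiving application is the SA's label, i.e. bound to the key."""

    def __init__(self) -> None:
        self._by_spi: Dict[int, SecurityAssociation] = {}
        self._by_peer_label: Dict[Tuple[str, str], SecurityAssociation] = {}

    def add_sa(self, sa: SecurityAssociation) -> None:
        """Only key management adds SAs, so only it assigns labels."""
        if sa.spi in self._by_spi:
            raise ValueError(f"SPI {sa.spi:#x} already present in SADB")
        self._by_spi[sa.spi] = sa
        self._by_peer_label[(sa.peer, sa.label)] = sa

    def select_outbound(self, peer: str, label: str) -> Optional[SecurityAssociation]:
        """Outbound label match: no SA for (peer, label) means the flow is
        not sent at all rather than sent under a differently labeled SA."""
        return self._by_peer_label.get((peer, label))

    def inbound_label(self, pkt: InboundPacket) -> Optional[str]:
        """The securely bound label of received data is the SA's label;
        an unknown SPI yields None, meaning the packet is dropped."""
        sa = self._by_spi.get(pkt.spi)
        return sa.label if sa else None

    def explicit_label_mismatch(self, pkt: InboundPacket) -> bool:
        """True when a cleartext explicit label disagrees with the SA label.
        The bound label is unaffected either way; recording the disagreement
        is useful for audit, since a forged outer label is what CIPSO alone
        cannot detect."""
        sa = self._by_spi.get(pkt.spi)
        return bool(sa and pkt.explicit_label and pkt.explicit_label != sa.label)


def demo() -> Dict[str, object]:
    """Constructed SADB: two SAs to one peer, one per label."""
    policy = LabeledIpsecFlowPolicy()
    policy.add_sa(SecurityAssociation(spi=0x1001, peer="10.0.0.2", label="PUBLIC"))
    policy.add_sa(SecurityAssociation(spi=0x1002, peer="10.0.0.2", label="INTERNAL_USE"))
    chosen = policy.select_outbound("10.0.0.2", "INTERNAL_USE")
    # A packet under the PUBLIC SA carrying a forged NEED_TO_KNOW outer label.
    forged = InboundPacket(spi=0x1001, explicit_label="NEED_TO_KNOW")
    return {
        "outbound_spi": chosen.spi if chosen else None,
        "no_sa_for_need_to_know": policy.select_outbound("10.0.0.2", "NEED_TO_KNOW") is None,
        "bound_label": policy.inbound_label(forged),
        "mismatch_flagged": policy.explicit_label_mismatch(forged),
        "unknown_spi_dropped": policy.inbound_label(InboundPacket(spi=0x9999)) is None,
    }


if __name__ == "__main__":
    print(demo())
```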

Page 103: Labeled IPsec: more information

• Limited prototype is working; not yet available
• Watch:
  > http://www.opensolaris.org/os/project/txipsec
• Questions/comments:
  > [email protected]

Page 104: SMC Replacement

• Replaces aging Sun Management Console functionality related to user/account management and RBAC. Includes “Separation of Duty” features.
• Adds a GUI to administer Trusted Extensions networking features.
• Based on the Gnome User Manager.
• The back end of the GUI interfaces with multiple command line interfaces to do the work. The CLIs will also be available for scripting or for advanced users.
• Users requiring this are sites deploying Trusted Extensions (mostly the Intelligence Community).

Page 105: Encrypted Storage with ZFS

• Data Integrity
  > Historically considered “too expensive”
  > Turns out it isn't
  > Real-world evidence shows silent corruption is a reality
  > The alternative is unacceptable

“To create a reliable storage system from inherently unreliable components”

Page 106: ZFS Elevator Pitch

• Ease of Use
  > Combined filesystem and volume management
  > Underlying storage managed as pools, which simplifies administration
  > Two commands: zpool & zfs
    – zpool: manage the storage pool (aka volume management)
    – zfs: manage filesystems

Page 107: Back to the Elevator Pitch

• Let's add just one word:

“To create a secured reliable storage system from inherently unreliable components”

Page 108: ZFS Terminology

• Pool
  > Collection of disks in RAID
• Dataset
  > Filesystem or emulated volume (ZVOL)
• Copy on Write
  > Everything in ZFS is COW and checksummed, written in transactions. Always consistent on disk.
  > (POSIX) sync writes via the Intent Log (ZIL)

Page 109: High Level Requirements

• Support a software-only solution
  > Including the single-disk laptop use case
• SPARC, Intel, AMD64
  > Anything that OpenSolaris runs on and that ZFS has already been ported to
• Support keys & cryptographic operations in hardware, e.g. UltraSPARC T2
• Local key management:
  > HSM, TPM, smart card, passphrase
• Remote/centralised key management

Page 110: High Level Requirements (cont.)

• Don't break Copy-On-Write semantics
• Integrate with the existing ZFS admin model
  > CLI & GUI
• Support existing ZFS pools
• Delegation of key management to users, virtualized & Multi Level Secure (MLS) environments
  > Ability to create encrypted datasets
  > Including separation of key use vs. key change

Page 111: ZFS Encryption

• Set encryption policy at the ZFS dataset level
  > Most systems have only one or two pools but many (10s, 100s, 1000s) datasets
  > AES-128 and AES-256 only initially, but designed to be extensible
• Encrypted iSCSI & FCoE targets via ZVOLs
  > No key management on the initiator
• Encrypted datasets CAN be shared using NAS: NFSv2, v3, v4 & CIFS (SMB)
  > No key management for NAS clients

Page 112: Doing the Encryption

• Dataset encryption property set at create time
• Actual encryption key is randomly generated
  > Wrapped by a user/admin-provided key
• Avoids the “encrypt later” problem
  > Avoids old cleartext left behind due to COW
• Encryption algorithm and ZFS checksum cannot be enabled or changed later for an existing dataset
  > ZFS checksum forced to SHA256 rather than the default for data, Fletcher2
• AES CCM MAC stored with the checksum in the block pointer.

Page 113: Key Management

• Wrapping keys provided by user/admin
  > Passphrase
  > Raw (or hex) key
  > TPM/HSM/smartcard (PKCS#11 accessible)
• Wrapping key inherited by child datasets
• Clones can have a new encryption key
  > Opt in; the default is to share the origin dataset's key.

Page 114: Key Change

• Key change supported
  > Doesn't actually re-encrypt the data
  > May support this type of mode in future.
  > Changes the wrapping key.
• Key change is online
  > Datasets must be mounted, or at least the key must be available
  > Datasets stay mounted/shared during the key change

Page 115: “External” Key Management

• “Base ZFS”
  > Key in file, passphrase, PKCS#11 token
• API in libzfs to provide the key by value or by PKCS#11 object name.
• zfs(1M) scriptable interface
• TPM support via PKCS#11
  > Future encrypted boot may access it directly using the TCS API

Page 116: What is encrypted?

Yes
• All “application” data
• POSIX layer data
  > Permissions, owner, etc.
• Directory structure
• All ZVOL data
• All the above in a snapshot
• All the above in a clone

No
• Pool metadata
  > Disks, RAID config, etc.
  > Dataset properties
• Dataset names
• Dataset user properties

Deployment Issues

Page 117: SSD Storage & Crypto

• ZFS can use SSD for two distinct purposes
  > ZIL (ZFS Intent Log)
    – Fast write device required
  > L2ARC (cache between memory and disk)
    – Fast read device required
• SSD is persistent, so data MUST be encrypted
  > ZIL is always encrypted anyway; the SSD case is no different
  > L2ARC: encrypt on “evict” to the cache device, with an in-memory checksum and an ephemeral key

Page 118: “The Cryptography Bit”

• Data encrypted with AES in CCM mode
  > Integrity of ciphertext
  > ZFS checksum (SHA256) is not “keyed”; it is for data verification and reconstruction
  > CCM MAC for ciphertext blocks
  > ZFS has multiple block sizes: 512 bytes to 128k
• Key wrapping also uses AES in CCM mode
  > Wrapped key integrity
  > “Correct key” checking for free (helps key change)

Page 119: CCM Params

• Data can be 512 bytes to 128k
  > nonceSize = 12 (13 is the CCM maximum, but it leaves a length field too small for 128k blocks)
• AuthDataSize = 0
• Nonce built from blkptr / zio bookmark
  > Txg: 64-bit non-repeating transaction id for the pool
    – Can't easily determine which txg a write for a given dataset will happen in; a single txg can contain writes for many datasets.
  > Blkid
  > Object
• MACsize = 16
  > MAC stored in the high two uint64_t of the zio checksum
  > Low two uint64_t store truncated SHA256 (big-endian)

Page 120: CCM For Key wrapping

• Also use CCM for wrapping the per-dataset encryption key.
• CCM params for wrapping:
  > Noncesize 13
  > Randomly generated nonce
    – Ensure it isn't already used on key change operations.
  > MACsize 16
• Nonce & MAC stored with the wrapped key in a ZFS dataset property

Page 121: Future Key wrapping

• NIST AES Keywrap
  > Once it is included in PKCS#11
• May consider wrapping using RSA
• The key wrapping algorithm will be changeable by doing a key change operation: 'zfs key -c -o keywrap=....'
• Won't require the pool/dataset to be offline.

Page 122: Crypto bit for Caching

• L2ARC is written “differently” from normal I/O (zio_phys_write)
  > Currently a “non-persistent cache”, but written to persistent media
  > Encryption uses a pool-wide ephemeral key
  > AES_CBC, not AES_CCM
    – Safe enough since we have the in-memory checksum
    – No space for a MAC on disk
• L2ARC will switch to AES_CCM when it becomes a “persistent” cache.

Page 123: What about all the decrypted data?

• The ZFS in-memory cache (ARC) contains very large amounts of decrypted data
  > Requires full privilege to see (/dev/kmem)
  > But still a risk.
• Can control the use of the cache per dataset
  > primarycache (memory): none, metadata, all
  > secondarycache (SSD): none, metadata, all
• Future may have encrypted data in the primarycache (ARC) as well as the secondarycache (L2ARC).

Page 124: Unwrapped keys in RAM?

• In the pure software case, yes, the unwrapped keys are in host RAM
• May not be the case with some hardware crypto keystores/accelerators.
• Keys (and the expanded key schedule) only in kernel memory
  > kmem_alloc(9F) on OpenSolaris; not paged out when the system swaps
  > OpenSolaris x86: suspend to RAM only (S3)
  > Solaris SPARC can suspend to disk

Page 125: Current Deployment Restrictions

• Initially can't boot from an encrypted dataset
  > /var/tmp could be a separate file system
  > /tmp is backed by swap
• No support initially for encrypted crash dump devices
  > But swap on an encrypted ZVOL is supported
  > Encrypted crash dumps could be supported, but it may be better to have support independent of ZFS.

Page 126: What about when ZFS evolves

• Most storage in ZFS is via DMU layer objects
• Encryption selected per DMU object
  > Some objects need to be in the clear to allow pool traversal for resilver/scrub and initial import
  > 11 out of 40 in the current codebase encrypted
  > Encryption support is a new pool version.
• Future encryption features may version the on-disk format; it will be upwards compatible.
• New dataset types (e.g. for pNFS) could have different rules from filesystems & ZVOLs.

Page 127: ZFS Encryption Support Availability

• OpenSolaris project
  > All project code is open source (CDDL)
  > Depends on the OpenSolaris Crypto Framework
  > Porting to other OS platforms should be relatively easy.
  > http://opensolaris.org/os/project/zfs-crypto/
• Should port relatively easily to other platforms that already have ZFS.
  > Nothing really OpenSolaris specific

Page 128: Solaris Future Security Project Outlines

Page 129: Solaris Future

• Stack Shadowing for SPARC
• IKE v2 - Internet Key Exchange protocol
• Kerberos
• Device Allocation
• Solaris Audit
• Read-Only Root Environments
• Validated Execution
• BART Extensions

Page 130: Stack Shadowing for SPARC

• Stack buffer overflows widely recognized as the leading cause of security vulnerabilities
  > Responsible for 45% of CERT advisories
  > Huge customer impact
• We can completely stop this class of attack
• Very small one-time development cost

Page 131: Stack Buffer Overflow

• On a typical processor, the stack contains
  > Local variables
  > Function arguments
  > Return address
• Local variables may include an array used as a data buffer
• Writing past the end of the buffer overwrites the return address

(Diagram: stack frame from low addresses to high addresses: local variables, arguments, return address, then the caller's local variables.)

Page 132: Stack Buffer Overflow - SPARC

• SPARC passes the return address and arguments in registers
• Register window contents spill to the stack
• Overwriting the stack modifies registers, including the return address
• SPARC still vulnerable

(Diagram: stack frame from low addresses to high addresses: local variables, register save area, then the caller's local variables.)

Page 133: Partial Solutions

• Non-executable stacks
  > Default for 64-bit SPARC applications
  > Only stops one attack variant (code included in the payload)
• Stack frame canaries
  > Verified upon function return
  > Adds run-time overhead
  > Can be fooled by a more sophisticated attack
• Source code analysis
  > No tool catches all vulnerabilities
  > Too much code, including code we don't control

Page 134: Stack Shadowing

• Kernel maintains a shadow copy of the register save area
• Part of the register window fault handler
  > Copy after register spill
  > Compare before register fill
• Unique advantage of the SPARC architecture
  > Hardware provides traps exactly when we need them

Page 135: Current Status

• Idea developed by an NSA researcher
  > Presented to Sun as part of a cooperative R&D agreement
• SPARC prototype developed in 2005 by Solaris Security
  > Proof of concept, but too simplistic for product
• Product-quality implementation now in progress

Page 136: Opportunity

• Complete solution to a whole class of security vulnerabilities
• Unique opportunity for SPARC and Solaris to lead the market
  > Very likely in future x86 processors
  > Much easier for SPARC: no HW change needed
  > Even works on existing SPARC systems
• Requires a small software development effort

Page 137: IKEv2 in OpenSolaris

• Direct port of racoon2 not possible
  > Problem: both OpenSolaris and BSD (via KAME/WIDE) differ from RFC 2367 in different ways
• New work-in-progress: in.ikev2d
• Design of ikev2d
  > MT-hot
  > Large code overlap with
    – open-sourceable in.iked and
    – racoon2's IKEv2 packet processing

Page 138: Kerberos Enhancements

• Easily configure credential renewal for the user
  > Reduces administrative overhead
• Kerberos as a first-class account authority
  > Tighter coupling with our PAM framework and password utilities
• Client-side multi-master support for password changes
• Integrate Solaris-specific code directly into the MIT source base
  > Helps in working towards the goal of dropping MIT source code into Solaris
• Improve KDC (Key Distribution Center) load-balancing
  > Provides configurable auto load-balancing on a per-host basis

Page 139: Device Allocation

• Moves device allocation/deallocation and re-use to “standard” Solaris (had been in Trusted Solaris in the past).
• Meets Common Criteria device re-use requirements.
• Built on HAL and/or DeviceKit interfaces currently being added to OpenSolaris.
• Project ties into work with the Gnome, SunRay, DeviceKit, and other teams.
• Required for Trusted Extensions users.

Page 140: User Device Access - Architecture

(User Device Access design diagram; the components recoverable from the slide are:)
• HAL or DeviceKit, with allocate, deallocate and list_devices operations
• Device Allocation “Wizard” (simple GUI), “Manager” (expert GUI), Preferences (config GUI) and “Agent” (automation)
• gnome-volume-manager, rmvolmgr, etc.; GNOME Preferences; Nautilus; Nautilus Message Forwarder; Policy Engine; Window System Events; D-Bus System and Session buses
• Allocation Database; libdevalloc; a vertical label reading “deva lloca dm” (garbled in extraction); zone_enter
• Solaris Kernel with pseudo dev permission, Unix /dev permission and devfsadm; Device Allocation SMF (deallocate at boot)
• SunRay Server; Boomer
• Teams involved: Desktop Team, SunRay Team, Boomer Team, Device Team, Security Team

Page 141: Solaris Audit

• Audit data is produced by the kernel and by user programs. The administrator configures the system to record only the event classes of interest.
• Data written to the audit “trail” is available for forensic analysis. It can also be used (via third parties) for intrusion detection.
• Audit is required by Common Criteria, the US Government, Financial Services customers, and most enterprise-size deployments of Solaris.

Page 142: Solaris Audit continued

• On-going projects include:
  > Always-On: a project to enable auditing without requiring a reboot of the OS. Multiple issues related to performance are being addressed.
  > Secure Remote Audit Trail: a project to securely move audit records to a remote host. A second phase will allow Solaris to be the remote host, but initially partnering with Kinamik for consolidation.

Page 143: Read-Only Root Environments

• Boots from a read-only image
  > ZFS filesystem with readonly=on
  > ZFS snapshot
• System executes with an unmodifiable root
  > Some applications/services changed to maintain state in volatile storage
    – device node creation
    – logadm
    – account locking

Page 144: Validated Execution: Signed Execution

• Executables are signed
  > Embedded signatures: elfsign(1) *
  > Signed manifests of objects
  > Manifests from vendors or locally created
• Validation of object integrity before execution/use
  > Kernel modules validated on load
  > Programs and libraries: upcall to a validation daemon
  > Executed scripts are subject to validation

* support for elfsign may be removed

Page 145: ValEx: Signed Execution (cont.)

• Restrictions on use of unvalidated objects
  > unvalidated_privilege_cap
• Configuration controls which certificates are trusted for object validation

Page 146: ValEx: unvalidated_privilege_cap

• Specifies the maximum privileges of a process using unvalidated objects
  > svccfg -s signex setprop application/unvalidate_privilege_cap = value
• Can deny use of unvalidated objects altogether
  > setprop application/unvalidate_privilege_cap = noexec
• Privilege limit reduced for use of unvalidated objects
  > L = L & upc
• Privileged programs restricted from use of unvalidated objects
  > if ((P & ~upc) != empty)
  > errno = ENOTSIGNED; /* Object lacks valid signature */
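The two cap rules on this slide (L = L & upc, and deny when P & ~upc is non-empty, plus the noexec case), as an added model that is not Solaris code; the privilege names are a constructed sample and the helper names are assumptions:

```python
"""Model of the Validated Execution unvalidated_privilege_cap rules.

Added example, not Solaris code. Privilege sets are Python frozensets of
privilege names; the sample names below are constructed for the example and
the function/class names are assumptions, not signex APIs.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional

Privs = FrozenSet[str]

# Models 'unvalidate_privilege_cap = noexec': no cap set at all means
# unvalidated objects may not be used by any process.
NOEXEC: Optional[Privs] = None


@dataclass(frozen=True)
class Process:
    permitted: Privs   # P: privileges the process currently holds
    limit: Privs       # L: upper bound on privileges it can ever acquire


class ObjectLacksValidSignature(PermissionError):
    """Stands in for the ENOTSIGNED errno on the slide."""


def exec_object(proc: Process, validated: bool, upc: Optional[Privs]) -> Process:
    """Apply the signex policy when `proc` executes or loads an object.

    validated: True when the object has a valid signature or manifest entry.
    upc:       the unvalidated_privilege_cap, or NOEXEC.
    Returns the process state after the exec, or raises ENOTSIGNED.
    """
    if validated:
        return proc                      # validated objects are never capped
    if upc is NOEXEC:
        raise ObjectLacksValidSignature("unvalidated objects denied (noexec)")
    # Privileged programs may not use unvalidated objects:
    # if ((P & ~upc) != empty) -> ENOTSIGNED
    outside_cap = proc.permitted - upc
    if outside_cap:
        raise ObjectLacksValidSignature(
            f"process holds {sorted(outside_cap)} outside the cap")
    # Otherwise the limit set is reduced: L = L & upc
    return replace(proc, limit=proc.limit & upc)


def demo() -> Dict[str, object]:
    """Constructed sample: a cap that allows basic privileges plus
    net_privaddr, applied to an ordinary and to a privileged process."""
    basic = frozenset({"proc_fork", "proc_exec", "file_link_any"})
    all_privs = basic | {"sys_mount", "net_privaddr"}
    upc = basic | {"net_privaddr"}
    ordinary = Process(permitted=basic, limit=all_privs)
    privileged = Process(permitted=basic | {"sys_mount"}, limit=all_privs)

    results: Dict[str, object] = {}
    # Ordinary process: allowed, but can never gain sys_mount afterwards.
    results["limit_after"] = sorted(exec_object(ordinary, False, upc).limit)
    # Validated object: privileged process is untouched.
    results["validated_unchanged"] = exec_object(privileged, True, upc) == privileged
    try:
        exec_object(privileged, False, upc)
        results["privileged_denied"] = False
    except ObjectLacksValidSignature:
        results["privileged_denied"] = True
    try:
        exec_object(ordinary, False, NOEXEC)
        results["noexec_denied"] = False
    except ObjectLacksValidSignature:
        results["noexec_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```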

Page 147: ValEx: use_global_settings

• svccfg -s signex setprop application/use_global_settings = boolean
• In the global zone, forces all local zones to inherit the signex configuration
• In a local zone, configures this zone to inherit the global validity determination

Page 148: ValEx: Administrator, Trust Anchors

• signexadm set-administrator <token> <certificate>
  > Token specifies the location of the administrator's private key
  > Can specify the certificate by DN, CN, or file
• signexadm install-anchor <certificate>
  > Can specify the certificate by DN, CN, or file
  > Action requires signing by the administrator
  > Proxies trust between the administrator and the software vendor

Page 149: ValEx: Manifests

• signexadm install-manifest <file>
  > Makes the manifest available for validation
  > Not a trust operation
  > Only needs write access to the manifest directory
• signexadm install-revocation <file>
  > Special form of manifest rescinding the signature on specific objects
  > Not a trust operation
  > Only needs write access to the revocation directory

Page 150: Bart

• Creates, stores, and can then compare the state of files in specified portions of the filesystems based on user-specified attributes.
• Uses cryptographic hashes to detect changes in content.
• Used by IT departments to verify/track/audit server contents. Used to track malicious changes in the filesystems.
• Outputs in either human-readable or machine-readable format suitable for post-processing.
• See the Validated Execution project for more details


Bart Extensions

• XML-format manifests
> Extensible format
> Support for content hashes beyond MD5
> Updated command can create and consume legacy format

• Manifest signatures
> Standard XML signature format
> Sign and verify operations

• Validation against manifests


For more information

• Center for Internet Security – Solaris 10 Benchmark
> http://www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf

• Sun/CIS Solaris 10 Benchmark Appendix
> http://www.sun.com/security/docs/s10-cis-appendix-v1.1.pdf

• You can get both documents from:
> http://www.sun.com/security/docs/Solaris10_Security_Recommendations-080130.tar.gz


For more information

• Sun Security Home
> http://www.sun.com/security

• OpenSolaris Security Community
> http://www.opensolaris.org/os/community/security

• Sun Security Coordination Center
> http://blogs.sun.com/security & [email protected]

• Sun Security BluePrints
> http://www.sun.com/blueprints

• Sun Security Bloggers
> http://blogs.sun.com


Acknowledgements

Special thanks to the following people who contributed to this presentation:

Stephen Browne, Casper Dik, Shawn Emery, Glenn Faden, Dan McDonald, Darren Moffat, Scott Rotondo, Christoph Schuba, Anup Sekhar, Kathy Slattery, Mark Thacker, Paul Wernau, Gary Winiger, and John Zolnowsky


Solaris Security Technical Deep Dive

Dr. Christoph Schuba, [email protected]

http://blogs.sun.com/schuba