SubDomain: Parsimonious Server Security
Presenter: Alptekin Küpçü

Overview
• Problem Definition
• Problematic Examples
• Previous Approaches
• SubDomain Approach
• Related Work
• Summing Up
• Discussion
Problem Definition
• Why do we need server security?
  • Servers are easier to attack than SSL
• Why is it hard?
  • Every piece of software must be secure
• What should a solution look like?
  • Small implementation: likely to be bug-free
  • Simple operation: less likely to misconfigure
  • Fine-grained control
  • High performance and compatibility
Problematic Examples
• Cause: “trusted” programs
  • run with privilege
  • have a bug that an attacker can take advantage of
• BIND DNS Server & Microsoft IIS Server
  • Gaining administrative privileges
• Common bugs
  • Buffer overflows
  • Race conditions
  • Special character processing
Solution
• Safety properties on integrity
  • Not information flow issues
• Principle of least privilege
  • Minimizes possible damage
• Previous approaches
  • Minimizing user/role privileges
  • setuid with synthetic users
  • Hard to do in practice
    • needs too much administrative work
SubDomain
• Admin specifies “domains” for programs
  • Not for users
  • A domain is a list of files and operations
• Restrictive
  • Like Linux Security Modules
  • Using SubDomain is guaranteed to be safer
• syscalls
  • Return an error if there are not enough privileges
  • Log attempts for use in intrusion detection
SubDomain Details
• Child process
  • Can inherit parent’s rights
    • Possibly with some extra or fewer rights
  • Can have completely unrelated rights
• Finer-grained
  • Plug-ins, loadable modules or scripts
  • Processes must cooperate with SubDomain
    • by using “hat”s
• Hat
  • Must be changed before calling the sub-component
  • Must not be changed in the sub-component
    • Use random identifiers for hats
    • Sub-component should not be able to read process memory
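The following Python model is an added example, not code from SubDomain itself or from the talk. It simulates the design the slides describe: a per-program profile listing files and permitted operations, a mediated syscall that returns an error and writes an audit record when the profile does not cover the access, and a sub-component “hat” with fewer rights that the process enters before calling the sub-component and can leave only with a random token the sub-component never sees. The profile format, the `/usr/sbin/httpd` paths, the `cgi` hat name and the token scheme are constructed assumptions for this illustration.

```python
"""Toy model of a SubDomain-style per-program reference monitor.

Added illustration, not code from the SubDomain paper or the talk. Profile
format, names and the hat-token scheme are assumptions of this example.
"""
import errno
import fnmatch
import secrets

# Constructed profiles: program -> hat name -> {path pattern: allowed ops}.
# The "" hat is the program's own domain. fnmatch's "*" already crosses "/",
# so "**" below is only for readability.
PROFILES = {
    "/usr/sbin/httpd": {
        "": {
            "/etc/httpd/conf/*": {"r"},
            "/var/www/html/**": {"r"},
            "/var/log/httpd/*": {"w"},
        },
        # Hat for an untrusted CGI/plug-in sub-component: strictly fewer rights.
        "cgi": {
            "/var/www/html/**": {"r"},
            "/tmp/cgi-*": {"r", "w"},
        },
    },
}


class Process:
    """A confined process: its program, current hat, and a shared audit log."""

    def __init__(self, program, audit_log):
        self.program = program
        self.hat = ""            # "" = the program's default domain
        self.audit_log = audit_log
        self._hat_token = None   # held by the monitor, never by the sub-component

    def allowed(self, path, op):
        rules = PROFILES[self.program][self.hat]
        return any(op in ops and fnmatch.fnmatchcase(path, pat)
                   for pat, ops in rules.items())

    def syscall(self, path, op):
        """Mediated file access, kernel-style: 0 on success, -EACCES on denial.
        Every denial is appended to the audit log for intrusion detection."""
        if self.allowed(path, op):
            return 0
        self.audit_log.append(
            f"DENY {self.program} hat={self.hat or 'default'} {op} {path}")
        return -errno.EACCES

    def change_hat(self, hat):
        """Enter a sub-component hat before calling the sub-component.
        Returns the random token needed to leave the hat; the caller keeps it
        where the sub-component cannot read it."""
        if hat not in PROFILES[self.program]:
            raise ValueError(f"no hat {hat!r} in the profile for {self.program}")
        token = secrets.token_hex(16)
        self._hat_token = token
        self.hat = hat
        return token

    def restore_hat(self, token):
        """Return to the default domain only with the correct token. A wrong
        token (e.g. a guess made from inside the sub-component) is denied
        and logged."""
        if self._hat_token is None or not secrets.compare_digest(token, self._hat_token):
            self.audit_log.append(
                f"DENY {self.program} bad token while leaving hat {self.hat!r}")
            return False
        self.hat = ""
        self._hat_token = None
        return True


if __name__ == "__main__":
    log = []
    httpd = Process("/usr/sbin/httpd", log)
    print(httpd.syscall("/etc/httpd/conf/httpd.conf", "r"))   # 0
    print(httpd.syscall("/etc/shadow", "r"))                   # -errno.EACCES
    token = httpd.change_hat("cgi")
    print(httpd.syscall("/var/log/httpd/access_log", "w"))     # denied inside the hat
    print(httpd.restore_hat("not-the-token"), httpd.restore_hat(token))
    print(*log, sep="\n")
```

The point the model makes is the one on the slide: the sub-component runs with a strict subset of the program's rights, and because the return path is gated by a token kept outside its reach, a compromised plug-in cannot simply switch back to the full domain; the failed attempt shows up in the audit log like any other denied access.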
SubDomain Implementation
• Kernel module
• No change needed on programs
  • Unless sub-component security is desired
• SubDomain profile can come with the package
  • Always safe to install
  • Easy to understand
  • But profile creation must be manual
    • Start with no privileges
    • If source code is not available, play with the application and populate the profile
    • Needs to be done for all possible inputs
    • Should be manually rechecked
    • Not too complex in practice
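The profile-creation procedure on this slide, as an added Python example that is not code from the SubDomain project or the talk: start from a profile with no privileges, exercise the program while a learning-mode monitor records every file access, populate the profile from that trace, then switch to enforcement and recheck the result by hand. The trace line format (`program op path`), the constructed trace lines, the directory-glob generalization and the review heuristic are all assumptions of this example.

```python
"""Building a SubDomain-style profile by observation.

Added example, not code from the SubDomain paper or the talk. The trace
format, the sample trace, the generalization and the review heuristic are
assumptions of this example.
"""
import fnmatch
from collections import defaultdict

# Constructed trace, as a learning-mode monitor might emit it while the admin
# "plays with" the web server on one representative set of requests.
LEARNING_TRACE = """\
/usr/sbin/httpd r /etc/httpd/conf/httpd.conf
/usr/sbin/httpd r /var/www/html/index.html
/usr/sbin/httpd r /var/www/html/about.html
/usr/sbin/httpd w /var/log/httpd/access_log
/usr/sbin/httpd x /usr/bin/perl
"""


def parse_trace(text):
    """Yield (program, op, path) from the assumed trace format."""
    for line in text.splitlines():
        if line.strip():
            prog, op, path = line.split(maxsplit=2)
            yield prog, op, path


def populate_profile(trace):
    """Start with no privileges and add exactly the observed (path, op) pairs."""
    profile = defaultdict(lambda: defaultdict(set))
    for prog, op, path in trace:
        profile[prog][path].add(op)
    return profile


def generalize(profile):
    """Collapse files seen in the same directory into one glob rule so the
    profile stays short (the talk cites 33 lines for Apache) and also covers
    sibling files the exercise run happened not to touch. Heuristic."""
    out = defaultdict(lambda: defaultdict(set))
    for prog, rules in profile.items():
        by_dir = defaultdict(list)
        for path, ops in rules.items():
            by_dir[path.rsplit("/", 1)[0]].append((path, ops))
        for directory, entries in by_dir.items():
            if len(entries) >= 2:
                for _, ops in entries:
                    out[prog][directory + "/*"] |= ops
            else:
                path, ops = entries[0]
                out[prog][path] |= ops
    return out


def enforce(profile, prog, op, path):
    """Enforcement mode: is this access covered by the profile?"""
    rules = profile.get(prog, {})
    return any(op in ops and fnmatch.fnmatchcase(path, pat)
               for pat, ops in rules.items())


def review(profile):
    """Rules an admin should recheck by hand before shipping the profile:
    anything granting write or execute, and any glob. Returns (prog, pattern, ops)."""
    flagged = []
    for prog, rules in profile.items():
        for pat, ops in sorted(rules.items()):
            if ops & {"w", "x"} or "*" in pat:
                flagged.append((prog, pat, frozenset(ops)))
    return flagged


if __name__ == "__main__":
    profile = generalize(populate_profile(parse_trace(LEARNING_TRACE)))
    for prog, rules in profile.items():
        print(prog, "{")
        for pat, ops in sorted(rules.items()):
            print(f"  {pat} {''.join(sorted(ops))},")
        print("}")
    # A path the learning run never exercised is denied in enforcement mode:
    # this is why the learning pass must cover all possible inputs.
    print(enforce(profile, "/usr/sbin/httpd", "r", "/var/www/cgi-bin/env.cgi"))  # False
    for entry in review(profile):
        print("RECHECK:", *entry)
```

Two properties of the procedure come out in the run: the learned profile only knows what was exercised, so a request for `/var/www/cgi-bin/env.cgi` that the admin never tried is denied once enforcement is on, and the manual recheck naturally concentrates on the few rules that grant more than read access, which is where a too-generous learning run would do harm.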
Differences from Related Work
• System-wide program profiles
  • Like Mandatory Access Control
• Finer-grained
  • Sub-components
• Compatible
  • Not language based
• Always safe to install
  • Can come pre-packaged
• Little performance overhead
• Small and simple
  • 4500 lines of kernel patch
Some Related Work
• Program-based Access Control Lists
  • Dual of SubDomain
    • Each file has a list of programs that are granted access
• chroot
  • Escapable
  • Storage and performance overhead
Summing Up
• Least privilege on programs
  • More intuitive for server systems
• Easy to understand and create a profile
  • Apache profile size: 33 lines
• Profile packaged with programs
• Finer-grained
Discussion
• Easy to specify and use
  • But still needs non-trivial administration
• Not enough evaluation
  • 5 to 10 clients for a server?
• Too much “trust” is still there
  • Is using sub-components really secure?
• Is this the level of security we want for our servers?
• Compare and combine with chroot or ld_preload