Information Leak Track System

Kazuki Omo: [email protected]

OSS Security Community (Facebook internal discussion community about OSS/Linux security, Japan)


Concept


My Background

- Security Researcher (15 years)

- System Administrator (3 years)

- Security Product Implementation Engineer (10 years)

- SELinux Evangelist (4 years)

- SIEM Engineer (3 years)

- Linux Engineer (15 years)


My Background

Supported / experienced in:

- Protecting systems from the outside……

- Tracking logs when an incident happens….


In the real world

We still have security incidents (information leaks)...

2014 Japanese incidents:

- Benesse

- JAL

… and more

(c) JNSA http://www.jnsa.org/result/incident/data/2013incident_survey_ver1.1.pdf


Concept

Technically, it's really hard to “prevent” an information leak.

OK, then let's suppose “the information will leak”.

Then our proposal is “how to track the leaking path”.


Concept (contd.)

This presentation does “not” say to throw out traditional protective solutions. (Multi-layered defence is important.)

Admins still need to protect their data from malicious people (UTM, antivirus, security-enhanced OS, MAC on OS/DB, SIEM, etc.).

System


Real Case (2014/07/09 BenesseHD)

Actors and flow shown on the slide diagram:

- BenesseHD: System Administrator (contract / malicious SA)

- Contact (in both directions) between the System Administrator and the Malicious ML broker

- Customer Info → ML broker

- ML broker → Third Party


Objective

When “leaked information” is used by a “third party”, we wish to track who leaked the information, and from where.

Put every piece of flow information into the file? → Hard, because of size limitations.

Put “current location info” and “previous location info” into the file as a fingerprint. Then we can know how the info leaked.

Fingerprint


Objective

What is the “Fingerprint (Location Info)”?

Both the Current and the Previous fingerprint should contain….

- Unique location info
  - PC name
  - Corp.
  - HW

- Who
  - User

- … etc.


Who will get the information, and how?

Actors on the slide: Internal (network), Attacker, Malicious User.


How will the attacker “bring” the information out?

1. Copy from a terminal and paste into the attacker's terminal (if the information is small).

(Slide diagram: Internal → Copy → Paste)


How will the malicious user “bring” the information out?

2. Copy from an internal PC and save to a USB stick (if the information is large).

(Slide diagram: Internal → create file, copy)


How will the malicious user “bring” the information out?

3. Copy from an internal PC and send it to an outside PC (if the information is large).

(Slide diagram: Internal → create file, copy → mail / FTP / scp / ...)


Categorize

I. Send information through copy/paste between terminals. (1)

→ Put a “fingerprint” in the font, etc.

II. Send information through a file. (2), (3)

→ Put a “fingerprint” in the file.

I. Put “fingerprint” to font.


I. Put “fingerprint” in font.

Just an idea; still working out the details………...

Can we put unique information in a font? (similar to the “watermarking technology” in Fujitsu printing)

Can we put unique information in the font name?

http://www.fujitsu.com/downloads/MAG/vol43-2/paper06.pdf

II. Put “fingerprint” to file.


II. Put “fingerprint” to file.

On putting the “fingerprint” on a file:

1. When?

2. Where?

3. How?


II-2. When do we put the “fingerprint” on the file?

(Slide diagram: Process → sys_write() → /home/user)


II-2. Where do we put the “fingerprint” on the file?

(Slide diagram: Process → sys_write() → /home/user; the fingerprint is stored in extended file attributes)


II-2. How do we put the “fingerprint” on the file?

(Slide diagram: Process → sys_write() → /home/user)

Check when (sys_write) on where (/home/user) → fanotify

Check all files? → waste of resources

Sample for II-2


Sample for II-2 (Put “fingerprint” to file)

Sample setup:

- Host 1, Host 2 (modified linux-4.0 kernel for getting the euid by using fanotify), each running fanotify

- Windows Server (CIFS server), CIFS-mounted on Host 1 and Host 2

Demo


Sample Source

I. Kernel: linux-4.0 - changed the fanotify-related source to get the euid from the task:

--- fanotify.h.org 2015-04-10 15:21:25.971294026 +0900+++ fanotify.h 2015-04-26 16:32:22.835543920 +0900@@ -92,7 +92,8 @@ __s32 fd; __s32 pid;- kuid_t loginuid;+ //kuid_t loginuid;+ __s32 loginuid; };
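Review bot: replacing `kuid_t loginuid` with `__s32 loginuid` in the fanotify metadata structure is the right direction, since `kuid_t` is a kernel-internal type that must not appear in a record copied to userspace, but the field now carries the effective uid (see the `fanotify_user.c` hunk) while still being named `loginuid`; rename it to `euid` so listeners are not misled, and delete the commented-out `//kuid_t loginuid;` line rather than keeping dead code. Because the exported record layout changes, `FANOTIFY_METADATA_VERSION` should be bumped in the same patch so that unmodified fanotify consumers reject the mismatch instead of misreading the record.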

--- fanotify_user.c.org 2015-04-06 08:55:25.393823267 +0900+++ fanotify_user.c 2015-04-26 16:32:17.867544077 +0900@@ -118,6 +118,9 @@ { int ret = 0; struct fanotify_event_info *event;+ struct task_struct *p; pr_debug("%s: group=%p metadata=%p event=%p\n", __func__, group, metadata, fsn_event);@@ -130,7 +133,17 @@ metadata->reserved = 0; metadata->mask = fsn_event->mask & FAN_ALL_OUTGOING_EVENTS; metadata->pid = pid_vnr(event->tgid);- metadata->uid = pid_vnr(event->tgid);++ rcu_read_lock();++ p = find_task_by_vpid(metadata->pid);+ if (p != NULL) {+ metadata->loginuid = from_kuid(&init_user_ns,p->cred->euid);+ }+ rcu_read_unlock(); if (unlikely(fsn_event->mask & FAN_Q_OVERFLOW)) metadata->fd = FAN_NOFD; else {
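Review bot: in the second hunk the euid lookup (`find_task_by_vpid(metadata->pid)`) runs when the listener reads the event, not when the write happened, so a writer that has already exited, or whose pid has been reused, yields either no task or another process's credentials; when `p` is NULL `metadata->loginuid` is never assigned, and uninitialised stack contents are copied out to the listener. Initialise the field to `overflowuid` (or -1) before the lookup, and prefer capturing `current_euid()` into the fanotify event at creation time in `fanotify.c`, next to where `tgid` is recorded, so the value cannot race. Under `rcu_read_lock()` the credentials should be read through `task_euid(p)` (or `__task_cred(p)`) rather than `p->cred->euid`, because `cred` is an RCU-protected pointer. The `.org` files are themselves already modified (the removed `metadata->uid = pid_vnr(event->tgid);` line stores a pid in a uid field), so the diff should be regenerated against a clean linux-4.0 tree to be reviewable.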


Sample Source

II. Userland process - checks directory/file status by using fanotify - modified from the fanotify userland sample code:

+ strncpy(ifr.ifr_name , iface , IFNAMSIZ-1);++ ioctl(fd, SIOCGIFHWADDR, &ifr);++ close(fd);++ mac = (unsigned char *)ifr.ifr_hwaddr.sa_data;++ //display mac address+ sprintf(hardware,"%s:%.2x:%.2x:%.2x:%.2x:%.2x:%.2x " , iface, mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); ++ return 0;+}+

diff -Nru fanotify-example.org/fanotify.c fanotify-example/fanotify.c--- fanotify-example.org/fanotify.c 2015-04-05 16:04:26.936501684 +0900+++ fanotify-example/fanotify.c 2015-04-30 13:57:45.244808252 +0900@@ -13,6 +13,13 @@ #include <sys/types.h> #include <sys/stat.h> #include <unistd.h>+#include <err.h>+#include <sys/socket.h>+#include <sys/ioctl.h>+#include <net/if.h>+#include <dirent.h>+// #include <linux/fanotify.h> @@ -51,6 +58,57 @@ return mark_object(fan_fd, NULL, fd, mask, flags); } +int getmacaddr(const char *iface, char *hardware) {++ int fd;+ struct ifreq ifr;+ unsigned char *mac;++ fd = socket(AF_INET, SOCK_DGRAM, 0);++ ifr.ifr_addr.sa_family = AF_INET;
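Review bot: `getmacaddr()` never checks the return values of `socket()` or `ioctl(fd, SIOCGIFHWADDR, &ifr)` and does not zero `ifr` before use, so for an interface name that does not exist the `sprintf` formats whatever happened to be in `ifr.ifr_hwaddr.sa_data` into the fingerprint; check both calls, `memset(&ifr, 0, sizeof ifr)` first, and return an error instead of a garbage address. `sprintf(hardware, ...)` should become `snprintf` with a length passed by the caller, since `hardware` arrives with no size. The slide should also state that an interface MAC is a value the machine's own administrator can change, and that VMs commonly share vendor prefixes (the `08:00:27` prefix on every interface in the sample output is a VirtualBox OUI), so the MAC combination identifies a host only when that host cooperates; before the fingerprint is relied on for attribution it should be tied to an identity the writer cannot rewrite, for example a TPM-backed or centrally provisioned host key.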

… Snip


Sample Result (CIFS mount). Unique info: MAC combination (sample)

root@host1:~/src/fanotify-example# ./fanotify -c /cifs_mount -o write

root@host1:~# touch /cifs_mount/testfile
root@host1:~# getfattr -d --absolute-name /cifs_mount/testfile
# file: cifs_mount/testfile
user.DESC_MAC="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host1 UID 0"

root@host2:~# touch /cifs_mount/testfile
root@host2:~# getfattr -d --absolute-name /cifs_mount/testfile
# file: cifs_mount/testfile
user.DESC_MAC="eth1:08:00:27:1b:98:4d eth0:08:00:27:d3:7c:60 "
user.DESC_MAC_PRE="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host2 UID 0"
user.DESC_USER_PRE="HOST host1 UID 0"

“Pre Info” (the *_PRE attributes): the host1 fingerprint that was already on the file.

“Current Info” (DESC_MAC / DESC_USER): the host2 fingerprint written by the second touch.
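Added example (this editor's code, not the deck's own or the fanotify sample it patches) of the II-2 mechanism and of the current/previous rotation seen in the sample result above: a fanotify listener on a watched directory that, for every file closed after writing, takes the writer's effective uid from /proc/<pid>/status instead of the patched kernel field and stamps DESC_MAC / DESC_USER, moving an earlier pair into DESC_MAC_PRE / DESC_USER_PRE. The MAC fingerprint string is passed on the command line rather than read with SIOCGIFHWADDR; stamp_fd and euid_from_status are names chosen here.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/xattr.h>

/* Effective uid from the text of /proc/<pid>/status ("Uid:\treal\teffective\t..."), -1 if absent,
   e.g. the writer exited first: the race the deck's kernel patch avoids by reading the task's euid. */
int euid_from_status(const char *text) {
    const char *p = strstr(text, "Uid:"); int ruid, euid;
    return (p && sscanf(p, "Uid:%d%d", &ruid, &euid) == 2) ? euid : -1;
}

/* Write the deck's fingerprint to an open file, rotating a DESC_MAC/DESC_USER pair left by another
   host or user into DESC_MAC_PRE/DESC_USER_PRE. Returns 0, or -1 with errno (ENOTSUP on vfat, NFS). */
int stamp_fd(int fd, const char *mac, const char *user) {
    char omac[256], ouser[256];
    ssize_t nm = fgetxattr(fd, "user.DESC_MAC", omac, sizeof omac);
    ssize_t nu = fgetxattr(fd, "user.DESC_USER", ouser, sizeof ouser);
    if (nm > 0 && nu > 0 && (size_t)nm == strlen(mac) && (size_t)nu == strlen(user)
        && !memcmp(omac, mac, nm) && !memcmp(ouser, user, nu))
        return 0;                                           /* same host and user: history unchanged */
    if (nm > 0 && fsetxattr(fd, "user.DESC_MAC_PRE", omac, nm, 0) < 0) return -1;
    if (nu > 0 && fsetxattr(fd, "user.DESC_USER_PRE", ouser, nu, 0) < 0) return -1;
    if (fsetxattr(fd, "user.DESC_MAC", mac, strlen(mac), 0) < 0) return -1;
    return fsetxattr(fd, "user.DESC_USER", user, strlen(user), 0);
}

int main(int argc, char **argv) {                           /* listener: needs CAP_SYS_ADMIN */
    if (argc != 3) { fprintf(stderr, "usage: %s <dir> <mac-fingerprint>\n", argv[0]); return 1; }
    int fan = fanotify_init(FAN_CLASS_NOTIF, O_RDONLY | O_LARGEFILE);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD, FAN_CLOSE_WRITE, AT_FDCWD, argv[1]) < 0) { perror("fanotify"); return 1; }
    char buf[4096] __attribute__((aligned(8))), path[64], status[4096], user[128], host[64];
    gethostname(host, sizeof host);
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) { perror("read"); return 1; }
        for (struct fanotify_event_metadata *m = (void *)buf; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->fd < 0) continue;                        /* FAN_NOFD: the event queue overflowed */
            snprintf(path, sizeof path, "/proc/%d/status", (int)m->pid);
            int sfd = open(path, O_RDONLY), r = sfd < 0 ? -1 : (int)read(sfd, status, sizeof status - 1);
            if (sfd >= 0) close(sfd); status[r > 0 ? r : 0] = '\0';
            snprintf(user, sizeof user, "HOST %s UID %d", host, euid_from_status(status));
            if (stamp_fd(m->fd, argv[2], user) < 0) perror("fingerprint");
            close(m->fd);                                   /* the event fd is ours to close */
        }
    }
}
```

Run as root, e.g. `./stamp /cifs_mount "eth0:<mac>"`, then `getfattr -d` on a file written under the directory; a UID of -1 in DESC_USER marks a writer that exited before /proc could be read, which is the gap the deck's kernel patch closes.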


Sample for II-2 (Put “fingerprint” to file)

Sample setup:

- Host 1, Host 2 (modified linux-4.0 kernel for getting the euid by using fanotify), each running fanotify

- USB stick (vfat / ext3), moved between Host 1 and Host 2

Demo


Sample Result (USB: vfat). Unique info: MAC combination (sample)

[root@kazuki media]# mount
/dev/sdb1 on / type ext4 (rw,noatime,discard)
--snip--
/dev/sdc1 on /media type vfat (rw)
[root@kazuki media]# setfattr -n user.desc_mac -v "TEST" /media/testfile
setfattr: /media/testfile: Operation not supported

vfat does not support extended file attributes.


Sample Result (USB: ext3). Unique info: MAC combination (sample)

root@host1:~/src/fanotify-example# ./fanotify -c /media_mount -o write

root@host1:~# touch /media/testusb
root@host1:~# getfattr -d --absolute-name /media/testusb
# file: media/testusb
user.DESC_MAC="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host1 UID 0"

root@host2:~# touch /media/testusb
root@host2:~# getfattr -d --absolute-name /media/testusb
# file: media/testusb
user.DESC_MAC="eth1:08:00:27:1b:98:4d eth0:08:00:27:d3:7c:60 "
user.DESC_MAC_PRE="eth1:08:00:27:96:39:a4 eth0:08:00:27:d3:2e:a9 "
user.DESC_USER="HOST host2 UID 0"
user.DESC_USER_PRE="HOST host1 UID 0"

“Pre Info” (the *_PRE attributes): the host1 fingerprint that was already on the file.

“Current Info” (DESC_MAC / DESC_USER): the host2 fingerprint written by the second touch.

Conclusion


Conclusion

I. Using “extended file attributes” is very restrictive.

- NFS is not supported.

- Not many filesystems support them.

II. There is no way to send the fingerprint to another PC if the leak path does not support “extended file attributes”.

- ex. sending the file by mail.

→ Think of other ways to put the fingerprint on the file.

- ex. Create a unique file format for it.

- Hook the write/open syscalls and encrypt/decrypt the file with the unique info.

- Hook the write/open syscalls and convert the file with the unique info.

- Focus more on putting the fingerprint into non-file carriers (fonts, etc.).

→ Steganographic solution


Conclusion

We need your suggestion, development help, etc.

Please feel free to contact [email protected]

Thanks!!!