AV-Portal 3.23.2 (82e6d442014116effb30fa56eb6dcabdede8ee7f)

An Overview of Security in the FreeBSD Kernel

Video in TIB AV-Portal: An Overview of Security in the FreeBSD Kernel

Formal Metadata

An Overview of Security in the FreeBSD Kernel
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The FreeBSD security model has been developed over thirty years of evolving consumer needs. Many of the key developments have come from the contributions of an active security research community. This talk describes the underlying model and its practical implementation, from its origins in the UNIX process model and file permissions, to more recent additions: the Capsicum capability model, lightweight Jail virtualization, Mandatory Access Control, and security event auditing. These elements combine to meet the requirements of diverse systems ranging across hand-held computing devices, network devices, storage appliances, and Internet service-provider's large-scale hosting environments.
Slide rule Word Roundness (object) Computer animation Kernel (computing) Quicksort Video game console Information security Information security Physical system
Game controller Computer file Execution unit Density of states Maxima and minima Thermal expansion Set (mathematics) Open set Neuroinformatik Kernel (computing) Core dump Computer hardware Gastropod shell Utility software Endliche Modelltheorie Information security Booting Physical system Identity management Scalable Coherent Interface GUI widget Memory management Basis <Mathematik> Control flow Cryptography Axiom Process (computing) Befehlsprozessor Kernel (computing) Computer animation Computer hardware Internet service provider Order (biology) Video game Quicksort Information security Window Library (computing) Booting
Discrete group Gateway (telecommunications) Manufacturing execution system Scripting language State of matter Multiplication sign Mehrplatzsystem System administrator 1 (number) Set (mathematics) Software bug Mathematics Virtual reality Blog Different (Kate Ryan album) File system Flag Information security Physical system Exception handling Area Scripting language Metropolitan area network Computer file Binary code Electronic mailing list Thermal expansion Proof theory Root Process (computing) Order (biology) Dew point Configuration space MiniDisc Right angle Energy level Quicksort Bounded variation Physical system Row (database) Asynchronous Transfer Mode Point (geometry) Trail Dataflow Asynchronous Transfer Mode Game controller Freeware Service (economics) Computer file Virtual machine Control flow Directory service Streaming media Login Rule of inference Event horizon Power (physics) Zugriffskontrolle Writing Inclusion map Root Term (mathematics) Hacker (term) Computer hardware Energy level Directed set MiniDisc Summierbarkeit Booting Traffic reporting Time zone Information Cellular automaton Magneto-optical drive Directory service Trojanisches Pferd <Informatik> Binary file Computer animation Integrated development environment Software Computer hardware Musical ensemble Routing Library (computing) Flag
Email Group action View (database) System administrator Mathematical singularity Set (mathematics) Stack (abstract data type) IP address Semantics (computer science) Variance Variable (mathematics) Web 2.0 Exploratory data analysis Mathematics Web service Virtual reality Atomic number Semiconductor memory Kernel (computing) File system Moving average Cuboid Endliche Modelltheorie Library (computing) Descriptive statistics Physical system Scalable Coherent Interface Area Scripting language Metropolitan area network Computer file Binary code Electronic mailing list Maxima and minima Virtualization Bit Variable (mathematics) Category of being Arithmetic mean Process (computing) Auditory masking Internet service provider Right angle Quicksort Permian Reading (process) Writing Asynchronous Transfer Mode Wide area network Booting Point (geometry) Game controller Server (computing) Service (economics) Link (knot theory) Computer file Real number Virtual machine Maxima and minima 3 (number) Electronic mailing list RAID Rule of inference Emulation Writing Goodness of fit Root Operator (mathematics) Summierbarkeit Traffic reporting Address space Default (computer science) Socket-Schnittstelle Raw image format Information Sine Interface (computing) Debugger Computer network Directory service Binary file Word Kernel (computing) Computer animation Software Personal digital assistant Password Universe (mathematics) Video game Bus (computing) Address space
Computer program Group action View (database) Multiplication sign Execution unit Group theory Function (mathematics) Mereology Semantics (computer science) Bit rate Different (Kate Ryan album) Ubiquitous computing Core dump Set (mathematics) File system Endliche Modelltheorie Information security Position operator Physical system Social class Data storage device Electronic mailing list Bit Maxima and minima Control flow Annulus (mathematics) Type theory Message passing Process (computing) Buffer solution Normal (geometry) Absolute value Quicksort Physical system Reading (process) Spacetime Booting Classical physics Web page Point (geometry) Asynchronous Transfer Mode Game controller Freeware Module (mathematics) Computer file Virtual machine Electronic mailing list Twitter Number Product (business) Frequency Latent heat Root Term (mathematics) Hacker (term) Hierarchy Operator (mathematics) Utility software Configuration space Default (computer science) Default (computer science) Execution unit Standard deviation Interface (computing) Forcing (mathematics) Interactive television Core dump Ultraviolet photoelectron spectroscopy Directory service Semantics (computer science) System call CAN bus Algebra Computer animation Key (cryptography) Routing Window Operating system
Computer program Hoax State of matter Code Texture mapping Multiplication sign Decision theory Covering space Coroutine 1 (number) Set (mathematics) Mereology Arm Area Kernel (computing) Bus (computing) File system Flag Software framework Process (computing) Endliche Modelltheorie Information security Metropolitan area network Structural load Electronic mailing list Menu (computing) Proof theory Process (computing) Right angle Modul <Datentyp> Quicksort Information security Physical system Data integrity Dataflow Functional (mathematics) Game controller Socket-Schnittstelle Module (mathematics) MUD Computer file Infinity Regular graph Protein Gastropod shell Newton's law of universal gravitation Module (mathematics) Stapeldatei Information Projective plane Computer network Basis <Mathematik> Binary file System call CAN bus Kernel (computing) Computer animation Function (mathematics)
Demon Group action Thread (computing) Distribution (mathematics) Multiplication sign Decision theory Set (mathematics) Water vapor Real-time operating system Disk read-and-write head Special unitary group Data management Pointer (computer programming) Bit rate Single-precision floating-point format File system Row (database) Extension (kinesiology) Local ring Information security Physical system Wrapper (data mining) Structural load Bit Open set Connected space Radical (chemistry) Data management Order (biology) MiniDisc Website Right angle Quicksort Information security Volume Resultant Row (database) Spacetime Wide area network Point (geometry) Trail Slide rule Game controller Module (mathematics) MUD Computer file Authentication Simultaneous localization and mapping Virtual machine Maxima and minima Data storage device Content (media) Event horizon Frequency Intrusion detection system Selectivity (electronic) Data structure MiniDisc Module (mathematics) Authentication Execution unit Focus (optics) Distribution (mathematics) Demon Information Content (media) Volume (thermodynamics) Line (geometry) System call Vector potential Subset Inclusion map Explosion Event horizon Computer animation Personal digital assistant Video game
Set (mathematics) Open set Mereology Special unitary group Spherical cap Network socket Set (mathematics) Cuboid Flag Data compression Physical system Scalable Coherent Interface Metropolitan area network Constraint (mathematics) Namespace Mass Bit Connected space Arithmetic mean Sample (statistics) Uniform resource name Software testing Pattern language Modul <Datentyp> Quicksort Asynchronous Transfer Mode Point (geometry) Reading (process) Asynchronous Transfer Mode Computer file 3 (number) Event horizon Template (C++) Writing Energy level Utility software Selectivity (electronic) Socket-Schnittstelle Interface (computing) Magneto-optical drive Directory service Loop (music) Kernel (computing) Event horizon Computer animation Software Personal digital assistant Network socket Spherical cap Buffer overflow Library (computing)
Point (geometry) Demon Game controller Computer file Decision theory Multiplication sign Virtual machine Insertion loss Event horizon Theory Product (business) Mechanism design Energy level Information security Position operator Physical system Default (computer science) Information Block (periodic table) Projective plane Maxima and minima Basis <Mathematik> Trojanisches Pferd <Informatik> Variable (mathematics) Data management Kernel (computing) Computer animation Software Personal digital assistant Quicksort Arithmetic progression
the round button on the console that's what I needed to so far I I've been trying to come up with you know new talks each and every year and you can only talk about well systems for so many years before you find that you have a room with about the people still in it so I figured if I put the word security in the title that somehow that that would be that people may be more interested in coming to listen to it so what this is really is sort of a little if you will almost a history of the security of of well Unix left BST slide previously I sort of more specific as we go along so security is a
mind-set and what I mean by that really is something that you have to think about from the beginning of the the classic example of where it was thought about in the beginning is the early MS DOS life Windows systems where the computer was just sort of being used by whoever was sitting at it there was no notion of logging in Warwick having an identity Your isolating different people and when they try and glued in after the fact it just doesn't ever quite work right so unix from the very beginning had a notion of identifying users and using that identity to then have access control of files and to be in the decide how you should build manipulate and control process season should be how you should be allowed access devices and of this notion of being able to expand privilege so this set you ideas that GID what we're very very early basic concepts in units now obviously we need much more sophisticated things today but that form the core of the security model in Unix and that's still carries through 40 years later as 1 of the the that from the face pieces that you'll find in any Unix-like system now
there's intuitive modern terminology is something that's called a trusted computing base and if you will this is the you know what you have to have just 1 of axiom matically on in order to be able to build a secure system and this is really sort of looking at the the core of that so you have cost the CPU that you're running on it needs to provide certain features like memory management units in order to provide the isolation between prophecies are above that you have a kernel you have your boots scraps sort of a core utilities things like the shell that controls login things they can deal with the the core hardware like I can figure out and of course all the libraries of lived obviously is used by these things some other libraries that are the basis for the utility up on top of that you're going almost certainly have to have some kind of crypto support on so this is going to be things like open SSH and open SSL and IP stack and so on so forth and in increasingly there is hardware that helps speed cryptography and so you need to have some access to that at the heart but typically by these higher-level things OK so let
me just sort of give an overview this is really sort of walking through the expansion of our notion of security over time so very early on back in the eighties I came up with this thing called immutable and append-only flags and this is to give you a essentially tend to be able to make tamper proof the critical files and logs and so on following that but we had jails but we had sort of initial each rooted environments but they didn't really provide the full capability that we need and so jails came along which at the time were very novel things again this is an idea that you now see in zones and lots of other things are in notice of Unix-like systems but it's essentially a light produced the virtual to and then along came access control lists also called ACLs and this is to give a finer grain discretionary access control to files and directories but we then also got mandatory access controls and the difference between the ACLs which are often referred to as discretionary access control of that is to say individual users on the system can control them the mandatory access controls or system-wide controls on information flow and on access and the individual users can override that that's imposed by the state of the system that's administrating but we also have a notion of privilege but if you will the subdivision of root privileges and then but refinements to the auditing so rather than simply just keeping track of the commands were executed we have a much finer grain or the ability to have much finer grain read accounting and dealing with of how those account records are stored in cells and then the the sort of the most recent piece that's been added on a skeptical of this allows you to do sandboxing of of process right and and will take a little look at that time all this is going to be sort of high-level hand-wavy cursory stuff on capsicum in particular powers can be doing a talk on that in his entire talk is essentially what works been going on in this particular area so this interest you I suggest you go to that topic believe later today OK so let's just go
through and the 1st thing that got that it was this notion of a mutable and append-only flags this actually came about because we had brought up the what the time carbon at Berkeley and up to that point just been you people for locally logging in an initially it was just a few of our friends it would come in but as the network began to grow we might find this hard to believe but there were some characters out there that seem to have a bad intent and they would trying to log into our machine and do bad things and we didn't like that and so we we wanted to make it difficult for them to do this so we can have this idea that you could have a mutable files and if you set the flag on the pilots as it's immutable it's can be changed you can't move it you can't believe it it's just they're and then a slight variation on that is like it says it's append-only which has all the properties of immutable except that you can append data to once the data is appended of course if you can't get rid of so think of this for logs and so you would set this thing up and for the new sort of 2 sets of these flags as the ones that the users can set and if you decide you want make some change but turn off the flag and then you can it was not mutable anymore you can do what you want others also set flags that can only be set for rare and when they're set set only flights of like itself is immutable so is essentially you know when you set that flag it's burned into the iron oxide much data file the state but often it's not going anywhere and of course that makes it a little difficult to do system updates so we came up with this notion of security levels and so if you're insecure mode which is 1 2 here then and these rules are enforced and when you're insecure mode of band you can go ahead make changes so normally you're insecure mode when you're running single-user and you come up multiuser are you going to secure mode and the the idea here is that the administrator can always raise the security level so it here for example at level 1 and you wanna go to very secure mode level 2 you can do that but only processed 1 is permitted to lower the level so unless you replace and that Our then nobody inclusive user can bring it down it's only when it takes a system down the single user that it will lower the secure now courses all at things you all just opened that and go find the variable which listing that packet and so on so not in order to prevent that together came and that now become only when you're insecure mode well just go out on the desk and patched flags well any mounted disk is read only when you're insecure modes of and then you can go to very secure mode which says you just can't write any disk device so that even if you want now file system I still can go out and that's around with promise you also can do do things like new aspects of which kind of a pain so you you might want this on a gateway say we're not going to be doing for active stuff but normally just run trauma OK so this all seems like a great idea I would certainly works for a Sophoclean the the hackers with login break in and they get route and they start going around and they couldn't put in a Trojan worsened log in and so on and then later these going and trying cover the steps because it's the everything they were typing was going into the logs and they couldn't truncate the logs they couldn't move on the side and it's like and then come back and I was fine but the fact the matter is that when you sort of look at some of the issues with these immutable flags they start to have some fairly serious problem or not in terms of the security per say but it's things like mutable files can only be updated the setting of system a single user and if you're trying to run a 24 by 7 service and you need to update let's say up SSH because there's some security breach you have to take the machine down as the only way you can replace binary are and the so you like to rotate your lot you know that something that you like to have happen every morning 3 in the morning well you can't move all unless you take the system there is so much you think the system down every nite to rotate logs you can start with and the way they are and then of course you direct hardware access is restricted so especially if you're running at level 2 you continue events and other sort things that are but the real killer and the thing that really sort of puts the state the heart is that all start up activities have to be protected because if you for example you can put something in our city directory that's going to get 1 it's sort of time and then you can put something in there and then at the discretion gene-order reboot and as it reboots it'll run your script and now you since its running single-user when the scripts around it can go mess around and you bad stuff and you say yes but you know we we are machines never will go look at the bug reports is always an ongoing stream of ways that you can you know run this script that expresses the machine itself but you just have to assume that the are people going to build a review machine and what that means is that all start-up scripts and all the directories that contain them and all binary center use during start-up and all libraries that are used during start-up and any configuration it's file that use during start-up has to be immutable or you text and so all of you you end up having that walk down etc. which kind of makes a little inconvenient and you know someone decides that they're going to use some crazy you know Python script or something and suddenly the whole pipeline system and its libraries need to be secure and so if it's practically speaking you just you can get around this very well without making machine for virtually unusable by for the administrator so it was a nice idea of but it's pretty much been OK moving along
our we get J and again I'm just going to give you that that the super 20 thousand foot view here but I'm sure that many of you can tell me more about jails and I can tell you that a lot of this jails really is is getting them set up and running and there's a lot of scripts that these days to help with that process in fact there's sort of I would just say 2 competing ways that are thought of to do this and some folks here at this conference are getting together to try and hash out as you know sort of take their ideas and get together and come up with something that everybody can sort of agree on the idea that 0 is we got the big box which is what about the real machine that were running on and it has its own being dead every uses so on and it usually has a jails user jails and then you would create the various different jails we're interested so this picture shows we have a jail is going to be doing Web services another 1 that's going to be doing e-mail services and effectively mutual down into that and each of them and typically has a complete set of binary now if you're going to have a single purpose you don't need the whole set of binaries in your web area and in fact problem 1 have absolute minimum so if somebody manages to get something bad to happen but in your in your web server there's not going to be a lot of wineries to help them out of it they would have if they were running in a fully populated area OK and then we also I have this notion of of virtual networks so that you get your own network stack and so all the things that we think of a sort of global variables for the network timeouts and things like that on you can set and it only affects you were work networks so here in the in the real machines we've got the real network interface and it's got its networks that and then it creates this virtual interfaces which are sort of think of Mr. . point links almost all and so up here that the actual packets comment and then we choose to forward some of them through this interface to this jail report some of this universe that jail and so as far as its jails concerned that things got its own network and it can i have to figure out what it's Iike ifconfig uses then and so when it was in the promiscuous mode what it really is saying is what all the packets that come to my interface I wanna look at so we can still do things like hanging and so on but in fact were just working with this and the host machine is really deciding what are the package that you get to see so you know you might try and like I wanna see all the things coming in for the IP address which is 1 these other jails and the fact that matters the nothing forwarded to you so you won't see a and so in this way we we get the isolation but we get the appearance that were on our own sort of machine OK so so the rules if you will of jails is we want to be able to say you hear you your group here's the root password have good life on and in fact you can't do everything that we could do if you were on the the the bare hardware and but you can do most of it so you can decide you know but that's the wrong and about you what the user ID is you haven't provided these and who can signal wide and you can change files you mean you have the same ability to change the permissions on files that we would have on the main system except you can only see the files that are in your jails are you combine words to your jails IPA up any of its addresses and you can set up wrong diverted routing topics and so on what you can do with things that are going to affect other jails or the mean so you can find out about information on things that are running in other jails if you do a PS reduces controlled says you tell me every with every process running on this machine in fact all you're going to get back or the processes that up and you you can't change kernel variables this is controls that allow you to say next property ample you can't you can't mess with them you can't mountain unknown file systems because that would allow you to reach out and perhaps get 2 things you should get to and you can't modify the that the real network interface and you're not allowed to read that's what it tends to affect other things besides just you know and what is the front ends and purposes it looks a lot like you have your own machine and the beauty of this over of the atoms is that with the ends they have they require a huge amount of resources and so if you have a really big honkin machine you might be able to run data tended to be 20 VM's but but you at that point just sort run out of steam you run out of memory and and and things sort south on your whereas with jails although when we originally did then we had the intended goal we run 5 or 10 of them and we fairly quickly discovered that people were going way beyond I remember 1 report that came in and somebody said that it was taking in packets were taking forever to get to know that the network kept slowing down on set up jails and it's like well you know how many of you setting up 0 thousand like you're doing what because of course when a packet comes in we have to decide it's for the jet for this machine and the way you do that is to say this is 1 of our IP addresses well as we just walk through the list of 2 or 3 addresses associated with the interface and it was just now and now for every incoming packet we had to walk through a list of a thousand IP addresses and so on so you have start Hessian on this stuff and other things but you know today yes you can run a thousand jails now hopefully they're not trying to too much we're going to get bogged down by there's you this scaling that's possible is way beyond what you have build it would have yeah summary so moving
along we get access control lists now the idea of access control lists is to give us finer grain control over files then we have with the traditional what user group but not so you know with the with the traditional UNIX you you have the read write execute for the the owner of the file and read write execute the group and read write execute everything else and although you can do some sort of pull things like that for example you might have someone that you decided as a pariah that you don't actually want to be able to have access this but you want everybody else to have access so you can create a provider group and put that person in it and then you set them the permission bits to be write at execute for the owner nothing for the perioral and read write execute for for everybody and you say well yes but you know they not they don't get permission based on the group will just get it based on everybody else but in fact the way Unix does it is it 1st checks user and if you if that if you if you do not the owner and then the moves on the next 1 is or they in this group and if you're in that group then it checks the group benefits says no to your broke that's it we don't have to check in and so on you can you can sort of exclude everyone for you this 1 person and what everyone else through that way but that's still somewhat limited so the idea with ACLs is that we're going to hang a description which can be much more detailed here and so on you can say Read permission right permission execute permission then look up in the case of directory which is normally overloaded with the execute that but this is actually a separate permission and then administration of which again is normally only for the owner of the file but you can set the administration bit to say even though you this person that's administrator not the owner they can still to model so on OK so then for each of those 5 permissions you can have a list of individuals you can have a list of groups and you can still have everybody else so did you you can get very fine-grained control what in biological OK now with the the traditional operations you have a you mask and that's used to decide to how to initialize the the permissions on a file and with ACLs you typically have something where you can have either which called a faulty seal on terrible ACL to explain the next slide and that says if we haven't explicitly said it then and this should be what is given to new file and then we have some user-level commands others get violates 2 essentially tell you what they are and set ACL to set up OK so what are the semantics of ACLs will assist minor issue and
that is that the this ACLs our 1 of the least compatible thing between different systems that you will ever have the misfortune to deal with and the reason for this is 1st of all because when Unix is being standardized back in the days of Posix there was a group of posits group that was responsible for figuring out what ACL should be and it was highly political contentious in that period of time and so what ended up happening was they got a draft standard which was sort of 90 per cent of the way and then before they got a final draft they got but the other was like for various reasons that I could go into but what right now posits that cut off and after a certain date no new plastic standards could be released and they didn't make the and so all we have for politics is this draft standard and it's missing the last 10 per cent and so every vendor pick set up and those in the last 10 % their own personal way and so on they're all almost but not quite the same which is a real pain in the neck and then the other problem was that the poset standards were really standardizing things that were very tied to the Unix view of the world and it turns out that there's another system out there it comes from the Pacific Northwest of the United States and turns out a lot of people use that other systems and they have really a different way of dealing with permission and the classic style ACLs just do not work and play well at all with the windows type of that type of control and so when an the floor was being to organize was being created in the IETF they also of course needed to deal with ACLs and so they came up with the specification of which were referred to as the NFS before suspect and that 1 is designed to work and play well both with windows and with unit and so increasingly today there is there that the trend has been moving the ACL world war that interaction so as I said by design force designed to work well with Windows and with Unix of the your file system implements both the Posix style and the before and you actually when you mounted it you say I mountainous and I want to kind of as before semantics were what plastics and now this isn't something where you can like change your mind back and forth we can and and and your vessel do its best but you'll get some pretty bizarre ACLs after a while if you don't sort of pick 1 and stick with it any race it will do either 1 of the CFS implements only the NFS before of the end of class before users what are called inheritable ACLs are rather than the default style ACLs used in politics default ACL in politics but essentially you have an a but what's called the full ACL which is associated with a directory and when you create a file in that directory if you don't specify any CELP gets the 1 that's just the 1 whereas the manifest before so it has this sort of notion of this 1 is sort of floating in it it works its way down the hierarchy it's a similar idea that really that they take away from this is you can set up an easy answer than on the west of survivors with the gas and in terms of the interface are in previous we have the same command-line tools to get set the ACLs of the API to it that the utilities to with not work the same and they just what you get back to look different depending on which 1 the underlying thing is but it is capable of of X printing them out for example for the final command in a way that is comprehensible based on which kind of ACL this OK so there there you all you have to do is essentially enablement away you go erased moving
along along the next sort of idea that came along is this notion of privilege now historically in you next we had the support of all or nothing URI God or your skull and if your group then you have privileges of doing pretty much what everyone and otherwise you know you're locked down and can only things according to the normal user roles now you can expand this a little bit was set GID so if the judicious use of grew on particular files and having set GAD programs that you can give limited access so for example we have the group operator and we put the disk drives in group operator and give that read permission on them and after in the operator group of war you run a program which they don't that it is such that if it were to be set PAGE operator would be able to get access to that without having to give away the store and I to be moved to the dumpster out but that only works in a fairly limited way about the root privileges pervasive through system and so on some years ago as part of the security work that of Robert Watson and others did was to go through the operating system and find pretty much every place that initially that said if s user which is a way of saying are you root then we're going to do this otherwise not and pretty much for all of those points putting in a hawk part and each 1 of those books was given a name so and ideas of the file sicis priv died aged lists all of them there are about 200 different privileges that are associated with the root I put just us you know him for you sort of flavor so prove account says you simply can you manage the process can I can you turn on or off max proper you are allowed to change the maximum number processes in the system are you allowed to configure the dump devices can you reboot the system can you add swept space it takes webspace away at a different group what are you allowed to look in the colonel's message buffer where you allow the localized for you allow the delete models are you allowed to adjust the time which is different than being able to absolutely set the time because it's much more evil you can do with setting the time just adjusting the rate at which it changes but are you allowed to override writing to files are allowed override reading files on and on and on and you want a good days we go look at all the privileges of productivity Renault that route has as a privilege certainly it's you know the hackers guide you know if I get rid of the machine where all the cool things aren't allowed to do at any rate I wanted subdivided this way then instead of just the generic if s user now there's a call up in to this
proof checker function and the projection function gets passed in that what what the privileges that's being asked for and now you can write a module the gets to decide on a privilege by privilege basis whether or not it should be permitted so you can sort of batch these things together so we might wanna say or a well we're going to give sort of networking based privileges or can network configuration and enable given privileges for controlling the filtering you know maybe we will let you mountain announced file-system maybe we will let you export file systems about what Colonel data and we want to access modify all those many many things that you saw there and now for each 1 of those privileges parsecs has this notion that we should be able to I have the granularity of saying permitted so you or you even allowed to have this at all and if we've set saying you you logged as you are you are not allowed to have this even if you somehow run a set UID program were still not going to do it because if you haven't been permitted is it inheritable we might say where you can have it but you can give it away and this helps a lot with that StackOverflow things so that some shell for example you you you you might be able to exact you're running a set program and you might exactly shell but we're not going to let you can that lift you religion over to that shall surely can't just start a shell but it just as regular user privileges and then there's a little flag you can turn on and off the bus and yourself on 1 turn this privilege or not now now I don't wanna have it and again it's a sort of you didn't take away my special privilege so I don't have to worry about that things happening so you might start up a programmer needs special privileges of open a file and then you put on the way of the program state and then at the very end you get it back again so you can do some final cleanup for whatever OK so there is then the notion that you can implement this up by simply coming up with 1 of these functions that you load into the kernel now the fact the matter is that although all the hooks through their this Posix notion of handing out that module although it's been prototyped has not been put in there and I asked Robert you why is that he said well there's just too many ways that could go wrong and you know so that really someone really have to think about that longer and have better things to do with my time the implication and so in fact this the hoaxer there there are other Mac models of which I'll talk a little bit about but this particular Mac model is the 1 that we have the right so this does then
get us to mandatory access control and this is where you can come up with various security policies such as the 1 I was described previously on but when you go to the privileges you really get very fine-grained control over that so it's not just what a user can do but you can also control for example when data is being written you're going to get these calls back into the privilege routines and so 1 of the things that this module can do is you can look at it can say well let's say we're trying to fit to deal with sort of military style security so we've got things the secret and things that top-secret and so if a a process running a secret is trying to write data down is top secret that's probably OK but something is top secret is trying write something down like something is running a secret that that potentially leaking information so we don't let that happen on so again because of the granularity these things you can have a very tightly defined not so things like access and use of files and pipes and sockets and you all working and not allowed to add delete load models and you the whole long list and there are several of these security modules there's a thing called the but the idea of which is 1 of these ones that has this notion of controlling information flow on there various and sundry other ones there and in particular it allows you to have the kernel not have the policy spread out all the current yield I s user was just sort of sprinkle the kernel and you know that the policy was effectively sprinkled through the kernel now what's going to the kernel or all these calls in to the approved Jack protein and so now you can load a module that gets to set with the policy years which can just be the generic your policy it can be used for military security policies it can be sort of more commercial data integrity models and in fact we could today implement jails through this policy jails is still got it in in part does come through here in part there's still some ad hoc significant amount of code because framework was available when jails were being done if we were to implement them today nearly all of it would come through here and we would probably come up with a few more books to make sure all of the hard part is getting all those folks put in the right place is actually a lot easier to write the the the model because now you have in 1 place a list of privileges and you can sort of look at all those things and decide that they either do or don't meet the policy that you're trying to do OK so moving on to the next
we get auditing and detail about you know Unix his head accounting forever but auditing and accounting or not the same thing auditing is sort of counting on steroids if you will it's based on this thing called the the basic security over Basic Security Module are which again is is sort of like a document that describes what what you should be able to control and and learn are based on these records and the idea is that when you have these records we want to be able to find out potentially things about what access control was used so did they get that where they're able to do this particular thing based on the fact that they have privilege said they are war that they you utilize some particular privilege of what was the authentication that was used to decide that and then in you also have to have sort of over wrappers security management water management to make sure that people can put focus records in there to constantly style etc. and we want to be able to control the volume of the of the audit trail minutes some level the audit trails almost like k trace every single system call can be ordered with a great deal of information about that system called and obviously if you do do too much of that you're just going to blow things up so you need to be able to refine what are the things that are important that you you track and 1 of the things that you don't care about thought so we have the so called ordered preselection policy where you were sort of deciding you as the record is being built up this is something that we actually want keeper not you will then generate the audit records and then after the fact you may keep detailed records for some period of time and then you can run this thing called order reduced the sort of thing it down for your sort longer-term so you might people a full accounting for a week and then it down a bit keep that for month thing and down even further argued that for 6 months or potentially forever depending on what kind of system is running on OK so we also have this notion of the the user credentials which has the so called ordered identifier and this is the again what is the information about the user that needs to be stuck into the record is a good enough and just know the UID do we wanna know what groups therein we wanna know potential what's special privileges they have and again this is the thing that's configurable and will be stuck in so this this structure holds things like a terminal in the session and watch bits so that should be added and then also this sort of pre selection policy so when were to try decide whether we really want to generate a record not this is sort of staring at time of creation as opposed to fitting later so we
have this thing called the order the demons and it's going to manage the collection of the data and the it's so always making decisions on the content of what we want to include what are the records that we wanna rate also if things like starter ran out of disk space of so we're for not having a place to put this in acidic and makes a decision made was then it may be it wants to offload it somewhere else but it's so it's sort of a high-level policy is not having all these records coming through it rather what it's going to do is going to start a kernel thread that's going to actually be told how to deal with the distribution so what do we wanna stored in a log file system do we wanna send it across to some other machine on so for example this was compromised we we know we have records that are good at least up to the point where the compromise occurred and and love someone from 1 do is send them to an an intrusion detection the so that you can have a real time something which is looking at what's going on and it see something goes below that doesn't look right you know why is are we suddenly getting this you know TCP connection to this ProsoReport from China maybe we should you know alert somebody about that and so and and you know you can have multiple these things going on at 1 so here is an unbeatable example of an audit records obvious what point the big blobs as had a random thing there's a set of pieces that make up this particular record in a trailer accessory that's the end of it you year your typical extensible data structure and so here is a typical audit record that's been put up so if this is this says the the event here is that we have an open on a read-only file and this is the path that they're trying to open an hour and this is this line here is you know who they are so it's the UID in all the groups that the and then finally what was the result of this system call in case he was successful in return for 6 of the slides by the way I have pushed onto the website and only did it last nite because that's when it finally finished writing them and they haven't yet been uploaded of but at some point in advancement of loads what everybody's life public tonight and at that point you can just go to my talk and thing hopefully there you will read this if you actually care OK so the
last piece that I want to talk about here is capsicums on and this is sort of the latest thing that's just being the ladies been previous the now for several years but there's been a lot of work going on with it recently to try and sort of refine it to make the interface the kernel interface sort of more usable and then to actually create some system level utilities that that make use of it on both because it's a useful thing have an because they give you sort of a template should you wanna be trying to do the same thing so the idea of capsicum is that we want to be able to see and box prophecies that we don't entirely trust and the idea then is if you have let's say something and why SSH than you don't want this this whole huge glob that's SSH that necessarily run with the privilege because there might be like a big library that using the new compression or something and you don't really wanna go on at the whole thing to to make sure that there is nothing bad it doesn't have like overflows things cause trouble so would like to take these pieces that but don't need any specific privilege on the limited for special privileges and they have a sandbox them so that they can't do evil stuff well so here on the left we have the so sort the normal thing where we've got sort of our main loop and is calling in this case a library that does compression and we have a lot of the compression library in its Eugene so we we just don't want to have to deal with worrying that it might do something evil to us and so we can drop it into a subprocess here and then but it gets a set of descriptors that we control so when we set off we give it a certain set of descriptors and that's all against the work so it it it has no access to the global namespace it can't open you know you can open a file by pathname it can't see other sees it can't create new descriptors it can past descriptors off to somebody else it can just use things that it has any can only use them in the way that they were that their open for you read only then it's read-only and so in particular I mean you may need to allow it to do certain constraint things so you can for example given a descriptor but that's open on a directory and then it can open things relative to that directory but if you also say that 1 of the privileges that that descriptor has is the ability to use as the starting point for part a pattern of so open at basically up so by doing this then it if something goes haywire in that in that I think it can't somehow creep back and grab a special privileges that that the meaning so we actually use caps you use put up to 4 process and get set up and then you do cap entering that process and that puts it into capability mode and once its incapability mode my lab to get out of that and it can only work with its own file descriptors and has no access to the file name space so you open will fail open at work if it has a descriptor open on a directory which has permission to use so is it allows you to I get really tired of bounding on things and to give
you an idea again of the granularity of the sorts of capabilities that you can allow it to happen or not right you can look in sicis capability died aged there's about 60 of them in there again I've just taken a bit of a selection of them here on so you have can you read or receive if it's a network connection writing and sending are allowed to see are you allowed to set the file flags are you allowed the set that you can do it should or up can you change the mode can you change the owner in are you allowed to use it as a starting point for a walk up or you allowed to do polling are you allowed to host events to it are you allowed to do except if it's a socket this around the socket markings can you listen etc. so again you can just go through you can give it exactly the set of things that it should need and not anything more than that and now you can ensure that it's got a very constrained lots of things that can do in very little nasty stuff that it can get away with OK so there
you have it from start to finish 40 years of security and I am happy to attempt to answer question yes all the things you know the 1st thing that want to in the ordering you can't block events from happening per say because the that would be done from 1 of the other mechanisms like the privilege but so all you can control what gets reported but that is not the point where you're trying to make decisions about whether or not you should be allowed to do so but that's 1 of the other mechanism we you can also the you so the book and the this OK is not here and so on and on and on and on and on and on the other end of the of the of the on the same and you just what I said about the and so we that the theory that that was is the OK so much they are in the jails of this this is Control stuff is it is not a blanket you can't do things if it's on a sort of if you will variable by variable basis in some sense so for example things that are what we call global kernels of max product which affects the entire system based system of you can't manipulate that but there's what we think of as global variables associated with for example you're networking stack and because you have your own virtual networking stack the global variables what you would think of as global variables associated with the networks that you are allowed to change because really only affecting your networks and so it's not a it's not like at the top of this control where we discover no it has to go down and it has to be decided in some sense of variable OK on the previous 1 can you use privilege to override some of the things you otherwise would not be allowed to do with things running insecure along 1 of course some nonzero positive secure level of in theory yes in practice some of those things do not I think have not been put to the prove check routine so for example in able to modify i and immutable file I believe the check that says it's immutable the answer is no no matter who you are I think that happens before the called proved check out if if that's the case then I would say that's sort of a podium check it should incorporate that projection be the thing that makes that decision that is immutable or not but but my recollection is that some of those things some of them yes but I think there's some probably on and what we have here is a long I believe by by default when we go multiuser reset and minus 1 which just says we're not doing that stuff it is just the the coming down here is if you haven't been able it by default secure levels are turned off unless you enable in our system In any more questions that is not going to go to work with a lot of the and the the world the to of this of the world so what did you think you of you the loss that is what want and the and in it as 1 1 person put it you can be absolutely certain that nothing bad will happen to you by turning off your network this however is usually not a viable solution of so that really the answer is that you you try and have the system set up in a way where you limit the amount of damage that can happen and after fact you have enough information so that you can know what happened what they got what they did and potentially of the Trojan horses or anything else that they may have left behind and hopefully you figure that out quickly are that the point of being able to have a demon that sort of watching for things bad things happening in notifying you is to be found that when if you go to your management say well yes these people broken from China and they had access to the machine for 15 minutes and this is what they got what they something like that but they're going to be a lot happier than if you say well some have about 6 months ago they started breaking into our machine and we're not really sure what they've done or you know what they may have corrupted this is not going to go over nearly as well so I all we can really do is try and provide tools to give you the defenses tools to make sure that you can get the information quickly and you can quickly identify when things have gone wrong but I knew you can short of turning off the network of avoid this stuff entirely bank well time up so you have any more questions feel free to ask me I'm around progress the conference thank you few