FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance

Video in TIB AV-Portal: FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance

Formal Metadata

Title: FreeBSD, Capsicum, GELI and ZFS as key components of a security appliance
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
I used to talk at various BSD conferences about projects I was/am working on (GEOM, GELI, ZFS, Capsicum, HAST, auditdistd and others). This time I'd like to talk about the meeting point of reality and some of those technologies: a security appliance I have been working on for the last year. The talk will demonstrate practical use of various technologies available in FreeBSD (Capsicum, GELI, ZFS and others). The appliance needs to process and store very sensitive data at high speed, so the strong sandboxing provided by Capsicum and the strong encryption provided by GELI were a must. The talk will also provide practical hints on how to build and manage the appliance, e.g. how to create an installation image with all dependencies from source, how to implement secure and reliable upgrades with an option to downgrade, how to monitor the health of hardware components and how to cluster multiple nodes together.
than the last year which is based on a if you technologies I was working on for previously um and this this is so security appliances so when mine my name is
of the view that different so if you have been to Europe musical last year so I will promptly responsible for the and I have those but things I need to somehow work on the running my own company but they also was a whole the work on the previous day let's say my spare time and it's been almost 10 years since I got my source comedy so it was finally time to actually do something with all this stuff waited for 3 directions try to make some money but after I must admit that this will be extremely hot topic for me because of course a while handling talking about 3 b is the but on the other hand in involved commercial products people when they were not well received revival try to cross the line and know other studies to match so I will do my best not to cross the so before that I would just prefer a bit theory because and OK good governance so 1st of all the the place itself it's going to look and of course as what they could no tell you about whole
the shot cities already it is how you can I know and I looked making this up remove every single disk seperately and just inserted back or and that include cool red model free of charge with a local late so you can move the pollen the weather consistently I could do all I can tell you about all this stuff but they won't even of the the king what I will tell you the
status of the suppose 1 and I tell you how it works so for the basic research what we call a pool of Big Brother tool you put the food built into your network and in you can intercept all the remote sessions like SSH remote that could be in C and stuff like that it would intercept the session decrypt all the top store decrypted traffic and you can replace all the sessions actually see what was going on so if something bad happens to you have approved you can show what actually happened so this was their idea for the project but let's start from the beginning we of course had to choose some kind of version control system and this is pretty important that's because of course if you Nice version control system it will help you if you choose badly it can actually make your work harder so we tried we tried most of them I think you have some version mercurial therefore is indeed and we couldn't make the article and the so I came up with a great idea potentially with I came up with objective comparison of those although system itself silly 1st but bear with me so any guesses we've what powerful strides and yes the right course of course that's very cold but not for real for example he doesn't try which is pretty important OK or any guesses for the I will give you I mean and so some benefit here if you just find the proper way of comparing face it just clear you don't have the many research to actually figure out which is the best the end of the forests employees here OK so all those sort us linking calls from get OK next up building from source and this is of course important especially if you try to leverage various open source projects and we'll be tried to simplify all the products actually what you do is just enter this pop source directory this type may can be produced so that they will install nature as well as signed to in each for the of so this is very the output is very and the outcome is very easy but cause we we have to go combine not only free is looking to 
start the product especially you don't have to much resources you will end up leveraging many other open source and of course as you can imagine every single 1 of them have different weight actually compiled mutants and of so what we did and I have made this is the most beautiful way to do stuff and I'm sure there are many ports commuters will tell you how to use the courts to do this stuff but what we this is basically works for us or bigger problem was how to actually recorded by the stuff that changed and not to recompile every single dependency as you so there are many dependencies there so how to figure out which dependency actually changed so what we did our is to just propose simple show function which takes as the 1st arguement states of directory to enter and and Bill the Blass argument is actually common so we want to execute what when we enter the directory and you can optionally more of arguments in the middle those are additional directories we want to scale and we are looking for those of you done filing there and if the result files but people fighting there we just check if this is if there is any finding those 1 of those directories that actually is you were those of you and that's it so and it was pretty simple but warned works extremely worked well for us no so my theory about what short introduction because I'm sure most of you are aware of some of the technologies I'm using cure so we need courses generally for book level they Introduction we have this sexually and encrypt and we have so much optimisation stop encryptor framework which I didn't hear upstream but we can yes we can we can encrypt all those 12 disks without losing any performance so actually if age this provides some kind of around 120 megabytes-per-second triple we can actually traffic going to this to all those this at once using just single for cost you of course we use as an I and just provides salt of all stuff we don't really use like integrated verification or what about 
reserve keys and stuff like that to the there are some of the stuff and so of course we use ZFS as well and Europe if you're not familiar with the we've ZFS and natural underwater you were got on for the last few years but the best provides although school staff we just need a fraction of the functionality but the universe is very convenient for us we just use it subsequent that's
mean as the cool technology that is in easy now it provides 2 basic functionalities right some boxing where you just up where you just pulled up cut enter and you enter a really tight certain books I will tell I will talk this subject to death in a moment but and capabilities are I will talk more about probabilities during this summit tracker in flowers were sold but this is very important I will show you how we use it in practice OK so but that's try to build the machines the lesson we learned well let's it was the lesson that our design goal also with our previous products like of indication system was that we we never keep customer secret at our company anywhere we thought that this will never pay but then someone breaking to RSA say all the secrets and actually it start to to be very important to not keep the customer secrets are and we never did that and food would also bundled up and when the should have a box still to the customer we also include the band rice which are empty and during during fires we generate encryption keys for jelly and we store in those cases although spend right you only need 1 of those spend idea of them to actually build the machine and you only need depends right during the book once that boxes rank you don't the dependence of course it depends if you can't trust physical security of the data center or not you can leave depends right if you do you should take it away from the or and of course you can with machine or access any data for that collects we've all those things right the the fact that yes it's a backup because if you lose the I you can access the data please note that the whole my were a partition layer we use we have this very small partition which is just role 4 kilobytes for a very basic configuration stuff like the serial number off of the given appliance we don't want to use system in there so it it's just a gross storage very small use for a very critical bits that indentified the books for example they of course we 
need a good partition and we have 3 partitions UFS partitions where we keep our operating system all those petitions when when we operate on them they buried only so in the installed the system it it never gets maltreated right so entire operating system we use is only read-only petition and we need free because this is how we operate well-being to operate we just put we both great image on next partition and we will try to remove using the petition and of course we use all swapped and the EPA's which is actually generated increase the partition with all the data we so there is no replaced the rule here is that the price of this idea read-only or crypt so how we do upgrades this is the partition that that this operating system is running a running from at this point when we store operate image on the next partition we use the GPT up tributes I that the freebies the sometime ago and we mark this new partition using 2 attributes and what's this basically means that if we try to remove that the GP the with gold would try to find partition with his book was slack will clear the flak and will try to build from if it fails on next book actually to use it's visible to well I don't want to go into too much details but the idea is that the new partition will be will will be tried only once if we failed the next book will actually because again from this partition and also we will be able to detect that that would fail so after brute we can identify and the this is what we get this will be the flag that will be set next book and we can see that our great actually fighting or it succeeds and we said only do once like without me and we have and of course when everything is done with this is done by our signal the script GP people that it will be removed the reflect from the Ford petition and said the book reflect all the faithful sh those are all the components we use for great so we have DPT book which during the books that exceed the book succeeded or failed sets up all that 
should be properly all that all the other ways we have to do run time we just implementing are assumed to be style scripts currently with when your those and we start them of directory and what we do there is a possibility the script that actually copies all them all the other great scripts which are not In the down there it's about directory yet the total direct was the scripts are copied we will continue the voting process and it execute all them so for example if we have to change if we have to absolute tables to database and the stuff like that this will all happen during the book and we get uh leveraging this mechanism we can actually also sets dependencies proper what should run before we walk and stuff like that and this doesn't add to the booking process because because once the script successfully execute that it is moved to down and it won't be part of the of the next books so it doesn't really cost much to to look
have many of those script the effects so they said this is a file system and the up some Microsystems what is secure who actually cofounder z 1st of some and I'm sure you will be happy for John if you all come to the visible later on today and I ported to free doing what will the gold as you can imagine we do with extremely sensitive data because if we decrypt all in the crypt of traffic there has to be some senses sensitive data but we also store stuff like user passwords and all kinds of different versus stuff so of the books have to be security for we need full account of beauty which means that every user logs in the destination true there is we can provide some struggled of education so for example you have 5 servers we've only isn't account and you all every single user to log into this route account if you put full going from global service every 1 of those users has to have individual looking only for the an individual passwords or metal-coated K and when he loves in using she's all logging the for the will switch having to and the user will be look at about the world account but for the will which user it actually is so we can we don't know if that was the user who actually break something or someone else 1 of the things I will change in open stage there is 2 by default actually log which sh she was used open the yeah that would be very useful we don't provide stronger litigation using some external of educational server that we have to provide secure storage because we have to store all those sensitive data and we have to secure all the protocols handling because hopefully will will we will support many different kinds of protocols currently we support SSH remote best years he we have my my sequel and oracle in in the works of and stuff like that for some we leverage open-source projects for example for a remote desktop we use free p mostly which is which is really great when it comes to how it is developed but military security and we can of course spend 
many mouse
strength the every single probable called use or use capsule and of course the performance is also very important because for every cryptographic session we have to pay the price of people want apply the costs by pre because if we terminate SSH session we have to talk to this client this is 1 of 1 place where you pay the cost of cryptography that we have to collect the destination server and this is the only difference sessions so we have to pay the price again and we have to store the data so also we have to pay the price because although they so what we do the product of the data we used journey of course we've years in xt mold we store the keys of the explained on depends right we use the infrastructure so as to say that this page a 256 that's why we don't for use during verification which is maybe not beat weaker but enough we of course have to use that as a yes and I acceleration in India allows us to do all those the that cryptography really really fast we also support trusted thinks time being sexual you can contact song some other site and actually ask them to do time stamp and the given sessions so we know that nobody played with the session of the war and the of right the 2 so any 2 disks we have in the box can fail we will still operate when world trusted them so basically means that was the session is done we we calculate harsh from the social like S H A 1 and we use remote sigh there are there are sites which provides trust and buying something and those are trusted sites that say and the sign such harsh and we store the assigned harsh so then we know that the session was quantified later and that for some very important yes for the 1st we use only those will look for the verification of course but the key ones for us his friends compression especially for SSH sessions it save us all of space and we are looking forward to actually integrate as before and we use nuptials to replicate the session data we did the cluster how we protect session this is for 
me this is the most exciting part of the book which I cannot share with my customers because they don't care but I will show you every single session has 2 processes that are that the handle the given such we have a master process which is just a generative process he doesn't know anything about the probable itself and we could slave process which implements the specific protocol SSH from all this a master of course has to have some privileges and this length is closing substance and a slave process all the logic master is initially responsible only for open education and master also provides all the resources and capabilities of the slaves needs starchily so when we execute slide it doesn't get much we provide 1 2nd of CPU time it has 5 minutes to actually of authenticate the given user provided graphical looking window don't work in case of SSH interprets the protocol specific information such we extract username and password and it gets only 32 megabytes of memory and access to read only access to configuration directory so it has to provide graphical login window very this is where the graphics it and of course the test because have communication socket with must approach I yes what it cannot oxen thanks to capsicums because no access close to any other file in the system which is very important because the other files are probably sessions sensitive data it cannot access networking it can please processes and of course if we drop uh privileges to some other privileged there might be different processes with the same UUID running which we could be traced signal and stuff like that for a couple being the most you cannot access any global namespace actually so In capsicum like systems you only have access to the resources that will be delegated to you so flavor has almost no resources of all where you know it's just a process in single processing so like this is responsible for extracting all the credentials once he gets he gets username and password to get a 
sense he sends the username and password to the master process must process has to authenticate open credentials in the master process the sites in the user actually provide correct possible or not if he we will add some additional memory will removed CPU leaving and will also provide up and only descriptor to the session that so now he can actually write something to the disks but only up and so if he breaks into the session later he cannot really even more defined by what was stored or but even after authentication it's still cannot open any other network collection and the true mentioned in the previous slide if the user is so that it correctly we also provide descriptor with the connection to the
destination server because life of course on its own cannot comment anywhere so even after authentication slaves to cannot access any other server or any other fighting the system or actually anything except for processing this particular session so it's really strong security provided by cops we try to leverage in the project and each word going if you were wondering OK what's want to master clustering here this is something we other than the that long ago we replicate everything sections we because we don't really need to do anything like anything better than that we use a z of plus and received actually replicated data and we use or only the most replicate database but there are a few challenges sexually to implement because of course there are a few potential problems when you replicated database and very sorry about environment 3 of the database guys so maybe this is all of solve so the question we asked what we lose if we if we replicated data passing note saying because if we need to replicate it doesn't translate we have to discussed which is block-level replication but of course what you want to do when you replicate the section with the logic us as high as possible as high as as possible it is the more information you actually know if there is walls of the brain or not and stuff like that so do we have to assume from us we replicated data or not 1 of the great another 1 how do we avoid collisions offer identifier's for 4 Table roles or how to distinguish it from the let's say 2 also collect and 1 has of industry and the other doesn't and how can we figure out if actually this once someone on this no this the entry or someone of this the is the entry and we should replicate the innocent or we should intuition and of course how the youth of the collisions the same role was undertaken to notes for the love of so the solution In our case we lose nothing by doing us a replication what the user sees is actually of the straight on 1 node adds new user and the 
user will appear in 5 seconds on another world that's really not a problem so for us we don't really needs to transfer replication so it saves all local out of a collision so of course what we came up with every single node in the cluster as some serial so what we did we actually we start ID numbers on every on each cluster we multiply the serial numbers so we still have a few a few bits left because the I and the identifier's or 64 bits so we just start out some number and we just know that there will be no collisions because every single note locus different range of ideas so it can use 2 of distinguishing is from the we never really easy and how In solutions are the best in what we do instead is to actually we set we moved out role we keep removed after all for every in every table we mean to replicate and usually most ultra-low set we know that this was removed and we can replicate this as an update and how you have update collisions we have fields In every table that help us to do that so for example the the is going to send signals sent Avg dates to another node that he will ask he will ask for for for everything from it if this was modified on me I'm interested in modified at field and I compare the time from the last reputation we've modified at time so it was even if it was modified modified Only I'm interested in modified at time if it wasn't modified on me I'm more interested in received up because if I received the update from from different no it could be an hour later than it was modified I know that I have to replicate its pseudo differently so those 2 fields actually our us to replicate all the data and the influence any of and what we do for equations we just don't care because this is also easy solution because this is if tool administrators modify the same user on 2 different classes this is more or less the same as for all of them doing the the same operational 1 they can still belonging to 1 of them is to modify the same user and basically uh 
the 1 that did the safe later wings so this is the free model for us the exact same scenario and 4 sessions it's also easy because sessions are modified all you want 1 possible never again and good up conclusions should which done with much of another very good at convergence also around the once you should have your own version control system wisely because people may not pick it up use technology the FreeBSD provides it's all useful for us so we are very happy with the technology don't forget what would upon probably the future of when my talks any questions
yet what is the on you what also produced and this is someone from this is from Japanese but because we can some people from japan maybe it is better you to explain what it means but it means something this was not marketing is the part of the year and and the customers actually every company that have some external contractors or cooperate with any company that actually have to conduct from from remotely companies operating to provide VPN access to anyone and they feel secure but actually if something breaks you actually don't know what breaks why and the who did that and stuff like that so it's not only about security some of our customers actually do it for to account external contractors so they can actually watch it they do the work for the session you decide so its own contractual probably the best use case for this site customers also used use it for local or other means of well and these are not happy about that about security officers are very and any other questions this so that you have to have a normally distributed training on if you were to include the character of lot formal so you find that what while invasive with all the consequent currently is used only for services that are safe facing kingdom so because when you connect to the administration of for example you it from another and for we don't some of those here but we we do want some of this as well but it's vital so it's a bit harder it will take a lot of the most critical path is where we get collect receive collection from user which is not yet opened the gate and then during the session it might be that authenticated but it might be useful so we still want to keep it in in the 7 books so the most important for this is not going to make use of the we ask that's interesting subject and in our previous product which was authentication system the distinct was pretty easy because we could calculate almost everything and it was very easy in this case where you have different kind of protocols at 
all required to have actually some remote assistance to flow into the stuff like that it's much harder so there is much more money will war to do it so unfortunately we can't we cannot alkylate too much on the other hand we do out late stuff like when we try to figure out how many sessions we can actually handle for 1 books we didn't get like 50 thousand sessions association very idle but we did so they're testing consists mostly manual unfortunately because I'm a big fan of ultimate interest have was 1 of the few natural and you do it yes exactly as you see there you see the screen of the user so we can but to where and we do provide some more stuff like you can watch life session you can even joined to the session and types of possible for the user and stuff like that we of course recourse if you joined the session you of course require that those are the keys or mouse movements from the web on from this administrative because that would be a weak proved if we could join the social and as do something evil and accuse user from doing so we do recalled all this stuff but this this is basically this is not really of video session because even if if user types which you cannot see In our player you actually can see all of the keys types and this program like some of the other of the we actually have a small development teams so we fit into a free for surface when you're was students before and yeah this was for our software it really help with this product the performance was not the 1st last that at the end you want yes the and all of a sudden we have really small development teams and peripherals provides some what we did plates for preference previous years about no such we extend the free license so we fit into to realize and they collapsed because of the actually realize any other questions theory no OK thank you very much but that the
and if anyone wants to 1 of these so here's rats what the 2nd thing that I is really but you would like to read the year in which the public relations you have more than 1 of the things that that was basically the Michael Littman link provides us with a lot of on more that has 1 of the founders of of of the of the problem is this sort of thing thing all of the all of the and here the 1 that works in experience here so far view of and generally I have some time and that's 1 of the things that will
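The cluster replication rules the talk sketches (each node allocates identifiers from its own range derived from the node serial, rows are never deleted but marked removed so the removal replicates as an update, and a modified-at plus received-at pair decides what to send and which concurrent edit wins) as an added Python simulation; this is not the appliance's code, and the field names, the 40-bit counter inside the 64-bit identifier and the single shared clock are assumptions.

```python
# Added illustration of the replication scheme described in the talk; not the
# appliance's own code. Assumptions: row field names, a 40-bit per-node counter
# inside the 64-bit identifier, and one shared clock for all nodes.
from dataclasses import dataclass
from typing import Dict, List

COUNTER_BITS = 40  # assumption: low 40 bits count rows, high bits hold the node serial


@dataclass
class Row:
    id: int
    data: dict
    modified_at: float      # time of the last change, wherever it was made
    received_at: float      # time this node got it from a peer; 0.0 if changed locally
    removed: bool = False   # tombstone: row is kept so the delete replicates as an update


class Node:
    def __init__(self, serial: int) -> None:
        self.serial = serial
        self.counter = 0
        self.rows: Dict[int, Row] = {}
        self.last_sync: Dict[int, float] = {}   # peer serial -> time of the last pull

    def new_id(self) -> int:
        # The serial occupies the high bits, so two nodes never allocate the
        # same identifier and no collision handling is needed on insert.
        self.counter += 1
        if self.counter >= 1 << COUNTER_BITS:
            raise OverflowError("per-node identifier range exhausted")
        return (self.serial << COUNTER_BITS) | self.counter

    def insert(self, data: dict, now: float) -> int:
        row = Row(self.new_id(), dict(data), now, 0.0)
        self.rows[row.id] = row
        return row.id

    def update(self, rid: int, data: dict, now: float) -> None:
        row = self.rows[rid]
        row.data.update(data)
        row.modified_at, row.received_at = now, 0.0

    def delete(self, rid: int, now: float) -> None:
        # Soft delete: set the removed flag and let it propagate like any update.
        row = self.rows[rid]
        row.removed = True
        row.modified_at, row.received_at = now, 0.0

    def changes_since(self, since: float) -> List[Row]:
        # Rows changed locally are selected by modified_at; rows that arrived from
        # another peer are selected by received_at, because their modified_at may
        # be much older than the moment this node learned about them.
        out = []
        for row in self.rows.values():
            stamp = row.received_at if row.received_at else row.modified_at
            if stamp > since:
                out.append(row)
        return out

    def pull_from(self, peer: "Node", now: float) -> int:
        """Pull the peer's changes since the last sync; returns rows applied."""
        since = self.last_sync.get(peer.serial, 0.0)
        applied = 0
        for remote in peer.changes_since(since):
            local = self.rows.get(remote.id)
            # Concurrent edits of the same row: the later save wins.
            if local is None or remote.modified_at > local.modified_at:
                self.rows[remote.id] = Row(remote.id, dict(remote.data),
                                           remote.modified_at, now, remote.removed)
                applied += 1
        self.last_sync[peer.serial] = now
        return applied

    def visible(self) -> Dict[int, dict]:
        """Rows an administrator would see: tombstones are hidden."""
        return {r.id: r.data for r in self.rows.values() if not r.removed}


def demo() -> dict:
    # Constructed two-node scenario: insert on both sides, a conflicting edit,
    # then a delete that must reach the other node as a tombstone.
    a, b = Node(serial=1), Node(serial=2)
    uid = a.insert({"name": "alice", "shell": "/bin/sh"}, now=1.0)
    bid = b.insert({"name": "bob"}, now=1.0)
    b.pull_from(a, now=2.0)                          # alice appears on node B
    a.update(uid, {"shell": "/bin/csh"}, now=3.0)
    b.update(uid, {"shell": "/bin/tcsh"}, now=4.0)   # later save on B wins
    a.pull_from(b, now=5.0)
    b.pull_from(a, now=5.0)
    a.delete(uid, now=6.0)
    b.pull_from(a, now=7.0)                          # tombstone replicates as an update
    return {"shell_after_conflict": a.rows[uid].data["shell"],
            "alice_visible_on_b": uid in b.visible(),
            "bob_visible_on_a": bid in a.visible(),
            "ids_disjoint": (uid >> COUNTER_BITS) != (bid >> COUNTER_BITS)}
```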