Revision as of 07:58, 5 December 2008 by Toshiharu (Talk | contribs) (Security Articles)


This page has information about Security technologies for Embedded Linux.

Technology/Project pages


Key Requirements and the Related Technologies

The numbered technologies referenced in the requirements table below are defined as follows:

  1. Umbrella
  2. Linux Security Module (LSM) framework
  3. PAX patch – (currently x86 only)
  4. LOMAC
  5. LIDS
  6. Netfilter
  7. digsig/bsign/elfsig
  8. Trusted Computing Group (TCG)
  9. TPE (included with LIDS)
  10. PRAMFS
  11. ACL file system extensions
  12. Posix capabilities associated with files
  Requirements                          Technologies
  Reliability                           10
  Secure/trusted boot                   8
  Access control                        1, 4, 5, 11, 12
  Buffer/stack protection               3
  Intrusion detection                   5, 8
  Configurable security                 1, 2, 4, 5, 7, 9(?), 11, 12
  Authentication                        1, 7
  Signed binaries                       1, 7
  Trusted connection                    IPSec, SSL already supported
  Secure services                       1, 4, 5, 7, 8
  Firewall                              6
  API support for security hardware     8
  Secure field upgradeability           9
  Authentication                        8

Of the listed technologies the CELF Security Working Group is studying or supporting the following:

  • Umbrella
  • PAX - only monitor for now
  • LIDS
  • Signed Binaries
  • Linux API for TCG - pending CELF NPO status and liaison discussions
  • TPE - as a part of LIDS
  • ACL file system extensions - for those that CELF needs (PRAMFS, JFFS2). Also follow LKML discussions and possibly do implementations
  • POSIX capabilities associated with files


Security Frameworks

  • The Linux Security Modules (LSM) project provides a lightweight, general-purpose framework for access control. Contemporary computing environments are increasingly hostile. Adding enhanced access control models to the kernel improves host security and can help a server survive malicious attacks. Security research has provided many types of enhanced access controls effective for different environments. The LSM framework allows access control models to be implemented as loadable kernel modules.
  • Medusa DS9 Security Project is a project to enhance the security of the Linux kernel; it implements the ZP Security Framework. The main goal of the project is to provide a framework in which any security model can be implemented (unlike other secure Linux kernel projects, which are tied to one model).
Medusa DS9 is used to increase Linux's security. It consists of two major parts, the Linux kernel changes and the user-space daemon. The kernel changes monitor syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel through a character device to send and receive packets. It contains the whole logic and implements the concrete security policy. That means that Medusa can implement any model of data protection; it depends only on the configuration file, which is in fact a program in an internal programming language somewhat similar to C.
  • Rule Set Based Access Control (RSBAC) is a flexible, powerful and fast open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused.
The standard package includes a range of access control models like MAC, RC, ACL (see below). Furthermore, the runtime registration facility (REG) makes it easy to implement your own access control model as a kernel module and get it registered at runtime.
The RSBAC framework is based on the Generalized Framework for Access Control (GFAC) by Abrams and La Padula. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
Decisions are based on the type of access (request type), the access target and on the values of attributes attached to the subject calling and to the target to be accessed. Additional independent attributes can be used by individual modules, e.g. the privacy module (PM). All attributes are stored in fully protected directories, one on each mounted device. Thus changes to attributes require special system calls provided.
  • TrustedBSD MAC Framework - Mandatory access controls extend discretionary access controls by allowing administrators to enforce additional security for all subjects (e.g. processes or sockets) and objects (e.g. sockets, file system objects, sysctl nodes) in the system. Development of those new access control models is facilitated by the development of a flexible kernel access control extension framework, the TrustedBSD MAC Framework. This permits new access control models to be introduced as kernel modules.
  • Trusted Computing Group (TCG) - TCG defines a security architecture based on a hardware-based root of trust. This is a cost-effective solution for establishing Trusted Computing on various platforms. For some introductory information see Seiji Munetoh and Nicholas Szeto's presentation, TCGOverviewPDF, on the Tech Conference 2005Docs page. The Trusted Platform Module (TPM) is a security chip bound to the platform and a key component of this architecture. TCG has a Mobile Phone WG which has released a use cases document that is applicable to many generic CE devices in addition to the mobile phone -- MPWG Use Cases
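The RSBAC description above gives the shape of the GFAC decision path: a system-call extension asks a central decision component, which polls every active decision module and enforces the combined result. The following is an added illustration written for this page, not RSBAC's own code: three toy modules (a role check, a MAC level check and a privacy module that only cares about targets flagged as personal data) are combined under an assumed rule that any single NOT_GRANTED vetoes the request and DO_NOT_CARE results are ignored. The subjects, targets and attribute names are constructed sample data.

```python
from enum import Enum


class Decision(Enum):
    GRANTED = "granted"
    NOT_GRANTED = "not_granted"
    DO_NOT_CARE = "do_not_care"


# --- decision modules (toy versions; attribute names are assumptions) ---

# Role-based check: which request types a role may issue against a target type.
ROLE_RIGHTS = {
    ("admin", "system_file"): {"READ", "WRITE"},
    ("user", "system_file"): {"READ"},
    ("user", "user_file"): {"READ", "WRITE"},
}


def role_module(request, subject, target):
    rights = ROLE_RIGHTS.get((subject["role"], target["type"]), set())
    return Decision.GRANTED if request in rights else Decision.NOT_GRANTED


def mac_module(request, subject, target):
    # Confidentiality levels: no read up, no write down.
    if request == "READ" and subject["level"] < target["level"]:
        return Decision.NOT_GRANTED
    if request == "WRITE" and subject["level"] > target["level"]:
        return Decision.NOT_GRANTED
    return Decision.GRANTED


def privacy_module(request, subject, target):
    # Uses an additional, module-private attribute ("personal_data") as the
    # RSBAC text describes for the PM; other targets are none of its business.
    if not target.get("personal_data"):
        return Decision.DO_NOT_CARE
    same_purpose = subject.get("purpose") == target.get("purpose")
    return Decision.GRANTED if same_purpose else Decision.NOT_GRANTED


ACTIVE_MODULES = [role_module, mac_module, privacy_module]


def central_decision(request, subject, target, modules=ACTIVE_MODULES):
    """Poll every active module and combine (assumed rule: one veto denies)."""
    results = [module(request, subject, target) for module in modules]
    if Decision.NOT_GRANTED in results:
        return Decision.NOT_GRANTED
    if Decision.GRANTED in results:
        return Decision.GRANTED
    return Decision.DO_NOT_CARE  # no module had an opinion


def enforce(request, subject, target):
    """The system-call extension: perform the access only on a GRANTED result."""
    return central_decision(request, subject, target) is Decision.GRANTED


# --- constructed sample subjects and targets ---
ADMIN = {"role": "admin", "level": 2, "purpose": "ops"}
USER = {"role": "user", "level": 1, "purpose": "research"}
SYSTEM_FILE = {"type": "system_file", "level": 2}
BILLING_RECORD = {"type": "user_file", "level": 1,
                  "personal_data": True, "purpose": "billing"}

if __name__ == "__main__":
    print("admin READ system file :", enforce("READ", ADMIN, SYSTEM_FILE))
    print("user  READ system file :", enforce("READ", USER, SYSTEM_FILE))
    print("user  WRITE billing rec:", enforce("WRITE", USER, BILLING_RECORD))
```

The second and third calls show why the combination step matters: the role module grants the user's read of the system file, but the MAC module's veto wins; and the user's write to the billing record passes both role and MAC checks yet is refused by the privacy module on its own purpose-binding attribute.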

Security Components

  • SELinux - This provides an implementation of Flask (the Flux Advanced Security Kernel) for Linux. SELinux started as a kernel patch which was presented by the NSA to kernel developers during the 2001 kernel summit. Feedback from this presentation started the LSM project, and the SELinux project helped define large parts of the LSM interface.
  • AppArmor - AppArmor is an application security tool designed to provide an easy-to-use security framework for your applications.
  • The Linux Intrusion Defence System (LIDS) is a kernel patch and admin tools which enhance the kernel's security by implementing Mandatory Access Control (MAC). When it is in effect, chosen file accesses, all system network administration operations, any capability use, and raw device, memory, and I/O access can be made impossible even for root. You can define which programs can access specific files. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS has two version trees, 1.2 and 2.2. LIDS 2.2 supports kernel 2.6. LIDS 1.2 supports kernel 2.4 and provides new functions, Trusted Path Execution (TPE) and Trusted Domain Enforcement (TDE). These are useful for creating a sandbox. LIDS is released under the GPL.
  • Umbrella for handhelds implements a combination of process based mandatory access control (MAC) and authentication of files for Linux on top of the Linux Security Modules framework. The MAC scheme is enforced by a set of restrictions for each process.
    • Restrictions of resources
    • Restrictions of access to network interfaces
    • Restrictions on process creation and signaling
    • Signed files
  • LOMAC is a dynamically-loadable security module for free UNIX kernels that uses Low Water-Mark Mandatory Access Control (MAC) to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised network server daemons. LOMAC is designed for compatibility and ease of use - to be a form of MAC typical users can live with.
LOMAC implements a simple form of MAC integrity protection based on Biba's Low Water-Mark model in a Loadable Kernel Module (LKM). It provides useful integrity protection against viruses, Trojan horses, malicious remote users, and compromised network servers without any modifications to the kernel, applications, or their existing configurations. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers, or other software present on the system. LOMAC may be used to harden currently-deployed systems simply by loading the LKM into the kernel shortly after boot time.
  • The Enforcer is a Linux Security Module designed to improve integrity of a computer running Linux by ensuring no tampering of the filesystem. It can interact with TCPA hardware to provide higher levels of assurance for software and sensitive data.
  • Janus is a security tool for sandboxing untrusted applications within a restricted execution environment. This can be used to limit the harm that can be caused by any successful compromise of the application. We have successfully used Janus to jail Apache, bind, and other programs within a limited sandbox without disturbing application behavior, and we continue to seek experience with using this approach in production environments.
  • Domain and Type Enforcement (DTE) is a mandatory access control system which assigns types to files and domains to processes. Access from domains to other domains and from domains to types is enforced according to the DTE policy. The first implementation of this project closely followed the description by TIS in the papers titled A Domain and Type Enforcement Prototype and Confining Root Programs with Domain and Type Enforcement.
  • ACL support for Linux kernel - This Linux kernel patch / user-space code combination allows the Linux kernel to support full access control lists (ACLs).
It offers among many other features:
    • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
    • Change root (chroot) hardening
    • /tmp race prevention
    • Extensive auditing
    • Prevention of entire classes of exploits related to address space bugs (from the PaX project)
    • Additional randomness in the TCP/IP stack
    • A restriction that allows a user to only view his/her processes
    • Every security alert or audit contains the IP address of the person that caused the event
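The LOMAC entry above describes Biba's Low Water-Mark model in one sentence; the rule it relies on is easier to see executed. The following is an added example for this page, not LOMAC's code: subjects and objects carry an integrity level, a subject that reads lower-integrity data is demoted to that level (the "low water mark"), and a write succeeds only if the subject's current level is at least the object's. The two levels, file names and the daemon are constructed sample data chosen to mirror the compromised-network-server case the text mentions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1   # e.g. data arriving from the network or untrusted users
    HIGH = 2  # e.g. system binaries and configuration


@dataclass
class Obj:
    name: str
    level: Level


@dataclass
class Subject:
    name: str
    level: Level
    log: list = field(default_factory=list)

    def read(self, obj: Obj) -> bool:
        """Reads are never blocked, but reading down lowers the subject's level."""
        if obj.level < self.level:
            self.log.append(f"{self.name}: demoted {self.level.name} -> "
                            f"{obj.level.name} after reading {obj.name}")
            self.level = obj.level
        return True

    def write(self, obj: Obj) -> bool:
        """Writes are allowed only if the subject is at least as trusted as the object."""
        if self.level < obj.level:
            self.log.append(f"{self.name}: DENIED write to {obj.name} "
                            f"({self.level.name} < {obj.level.name})")
            return False
        self.log.append(f"{self.name}: write to {obj.name} allowed")
        return True


def network_daemon_scenario():
    """A daemon starts HIGH, consumes LOW network input, then tries to alter a HIGH file."""
    config = Obj("/etc/passwd", Level.HIGH)           # constructed sample objects
    request = Obj("socket:client-request", Level.LOW)
    daemon = Subject("httpd", Level.HIGH)             # constructed sample subject

    before = daemon.write(config)   # still HIGH: allowed
    daemon.read(request)            # touches LOW data: demoted to LOW
    after = daemon.write(config)    # now LOW: denied
    return before, daemon.level, after, daemon.log


if __name__ == "__main__":
    before, level, after, log = network_daemon_scenario()
    for line in log:
        print(line)
```

Nothing about the daemon's code or configuration changed; the protection comes entirely from tracking what the process has consumed, which is why the text can claim LOMAC hardens a running system without modifying applications. The cost is visible too: once demoted, the daemon stays LOW for its lifetime, so legitimate writes to HIGH objects after the first untrusted read also fail.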

Security features

Other Resources

Security Activities

Mailing lists


Security Articles