Security

This page has information about Security technologies for Embedded Linux.

Technology/Project pages

 * Security Hardware Resources: Security Hardware Resources
 * Bootloader Security Resources: Bootloader Security Resources

Documents

 * CELF 1.0 Security Specification: Security Spec_R2

Key Requirements and the Related Technologies
Where the technologies are defined as follows:
 * 1) Umbrella
 * 2) Linux Security Module (LSM) framework
 * 3) PAX patch – (currently x86 only)
 * 4) LOMAC
 * 5) LIDS
 * 6) Netfilter
 * 7) digsig/bsign/elfsig
 * 8) Trusted Computing Group (TCG)
 * 9) TPE (included with LIDS)
 * 10) PRAMFS
 * 11) ACL file system extensions
 * 12) Posix capabilities associated with files

Of the listed technologies the CELF Security Working Group is studying or supporting the following:
 * Umbrella
 * PAX - only monitor for now
 * LIDS
 * Signed Binaries
 * Dig Sig (part of DSI project at http://disec.sourceforge.net/)
 * Bsign (a Debian project at http://packages.debian.org/unstable/admin/bsign.html)
 * ELFSig (need a reference for this)
 * Linux API for TCG - pending CELF NPO status and liaison discussions
 * TPE - as a part of LIDS
 * ACL file system extensions - for those that CELF needs (PRAMFS, JFFS2). Also follow LKLM discussions and maybe do implementations
 * POSIX capabilities associated with files

Security Frameworks

 * The Linux Security Modules (LSM) project provides a lightweight, general-purpose framework for access control. Contemporary computing environments are increasingly hostile. Adding enhanced access control models to the kernel improves host security and can help a server survive malicious attacks. Security research has provided many types of enhanced access controls effective for different environments. The LSM framework allows access control models to be implemented as loadable kernel modules.


 * Medusa DS9 Security Project is a project to enhance the security of Linux kernel, which implements the ZP Security Framework. The main goal of a project is to implement a framework for implementation of any security model (unlike other secure Linux kernel projects).
 * Medusa DS9 is used to increase Linux's security. It consists of two major parts, Linux kernel changes and the user-space daemon. Kernel changes do the monitoring of syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel using the character device to send and receive packets. It contains the whole logic and implements the concrete security policy. That means that Medusa can implement any model of data protection; it depends only on configuration file, which is in fact a program in the internal programming language, somewhat similar to C.


 * Rule Set Based Access Control (RSBAC) is a flexible, powerful and fast open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). All development is independent of governments and big companies, and no existing access control code has been reused.


 * The standard package includes a range of access control models like MAC, RC, ACL (see below). Furthermore, the runtime registration facility (REG) makes it easy to implement your own access control model as a kernel module and get it registered at runtime.


 * The RSBAC framework is based on the Generalized Framework for Access Control (GFAC) by Abrams and La Padula. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.


 * Decisions are based on the type of access (request type), the access target and on the values of attributes attached to the subject calling and to the target to be accessed. Additional independent attributes can be used by individual modules, e.g. the privacy module (PM). All attributes are stored in fully protected directories, one on each mounted device. Thus changes to attributes require special system calls provided.


 * TrustedBSD MAC Framework - Mandatory access controls extend discretionary access controls by allowing administrators to enforce additional security for all subjects (e.g. processes or sockets) and objects (e.g. sockets, file system objects, sysctl nodes) in the system. Development of those new access control models is facilitated by the development of a flexible kernel access control extension framework, the TrustedBSD MAC Framework. This permits new access control models to be introduced as kernel modules.


 * Trusted Computing Group (TCG) - TCG defines a security architecture based on the hardware-based root of trust. This is a cost effective solution to establish Trusted Computing on various platforms. For some introductory information see Seiji Munetoh and Nicholas Szeto's presentation, TCGOverviewPDF, on the Tech Conference2005Docs page. The Trusted Platform Module (TPM) is a security chip bound to the platform and a key component of this architecture. TCG has a Mobile Phone WG which has released a use cases document that is applicable to many generic CE devices in addition to the mobile phone -- MPWG User Cases

Security Components

 * SELinux -- Security Enhanced Linux - This provides an implementation of the Flask Flux Advanced Security Kernel for Linux. SELinux started as a kernel patch which was presented by the NSA to kernel developers during the 2001 kernel summit. Feeback from this presentation started the LSM project, and the SELinux project helped define large parts of the LSM interface


 * Apparmor - Apparmor is an application security tool designed to provide an easy-to-use security framework for your applications.


 * The Linux Intrusion Defence System (LIDS) is a kernel patch and admin tools which enhances the kernel's security by implementing Mandatory Access Control (MAC). When it is in effect, chosen file access, all system network administration operations, any capability use, raw device, memory, and I/O access can be made impossible even for root. You can define which programs can access specific files. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS has two version trees, 1.2 and 2.2. LIDS 2.2 supports kernel 2.6. LIDS 1.2 supports kernel 2.4 and it provides new functions, Trusted Path Execution(TPE) and Trusted Domain Enforcement(TDE). These are useful to create a sandbox. LIDS is released under GPL.


 * TOMOYO Linux is a technology to improve Linux's security originally developed by NTT DATA CORPORATION, Japan. TOMOYO Linux was released on November, 11, 2005 as an open source software under the GPL. TOMOYO Linux is a mechanism called Secure OS, which can perform fine grained access control by breaking access permissions into parts like SELinux.


 * Umbrella for handhelds implements a combination of process based mandatory access control (MAC) and authentication of files for Linux on top of the Linux Security Modules framework. The MAC scheme is enforced by a set of restrictions for each process.
 * Restrictions of resources
 * Restrictions of access to network interfaces
 * Restrictions on process creation and signaling
 * Signed files


 * LOMAC is a dynamically-loadable security module for Free UNIX kernels that uses Low Water-Mark Mandatory Access Control (MAC) to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised network server daemons. LOMAC is designed for compatibility and ease of use - to be a form of MAC typical users can live with.


 * LOMAC is an attempt to produce a form of MAC integrity protection that typical users can live with. LOMAC implements a simple form of MAC integrity protection based on Biba's Low Water-Mark model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity protection against viruses, Trojan horses, malicious remote users, and compromised network servers without any modifications to the kernel, applications, or their existing configurations. LOMAC is designed to be easy to use. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers, or other software present on the system. LOMAC may be used to harden currently-deployed systems simply by loading the LKM into the kernel shortly after boot time.


 * The Enforcer is a Linux Security Module designed to improve integrity of a computer running Linux by ensuring no tampering of the filesystem. It can interact with TCPA hardware to provide higher levels of assurance for software and sensitive data.


 * Janus is a security tool for sandboxing untrusted applications within a restricted execution environment. This can be used to limit the harm that can be caused by any successful compromise of the application. We have successfully used Janus to jail Apache, bind, and other programs within a limited sandbox without disturbing application behavior, and we continue to seek experience with using this approach in production environments.


 * Domain and Type Enforcement (DTE) is a mandatory access control system which assigns types to files and domains to processes. Access from domains to other domains and from domains to types is enforced according to the DTE policy. The first implementation of this project closely followed the description by TIS in the papers titled A Domain and Type Enforcement Prototype and Confining Root Programs with Domain and Type Enforcement.


 * The Realtime Linux Security Module (LSM) is a loadable extension for Linux 2.6 kernels. It selectively grants realtime permissions to specific user groups or applications.


 * ACL support for Linux kernel - This linux kernel patch / user code combination allows supporting full access control lists (ACLs) for the Linux kernel.


 * http://www.hu.grsecurity.net/ grsecurity (mirrors, original site was here) - is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.


 * It offers among many other features:


 * An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
 * Change root (chroot) hardening
 * /tmp race prevention
 * Extensive auditing
 * Prevention of entire classes of exploits related to address space bugs (from the PaX project)
 * Additional randomness in the TCP/IP stack
 * A restriction that allows a user to only view his/her processes
 * Every security alert or audit contains the IP address of the person that caused the event

Security features

 * NX patch - recent patch for kernel to prohibit execution of code on stack segment LKML discussion about NX patch

Other Resources

 * Trusted Boot
 * Security Hardware Resources -- http://tree.celinuxforum.org/Celf Pub Wiki/Security Hardware Resources
 * Bootloader Security Resources -- http://tree.celinuxforum.org/Celf Pub Wiki/Bootloader Security Resources

Security Activities

 * Trusted Computing Group
 * Linux Security Modules

Mailing lists

 * Linux Security Modules

Conferences

 * Usenix Security Symposium July 31 - August 4, 2006
 * proceedings
 * Ottawa Linux Symposium (OLS) July 19 - 22, 2006 http://www.linuxsymposium.org/2006
 * OLS Proceedings

Security Articles

 * The Linux Journal Aug 2003
 * ARM's Trust Zone for Security
 * TPM-based Linux Run-time Attestation

Papers

 * Experimenting with TCPA/TCG Hardware
 * A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention
 * Sample and Opensource code
 * A sample GPL TCPA Linux driver for Red Hat 8
 * Linux TPM Device Driver
 * TCG Software Stack (TSS) for Linux
 * A NetBSD driver and some useful links can be found at Rick Wash's Trusted Computingpage.