CELF Japan Technical Jamboree #11, 2006/10/27
Introducing Secure OS into Embedded System
Keijiro Yano, TOSHIBA Corp.
[translated by ikoma]

---------------------------- = ----------------------------
Slide 2: Contents

* What is Secure OS?
* What Secure OSes are available on Linux?
* Which are handy to evaluate?
* SE Linux vs. LIDS
  - Installation Requirement
  - Security Features
  - Memory Footprint
  - Bootup Time
* Issues?
* To Do

---------------------------- = ----------------------------
Slide 3: What is Secure OS?

* An OS with stronger access control functions, to enhance resistance against intrusion attacks.
  To avoid root compromise:
  - Introduces MAC (mandatory access control) to control the access of all users
  - Introduces access control per process, to control the access of all processes whatever their authority
  - Controls privilege escalation so that unnecessary privilege is not granted
  Even if exploited, it tries to minimize the damage

---------------------------- = ----------------------------
Slide 4: Secure OSes for Linux

* SE Linux
  - Primarily developed by the US NSA (National Security Agency)
  - Linux kernel security extension module using LSM (Linux Security Module)
  - Integrated into the Linux 2.6 series by default
* LIDS (Linux Intrusion Detection System)
  - First version released by Xie Huagang and Philippe Biondi on October 15, 1999
  - Linux kernel security extension module using LSM (Linux Security Module)
  - Released as patches for the Linux kernel 2.4 series and 2.6 series respectively

---------------------------- = ----------------------------
Slide 5: Secure OSes for Linux

* AppArmor
  - Primarily developed by Novell. First released January 2006 under GPL.
  - Linux kernel security extension module using LSM (Linux Security Module)
  - Currently released in the form of patches
* TOMOYO Linux
  - Primarily developed by NTT Data. First released in November 2005 under GPL.
  - Released as patches to each version of the Linux kernel; does not use LSM
* Umbrella
  - Security module designed for CE devices such as PDAs. GPL licensed.
  - Linux kernel security extension module using LSM (Linux Security Module)
* LOMAC

---------------------------- = ----------------------------
Slide 6: SE Linux vs. LIDS

* Criteria to select evaluation targets
  - Should work with Linux kernel 2.6.10
  - If patches are necessary, they should be easy to apply
  - Documents describing usage etc. should be widely available
  => SE Linux vs. LIDS
  -> Used SE Linux as included in kernel 2.6.10
  -> Used LIDS 2.2.1 (released 8/30/2005); the latest release is LIDS 2.2.2

---------------------------- = ----------------------------
Slide 7: References

* Results of the Linux Consortium Security WG, "Evaluation Items of Secure OSes" (Ver. 1.0)
  http://www.linuxcons.gr.jp/pdf/sec04_output.pdf [in Japanese]

---------------------------- = ----------------------------
Slide 8: Functional Comparison for Embedded Usage (SE Linux vs. LIDS)

* Installation Requirement
* Security Features
* Memory Footprint
* Bootup Time

---------------------------- = ----------------------------
Slide 9: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Installation Requirement -

+-----------------------+-----------------------+---------------+
|                       | SE Linux              | LIDS          |
+-----------------------+-----------------------+---------------+
| Kernel version        | 2.6                   | 2.4 / 2.6     |
| CPU architecture      | independent           | independent   |
| Filesystem dependency | must support xattr *1 | not dependent |
| BusyBox extension     | required *2           | not required  |
| Special library       | required *3           | not required  |
+-----------------------+-----------------------+---------------+

*1: SE Linux saves its security setting information in extended attributes, so the filesystem must provide an area for them (we added one). Cramfs, which we use as the root filesystem for embedded usage, does not support this.
*2: BusyBox is a single program providing the functions of the basic Linux commands, widely used on embedded systems. SE Linux obtains security information even for a basic command, so an extension to support this is required.
*3: To control extended attributes, a special library is required. Usually it is not necessary to link this library to your program.

---------------------------- = ----------------------------
Slide 10: Issues on Filesystems

* To use SE Linux, cramfs must be extended.
  > On cramfs, no area is allocated to save xattr information.
  -> Implemented an extension to save xattr information. Note that the xattr information must be written to cramfs after boot-up.
* On LIDS, care must be taken with inode numbers.
  > LIDS maintains security information per inode number. As cramfs assigns inode numbers based on file size, once the security setting file is modified, the inode numbers may change.
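Why keying security settings on inode numbers is brittle, shown with an added example that is neither from the deck nor LIDS code. It constructs a BusyBox-like layout (one real program file, with applet names as symbolic links to it) in a temporary directory that is assumed to be writable, then counts how many distinct policy keys the applets yield. When the lookup normalizes the path the way the deck says LIDS does (stat() follows the link), every applet collapses to the inode of the single binary and separate per-command rules cannot be expressed, which is the link problem slide 12 describes; keying on the link's own inode (lstat()) keeps them apart. The applet names, the /tmp location and the function names are assumptions made for the example; the cramfs inode renumbering itself cannot be reproduced without cramfs and is not shown.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed BusyBox-like layout: one real program file and applet names that
 * are symbolic links to it, as on the evaluation system in the slides. */
static const char *const applets[] = { "busybox", "ls", "cat" };
#define NAPPLETS (sizeof applets / sizeof applets[0])

static void applet_path(char *out, size_t outsz, const char *dir, size_t i)
{
    snprintf(out, outsz, "%s/%s", dir, applets[i]);
}

static void remove_layout(const char *dir)
{
    char path[512];
    for (size_t i = 0; i < NAPPLETS; i++) {
        applet_path(path, sizeof path, dir, i);
        unlink(path);
    }
    rmdir(dir);
}

/* Create <dir>/busybox plus the symlinks in a fresh temp dir. 0 on success. */
static int make_layout(char *dir, size_t dirsz)
{
    char tmpl[] = "/tmp/inode_key_demo_XXXXXX";   /* assumed writable location */
    char path[512];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(dir, dirsz, "%s", tmpl);
    applet_path(path, sizeof path, dir, 0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\n", 10) != 10) {
        if (fd >= 0) close(fd);
        remove_layout(dir);
        return -1;
    }
    close(fd);
    for (size_t i = 1; i < NAPPLETS; i++) {          /* every other applet is a link */
        applet_path(path, sizeof path, dir, i);
        if (symlink(applets[0], path) != 0) { remove_layout(dir); return -1; }
    }
    return 0;
}

/* Policy key for one applet. follow_links != 0 models a lookup that normalizes
 * the path first (stat() follows the link, so the key is the target's inode);
 * follow_links == 0 keys on the link's own inode (lstat()). 0 on error. */
static ino_t policy_key(const char *path, int follow_links)
{
    struct stat st;
    int rc = follow_links ? stat(path, &st) : lstat(path, &st);
    return rc == 0 ? st.st_ino : 0;
}

/* How many distinct keys the applets yield, i.e. how many separate per-command
 * rules an inode-keyed policy can actually express for them. -1 on error. */
int count_distinct_keys(int follow_links)
{
    char dir[256], path[512];
    ino_t keys[NAPPLETS];
    int n = 0;
    if (make_layout(dir, sizeof dir) != 0) return -1;
    for (size_t i = 0; i < NAPPLETS; i++) {
        applet_path(path, sizeof path, dir, i);
        ino_t k = policy_key(path, follow_links);
        if (k == 0) { remove_layout(dir); return -1; }
        int seen = 0;
        for (int j = 0; j < n; j++) seen |= (keys[j] == k);
        if (!seen) keys[n++] = k;
    }
    remove_layout(dir);
    return n;
}

int main(void)
{
    printf("distinct keys, path normalized (target inode): %d\n", count_distinct_keys(1));
    printf("distinct keys, link inode (lstat)            : %d\n", count_distinct_keys(0));
    return 0;
}
```

With three applet names the normalized lookup yields one key and the link-inode lookup yields three; a policy store that resolves links before keying can therefore hold at most one rule for the whole BusyBox binary, however many commands it provides.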
  *** Reassigning inode numbers would be desirable, but doing so changes the size of the security setting file, and ...
      Our evaluation system requires cramfs! ***

---------------------------- = ----------------------------
Slide 11: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Security Features -

+-----------------------------------------------+------------------------------------------+---------------------------------------+
|                                               | SE Linux                                 | LIDS                                  |
+-----------------------------------------------+------------------------------------------+---------------------------------------+
| granularity of access control                 | can set 210 access vectors in total for  | can set 4 types of access control for |
|                                               | 52 object classes                        | files/directories; 31 for processes   |
| access control for files/directories          | yes                                      | yes                                   |
| access control for links                      | yes                                      | no                                    |
| access control for special files              | yes                                      | partially                             |
| access control for pipes                      | yes                                      | partially                             |
| access control for interprocess communication | yes                                      | partially                             |
| access control for kernel log                 | yes                                      | partially                             |
| load/unload control for kernel modules        | yes                                      | yes                                   |
| access control per process                    | yes                                      | partially                             |
| access control per user                       | yes                                      | no                                    |
+-----------------------------------------------+------------------------------------------+---------------------------------------+

---------------------------- = ----------------------------
Slide 12: Issues of LIDS for Embedded Systems - Security Features -

* Access control for links is not supported
  This is because LIDS obtains the inode number from the normalized file name and saves security settings per inode number. Each command supported by BusyBox is provided as a symbolic link.
  -> Unable to set security for individual commands
* Access control for special files is partially impossible
  cramfs assigns the same inode number to special files
  -> Unable to set security individually for special files
* Insufficient support of access control for interprocess communications
  Only the levels configurable with the capabilities used in standard Linux, and protection from signals, are supported.

---------------------------- = ----------------------------
Slide 13: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Bootup Time Increase -

+----------+---------------+---------------+
|          | Boot Time 1   | Boot Time 2   |
+----------+---------------+---------------+
| SE Linux | 6.153 msec    | 914.642 msec  |
| LIDS     | 29.555 msec   | 129.261 msec  |
+----------+---------------+---------------+

* Boot Time 1: difference between the boot-up time of the Linux kernel without the secure OS and with the secure OS
* Boot Time 2: time necessary to read in the security setting information and apply it

*** For these measurements we built almost equivalent security setting files for the two secure OSes, and measured. ***

---------------------------- = ----------------------------
Slide 14: Issues on Bootup Time

* On Boot Time 1 (kernel boot-up time)
  - The measured time for LIDS includes the time to read the security setting file (BOOT state). To read the security setting file, it reads the file into a fixed-length buffer, repeating "extend the buffer and reread if the buffer size is insufficient", which is inefficient.
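The read pattern just described, beside the size-information fix the deck reports on slide 18, as an added example that is neither LIDS code nor the authors' patch. The on-disk layout (a 4-byte little-endian entry count followed by three 32-bit words per entry), the 64-byte initial buffer, the 4096-entry worst-case global table and the 100-entry sample policy are all constructed assumptions for the example; the ACL file is held in memory so it runs offline, and the stand-in read routine counts the bytes transferred so the cost of each strategy can be compared.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, hypothetical ACL file layout (not the real LIDS format): a 4-byte
 * little-endian entry count, then entries of three 32-bit words each
 * (subject inode, object inode, permission bits). */
#define WORDS_PER_ENTRY 3u
#define HDR_LEN 4u      /* the "size information" slide 18 adds when the file is created */
#define ACL_MAX 4096u   /* assumed worst-case capacity of the original global table */

/* Original layout: a global table sized for the worst case; all of it is charged
 * to bss whether the policy holds 10 entries or 4000. */
static uint32_t acl_table[ACL_MAX * WORDS_PER_ENTRY];

/* In-memory stand-in for the ACL file so the example runs offline; read_at()
 * plays the kernel's file read and accounts the bytes it copies. */
struct fake_file { const uint8_t *data; size_t len; size_t bytes_read; };

static size_t read_at(struct fake_file *f, size_t off, void *buf, size_t n) {
    if (off >= f->len) return 0;
    if (n > f->len - off) n = f->len - off;
    memcpy(buf, f->data + off, n);
    f->bytes_read += n;
    return n;
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void decode_words(const uint8_t *p, uint32_t *out, size_t nwords) {
    for (size_t i = 0; i < nwords; i++) out[i] = get_le32(p + 4 * i);
}

/* Serialize count header + words. Caller frees. */
static uint8_t *build_acl_file(const uint32_t *words, uint32_t count, size_t *len) {
    size_t nwords = (size_t)count * WORDS_PER_ENTRY;
    *len = HDR_LEN + nwords * 4;
    uint8_t *buf = malloc(*len);
    if (!buf) return NULL;
    put_le32(buf, count);
    for (size_t i = 0; i < nwords; i++) put_le32(buf + HDR_LEN + 4 * i, words[i]);
    return buf;
}

/* The pattern slide 14 describes: read from offset 0 into a fixed buffer and, if
 * the file did not fit, enlarge the buffer and read the whole file again.
 * Entries land in the static table. Returns the entry count, 0 on error. */
static uint32_t load_reread_into_static(struct fake_file *f) {
    size_t cap = 64, got;                              /* assumed initial buffer size */
    uint8_t *buf = malloc(cap), *nb;
    if (!buf) return 0;
    while ((got = read_at(f, 0, buf, cap)) == cap) {   /* did not fit: start over */
        cap *= 2;
        if (!(nb = realloc(buf, cap))) { free(buf); return 0; }
        buf = nb;
    }
    uint32_t count = got >= HDR_LEN ? get_le32(buf) : 0;
    size_t body = (size_t)count * WORDS_PER_ENTRY * 4;
    if (count == 0 || count > ACL_MAX || got < HDR_LEN + body) { free(buf); return 0; }
    decode_words(buf + HDR_LEN, acl_table, body / 4);
    free(buf);
    return count;
}

/* The fix slide 18 reports: read the count first, allocate exactly that many
 * entries, read the body once; nothing is reserved in bss. Caller frees *out. */
static uint32_t load_sized_into_heap(struct fake_file *f, uint32_t **out) {
    uint8_t hdr[HDR_LEN];
    *out = NULL;
    if (read_at(f, 0, hdr, HDR_LEN) != HDR_LEN) return 0;
    uint32_t count = get_le32(hdr);
    size_t body = (size_t)count * WORDS_PER_ENTRY * 4;
    if (count == 0) return 0;
    uint8_t *buf = malloc(body);
    uint32_t *tbl = malloc(body);                      /* exactly what this policy needs */
    if (!buf || !tbl || read_at(f, HDR_LEN, buf, body) != body) { free(buf); free(tbl); return 0; }
    decode_words(buf, tbl, body / 4);
    free(buf);
    *out = tbl;
    return count;
}

#define SAMPLE_ENTRIES 100u   /* constructed sample policy size */

/* Build the sample policy, load it with one method and return the bytes the
 * loader pulled from the file; 0 if loading failed or the entries came back wrong. */
size_t demo_bytes_read(int use_sized_loader) {
    uint32_t src[SAMPLE_ENTRIES * WORDS_PER_ENTRY], *heap = NULL;
    for (uint32_t i = 0; i < SAMPLE_ENTRIES; i++) {    /* constructed sample values */
        src[3 * i] = 1000 + i; src[3 * i + 1] = 2000 + i; src[3 * i + 2] = i & 7;
    }
    size_t len;
    uint8_t *data = build_acl_file(src, SAMPLE_ENTRIES, &len);
    if (!data) return 0;
    struct fake_file f = { data, len, 0 };
    uint32_t n = use_sized_loader ? load_sized_into_heap(&f, &heap) : load_reread_into_static(&f);
    const uint32_t *got = use_sized_loader ? heap : acl_table;
    int ok = n == SAMPLE_ENTRIES && memcmp(got, src, sizeof src) == 0;
    free(heap);
    free(data);
    return ok ? f.bytes_read : 0;
}

/* Bytes the original layout reserves in bss for the worst case. */
size_t static_table_bytes(void) { return sizeof acl_table; }
```

With the 100-entry sample (a 1,204-byte file) the reread loop transfers 3,188 bytes over six reads before the file fits, where the sized loader transfers 1,204 bytes in two reads; and the static table charges 49,152 bytes to bss no matter how small the policy is, which is the same effect the deck measures as +1,785,856 bytes of bss for unmodified LIDS.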
  - SE Linux just initializes (registers with LSM) here; it reads the security settings and applies them later, during Boot Time 2 (in /sbin/init).

---------------------------- = ----------------------------
Slide 15: Issues on Bootup Time

* On Boot Time 2 (time to set security)
  - Heavily dependent on the security settings
    Security setting of LIDS: everything is accessible in principle, unless stated otherwise
    Security setting of SE Linux: everything is inaccessible in principle, unless stated otherwise
    => In this measurement we set the security so that all basic shell commands are usable, so the policy of SE Linux becomes larger than that of LIDS.

---------------------------- = ----------------------------
Slide 16: Issues on Bootup Time

* On Boot Time 2 (time to set security)
  - SE Linux
    > Includes the time to write xattrs onto cramfs, which has a large impact on boot time. In practical use, the xattrs should be included in the filesystem image.
    -> Improvement would require heavy modification, including changes to mkcramfs, inode extension, etc.
  - LIDS
    > Includes the time to transit to the POSTBOOT state, which reads the security setting file again.
  On both SE Linux and LIDS, security checks start for the system calls executed in /sbin/init, and this overhead affects boot-up time.

---------------------------- = ----------------------------
Slide 17: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Memory Footprint -

* Increase of kernel size

+---------------+----------+----------+------------+------------+
|               | text     | data     | bss        | Total      |
+---------------+----------+----------+------------+------------+
| SE Linux      | +101,907 | +8,212   | +4,096     | +114,215   |
| LIDS          | +38,960  | +12,312  | +1,785,856 | +1,837,128 |
+---------------+----------+----------+------------+------------+
unit: bytes

* Increase of memory usage just after boot-up

+---------------+------------------+-------------+
|               | available memory | free memory |
+---------------+------------------+-------------+
| SE Linux      | -264 KB          | -1,576 KB   |
| LIDS          | -2,780 KB        | -3,220 KB   |
+---------------+------------------+-------------+

With the filesystem image, including the security setting file, placed in memory, we built almost equivalent security settings and measured.

---------------------------- = ----------------------------
Slide 18: Issues of LIDS for Embedded Systems - Memory Footprint -

* The increase of bss in the kernel size is very large.
  This is because LIDS holds the security setting information in a large array declared as a global variable. This seems too large for embedded systems, so we tried the following improvement:
  - Added size information when the ACL file is created
  - When the kernel reads the ACL file, it refers to the size information, allocates memory as necessary, and saves the ACL information there
  With the above modification:
  - the bss increase becomes 0
  - boot-up time is reduced by 20 msec

---------------------------- = ----------------------------
Slide 19: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Bootup Time after LIDS modified -

+---------------+---------------+---------------+
|               | Boot Time 1   | Boot Time 2   |
+---------------+---------------+---------------+
| SE Linux      | 6.153 msec    | 914.642 msec  |
| LIDS          | 29.555 msec   | 129.261 msec  |
| LIDS modified | 5.983 msec    | 131.292 msec  |
+---------------+---------------+---------------+

* Boot Time 1: difference between the boot-up time of the Linux kernel without the secure OS and with the secure OS
* Boot Time 2: time necessary to read in the security setting information and apply it

*** For these measurements we built almost equivalent security setting files for the two secure OSes, and measured. ***

---------------------------- = ----------------------------
Slide 20: Functional Comparison for Embedded Usage (SE Linux vs. LIDS) - Memory Footprint after LIDS modified -

* Increase of kernel size

+---------------+----------+----------+------------+------------+
|               | text     | data     | bss        | Total      |
+---------------+----------+----------+------------+------------+
| SE Linux      | +101,907 | +8,212   | +4,096     | +114,215   |
| LIDS          | +38,960  | +12,312  | +1,785,856 | +1,837,128 |
| LIDS modified | +42,620  | +24,600  | 0          | +67,220    |
+---------------+----------+----------+------------+------------+
unit: bytes

* Increase of memory usage just after boot-up

+---------------+------------------+-------------+
|               | available memory | free memory |
+---------------+------------------+-------------+
| SE Linux      | -264 KB          | -1,576 KB   |
| LIDS          | -2,780 KB        | -3,220 KB   |
| LIDS modified | -1,048 KB        | -1,240 KB   |
+---------------+------------------+-------------+

---------------------------- = ----------------------------
Slide 21: Summary

* For embedded systems, many products with network connectivity are now being developed, and interest in security is growing.
* We installed two well-known secure operating systems for Linux, SE Linux and LIDS, on an embedded evaluation system, and studied and compared their requirements and security setting features on a target machine.
* We also measured the change in boot-up time and memory usage on the evaluation system.

---------------------------- = ----------------------------
Slide 22: Summary

* Comparing SE Linux and LIDS:
  - For installation ...
    > LIDS is superior. For SE Linux, modification of the existing development environment is required.
  - For functions ...
    > SE Linux is superior. SE Linux has very rich features, sufficient in functions. On the other hand, it is difficult to configure as intended.
    > Although LIDS is easy to configure, its functions may be insufficient.
  - For memory usage ...
    > SE Linux is superior. LIDS uses 3 MB just for installation.
  - For performance ...
    > LIDS is superior. In SE Linux, the overhead of system calls tends to be large.

---------------------------- = ----------------------------
Slide 23: To Do

* Would like to evaluate AppArmor
  - Failed to patch it onto kernel 2.6.10 and gave up this time
  - Unlike LIDS or SE Linux, it seems possible to specify, per program, whether to enable the secure OS features, enable the learning feature, or disable the secure OS features.
  - It seems that you can write, per path name of a program file, an access control that specifies the Linux capabilities to hold and a list of path names of files to which you want to apply access control
  - The grammar of the security setting file is rather simple
  - Some criticize that control per path name is undesirable

---------------------------- = ----------------------------
Slide 24: To Do

* Need to work together with system designers and application developers. An OS-centric approach may produce meaningless features.
* Wondering how to validate
  - Intrusion evaluation tools are insufficient for verification.
  - How can functional tests of the security features be done?

---------------------------- = ----------------------------
Slide 25: END