Transcript of AppPrivs.pdf (kernsec.org › files › lss2015 › AppPrivs.pdf)
l.wojciechow@partner.samsung.com, Samsung Electronics Poland
Needs for security
Idea
Security Framework: Isolation, Setup, Run
Non trivial cases
Auditing
Containers
Summary
Q&A
2 / 38
Imagine you’ve found a super cool game
Download
Install
Run ...
4 / 38
Yes, there is some.
System resources are not available to common users
But ...
5 / 38
EMAIL
• Read, send emails
• Manage account
CAMERA
• Take photo
• Record
INTERNET
• Access some IP
• Use protocol
7 / 38
Resources
Applications
Access Control
8 / 38
Step 1. Isolation
9 / 38
Cynara
DAC Smack
10 / 38
Smack label used as application ID:
• Easy to get
• Unspoofable
• Separates applications from each other and from the system
(Diagram: Smack separating Application X, Application Y and System)
11 / 38
Floor
• RO system directories
• Kernel helpers
System
• /run, /dev, /var/log
• System services
User
• Home directories
• Launcher and user services
https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel
Domains are sets of labels with a common prefix.
12 / 38
The same application running in the context of different users is separated with the classic Linux users and groups mechanism.
13 / 38
(Diagram: Application, User, Privilege -> Cynara; Application -> Service -> Resource; System domain / User domain)
14 / 38
Step 2. Setup
15 / 38
Privileged service:
• Sets launched applications’ security context
• The only service allowed to set up security policy, for: application installation, user adding / removing, loading predefined manufacturer policy, runtime policy reconfiguration
(Diagram: Smack, DAC, Cynara)
16 / 38
Security Manager inputs (diagram):
• Application – manifest file
• User – user profile privileges
• Built-in – producer settings
• Privacy manager – user defined constraints
17 / 38
Installer:
• Unpack files to filesystem (global or for user)
Security Manager (driven by the manifest):
• Create labels for appid
• Label files
• Populate Cynara
18 / 38
Step 3. Run
19 / 38
Launcher – privileged user service (CAP_MAC_ADMIN), runs with the current user’s UID
• Forks a new process
• Sets the security context for the new process (via the SecurityManager library)
• exec() or jump to start symbol – the app is finally launched (WRT or native)
The security context is: a Smack label and a set of effective UNIX groups
The application runs with the label so it can be uniquely recognized and easily checked against Cynara policy
https://wiki.tizen.org/wiki/Multi-user_AMD
20 / 38
Cynara checks the triple (App ID, User, Privilege):
• App ID is a Smack label
• User is a UID
• Privilege is one of the privileges in TIZEN 3.0, e.g. http://tizen.org/privilege/location
https://wiki.tizen.org/wiki/Security:Tizen_3.0_Core_Privileges
Example: an application run with a proper Smack label by some user needs GPS location; the service maintaining the restricted resource (GPS, Maps) checks in Cynara if access should be granted.
21 / 38
Some resources cannot be wrapped with services (mainly because of performance)
Solution = DAC groups
Example: an application needs /dev/camera
DAC (the Linux kernel itself) checks whether the application’s process belongs to the proper group. The groups are applied on every launch of the application by the Launcher, and a Cynara check is involved.
23 / 38
Handled with Nether
Configures iptables rules:
• Mangle table rules for passing packets to user space and marking (with integer code)
• Filter table rules for auditing, accepting or rejecting
Filtered packets:
• TCP (1st packet in every connection)
• UDP
• ICMP
(Diagram: Nether service, Netfilter / iptables, Nether backend (Cynara))
24 / 38
nice-lad – Narcissistic, Incredible, Completely Exceptional Logger of Access Denials
• Audisp plugin fed with audit events
• Aggregates and filters security related events
Supported subsystems:
• DAC denial on given group
• Smack denials
• Cynara denials
• Netfilter denials (supported by Nether)
26 / 38
Vasum
27 / 38
Environment separation mechanism based on Linux Containers (LXC)
28 / 38
Security framework integrated with Provisioning mechanism
29 / 38
Capabilities CAP_MAC_ADMIN and CAP_MAC_OVERRIDE should work inside the container
Different containers shouldn't share Smack policies
30 / 38
Smack label mapping (implemented inside the Smack LSM)
The map is tied to the User namespace
The map is filled from the init ns
Processes interact with Smack normally
Only operations on labels that have been explicitly mapped are allowed
All requests to access an object with an unmapped label will be denied
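An added Python model (not Vasum or kernel code) of the label mapping just described, using Smack's built-in label semantics and a constructed rule set: the container's map translates its subject labels to host labels, and an object whose host label was never mapped is denied regardless of what the host rules would allow.

```python
"""Added model of the Smack label mapping described above: the host (init
namespace) keeps the real labels and rules, a container's user namespace sees
only labels that were explicitly mapped, and anything unmapped is denied.
Not Vasum or kernel code; rules and labels are constructed for the example."""

# Constructed Smack rules in the init namespace: (subject, object) -> access letters.
HOST_RULES = {
    ("User::App::org.example.game", "System::Shared"): "rx",
    ("User::App::org.example.game", "User::Home"): "rwx",
}

# Constructed map for one container: label seen inside the namespace -> host label.
# It is filled from the init namespace; the container cannot extend it.
CONTAINER_MAP = {
    "App::Game": "User::App::org.example.game",
    "Shared": "System::Shared",
}


def smack_access_host(subject, obj, mode, rules=HOST_RULES):
    """Smack decision for `mode` (letters from r, w, x) in the init namespace.
    Follows the kernel's hardcoded comparisons before the rule lookup; the
    "@" web label is not modelled."""
    wanted = set(mode)
    if subject == "*":
        return False                       # a star subject can access nothing
    if obj == "*":
        return True                        # a star object is open to everyone
    if subject == obj:
        return True                        # same label: any access
    if wanted <= set("rx"):
        if obj == "_":
            return True                    # floor objects are readable by all
        if subject == "^":
            return True                    # hat subjects may read anything
    return wanted <= set(rules.get((subject, obj), ""))


def smack_access_in_ns(label_map, subject_ns, obj_host, mode, rules=HOST_RULES):
    """Decision for a process inside the container.  The subject label it
    carries is translated to its host label; the object keeps its host label
    and must have a mapping too, otherwise the request is denied outright."""
    if subject_ns not in label_map:
        return False                       # unmapped subject label
    if obj_host not in label_map.values():
        return False                       # object carries an unmapped label
    return smack_access_host(label_map[subject_ns], obj_host, mode, rules)
```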
31 / 38
Isolation of applications with: DAC + Smack
Resources available through services API
Privilege control enforced in services with check in Cynara
Security policy controlled by Security Manager integrated into crucial processes:
• Installation
• Launching
• Privacy and user management
33 / 38
(Diagram: Application, Cynara, Smack, Security Manager Service, Installer, Gumd, Launcher, Privacy Manager, Resource; user domain, system domain, kernel)
34 / 38
Resources accessed directly protected by DAC groups assigned during launch
Internet privilege filtered by Nether
All security logs gathered by nice-lad
Vasum allows easy creation of separate environments
35 / 38
All modules available on both github.com and tizen.org
https://github.com/Samsung/security-manager
https://github.com/Samsung/nether
https://github.com/Samsung/nice-lad
https://github.com/Samsung/vasum
https://github.com/Samsung/cynara
36 / 38
https://lwn.net/Articles/645403/
https://lkml.org/lkml/2015/5/21/299
Łukasz Pawelczyk
Jan Olszak
40 / 38
| Process | Application state | DAC | Smack | Cynara |
|---|---|---|---|---|
| Installation | Installer unpacks files and manifest | Files are installed in proper dirs and rights are set | SM creates label for pkgid and labels files | SM populates Cynara’s database |
| Launching | Launcher spawns new process | SM sets effective groups to provide access to special files (e.g. devices) | SM sets appropriate label for new process | SM queries Cynara to check what groups should be applied |
| Runtime (1) | App requires access to some system service | | Smack label uniquely identifies application | Service acquires label of app and checks in Cynara if access should be granted |
| Runtime (2) | App requires direct access to a file or a raw device | Standard check of ownership | Standard check of access rules | |

(SM = Security Manager)
41 / 38
```xml
<policy context="default">
  <check send_destination="com.example.service" send_interface="com.example.service.interface" send_member="SetAlarm" privilege="http://tizen.org/privilege/alarm.set" />
  <check send_destination="com.example.service" send_interface="com.example.service.interface" send_member="GetAlarm" privilege="http://tizen.org/privilege/alarm.get" />
</policy>
```
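As an added example (not Cynara's or security-manager's own code), here is a Python model of how a service combines a policy file like the one above with the Cynara triple check from the Run section: the policy names the privilege each method needs, and Cynara answers for (client Smack label, user, privilege). Policy entries, Smack labels and uids are constructed, and the precedence rule is a simplification of Cynara's bucket model.

```python
"""Added model of the privilege check a Tizen 3.0 service performs: the D-Bus
policy above names the privilege each method needs, and Cynara is asked
whether (client Smack label, user, privilege) is allowed.  Not Cynara's or
security-manager's code; policy entries, labels and uids are constructed."""
import xml.etree.ElementTree as ET

ALLOW, DENY = "ALLOW", "DENY"

# Constructed Cynara-style policy: (client label, uid, privilege) -> decision.
# "*" is a wildcard in any field, as in Cynara policy entries.
POLICY = {
    ("User::App::org.example.clock", "5001", "http://tizen.org/privilege/alarm.set"): ALLOW,
    ("User::App::org.example.clock", "*", "http://tizen.org/privilege/alarm.get"): ALLOW,
    ("User::App::org.example.game", "*", "http://tizen.org/privilege/alarm.get"): DENY,
}


def cynara_check(client, user, privilege, policy=POLICY):
    """Return ALLOW or DENY for one (client, user, privilege) triple.
    Model assumptions: the most specific matching entry wins (an exact field
    beats "*"), DENY wins a tie, and no matching entry means DENY."""
    best, best_score = DENY, -1
    for (c, u, p), decision in policy.items():
        if c not in (client, "*") or u not in (user, "*") or p not in (privilege, "*"):
            continue
        score = (c != "*") + (u != "*") + (p != "*")
        if score > best_score or (score == best_score and decision == DENY):
            best, best_score = decision, score
    return best


# The policy file from the slide, embedded so the example runs offline.
DBUS_POLICY = """<policy context="default">
<check send_destination="com.example.service" send_interface="com.example.service.interface" send_member="SetAlarm" privilege="http://tizen.org/privilege/alarm.set" />
<check send_destination="com.example.service" send_interface="com.example.service.interface" send_member="GetAlarm" privilege="http://tizen.org/privilege/alarm.get" />
</policy>"""


def required_privilege(policy_xml, destination, interface, member):
    """Privilege demanded by the <check> entry matching this method call, or None."""
    for check in ET.fromstring(policy_xml).iter("check"):
        if (check.get("send_destination") == destination
                and check.get("send_interface") == interface
                and check.get("send_member") == member):
            return check.get("privilege")
    return None


def authorize_call(destination, interface, member, client_label, uid,
                   policy_xml=DBUS_POLICY, policy=POLICY):
    """Decide whether a method call from a process carrying `client_label`
    (its Smack label, taken from the socket peer) and `uid` may proceed.
    Returns (allowed, privilege_checked); privilege_checked is None when the
    method has no <check> entry, which this model treats as unprivileged."""
    priv = required_privilege(policy_xml, destination, interface, member)
    if priv is None:
        return True, None
    return cynara_check(client_label, uid, priv, policy) == ALLOW, priv
```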
42 / 38
Uses NFQUEUE Netfilter mechanism
Table mangle: Nether chain -> queue 0 (queue-bypass) -> mark (ACCEPT, DENY, ACCEPT + LOG)
Table filter: Nether-deny -> audit -> REJECT; Nether-accept+log -> audit -> ACCEPT
43 / 38
| Time* | PolKit | Cynara |
|---|---|---|
| Init + connect | 12.37 ms | 0.08 ms |
| Request + response | 3.35 ms | 0.15 ms |
| Policy check | 14.45 ms | 0.12 ms |
| Complete check | 17.80 ms | 0.27 ms |

* measured on hardware equivalent of Samsung Galaxy S3
45 / 38