Linux Security 2017 status and AppArmor info.

Kazuki Omo( 面　和毅 ): ka-omo@sios.com

Secure OSS Sig. : http://www.secureoss.jp

2

Who am I ?

- Security Researcher/Engineer (17 years)

- SELinux/MAC Evangelist (12 years)

- Antivirus Engineer (3 years)

- SIEM Engineer (3 years)

- Linux Engineer (17 years)

3

Agenda

- Current Linux Security Trend

- Update for AppArmor

Current Linux Security Status

5

Current Linux Security Status

No one is talking about these Anymore!!

In Japan OSS env...

- How to enforce user to enable SELinux/AppArmor.- Why SELinux is better than AppArmor.- Why you need to enable SELinux/AppArmor….

6

Current Typical Linux Security Projects.

- Kernel hardening

- Working with ChipSet

- MAC, Capability, SecComp.

- Userland (Container)

Chipset

8

ARM

Protect against illicit modification of pointers

9

ARM

10

AMD

Encrypt for truly separate each VMs.

11

AMD

Performance degrade is negligible.

12

AMD

Separate HostOS and GuestOS

13

TPM2 Support

Trusted Boot / Integrity Mgmt / Log for analyze

14

Current Typical Linux Security Projects.

- Kernel hardening

- Working with ChipSet

- MAC, Capability, SecComp.

- Userland (Container)

Kernel (Hardening)

16

Kernel Hardening

17

Kernel Self Protection

18

Kernel Self Protection

19

Kernel Self Protection

Discussion for Stack Clash

jump

Stack

Stack guard

20

Current Typical Linux Security Projects.

- Kernel hardening

- Working with ChipSet

- MAC, Capability, SecComp.

- Userland (Container)

Android (Environment)

22

ARM

Use Secure boot for integrity check.

23

Google

Android: default(hash for integrity check.)

24

SELinux in Android Oreo

25

SE-Android

SELinux is “already working” on Android.

Mitigating

26

SE-Android

Now they are focusing how to easy to maintain.

27

SE-Android

Now they are focusing how to easy to maintain.

28

Current Typical Linux Security Projects.

- Kernel hardening

- Working with ChipSet

- MAC, Capability, SecComp.

- Userland (Container)

MAC, Attack Surface Reducing, etc.

30

Access Control

Pre:

Docker(CentOS) → SELinux Enabled

Docker(AppArmor) → AppArmor Enabled

Disable SELinux?

Disable AppArmor?

31

Container A

Host OS

Access Control (Stackable LSM)

Container B Container C

How to Mix them. → Stackable

Container/Cloud: Host Env is given by Host-Admin.

32

Attack Surface Reducing

seccomp

System call filtering

AppArmor Updates

34

AppArmor Updates

Stacking LSM / containers

35

AppArmor Updates

Policy Namespaces & Stacking

Conclusion

37

Conclusion

- Linux Security is still growthing.

- Not so much information in Japan.

- We will keep to watching/spreading/contributing.

38

Any Questinos?

39

Thank You!!!