Transcript of: Rapid AIX Security Hardening with Trusted Execution (TE)
© 2011 Andreas Leibl, RSTC Ltd
IBM Power Systems und Systems Management Symposium 30.05. - 01.06.2011
Rapid AIX Security Hardening with Trusted Execution (TE) (German title: AIX schnell absichern mit Trusted Execution, "securing AIX quickly with Trusted Execution"). Andreas Leibl, RSTC Ltd
IBM Power Systems und Storage Symposium, 30.05.-01.06.2011 in Ulm © 2011 Andreas Leibl, RSTC Ltd
Andreas Leibl
• RSTC Ltd
• based in Bristol, UK, and Ulm, Germany
• http://www.rstc-ltd.co.uk/
• Email: [email protected]
• If you have any questions about the talk please send me an email or contact me on LinkedIn (http://www.linkedin.com/in/aleibl) or Xing (https://www.xing.com/profile/Andreas_Leibl)
Agenda
• AIX Security
• Trusted Execution (TE) & Trusted Computing Base (TCB)
• System Integrity Check
• Runtime Integrity Check
• Trusted Path
• Adding your own files
AIX & Security
• UNIX type security (accounts & permissions)
• Role Based Access Control (enhanced RBAC)
• enhanced in AIX 7.1 with Domain RBAC
• Trusted Execution (TE)
RBAC
• Role Based Access Control
• Fine-grained control
• Enforced at kernel level; applications need not be modified
• Privileges are attached to roles and to individual commands rather than to a SUID-root binary, so a faulty program or a shell escape does not hand the user full root
• Users gain privileges through roles which allow them to execute certain operations
• Superior to sudo, which still runs the delegated command with full root privileges
Domain RBAC
• RBAC enhancement in AIX 7.1
• Allows privileges to be restricted to certain objects
• Example: Right to resize filesystems can be limited to certain filesystems
Trusted Execution
• Replaces Trusted Computing Base (TCB)
• Superior capabilities
• TCB still available
Trusted Computing Base (TCB)
• Needs to be enabled at install time
• Limited to static (offline) checks (security sweeps)
• Default database quite limited (heavy use of VOLATILE keyword which effectively disables TCB checks for specified files)
• Weak, non-cryptographic checksums: low security, since a modified file can be made to keep its checksum
TE vs. TCB
• TE can be enabled at any time
• Uses cryptographically strong hashes
• Hashes can be cryptographically signed
• Runtime (online) checks in addition to static (offline) checks
TE Protection (what TE defends against)
• Trojan horses
• Root kits
• Any tampering with critical files
• Can easily be extended to include your own files
Trusted Execution Requirements
• AIX 6.1 or 7.1
• CryptoLite for C library (clic.rte.*) from the expansion pack
# lslpp -l 'clic.*'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.7.0.0  COMMITTED  CryptoLite for C Library

Path: /etc/objrepos
  clic.rte.kernext           4.7.0.0  COMMITTED  CryptoLite for C Kernel
#
TE: Strong Hashes
• One-way hash functions generate a secure fingerprint of each file
• Default hash algorithm: SHA256
• Also available: SHA1 (160 bits), SHA512
• The hashes in the TE database can be signed for added security: a signature binds the hash to a private key, so an attacker cannot simply recompute a matching hash for a modified file and store it in the database
• AIX files come with signed hashes from IBM
Trusted Signature Database
# Use grep -p on /etc/security/tsd/tsd.dat or, better, the proper command trustchk -q to see stanzas in the TE database:
# trustchk -q /usr/bin/ls
/usr/bin/ls:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        hardlinks =
        symlinks =
        size = 26732
        cert_tag = 00d3cbd2922627b209
        signature = 964bf2d53b4e0b6c3be62e2569ab9da192634a69d5f2d15861098eb7475093f0d45488571da627ea2cd7b528864a1c82e25cbf585733de4e88dc649b5306dfb7427b32c29ac37f259ed5f6598c415f682abda422ee3a9497937f9f1f7191b32ebcd467ad3ca302425c5607e59ffad1fcd69306f1674905c2f0c1d8e143b1752d
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8
        minslabel =
        maxslabel =
        intlabel =
        accessauths = aix.fs.object.list
        innateprivs = PV_DAC_R,PV_DAC_X
        inheritprivs =
        authprivs =
        secflags = FSF_EPS
        t_innateprivs = PV_MAC_R,PV_MIC
System Integrity Check
• TE checks all files listed in database
• Changed permissions are corrected
• Changed files are disabled (read, write and execute permissions revoked)
• Run manually or by crond
Planting a Trojan Horse
# Let's do something nasty...
# mv /usr/bin/ls /usr/bin/.ls
# vi /usr/bin/ls
...
# cat /usr/bin/ls
#!/usr/bin/sh
echo "Doing something dirty here (which you can't see)..."
/usr/bin/.ls $*
# chmod 555 /usr/bin/ls
# ls /home
Doing something dirty here (which you can't see)...
guest  lost+found  root
#
Replacing the ls command with a malicious version that installs a backdoor and then emulates ls behaviour (the echo stands in for the backdoor; a real trojan would stay silent).
System Integrity Check in Action - Check only
# trustchk -n ALL
trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get: mode
trustchk: Verification of attributes failed: /usr/sbin/sshd: size
trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib: group
trustchk: Verification of attributes failed: /usr/bin/ls: owner group size hashvalue signature
#
System Integrity Check
• Sometimes produces false alerts
• Causes: the TSD wasn't updated correctly after a change (this includes permissions and SUID bits)
• or files were removed
• or a recorded property no longer matches the installed file (like size in the case of sshd above)
• The -n flag means trustchk only reports problems; it takes no corrective action
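A practitioner running trustchk -n ALL from crond wants the report sorted into what trustchk -y would merely repair (owner, group or mode drift) and what it would disable (size, hash or signature changes, i.e. the sshd and ls lines above). The script below is an added example, not from the slides or from IBM: it classifies trustchk's "Verification of attributes failed" lines, counts the tampered files for use as an exit status and, when trustchk is not installed, runs against a constructed copy of the slide-16 report. The message format is taken from the output shown on the slides; the script name te-audit.sh and the cron line are assumptions.

```shell
#!/bin/sh
# te-audit.sh (assumed name): classify a trustchk -n report.
# Example code added for this page; not part of AIX or the original talk.

# Constructed sample: the four lines trustchk -n ALL printed on slide 16.
SAMPLE_REPORT='trustchk: Verification of attributes failed: /usr/lpp/diagnostics/bin/ecc_mcode_get: mode
trustchk: Verification of attributes failed: /usr/sbin/sshd: size
trustchk: Verification of attributes failed: /usr/sbin/ifconfig.ib: group
trustchk: Verification of attributes failed: /usr/bin/ls: owner group size hashvalue signature'

# Read a trustchk -n report on stdin and print one line per failed file:
#   <SEVERITY> <path> <failed attributes>
# TAMPER: size, hashvalue or signature differs, so the content changed and
#         trustchk -y would disable the file (slide 20).
# DRIFT:  only owner, group or mode differ; trustchk -y repairs these in place.
classify_trustchk() {
    awk '
        /^trustchk: Verification of attributes failed: / {
            sub(/^trustchk: Verification of attributes failed: /, "")
            # the path ends at the last ": "; what follows is the attribute list
            if (match($0, /: [^:]*$/) == 0) next
            file  = substr($0, 1, RSTART - 1)
            attrs = substr($0, RSTART + 2)
            sev = "DRIFT"
            n = split(attrs, a, " ")
            for (i = 1; i <= n; i++)
                if (a[i] == "size" || a[i] == "hashvalue" || a[i] == "signature")
                    sev = "TAMPER"
            print sev, file, attrs
        }'
}

# Number of TAMPER lines in a report on stdin; used as the exit status below
# so a cron job is flagged only for real content changes.
count_tampered() {
    classify_trustchk | awk '$1 == "TAMPER" { n++ } END { print n + 0 }'
}

# Live report when trustchk exists (AIX), otherwise the constructed sample.
te_report() {
    if command -v trustchk >/dev/null 2>&1; then
        trustchk -n ALL 2>&1
    else
        printf '%s\n' "$SAMPLE_REPORT"
    fi
}

main() {
    report=$(te_report)
    printf '%s\n' "$report" | classify_trustchk
    tampered=$(printf '%s\n' "$report" | count_tampered)
    echo "tampered files: $tampered"
    return "$tampered"
}

# Run only when invoked as a script, e.g. from crond (assumed path):
#   0 3 * * * /usr/local/sbin/te-audit.sh
case "$0" in *te-audit.sh) main "$@" ;; esac
```

On the sample report the classifier yields two TAMPER lines (sshd and ls) and two DRIFT lines; the non-zero return from main is what makes the cron job visible, while plain attribute drift is left for trustchk -y to repair.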
Checking the Hash
# want to check the hash value?
# openssl dgst -sha256 /usr/bin/ls
SHA256(/usr/bin/ls)= 4e6da7a726bb27428f2e8321a2aea231f587e88aacc03ac766c0cf1a02530378      <- modified "ls"
#
# openssl dgst -sha256 /usr/bin/.ls
SHA256(/usr/bin/.ls)= 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8     <- original "ls"
#
# trustchk -q /usr/bin/ls | grep hash
        hash_value = 49d01450fe520cc2c7ed85153a90ef5f2b841aaf38f40e466f734b92ad4356c8      <- TSD entry
#
System Integrity Check - Interactive
# Use trustchk -t to correct problems interactively
# trustchk -t /usr/bin/ls
trustchk: Verification of attributes failed: owner
Change the file owner for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: group
Change the file group for /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: size
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: hash
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of attributes failed: signature
Disable access to the file: /usr/bin/ls? [(y)es,(n)o,(i)gnore all errors]: n
trustchk: Verification of stanza failed:
#
System Integrity Check - Autocorrection
# trustchk -y /usr/bin/ls
trustchk: Verification of attributes failed: owner
trustchk: Verification of attributes failed: group
trustchk: Verification of attributes failed: mode
trustchk: Verification of attributes failed: size
trustchk: Verification of attributes failed: hash
trustchk: Verification of attributes failed: signature
trustchk: Verification of stanza failed:
#
# /usr/bin/.ls -l /usr/bin/ls
---------T 1 bin bin 93 May 28 16:07 /usr/bin/ls
#
trustchk -y = auto-correct without asking (think fsck -y)
File disabled: all read, write and execute bits are cleared (the trailing T is the sticky bit); the 93-byte file is the trojan script, not the 26732-byte original
System Integrity Check - Autocorrection
• Wrong permissions get reset
• Wrong owner and group get reset
• Files that changed size or hash value are disabled
Runtime Integrity Check
• Binaries, shared libraries, kernel extensions and shell scripts are checked before execution
• Kernel refuses to load/execute them if verification fails
• Check is repeated every time a file is executed -> no window of opportunity for attackers
• Caveat: the runtime check only covers files that have a TSD entry; executables that are not listed still run unless the STOP_UNTRUSTD policy is also switched on
Runtime Integrity Check Policies
• trustchk -p NAME=VALUE sets a policy (trustchk -p NAME queries it)
• TE=[ON|OFF]: turns runtime checks on/off
• CHKEXEC=[ON|OFF]: executable checking
• STOP_ON_CHKFAIL=[ON|OFF]: stop executables failing the test
• STOP_UNTRUSTD=[ON|OFF]: stop executables not listed in /etc/security/tsd/tsd.dat
• And more (e.g. CHKSHLIB, CHKSCRIPT and CHKKERNEXT for shared libraries, scripts and kernel extensions, and LOCK_KERN_POLICIES to freeze the settings until the next reboot)
• Order matters: add your own files to the TSD before switching STOP_UNTRUSTD on, otherwise everything outside the IBM filesets stops executing
Runtime Integrity Check - Modified File
# trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON
# ls
ksh: ls: 0403-006 Execute permission denied.
#
# cp /usr/bin/ls /usr/bin/.badls
# cp /usr/bin/.ls /usr/bin/ls
# chown bin:bin /usr/bin/ls
# ls
.Xauthority ....
Changed command does not execute
Once the original is copied back (and ownership restored) the hash matches again and ls runs: the check is re-run every time the command is executed
Runtime Integrity Check - Unlisted File
# trustchk -p TE=ON CHKEXEC=ON STOP_UNTRUSTD=ON
# /usr/bin/.ls
ksh: /usr/bin/.ls: 0403-006 Execute permission denied.
# ls -l /usr/bin/.ls
-r-xr-xr-x 1 bin bin 26732 May 28 17:39 /usr/bin/.ls
#
Command .ls (the original ls) is not executed although there was no check failure and the file permissions are ok: STOP_UNTRUSTD prevents execution of commands not listed in the TSD
Path Protection
• Trusted Execution Path (TEP)
• Limits where programs/scripts can be started from
• Much more effective than a restricted shell and a fixed $PATH variable, because it is enforced by the kernel rather than by the user's shell
Trusted Path in Action
# cp /usr/bin/ls /usr/local/bin/ls
# /usr/local/bin/ls
.Xauthority ...
# trustchk -p TEP=ON
# /usr/local/bin/ls
ksh: /usr/local/bin/ls: 0403-006 Execute permission denied.
#
# trustchk -p tep
TEP=ON
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security
#
/usr/local/bin/ is not in the trusted path, so the (unmodified) copy of ls is refused
Adding Your Own Files
• TE protection for your own files: EASY!
• Step 1: Create a certificate and private key with openssl (only once)
• Step 2: Add each file to the TE database with trustchk -a, signing its hash with that key
• That's it. TE takes care of the rest.
Creating Certificates
# cd /te
# openssl genrsa -out mycorpprivkey.perm 2048
Generating RSA private key, 2048 bit long modulus
.....+++
................................................................................................+++
e is 65537 (0x10001)
#
# openssl req -new -x509 -key mycorpprivkey.perm -outform DER -out mycorpcert.der -days 3650
You are about to be asked to enter information that will be incorporated
.... (some questions asked here) ....
#
# openssl pkcs8 -inform PEM -in mycorpprivkey.perm -topk8 -nocrypt -outform DER -out mycorpprivkey.der
# ls
mycorpcert.der  mycorpprivkey.der  mycorpprivkey.perm
#
Note: -nocrypt writes the PKCS#8 private key unencrypted. Keep /te readable by root only, or move the key off the machine after signing: anyone who can read it can sign replacement files into the TSD.
Add to TE Database
# trustchk -s /te/mycorpprivkey.der -v mycorpcert.der -a /usr/local/bin/mycmd
# trustchk -q /usr/local/bin/mycmd
/usr/local/bin/mycmd:
        type = FILE
        owner = root
        group = system
        mode = 755
        size = 47
        hash_value = 48d45e86a5a8ff4c6a94dfe3723677fc0e1a6c0967f06233eaa84ff232fbceb2
        cert_tag = 008b2dd04da79dc0b5
        signature = a3ecc6b2c07260417a0be162....
Test: Finding Illegal Modifications
# trustchk -n /usr/local/bin/mycmd
# echo $?
0
# echo "CHANGED" >> /usr/local/bin/mycmd
# trustchk -n /usr/local/bin/mycmd
trustchk: Verification of attributes failed: /usr/local/bin/mycmd: size hashvalue signature
# echo $?
114
#
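The hand check on slide 18 (openssl dgst -sha256 compared with hash_value) and the "size hashvalue" failure above can be scripted as an offline cross-check of a TSD stanza against the file on disk. The following is an added example, not part of AIX or of the talk: it reads a stanza in the layout trustchk -q prints, recomputes SHA-256 (with openssl as on the slides, falling back to sha256sum where openssl is absent) and the byte size, and reports the attributes that differ in the same words trustchk uses. Owner, group, mode and the signature are left to trustchk; make_stanza is a helper that writes such a stanza for a file and is an assumption, not a trustchk feature.

```shell
#!/bin/sh
# Offline cross-check of a TSD stanza against the file on disk.
# Example code added for this page; not part of AIX or the original talk.

# SHA-256 of a file as lowercase hex: openssl as on slide 18, else sha256sum.
file_sha256() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# Size in bytes (wc -c pads with spaces on some platforms).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# stanza_attr <name>: value of one "name = value" line of a stanza on stdin,
# in the layout trustchk -q prints (indented, one attribute per line).
stanza_attr() {
    awk -v key="$1" '$1 == key && $2 == "=" { print $3; exit }'
}

# make_stanza <file> (assumed helper, not a trustchk feature): emit a minimal
# stanza recording the file's current size and SHA-256, for use as a baseline.
make_stanza() {
    printf '%s:\n' "$1"
    printf '        type = FILE\n'
    printf '        size = %s\n' "$(file_size "$1")"
    printf '        hash_value = %s\n' "$(file_sha256 "$1")"
}

# check_file <file> < stanza: compare size and hash_value with the file.
# Prints "<file>: <failed attributes>" and returns 1 on mismatch, like the
# "size hashvalue" report on slide 31; silent with status 0 when it matches.
check_file() {
    f=$1
    stanza=$(cat)
    want_size=$(printf '%s\n' "$stanza" | stanza_attr size)
    want_hash=$(printf '%s\n' "$stanza" | stanza_attr hash_value)
    have_size=$(file_size "$f")
    have_hash=$(file_sha256 "$f")
    failed=""
    [ "$have_size" = "$want_size" ] || failed="$failed size"
    [ "$have_hash" = "$want_hash" ] || failed="$failed hashvalue"
    failed=${failed# }
    if [ -n "$failed" ]; then
        echo "$f: $failed"
        echo "  TSD:  size=$want_size hash=$want_hash" >&2
        echo "  disk: size=$have_size hash=$have_hash" >&2
        return 1
    fi
    return 0
}

# Usage (slide 31 replayed; /te/mycmd.stanza is an assumed path):
#   make_stanza /usr/local/bin/mycmd > /te/mycmd.stanza
#   echo "CHANGED" >> /usr/local/bin/mycmd
#   check_file /usr/local/bin/mycmd < /te/mycmd.stanza
#   -> /usr/local/bin/mycmd: size hashvalue
```

Because stanza_attr only looks at "name = value" lines, the same check_file works on the real stanza from trustchk -q (the hash_value line of /usr/bin/ls on slide 18, for instance). It cannot replace the signature check, since that needs the certificate in the TSD, and it should never run on a box where the TSD itself is suspect without copying tsd.dat to trusted media first.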
Maintenance
• Installing updates naturally changes the files
• Hashes in the TE database need updating
• AIX updates come with new signatures
• Hashes and signatures for your own files must be regenerated by you after each deployment (re-run trustchk -s ... -v ... -a for the changed files)
Want to give it a go?
• IBM business partners can get AIX test systems for free from the Virtual Loaner Program
• http://www.ibm.com/systems/vlp
• Not a business partner? Sign up at www.ibm.com/partnerworld (all you need is a VAT ID)
Questions?
Thank you!
If you think of a question later feel free to send me an email.