authorJan Altenberg <jan@linutronix.de>2016-05-20 19:00:42 +0200
committerJan Altenberg <jan@linutronix.de>2016-05-20 19:00:42 +0200
commit29bcbff58ced768f9f4edbc6f4d9d9604552f09e (patch)
tree17c2acd2187b2d70efdadfa537eea1318b43ed2f /security/advanced/frm_capabilities.tex
parent4e2d7553d772c8c63b46c464cd206d05f81bd9be (diff)
parent99e265690ee8bf0bd371989fe6946cf72f883001 (diff)
Merge remote-tracking branch 'remotes/origin/devel/dengler/sec_ext201604'
Diffstat (limited to 'security/advanced/frm_capabilities.tex')
-rw-r--r--security/advanced/frm_capabilities.tex269
1 files changed, 269 insertions, 0 deletions
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
new file mode 100644
index 0000000..7e514df
--- /dev/null
+++ b/security/advanced/frm_capabilities.tex
@@ -0,0 +1,269 @@
+% ----------------------------
+\subsubsection{Basics}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{What is a Linux Capability?}
+\begin{itemize}
+\item Syscalls
+ \begin{itemize}
+ \item Application Programming Interface (API) to the Kernel
+ \item some Syscalls need special privileges (EPERM)
+ \end{itemize}
+\item User Privileges
+ \begin{itemize}
+ \item root (UID == 0): all privileges
+ \item users (UID > 0): no privileges
+ \end{itemize}
+\item Capability
+ \begin{itemize}
+ \item single privilege
+ \item can be raised or dropped
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{How it works}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Control Flow}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=8cm]{images/syscall_flow.png}
+ \end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Type of Syscalls}
+\begin{itemize}
+\item unprivileged Syscalls:
+ \begin{itemize}
+ \item sys\_gethostname()
+ \item sys\_read() / sys\_write()
+ \item sys\_getuid() / sys\_getgid()
+ \item \dots
+ \end{itemize}
+\item privileged Syscalls:
+ \begin{itemize}
+ \item sys\_sethostname()
+ \item sys\_open()
+ \item sys\_setuid() / sys\_setgid()
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capabilities}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_MKNOD
+ \item CAP\_KILL
+ \item CAP\_SETGID
+ \item CAP\_SETUID
+ \item CAP\_SETPCAP
+ \item CAP\_SYS\_BOOT
+ \item CAP\_SYS\_NICE
+ \item CAP\_SYS\_TIME
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_SYS\_MODULE
+ \item CAP\_SYS\_RAWIO
+ \item CAP\_SYS\_PTRACE
+ \item CAP\_NET\_BIND\_SERVICE
+ \item CAP\_NET\_BROADCAST
+ \item CAP\_NET\_RAW
+ \item CAP\_SYS\_ADMIN
+ \item CAP\_NET\_ADMIN
+ \end{itemize}
+ \end{column}
+\end{columns}
+Full list: \\
+Kernel Source: include/uapi/capability.h \\
+Distribution: /usr/include/linux/capability.h
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Process and File}
+\begin{itemize}
+\item Process/Task
+ \begin{itemize}
+ \item Capability bitfields in task context:
+ \begin{itemize}
+ \item Permitted
+ \item Effective
+ \item Inheritable
+ \end{itemize}
+ \end{itemize}
+\item File
+ \begin{itemize}
+ \item Bitfields in file-attributes (xattr)
+ \begin{itemize}
+ \item Permitted
+ \item Inheritable
+ \item Auto-load Effective (single bit)
+ \end{itemize}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Bitfields}
+\begin{figure}[h]
+\centering
+\includegraphics[width=7cm]{images/cap_bitfields.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability transition during execve()}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/cap_trans_execve.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Capabilities in Applications}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Handling in Applications (libcap)}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Capability Set Handling}
+ \begin{tiny}
+ \begin{verbatim}
+#include <sys/capability.h>
+
+int list_n = 1;
+cap_t caps;
+cap_value_t list[list_n];
+
+caps = cap_get_proc();
+
+/* Capability Bitfield Modifications */
+
+cap_set_proc(caps);
+
+/* Continue with modified privileges */
+
+cap_free(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+Capability Bitfield Modifications
+ \begin{beamerboxesrounded}[shadow=true]{gain (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps, CAP_EFFECTIVE,
+ list_n, list, CAP_SET);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_EFFECTIVE,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (finally):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_PERMITTED,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability scenario}
+Scenario for dropping capabilities in suid-root processes
+\begin{enumerate}
+\item Run process with effective UID == 0
+\item use libcap to drop not required capabilities
+ \begin{itemize}
+ \item effective: drop all
+ \item permitted: keep only required
+ \end{itemize}
+\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))
+\item set all UIDs to non-zero
+\item raise capability in effecive set before calling a privileged syscall
+\item drop capability from effective set after syscall
+\end{enumerate}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tooling \& Documentation}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tooling for Capabilities}
+\begin{itemize}
+\item capsh\\
+Modify security properties of a task (including capabilities)
+\item getcap/setcap\\
+Modify file capability settings
+\item libpam-cap\\
+Preset users inheritable capabilities during login
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Further Information about Capabilities}
+\begin{itemize}
+\item cat /proc/<pid>/status
+\item Man-Pages (man 7 capabilities, ff.)
+\item The Linux Programming Interface (Michael Kerisk),\\
+ ISBN 978-1-59327-220-3
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item A Capability allows to use a privileged syscall
+\item Task-Capabilities:
+ \begin{itemize}
+ \item 3 bitfields
+ \item permitted, effective, inheritable
+ \end{itemize}
+\item File Capabilities:
+ \begin{itemize}
+ \item File extended attributes
+ \item 2 bitfields, 1 flag
+ \item permmitted, inheritable, effecitve (flag)
+ \end{itemize}
+\item Capability transition for fork() and execve()
+\item Conclusion\\
+ \begin{itemize}
+ \item root/non-root: all or nothing\\
+ \item Capabilities: fine grain privileges
+ \end{itemize}
+\end{itemize}
+\end{frame}
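Review bot: The `drop (finally):` box on the libcap slide clears CAP_NET_BIND_SERVICE only from CAP_PERMITTED, but if the capability is still in the effective set (as after the `gain (temp):` box) the kernel rejects the new capability sets, because the effective set must be a subset of the permitted set, so `cap_set_proc(caps)` fails with EPERM and the privilege is kept. None of the snippets check the return value of `cap_get_proc()`/`cap_set_proc()`, so such a failed drop is silent; the box should clear both flags, adding `cap_set_flag(caps, CAP_EFFECTIVE, list_n, list, CAP_CLEAR);` before the CAP_PERMITTED call, and show `if (cap_set_proc(caps) == -1) { /* privilege NOT dropped */ }` so the audience sees that a drop must be verified. On the Capabilities slide the kernel header path appears to be missing the `linux/` component, given that the distribution path on the following line is `/usr/include/linux/capability.h`. Minor spelling on the scenario and summary slides: `effecive`, `permmitted`, `effecitve`.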