-rw-r--r--images/cap_bitfields.pngbin0 -> 44164 bytes
-rw-r--r--images/cap_trans_execve.pngbin0 -> 57447 bytes
-rw-r--r--images/em_stack_layout1.pngbin0 -> 59030 bytes
-rw-r--r--images/em_stack_layout2.pngbin0 -> 36099 bytes
-rw-r--r--images/file_access_control.pngbin0 -> 52858 bytes
-rw-r--r--images/mac_terms.pngbin0 -> 50200 bytes
-rw-r--r--images/multiproc_attack.pngbin0 -> 39144 bytes
-rw-r--r--images/multiproc_norm.pngbin0 -> 28368 bytes
-rw-r--r--images/multithread_attack.pngbin0 -> 39656 bytes
-rw-r--r--images/multithread_norm.pngbin0 -> 21200 bytes
-rw-r--r--images/proc_isol.pngbin0 -> 36497 bytes
-rw-r--r--images/proc_uidgid.pngbin0 -> 56090 bytes
-rw-r--r--images/syscall_flow.pngbin0 -> 64345 bytes
-rw-r--r--images/tracecompass.pngbin0 -> 194516 bytes
-rw-r--r--kernel-devel/kernel-tracing/pres_kernel-tracing_en.tex69
-rw-r--r--security/advanced/Makefile6
-rw-r--r--security/advanced/frm_capabilities.tex269
-rw-r--r--security/advanced/frm_exploit_mitigation.tex228
-rw-r--r--security/advanced/frm_mac.tex206
-rw-r--r--security/advanced/frm_multiuser_dac.tex363
-rw-r--r--security/advanced/frm_namespace_container.tex132
-rw-r--r--security/advanced/frm_process_thread.tex113
-rw-r--r--security/advanced/pres_advanced_sec.tex3
-rw-r--r--security/advanced/pres_capability.tex20
-rw-r--r--security/advanced/pres_exploit.tex20
-rw-r--r--security/advanced/pres_mac.tex20
-rw-r--r--security/advanced/pres_multiuser_dac.tex20
-rw-r--r--security/advanced/pres_namespace_container.tex20
-rw-r--r--security/advanced/pres_process_thread.tex20
-rw-r--r--security/crypto/Makefile1
-rw-r--r--security/crypto/pres_crypto_filesystems.tex161
31 files changed, 1671 insertions, 0 deletions
diff --git a/images/cap_bitfields.png b/images/cap_bitfields.png
new file mode 100644
index 0000000..318108e
--- /dev/null
+++ b/images/cap_bitfields.png
Binary files differ
diff --git a/images/cap_trans_execve.png b/images/cap_trans_execve.png
new file mode 100644
index 0000000..5695d52
--- /dev/null
+++ b/images/cap_trans_execve.png
Binary files differ
diff --git a/images/em_stack_layout1.png b/images/em_stack_layout1.png
new file mode 100644
index 0000000..82b0304
--- /dev/null
+++ b/images/em_stack_layout1.png
Binary files differ
diff --git a/images/em_stack_layout2.png b/images/em_stack_layout2.png
new file mode 100644
index 0000000..9edf1ef
--- /dev/null
+++ b/images/em_stack_layout2.png
Binary files differ
diff --git a/images/file_access_control.png b/images/file_access_control.png
new file mode 100644
index 0000000..ca809e5
--- /dev/null
+++ b/images/file_access_control.png
Binary files differ
diff --git a/images/mac_terms.png b/images/mac_terms.png
new file mode 100644
index 0000000..1de23a3
--- /dev/null
+++ b/images/mac_terms.png
Binary files differ
diff --git a/images/multiproc_attack.png b/images/multiproc_attack.png
new file mode 100644
index 0000000..feb145e
--- /dev/null
+++ b/images/multiproc_attack.png
Binary files differ
diff --git a/images/multiproc_norm.png b/images/multiproc_norm.png
new file mode 100644
index 0000000..07f3093
--- /dev/null
+++ b/images/multiproc_norm.png
Binary files differ
diff --git a/images/multithread_attack.png b/images/multithread_attack.png
new file mode 100644
index 0000000..95c5145
--- /dev/null
+++ b/images/multithread_attack.png
Binary files differ
diff --git a/images/multithread_norm.png b/images/multithread_norm.png
new file mode 100644
index 0000000..53ff499
--- /dev/null
+++ b/images/multithread_norm.png
Binary files differ
diff --git a/images/proc_isol.png b/images/proc_isol.png
new file mode 100644
index 0000000..1e852e7
--- /dev/null
+++ b/images/proc_isol.png
Binary files differ
diff --git a/images/proc_uidgid.png b/images/proc_uidgid.png
new file mode 100644
index 0000000..01147e8
--- /dev/null
+++ b/images/proc_uidgid.png
Binary files differ
diff --git a/images/syscall_flow.png b/images/syscall_flow.png
new file mode 100644
index 0000000..2750689
--- /dev/null
+++ b/images/syscall_flow.png
Binary files differ
diff --git a/images/tracecompass.png b/images/tracecompass.png
new file mode 100644
index 0000000..56cb8cd
--- /dev/null
+++ b/images/tracecompass.png
Binary files differ
diff --git a/kernel-devel/kernel-tracing/pres_kernel-tracing_en.tex b/kernel-devel/kernel-tracing/pres_kernel-tracing_en.tex
index 9f19959..859d8c5 100644
--- a/kernel-devel/kernel-tracing/pres_kernel-tracing_en.tex
+++ b/kernel-devel/kernel-tracing/pres_kernel-tracing_en.tex
@@ -513,6 +513,75 @@ $ kernelshark -i mytrace.dat
\end{figure}
\end{frame}
+\section{Tracecompass}
+\begin{frame}[fragile]
+\frametitle{Tracecompass}
+\begin{itemize}
+\item Uses the C ommon T race F ormat
+\item perf can convert traces to CTF
+\item perf uses libbabeltrace for the convertion
+\item A recent version of libbabeltrace is needed
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Build perf for your Target}
+\begin{verbatim}
+cd kernel_source/tools/perf
+make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-
+# Now copy the perf executable to the target
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Setup the tools on your host: libbabeltrace}
+\begin{verbatim}
+git clone https://github.com/efficios/babeltrace.git
+cd babeltrace
+# This is a known working commit.
+# Recent commits seem to be broken for perf-ctf
+git checkout 9aac8f729c091ddddb688038f5d417a7b1ce4259
+./bootstrap
+./configure
+make
+sudo make install
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Setup the tools on your host: perf}
+\begin{verbatim}
+cd kernel_source/tools/perf
+make LIBBABELTRACE=1 LIBBABELTRACE_DIR=/usr/local
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Record a trace on the target}
+\begin{verbatim}
+./perf record -e 'sched:*' -a
+# (stop with Ctrl-C)
+# Copy perf.data to the host
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{On the host: Convert perf.data to the proper format}
+\begin{verbatim}
+LD_LIBRARY_PATH=/usr/local/lib ./perf data convert --to-ctf ./ctf-data
+# Now the trace data should be available in ctf-data/
+# You can import this directory with Eclipse / Tracecompass
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Tracecompass}
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/tracecompass.png}
+\end{figure}
+\end{frame}
+
\section{Useful things}
\begin{frame}[fragile]
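Review bot: `\item Uses the C ommon T race F ormat` on the first Tracecompass slide has stray spaces inside each word, which looks like lost markup for the initials; write it as `\item Uses the \textbf{C}ommon \textbf{T}race \textbf{F}ormat (CTF)` so the acronym used on the next lines is actually introduced. Two lines further down, `convertion` should read `conversion`. The babeltrace checkout pins a full commit hash, which is the right thing to do, but the comment `Recent commits seem to be broken for perf-ctf` will go stale; recording the date or upstream version the pin corresponds to would let a later reader judge whether it still applies. On the last slide, `\includegraphics[width=10cm]` would be better as `\includegraphics[width=0.8\linewidth]` so the figure scales with the frame.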
diff --git a/security/advanced/Makefile b/security/advanced/Makefile
index f6ab95b..2643c9e 100644
--- a/security/advanced/Makefile
+++ b/security/advanced/Makefile
@@ -1 +1,7 @@
obj-$(CONFIG_SECURITY_ADV) += pres_advanced_sec.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_capability.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_exploit.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_process_thread.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_multiuser_dac.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_namespace_container.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_mac.pdf
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
new file mode 100644
index 0000000..7e514df
--- /dev/null
+++ b/security/advanced/frm_capabilities.tex
@@ -0,0 +1,269 @@
+% ----------------------------
+\subsubsection{Basics}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{What is a Linux Capability?}
+\begin{itemize}
+\item Syscalls
+ \begin{itemize}
+ \item Application Programming Interface (API) to the Kernel
+ \item some Syscalls need special privileges (EPERM)
+ \end{itemize}
+\item User Privileges
+ \begin{itemize}
+ \item root (UID == 0): all privileges
+ \item users (UID > 0): no privileges
+ \end{itemize}
+\item Capability
+ \begin{itemize}
+ \item single privilege
+ \item can be raised or dropped
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{How it works}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Control Flow}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=8cm]{images/syscall_flow.png}
+ \end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Type of Syscalls}
+\begin{itemize}
+\item unprivileged Syscalls:
+ \begin{itemize}
+ \item sys\_gethostname()
+ \item sys\_read() / sys\_write()
+ \item sys\_getuid() / sys\_getgid()
+ \item \dots
+ \end{itemize}
+\item privileged Syscalls:
+ \begin{itemize}
+ \item sys\_sethostname()
+ \item sys\_open()
+ \item sys\_setuid() / sys\_setgid()
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capabilities}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_MKNOD
+ \item CAP\_KILL
+ \item CAP\_SETGID
+ \item CAP\_SETUID
+ \item CAP\_SETPCAP
+ \item CAP\_SYS\_BOOT
+ \item CAP\_SYS\_NICE
+ \item CAP\_SYS\_TIME
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item CAP\_SYS\_MODULE
+ \item CAP\_SYS\_RAWIO
+ \item CAP\_SYS\_PTRACE
+ \item CAP\_NET\_BIND\_SERVICE
+ \item CAP\_NET\_BROADCAST
+ \item CAP\_NET\_RAW
+ \item CAP\_SYS\_ADMIN
+ \item CAP\_NET\_ADMIN
+ \end{itemize}
+ \end{column}
+\end{columns}
+Full list: \\
+Kernel Source: include/uapi/capability.h \\
+Distribution: /usr/include/linux/capability.h
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Process and File}
+\begin{itemize}
+\item Process/Task
+ \begin{itemize}
+ \item Capability bitfields in task context:
+ \begin{itemize}
+ \item Permitted
+ \item Effective
+ \item Inheritable
+ \end{itemize}
+ \end{itemize}
+\item File
+ \begin{itemize}
+ \item Bitfields in file-attributes (xattr)
+ \begin{itemize}
+ \item Permitted
+ \item Inheritable
+ \item Auto-load Effective (single bit)
+ \end{itemize}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Bitfields}
+\begin{figure}[h]
+\centering
+\includegraphics[width=7cm]{images/cap_bitfields.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability transition during execve()}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/cap_trans_execve.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Capabilities in Applications}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability Handling in Applications (libcap)}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Capability Set Handling}
+ \begin{tiny}
+ \begin{verbatim}
+#include <sys/capability.h>
+
+int list_n = 1;
+cap_t caps;
+cap_value_t list[list_n];
+
+caps = cap_get_proc();
+
+/* Capability Bitfield Modifications */
+
+cap_set_proc(caps);
+
+/* Continue with modified privileges */
+
+cap_free(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+Capability Bitfield Modifications
+ \begin{beamerboxesrounded}[shadow=true]{gain (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps, CAP_EFFECTIVE,
+ list_n, list, CAP_SET);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (temp):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_EFFECTIVE,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{drop (finally):}
+ \begin{tiny}
+ \begin{verbatim}
+list[0] = CAP_NET_BIND_SERVICE;
+cap_set_flag(caps,CAP_PERMITTED,
+ list_n, list,CAP_CLEAR);
+cap_set_proc(caps);
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{Capability scenario}
+Scenario for dropping capabilities in suid-root processes
+\begin{enumerate}
+\item Run process with effective UID == 0
+\item use libcap to drop not required capabilities
+ \begin{itemize}
+ \item effective: drop all
+ \item permitted: keep only required
+ \end{itemize}
+\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))
+\item set all UIDs to non-zero
+\item raise capability in effecive set before calling a privileged syscall
+\item drop capability from effective set after syscall
+\end{enumerate}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tooling \& Documentation}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tooling for Capabilities}
+\begin{itemize}
+\item capsh\\
+Modify security properties of a task (including capabilities)
+\item getcap/setcap\\
+Modify file capability settings
+\item libpam-cap\\
+Preset users inheritable capabilities during login
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Further Information about Capabilities}
+\begin{itemize}
+\item cat /proc/<pid>/status
+\item Man-Pages (man 7 capabilities, ff.)
+\item The Linux Programming Interface (Michael Kerisk),\\
+ ISBN 978-1-59327-220-3
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item A Capability allows to use a privileged syscall
+\item Task-Capabilities:
+ \begin{itemize}
+ \item 3 bitfields
+ \item permitted, effective, inheritable
+ \end{itemize}
+\item File Capabilities:
+ \begin{itemize}
+ \item File extended attributes
+ \item 2 bitfields, 1 flag
+ \item permmitted, inheritable, effecitve (flag)
+ \end{itemize}
+\item Capability transition for fork() and execve()
+\item Conclusion\\
+ \begin{itemize}
+ \item root/non-root: all or nothing\\
+ \item Capabilities: fine grain privileges
+ \end{itemize}
+\end{itemize}
+\end{frame}
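Review bot: The header path on the Capabilities slide is wrong: the UAPI header is `include/uapi/linux/capability.h` (the distribution path given on the next line, `/usr/include/linux/capability.h`, is the installed copy of that same file), so the line should read `Kernel Source: include/uapi/linux/capability.h`. On the scenario slide, `SEC\_KEEP\_CAPS` is not a documented name; capabilities(7) calls the securebits flag `SECBIT_KEEP_CAPS`, so `\item set SECBIT\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))` would match the man page the next slide points readers to. `\item cat /proc/<pid>/status` is typeset in text mode, where `<` and `>` come out as inverted punctuation unless the deck loads `[T1]{fontenc}`; `\item \texttt{cat /proc/\textless pid\textgreater /status}` is safe either way, and the same applies to `/proc/<pid>/maps` on the ASLR slide and to the `/proc/<pid>/maps` box title in frm_exploit_mitigation.tex. Spelling on the scenario and summary slides: `effecive`, `permmitted`, `effecitve`, and the author of The Linux Programming Interface is Michael Kerrisk.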
diff --git a/security/advanced/frm_exploit_mitigation.tex b/security/advanced/frm_exploit_mitigation.tex
new file mode 100644
index 0000000..559b60e
--- /dev/null
+++ b/security/advanced/frm_exploit_mitigation.tex
@@ -0,0 +1,228 @@
+% ----------------------------
+\subsubsection{Exploits}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Exploit Types}
+\begin{itemize}
+\item Application Level Exploits
+ \begin{itemize}
+ \item SQL Injection
+ \item Cross-side scripting
+ \item Backdoors
+ \item Protocol Implementation
+ \item \dots
+ \end{itemize}
+\item Low-Level Exploits
+ \begin{itemize}
+ \item Stack
+ \item Heap
+ \item Syscall
+ \item Race conditions
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example I}
+\begin{beamerboxesrounded}[shadow=true]{Bad copy to stack local buffer}
+\begin{tiny}
+\begin{verbatim}
+#include <string.h>
+
+void foo (char *p) {
+ char buf[16];
+ strcpy(buf, p);
+}
+
+int main (int argc, char **argv) {
+ foo(argv[1]);
+}
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Code Example II}
+\begin{beamerboxesrounded}[shadow=true]{Manipulation of return address}
+\begin{tiny}
+\begin{verbatim}
+#include <stdio.h>
+#include <string.h>
+
+void function(int a, int b, int c)
+{
+ char buffer1[8];
+ char buffer2[16];
+ char *ret;
+
+ ret = (char *)(buffer1 + 0x18);
+ (*ret) += 0x7;
+}
+
+void main(void)
+{
+ int x;
+
+ x = 0;
+ function(1,2,3);
+ x = 1;
+ printf("%d\n",x);
+}
+
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack: Layout I}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/em_stack_layout1.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack}
+\begin{itemize}
+\item Overwrite return address
+\item change stack-local variables
+\item inject malicious code
+ \begin{itemize}
+ \item shell code
+ \item backdoors
+ \item thread hijacking
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Mitigation}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Address Space Layout}
+\begin{itemize}
+\item Fixed layout of segment start addresses
+\item Easy to exploit
+\item Address Space Layout Randomization
+ \begin{itemize}
+ \item basic implementation (Linux v2.6.12)
+ \item full implementation (Linux v3.19)
+ \end{itemize}
+\item Configuration: /proc/sys/kernel/randomize\_va\_space
+ \begin{itemize}
+ \item 0: Disabled
+ \item 1: randomize stack, data, dynamic libraries
+ \item 2: randomize stack, data, dynamic libraries, heap
+ \end{itemize}
+\item Process maps: /proc/<pid>/maps
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Process Memory Map}
+\begin{beamerboxesrounded}[shadow=true]{/proc/<pid>/maps}
+\begin{tiny}
+\begin{verbatim}
+$ cat /proc/self/maps
+00400000-0040c000 r-xp 00000000 fe:00 23360017 /bin/cat
+0060b000-0060c000 r--p 0000b000 fe:00 23360017 /bin/cat
+0060c000-0060d000 rw-p 0000c000 fe:00 23360017 /bin/cat
+0060d000-0062e000 rw-p 00000000 00:00 0 [heap]
+7ffff7a31000-7ffff7bd3000 r-xp 00000000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7bd3000-7ffff7dd2000 ---p 001a2000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd2000-7ffff7dd6000 r--p 001a1000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd6000-7ffff7dd8000 rw-p 001a5000 fe:00 2359536 /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7dd8000-7ffff7ddc000 rw-p 00000000 00:00 0
+7ffff7ddc000-7ffff7dfc000 r-xp 00000000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7e09000-7ffff7fce000 r--p 00000000 fe:00 3932237 /usr/lib/locale/locale-archive
+7ffff7fce000-7ffff7fd1000 rw-p 00000000 00:00 0
+7ffff7fd4000-7ffff7ff8000 rw-p 00000000 00:00 0
+7ffff7ff8000-7ffff7ffa000 r-xp 00000000 00:00 0 [vdso]
+7ffff7ffa000-7ffff7ffc000 r--p 00000000 00:00 0 [vvar]
+7ffff7ffc000-7ffff7ffd000 r--p 00020000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffd000-7ffff7ffe000 rw-p 00021000 fe:00 2359533 /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
+7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Protect}
+\begin{itemize}
+\item Canaries
+ \begin{itemize}
+ \item Compiler Support (gcc)
+ \begin{itemize}
+ \item -fno-stack-protector
+ \item -fstack-protector
+ \item -fstack-protector-all
+ \item -fstack-protector-strong (since gcc v4.9)
+ \end{itemize}
+ \end{itemize}
+ \begin{itemize}
+ \item Kernel Configuration
+ \begin{itemize}
+ \item CONFIG\_CC\_STACKPROTECTOR\_NONE
+ \item CONFIG\_CC\_STACKPROTECTOR\_REGULAR \\
+ (coverage: 2.81 \%, code size: +0.33 \% )
+ \item CONFIG\_CC\_STACKPROTECTOR\_STRONG \\
+ (coverage: 20.5 \%, code size: +2.4 \% )
+ \end{itemize}
+ \end{itemize}
+\item Stack order randomization
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Stack Canaries: Stack layout}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/em_stack_layout2.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Hardware-based}
+\begin{itemize}
+\item NX (no execute flag for pages)
+ \begin{itemize}
+ \item No Execute Flag for pages (PTE)
+ \item Architectures: x86, PPC, S390, ARM (some)
+ \end{itemize}
+\item MPX (Boundary Protection)
+ \begin{itemize}
+ \item Architecture: x86
+ \item high performance impact
+ \item test only
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% % ----------------------------
+\begin{frame}[fragile]
+\frametitle{grsecurity}
+\begin{itemize}
+\item Security enhancement
+\item Kernel patches (PAX)
+\item Role-based access control
+\item Thread isolation
+\item Container isolation
+\item BPF JIT enhancements
+\item Return Address Protection (GCC)
+\end{itemize}
+
+\end{frame}
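Review bot: `Cross-side scripting` on the Exploit Types slide should be `Cross-site scripting`. In Code Example II, `void main(void)` is not a valid signature in hosted C; use `int main(void)` (and let `main` in Example I return a value) so the snippets compile cleanly with `-Wall`, which matters in a deck that goes on to discuss compiler hardening flags. Since Example I is labelled as the bad pattern, a one-line counterpart such as `snprintf(buf, sizeof buf, "%s", p);` on the same or a following slide would tie the example to the Mitigation section instead of leaving only the vulnerable form. On the grsecurity slide the patch set is spelled `PaX`, not `PAX`.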
diff --git a/security/advanced/frm_mac.tex b/security/advanced/frm_mac.tex
new file mode 100644
index 0000000..31a3915
--- /dev/null
+++ b/security/advanced/frm_mac.tex
@@ -0,0 +1,206 @@
+% ----------------------------
+\subsubsection{Linux Security Modules}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Security Modules}
+\begin{itemize}
+\item Problem: Malware, Exploits
+\item Solution: Mandatory Access Control
+ \begin{itemize}
+ \item Categories: Subjects and Objects
+ \item systemwide, static rule set
+ \item Context sensitive Resource Access
+ \end{itemize}
+\item Implementation
+ \begin{itemize}
+ \item SE-Linux
+ \item AppArmor
+ \item SMACK
+ \item Tomoyo
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Terms}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/mac_terms.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{itemize}
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example:}
+\begin{small}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rcS /usr/local/bin/myappl
+<kernel> /sbin/init /etc/rc.d/rcS /usr/bin/opensshd \
+ /bin/bin/bash /usr/local/bin/myappl
+\end{verbatim}
+\end{small}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain Transition Management}
+\begin{itemize}
+\item Control Domain Transition Behavior
+\item Syntax: \\
+\begin{verbatim}
+<directive> <domain> from <domain>
+\end{verbatim}
+\item Directives:
+\begin{itemize}
+\item initialize\_domain / no\_initialize\_domain
+\item keep\_domain / no\_keep\_domain
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Profile}
+\begin{itemize}
+\item Profiles define Domain restriction behavior
+\item Profile Relation to Domain: n..m
+\item Up to 255 Profiles
+\item Profile Modes:
+ \begin{itemize}
+ \item disabled
+ \item learning
+ \item permissive
+ \item enforcing
+ \end{itemize}
+\item Logging
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Policy}
+\begin{itemize}
+\item Policies describe Domain restrictions
+\item Policy for each Domain
+\item Directives:
+\begin{itemize}
+\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
+\item misc env
+\item network inet (stream, dgram, raw)
+\item network unix (stream, dgram, seqpacket)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example I}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+PROFILE_VERSION=20110903
+0-COMMENT=-----Disabled Mode-----
+0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
+1-COMMENT=-----Learning Mode-----
+1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+1-CONFIG={ mode=learning grant_log=no reject_log=yes }
+2-COMMENT=-----Permissive Mode-----
+2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
+3-COMMENT=-----Enforcing Mode-----
+3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
+4-COMMENT=-----Permissive Mode File-only -----
+4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
+4-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
+4-CONFIG::file::execute={ mode=disabled grant_log=no reject_log=no }
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example II}
+\begin{beamerboxesrounded}[shadow=true]{exception\_policy.conf:}
+\begin{tiny}
+\begin{verbatim}
+initialize_domain /sbin/ldconfig from any
+keep_domain any from /sbin/ldconfig
+
+path_group ANY_PATHNAME /
+path_group ANY_PATHNAME /\*
+path_group ANY_PATHNAME /\{\*\}/
+path_group ANY_PATHNAME /\{\*\}/\*
+path_group ANY_PATHNAME \*:/
+path_group ANY_PATHNAME \*:/\*
+path_group ANY_PATHNAME \*:/\{\*\}/
+path_group ANY_PATHNAME \*:/\{\*\}/\*
+path_group ANY_PATHNAME \*:[\$]
+path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
+path_group ANY_DIRECTORY /
+path_group ANY_DIRECTORY /\{\*\}/
+path_group ANY_DIRECTORY \*:/
+path_group ANY_DIRECTORY \*:/\{\*\}/
+
+acl_group 1 file read/getattr @ANY_DIRECTORY
+acl_group 1 file read/getattr @ANY_PATHNAME
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Example III}
+\begin{beamerboxesrounded}[shadow=true]{profile.conf:}
+\begin{tiny}
+\begin{verbatim}
+<kernel>
+use_profile 4
+use_group 1
+
+<kernel> /sbin/ldconfig
+use_profile 4
+use_group 1
+file create /etc/ld.so.cache~ 0600
+file write /etc/ld.so.cache~
+file chmod /etc/ld.so.cache~ 0644
+file rename /etc/ld.so.cache~ /etc/ld.so.cache
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tools}
+\begin{itemize}
+\item tomoyo-editpolicy
+\item tomoyo-selectpolicy
+\item tomoyo-patternize
+\item tomoyo-diffpolicy
+\item tomoyo-sortpolicy
+\item tomoyo-loadpolicy
+\end{itemize}
+\end{frame}
+
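Review bot: The box title of Example III, `profile.conf:`, does not fit its contents: `<kernel> /sbin/ldconfig`, `use_profile 4` and the `file create ...` lines are domain policy, which in TOMOYO (the only system the tomoyo-* tool list on the last slide points to) lives in `domain_policy.conf`, so the title should be `exception\_policy.conf:`-style `domain\_policy.conf:`. The Terms subsection introduces Domain, Profile and Policy and directives such as `initialize\_domain` without saying that this is TOMOYO's model, although the opening slide lists four LSMs; a sentence on the first Domain slide, e.g. `The terminology below follows TOMOYO Linux.`, would stop readers from applying it to SELinux or AppArmor. In the Domain example, `/bin/bin/bash` looks like a typo for `/bin/bash`, and `/usr/bin/opensshd` is not the usual daemon path (`/usr/sbin/sshd` on most systems) — worth checking against the system the example was taken from.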
diff --git a/security/advanced/frm_multiuser_dac.tex b/security/advanced/frm_multiuser_dac.tex
new file mode 100644
index 0000000..8085466
--- /dev/null
+++ b/security/advanced/frm_multiuser_dac.tex
@@ -0,0 +1,363 @@
+% ----------------------------
+\subsubsection{Users and Groups}
+
+\begin{frame}[fragile]
+\frametitle{Users}
+\begin{itemize}
+\item Multiple Users per System
+\item Login spawn shell with user privileges
+\item Process(es) inherit user privileges
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new user (interactive)
+adduser <new_user>
+# Remove existing user
+deluser <user_name>
+
+# Change password
+passwd [<user_name>]
+
+# Switch user ID
+su <user_name>
+# Run command as superuser (root)
+sudo <command>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Groups}
+\begin{itemize}
+\item Group contain 0..n users (static)
+\item Default group for each user
+\item 0..n supplementary groups for each user
+\item User can change group dynamically (password required)
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new group
+addgroup <new_group>
+# Remove existing group
+delgroup <group_name>
+
+# Add user to group
+usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
+
+# Show current user and group ID
+id
+# Switch group ID
+newgrp <group_name>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Local Authentication Databases}
+\begin{itemize}
+\item User Database: /etc/passwd
+\item Group Database: /etc/group
+\item Password Database: /etc/shadow
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pluggable Authentication Modules (PAM)}
+\begin{frame}[fragile]
+\frametitle{Pluggable Authentication Modules (PAM)}
+\begin{itemize}
+\item Pluggable shared libraries
+\item System-wide Authentication
+\item Plugins available for:
+\begin{itemize}
+\item UserID and Password (local)
+\item LDAP
+\item Kerberos (e.g. NIS, Windows Domain Controller)
+\item Hardware-based Authentication (e.g. SmartCard)
+\end{itemize}
+\item Extendable with own PAM modules
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{File Access Control}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{File Access Control}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/file_access_control.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions}
+\begin{itemize}
+\item for each File or Directory
+\item checked by Virtual Filesystem Layer
+\item Access Mode: \\
+ read, write, execute (entry)
+\item Access Role: \\
+ user, group, other
+\item Special: \\
+ set UID, set GID, sticky
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions: Example}
+\begin{beamerboxesrounded}[shadow=true]{Example}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-rw---- 1 root dialout 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+
+# Change ownership
+chown service /dev/ttyS1
+chgrp test /dev/ttyS1
+
+# Change permissions
+chmod u=rw g=r o= /dev/ttyS1
+
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-r----- 1 service test 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Access Control Lists}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control List (ACL)}
+\begin{itemize}
+\item More Users and Groups
+\item Round up Groups
+\item Tools: \\
+ setfacl, getfacl
+\item Requires: \\
+ mount \dots -o acl
+\item Pitfalls: \\
+ Not all tools like tar support ACLs
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example}
+\begin{itemize}
+\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
+members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
+\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
+and Henry?
+\item A: Not mandatory.
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
+\begin{tiny}
+\begin{verbatim}
+mkdir /data/shared/project_x
+chown pm_admin:pm_admin /data/shared/project_x
+setfacl -m user:sue:rwx /data/shared/project_x
+setfacl -m user:bob:rwx /data/shared/project_x
+setfacl -m user:henry:rwx /data/shared/project_x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example (2)}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+getfacl /data/shared/project_x
+# file: data/shared/project_x/
+# owner: pm_admin
+# group: pm_admin
+user::rwx
+user:sue:rwx
+user:bob:rwx
+user:henry:rwx
+group::r-x
+mask::rwx
+other::r-x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Extended File Attributes}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Extended File Attributes}
+\begin{itemize}
+\item More File Attributes
+ \begin{itemize}
+ \item a - append only
+ \item i - immutable
+ \item s - Override with zeros on delete
+ \end{itemize}
+\item Tools: \\
+ lsattr, chattr
+\item Requires: \\
+ root or mount \dots -o user\_xattr
+\item Pitfalls: \\
+ Not all tools like tar support xattr
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{xattr: Example}
+\begin{itemize}
+\item Q: You want to check what user Franz is typing on commandline?
+\item A: Look at /home/franz/.bash\_history
+\item But Franz is clever and deletes /home/franz/.bash\_history
+\item Q: How can you prevent that?
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+sudo chattr +a /home/franz/.bash_history
+lsattr /home/franz/.bash_history
+-----a-------e-- /home/franz/.bash_history
+rm /home/franz/.bash_history
+rm: cannot remove `/home/franz/.bash_history': Operation not permitted
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Multi-user Programming}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UserIDs and GroupIDs of a Process}
+\begin{itemize}
+\item Real
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real or effective
+ \end{itemize}
+\item Effective
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real, effective, saved
+ \end{itemize}
+\item Saved
+ \begin{itemize}
+ \item normal: \\
+ set to real UID/GID
+ \item s-Bit: \\
+ set to file UID/GID
+ \item privileged: \\
+ set to any value
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: change}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/proc_uidgid.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming I}
+\begin{beamerboxesrounded}[shadow=true]{temporary change of Effective:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange effective UID/GID back...\n");
+if(setegid(real_gid))
+ /* error handling */;
+if(seteuid(real_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{and back again:}
+\begin{tiny}
+\begin{verbatim}
+printf("...and forth\n");
+if(seteuid(saved_uid))
+ /* error handling */;
+if(setegid(saved_gid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{Drop finally:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange finally to stored UID/GID“);
+printf(" (there is no way back)\n");
+if(setregid(saved_gid, saved_gid))
+ /* error handling */;
+if(setreuid(saved_uid, saved_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming II}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l
+-rwsr-sr-x 1 dengler dengler 8480 Aug 19 17:22 ugid_to_stored
+
+$ ./ugid_to_stored
+Backup all UID/GID
+UIDs/GIDs after start
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change effective UID/GID back...
+eUID 1002 (rUID 1002, sUID 1000)
+eGID 1002 (rGID 1002, sGID 1000)
+...and forth
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change finally to stored UID/GID (there is no way back)
+eUID 1000 (rUID 1000, sUID 1000)
+eGID 1000 (rGID 1000, sGID 1000)
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
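Review bot: In the `Drop finally:` box, `printf("\nChange finally to stored UID/GID“);` closes the string with a typographic quote (U+201C) instead of `"`, so the snippet is not valid C; it should read `printf("\nChange finally to stored UID/GID");`, which also matches the program output shown on the next slide. The Extended File Attributes slide mixes two mechanisms: the `a`, `i` and `s` flags set with `chattr` are inode attribute flags (setting `+a`/`+i` needs `CAP_LINUX_IMMUTABLE`), whereas the `-o user_xattr` mount option governs `user.*` extended attributes handled by getfattr/setfattr, so the `Requires:` item does not apply to the tools listed above it. In the same list, `Override with zeros on delete` should be `Overwrite with zeros on delete`, and chattr(1) notes that `s` is not honoured by the ext2/3/4 filesystems, which is worth saying on the slide. On the PAM slide, `Kerberos (e.g. NIS, Windows Domain Controller)` lists NIS as a Kerberos example although it is a separate directory service; moving it to its own item would be more accurate.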
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
new file mode 100644
index 0000000..4e53733
--- /dev/null
+++ b/security/advanced/frm_namespace_container.tex
@@ -0,0 +1,132 @@
+% ----------------------------
+\subsubsection{Namespaces}
+
+\begin{frame}[fragile]
+\frametitle{Namespaces}
+\begin{itemize}
+\item Mount: \\
+ Provide different filesystem
+\item IPC: \\
+ Provide isolated inter process communication entities
+\item Network: \\
+ Provide isolated networking environment
+\item User: \\
+ Provide different User/UID mapping
+\item UTS: \\
+ Provide different hostname
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Container}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Containers}
+\begin{itemize}
+\item Application Isolation
+\item Lightweight Virtualisation
+\item Based on cgroups and namespaces
+\item Easy namespace configuration and management
+\item Projects:
+ \begin{itemize}
+ \item Docker
+ \item Linux-VServer
+ \item OpenVZ
+ \item Linux Container (LXC)
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LXC Handling}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Containers (LXC)}
+\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
+\begin{tiny}
+\begin{verbatim}
+# Start: Better for single commands
+lxc-execute -n cont_name [-f config] /bin/bash
+# Start: Better for container systems
+lxc-start -n cont_name [-f config]
+
+# Stop container
+lxc-stop -n foo
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Control container:}
+\begin{tiny}
+\begin{verbatim}
+# Pause/resume container (controlling group of processes)
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
+
+# Monitor container states
+lxc-monitor -n cont_name
+
+# Attach to container console
+lxc-console -n cont_name
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration I}
+\begin{beamerboxesrounded}[shadow=true]{Networking example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.utsname = myhostname
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = 4a:49:43:49:79:bf
+lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration II}
+\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.cgroup.cpuset.cpus = 0,1
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rw
+lxc.cgroup.devices.allow = b 8:0 rw
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Container: Summary}
+\begin{itemize}
+\item lightweight virtualization
+\item isolation of applications
+\item hide system resources/configuration
+\item Problems:
+ \begin{itemize}
+ \item shared kernel
+ \item robustness against attacks
+ \end{itemize}
+\item Solution:
+ \begin{itemize}
+ \item combination of namespaces with Mandatory Access Control (MAC)
+ \end{itemize}
+\end{itemize}
+\end{frame}
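Review bot: The "Controlgroup example" allows `b 8:0 rw`, and block major 8 minor 0 is conventionally the host's first SCSI/SATA disk, so a reader copying the slide grants the container raw read/write access to the whole disk, which sidesteps every filesystem-level isolation the earlier frames argue for; I would annotate the lines inside the verbatim, e.g. `# c 1:3 = /dev/null` and `# b 8:0 = first SATA/SCSI disk: rw here defeats isolation, narrow it`. The ordering of `lxc.cgroup.devices.deny = a` before the allow lines matters and deserves a one-line comment as well, since the deny must come first. The stop example uses `lxc-stop -n foo` while every other command uses `cont_name`; aligning them avoids the impression that `foo` is a special name. The configuration keys `lxc.utsname` and `lxc.network.*` are the legacy spelling; newer LXC releases renamed them (`lxc.uts.name`, `lxc.net.0.*`), so a footnote stating which LXC version the slides target would help.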
diff --git a/security/advanced/frm_process_thread.tex b/security/advanced/frm_process_thread.tex
new file mode 100644
index 0000000..b58a452
--- /dev/null
+++ b/security/advanced/frm_process_thread.tex
@@ -0,0 +1,113 @@
+% ----------------------------
+\subsubsection{Process Isolation}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Why isolating tasks?}
+\begin{figure}[h]
+\centering
+\includegraphics[width=5cm]{images/multithread_norm.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multithreaded Application under attack}
+\begin{figure}[h]
+\centering
+\includegraphics[width=5cm]{images/multithread_attack.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multi-process vs. Multi-thread}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/multiproc_norm.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multi-process under attack}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/multiproc_attack.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Memory Management}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Memory Manangement}
+\begin{itemize}
+\item create process context
+\item overload VMA
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/proc_isol.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Multiprocess Programming}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Multiprocess Programming}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Program:}
+ \begin{tiny}
+ \begin{verbatim}
+[...]
+pid = fork();
+switch (pid) {
+case -1:
+ /* error handling */
+case 0:
+ /* child processing */
+ execve(argv[0], &argv[0], envp);
+ break;
+default:
+ /* parent processing */
+ [...]
+ pid = wait(&status);
+}
+[...]
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Arguments:}
+ \begin{tiny}
+ \begin{verbatim}
+char *argv[] = {
+ "/bin/myappl",
+ "--config",
+ "/etc/myconfig",
+ NULL,
+};
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \begin{beamerboxesrounded}[shadow=true]{Environment:}
+ \begin{tiny}
+ \begin{verbatim}
+char *envp[] = {
+ "HOME=/myhome",
+ "PATH=/bin:/usr/bin",
+ "TZ=UTC0",
+ NULL,
+};
+ \end{verbatim}
+ \end{tiny}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
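Review bot: In the "Program:" box the `case -1:` arm has no `break` or exit after the error-handling comment, so when `fork()` fails control falls through into `case 0:` and the original process replaces itself via `execve`; `case -1: /* error handling */ exit(EXIT_FAILURE);` closes that hole. Likewise the `break;` after `execve` is reached only when `execve` failed, and it lets the child run the parent code after the switch; `_exit(127);` is the conventional line there. The frametitle "Memory Manangement" is misspelled ("Management"). The `\begin{figure}[h]` placement inside beamer frames has no effect as far as I recall and could be dropped for a plain `\centering` block.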
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
index 1a8c0b6..ccbf05e 100644
--- a/security/advanced/pres_advanced_sec.tex
+++ b/security/advanced/pres_advanced_sec.tex
@@ -247,6 +247,9 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{frame}
% ----------------------------
+\input{security/advanced/frm_capabilities.tex}
+
+% ----------------------------
\subsubsection{Process}
\begin{frame}[fragile]
diff --git a/security/advanced/pres_capability.tex b/security/advanced/pres_capability.tex
new file mode 100644
index 0000000..cb4cf0e
--- /dev/null
+++ b/security/advanced/pres_capability.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Capabilities}
+
+\title{Linux Capabilities}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_capabilities.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
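Review bot: This wrapper is byte-for-byte the same template as pres_exploit.tex, pres_mac.tex, pres_multiuser_dac.tex, pres_namespace_container.tex and pres_process_thread.tex, differing only in the title string and the `\input` path, so a single `\newcommand*{\standalonepres}[2]{...}` taking title and fragment path (or one wrapper file parameterised via `\jobname`) would keep the six decks in step when `configpres`/`tailpres` handling changes. The empty `\subsection*{}` before `\input{tailpres}` presumably exists to close the last section in the sidebar; a short `%` comment saying so would stop the next editor from removing it.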
diff --git a/security/advanced/pres_exploit.tex b/security/advanced/pres_exploit.tex
new file mode 100644
index 0000000..5597c21
--- /dev/null
+++ b/security/advanced/pres_exploit.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Exploits and Mitigation}
+
+\title{Exploits and Mitigation}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_exploit_mitigation.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_mac.tex b/security/advanced/pres_mac.tex
new file mode 100644
index 0000000..e50ec66
--- /dev/null
+++ b/security/advanced/pres_mac.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Mandatory Access Control}
+
+\title{Linux Mandatory Access Control}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_mac.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_multiuser_dac.tex b/security/advanced/pres_multiuser_dac.tex
new file mode 100644
index 0000000..c45b009
--- /dev/null
+++ b/security/advanced/pres_multiuser_dac.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Multi User}
+
+\title{Linux Multi User}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_multiuser_dac.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_namespace_container.tex b/security/advanced/pres_namespace_container.tex
new file mode 100644
index 0000000..7572b0c
--- /dev/null
+++ b/security/advanced/pres_namespace_container.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Namespaces}
+
+\title{Linux Namespaces}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_namespace_container.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/advanced/pres_process_thread.tex b/security/advanced/pres_process_thread.tex
new file mode 100644
index 0000000..a58f449
--- /dev/null
+++ b/security/advanced/pres_process_thread.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Process Isolation}
+
+\title{Linux Process Isolation}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_process_thread.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
diff --git a/security/crypto/Makefile b/security/crypto/Makefile
index a1a28af..eee67f3 100644
--- a/security/crypto/Makefile
+++ b/security/crypto/Makefile
@@ -1,2 +1,3 @@
obj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_en.pdf
obj-$(CONFIG_SECURITY_PKI) += pres_pki_en.pdf
+obj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_filesystems.pdf
diff --git a/security/crypto/pres_crypto_filesystems.tex b/security/crypto/pres_crypto_filesystems.tex
new file mode 100644
index 0000000..f43c181
--- /dev/null
+++ b/security/crypto/pres_crypto_filesystems.tex
@@ -0,0 +1,161 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Crypto Filesystems}
+
+\title{Crypto Filesystems}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Filesystem Overview}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Filesystem Overview}
+\begin{itemize}
+\item General Purpose
+ \begin{itemize}
+ \item Ext4
+ \item F2FS
+ \item ZFS
+ \end{itemize}
+\item FUSE based
+ \begin{itemize}
+ \item encFS
+ \item lessFS (Blowfish only)
+ \end{itemize}
+\item Kernel based
+ \begin{itemize}
+ \item eCryptFS
+ \end{itemize}
+\item Block device Encryption
+ \begin{itemize}
+ \item Linux Unified Key Setup (LUKS)
+ \item dm-crypt
+ \item can be used as base-layer other filesystems
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{F2FS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{F2FS}
+\begin{itemize}
+\item optimized for controller-based Flash-Devices
+\item log structure based
+\item atomic operations
+\item Encryption
+ \begin{itemize}
+ \item as in EXT4
+ \item transparent
+ \item file-system based
+ \item AES128/256, XTS/CBC/CTR
+ \item support encrypted keys
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{EncFS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{EncFS}
+\begin{itemize}
+\item Userspace Filesystem (FUSE)
+\item OS independent
+\item Container: encrypted data and encrypted datakey
+\item Mountpoint: transparent overlay
+\item Encryption
+ \begin{itemize}
+ \item transparent
+ \item file-system based
+ \item AES128/256, CFB
+ \item separate keys for access and data encryption
+ \end{itemize}
+\item Disadvantages
+ \begin{itemize}
+ \item lots of known attacks
+ \item weak default configuration
+ \item paranoid configuration still allows some known attacks
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{eCryptFS}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{eCryptFS}
+\begin{itemize}
+\item widely used for encrypting home directories (e.g. Ubuntu)
+\item part of Linux Kernel
+\item Encryption
+ \begin{itemize}
+ \item filesystem based
+ \item use Kernel keyring
+ \item use Kernel encryption layer
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LUKS/dm-crypt}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{LUKS/dm-crypt}
+\begin{itemize}
+\item transparent block device encryption
+\item filesystem independent
+\item empty block handling
+\item highest security level
+ \begin{itemize}
+ \item full disk encryption
+ \item use Kernel keyring
+ \item use Kernel encryption layer
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Summary}
+\begin{itemize}
+\item Encrypt private files in public Cloud
+ \begin{itemize}
+ \item EncFS
+ \end{itemize}
+\item Encrypt data on USB-Stick/SD-Card/eMMC
+ \begin{itemize}
+ \item F2FS
+ \end{itemize}
+\item Encrypt data in Homedirectory
+ \begin{itemize}
+ \item eCryptFS
+ \end{itemize}
+\item Encrypt data on enterprise-level
+ \begin{itemize}
+ \item LUKS/dm-crypt on block-devices
+ \item Ext4 (full disk)
+ \item ZFS (full disk)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres}
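Review bot: The Summary frame recommends EncFS for "private files in public Cloud" while the EncFS frame itself lists "lots of known attacks", "weak default configuration" and that even the paranoid configuration leaves known attacks open; the recommendation should carry that caveat, e.g. `\item EncFS (see known-attack caveats; use paranoid mode only)`, or point at the block-device layer instead. The "Ext4 (full disk)" bullet is misleading, since ext4 encryption is applied per directory tree rather than to the whole device; full-disk encryption is the LUKS/dm-crypt layer on the line above. The cipher lists for F2FS ("AES128/256, XTS/CBC/CTR") and EncFS ("AES128/256, CFB") would benefit from a citation of the respective design documents, as the kernel's fscrypt modes I know of are AES-256-XTS for contents with a separate mode for file names. In the overview frame, "can be used as base-layer other filesystems" is missing a word ("base layer for other filesystems").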