Posted: 15-Jan-2015 | Category: Technology | Uploaded by: kohei-kaigai
LAPP/SELinux: A secure web application stack powered by SELinux
KaiGai Kohei <[email protected]>, NEC OSS Promotion Center
Japan Linux Symposium 2009
Self Introduction
▐ KaiGai Kohei has worked at NEC for 7 years and has contributed to SELinux development, including:
• SMP scalability improvements
• A series of efforts to port SELinux to embedded platforms
• Development of SE-PostgreSQL
• Per-thread security context setting support
▐ Recently, I have focused on the security of web systems.
Agenda
1. Background
2. SE-PostgreSQL
3. Apache/SELinux Plus
4. LAPP/SELinux

1. Background
Security nightmare in Web systems
▐ Attacks on web systems have been increasing rapidly.
▐ The growth of web-based commerce is thought to be the cause.
▐ Are the existing security features really good enough?
(Reference: JSOC analysis report of the incursion trend, vol.12, LAC)
LAPP - A typical web application stack
▐ LAPP: a full OSS web application stack, also known as LAMP
• Linux, Apache, PostgreSQL and PHP/Perl
▐ Security concerns: each layer has its own access controls
• Lack of consistency: no individual privileges for users who come in via the web interface (in other words, security depends on the quality of the web applications)
• Lack of comprehensiveness
▐ Keyword ... Analogy
Diagram: each layer of the stack and the access control mechanism it brings
• Operating System (Linux): filesystem permissions
• Database Server (PostgreSQL): database ACLs
• Web Server (Apache): .htaccess files
• Web Applications (PHP/Perl): their own access controls
An analogy between OS and Database
▐ The same relationship exists between user processes and information assets in both cases.
▐ The only difference is the way the assets are stored and accessed: system calls for the filesystem, SQL for the database.
▐ Access control decides what is allowed or disallowed on the relationship between certain users and resources.
• There is no reason why a common security model cannot be applied to both; doing so guarantees consistency of access controls.
Diagram: in each case a user process sends a request to an object manager, which holds the information assets.
• OS (Linux): system call, filesystem permissions, filesystem; SELinux mediates the decision
• RDBMS (PostgreSQL): SQL, database ACLs, database
An analogy between ssh and web
▐ The user is a human; a user agent acts on his or her behalf.
▐ The user agent must carry the correct privilege set of that human.
• Authentication can identify the human and assign privileges.
• httpd launches web applications without individual privileges, so the OS/DB cannot distinguish who is behind the user agent.
▐ The privileges of the human user need to be assigned to the web application.
Diagram: in both cases the human authenticates, a daemon launches a user agent, and the agent issues resource requests to the filesystem and database with some privilege set.
• ssh: user, shell command, sshd, shell process (runs with the user's privileges)
• web: user, HTTP request, httpd, web-app instance (runs with the privileges of httpd itself)
What can we find out from the analogies?
▐ SE-PostgreSQL: advanced access controls for SQL queries based on SELinux; gives consistency in access controls
▐ Apache/SELinux Plus: an advanced privilege mechanism for web applications based on SELinux; gives comprehensiveness in web-application security
▐ LAPP/SELinux: utilization of SELinux across the whole LAPP stack
• SELinux + SE-PostgreSQL + Apache/SELinux Plus
• Operating System (SELinux), Database Server (SE-PostgreSQL), Web Server (Apache/SELinux Plus), Web Applications (PHP/Perl)
2. SE-PostgreSQL
Architecture of SE-PostgreSQL
▐ SELinux hooks system-call processing; SE-PostgreSQL likewise hooks SQL query processing.
▐ SELinux makes its decision based on its security policy; SE-PostgreSQL controls execution of the SQL query according to SELinux's access control decision.
• This means that a single security policy controls both OS and DB accesses.
Diagram: in user space, a user process sends SQL to SE-PostgreSQL, where query processing consults the database ACLs and the SE-PgSQL subsystem before touching the database. The SE-PgSQL subsystem asks the SELinux security server in kernel space "Can I allow the given accesses?" and the query is denied if the policy says so. The same security server answers the same question for the filesystem routines that handle system calls.
Decision-making in SELinux
▐ SELinux looks like a function
• SELinux returns a binary state for the given arguments.
• The kernel internally passes them to SELinux and follows its decision.
• A userspace application can also utilize this mechanism, as long as it can provide the pair of security contexts.
▐ Security context
• An SELinux-specific identifier of processes and any other objects.
• The kernel manages the security contexts of kernel objects; applications must manage the security contexts of userspace objects.
Diagram: input (security context of the user agent, security context of the target object, required actions) goes into SELinux, which consults the security policy; output is the decision, allowed or denied.
"security_context" system column
postgres=# SELECT security_context, * FROM drink;security_context | id | name | price
-----------------------------------------+----+-------+-------system_u:object_r:sepgsql_table_t:s0 | 3 | juice | 130system_u:object_r:sepgsql_table_t:s0 | 4 | cofee | 180system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | 240system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | 320system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | 380system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea | 140
(6 rows)
postgres=# SELECT security_context, * FROM drink;security_context | id | name | price
-----------------------------------------+----+-------+-------system_u:object_r:sepgsql_table_t:s0 | 3 | juice | 130system_u:object_r:sepgsql_table_t:s0 | 4 | cofee | 180system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | 240system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | 320system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | 380system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea | 140
(6 rows)
postgres=# SELECT security_context, attname, attnum FROM pg_attributeWHERE attrelid = 'drink'::regclass AND attnum > 0;
security_context | attname | attnum-----------------------------------------+---------+--------system_u:object_r:sepgsql_table_t:s0 | id | 1system_u:object_r:sepgsql_table_t:s0 | name | 2system_u:object_r:sepgsql_ro_table_t:s0 | price | 3
(3 rows)
postgres=# SELECT security_context, attname, attnum FROM pg_attributeWHERE attrelid = 'drink'::regclass AND attnum > 0;
security_context | attname | attnum-----------------------------------------+---------+--------system_u:object_r:sepgsql_table_t:s0 | id | 1system_u:object_r:sepgsql_table_t:s0 | name | 2system_u:object_r:sepgsql_ro_table_t:s0 | price | 3
(3 rows)
System catalog
security context of the regular relation
security context of the system relation
Privileges of the client
▐ SE-PostgreSQL applies the security context of the peer process.
• It does NOT depend on database authentication.
• SELinux provides an API to obtain the security context of the peer process: see getpeercon(3).
▐ Labeled IPsec
• Enables the security context of a remote process to be delivered across the network.
• An enhancement of IPsec, available in kernel 2.6.18 or later.

  [ymj@saba ~]$ id -Z
  uid=1002(ymj) gid=100(users) groups=100(users) \
  context=staff_u:staff_r:staff_t:s0-s0:c0.c15
  [ymj@saba ~]$ psql -q postgres -U dbguest
  postgres=> SELECT sepgsql_getcon(), current_user;
             sepgsql_getcon             | current_user
  --------------------------------------+--------------
   staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest
  (1 row)

The client connected as the database role dbguest, yet the context SE-PostgreSQL uses is that of the ymj shell process, obtained from the socket peer.
Usage of SE-PostgreSQL (1/2)
▐ On SELECT: Classified tuples are invisible to Unclassified clients.
▐ On UPDATE/DELETE: updates to Read-Only (sepgsql_ro_table_t) tuples are also prevented, but a Classified client can update Read-Writable and Classified tuples.
▐ On INSERT: a default security context is assigned to the new tuple.

  postgres=# SELECT security_context, * FROM drink;
                   security_context                  | id | name   | price
  ---------------------------------------------------+----+--------+-------
   system_u:object_r:sepgsql_ro_table_t:Unclassified |  1 | water  |   100
   system_u:object_r:sepgsql_ro_table_t:Unclassified |  2 | coke   |   120
   system_u:object_r:sepgsql_table_t:Unclassified    |  3 | juice  |   130
   system_u:object_r:sepgsql_table_t:Unclassified    |  4 | coffee |   180
   system_u:object_r:sepgsql_table_t:Classified      |  5 | beer   |   240
   system_u:object_r:sepgsql_table_t:Classified      |  6 | sake   |   320
   staff_u:object_r:sepgsql_table_t:Unclassified     |  7 | soda   |   150

Row level access control. The MLS field of these labels is shown in its translated form (Unclassified, Classified) rather than the raw s0 / s0:c0 form of the previous slides.
Usage of SE-PostgreSQL (2/2)
▐ Table/Column level access control: an individual security context can be assigned to a particular table or column.

  postgres=# CREATE TABLE customer (
                 cid integer primary key,
                 cname varchar(32),
                 ccredit varchar(32)
                     SECURITY_CONTEXT = 'system_u:object_r:sepgsql_secret_table_t:s0'
             );
  CREATE TABLE

▐ SE-PostgreSQL prevents an unprivileged client from accessing the column labeled "Secret":

  postgres=> SELECT * FROM customer;
  LOG:  SELinux: denied { select } \
        scontext=staff_u:staff_r:staff_t:Unclassified \
        tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified \
        tclass=db_column name=customer.ccredit
  ERROR:  SELinux: security policy violation
  postgres=> SELECT cid, cname FROM customer;
   cid | cname
  -----+-------
    10 | jack
    13 | adam
    14 | liza
  (3 rows)

The denial is logged with the same scontext/tcontext/tclass triple that SELinux uses for kernel objects; here the object class is db_column, and a query that names only permitted columns succeeds.
Performance - SE-PostgreSQL
▐ A 2~4% performance trade-off; the userspace AVC minimizes the number of kernel invocations.
▐ Environment: CPU Xeon (2.33GHz) dual, Mem 2GB (shared_buffers=512m), measured by pgbench -c 2 -t 200000
[Chart: comparison of pgbench results; x-axis: database size (scaling factor, 20 to 200); y-axis: transactions per second (0 to 450); series: PostgreSQL v8.4.1 vs. SE-PostgreSQL v8.4.1]
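The following is an added example, not code from the slides or from SE-PostgreSQL. It models in one place what the SE-PostgreSQL slides above describe: SELinux as a function from (subject context, object context, object class, permission) to allowed/denied; row-level filtering, where tuples at s0:c0 are invisible to a client whose clearance is plain s0 (no read-up); the refusal to UPDATE a sepgsql_ro_table_t tuple; the column-level denial on sepgsql_secret_table_t with an audit message shaped like the LOG line on the slide; and the userspace AVC from the performance slide, which only calls the "security server" on a cache miss. The allow rules, the write-side MLS rule, the sample rows and the names used are constructed for this demo and are not the reference policy.

```python
"""Toy model of the SE-PostgreSQL decision path (added example, not SE-PostgreSQL code)."""
import re
from collections import namedtuple

Context = namedtuple("Context", "text user role type low high")  # text: original label string

def parse_context(text):
    """'staff_u:staff_r:staff_t:s0-s0:c0.c15' -> Context with low='s0', high='s0:c0.c15'."""
    user, role, typ, rng = text.split(":", 3)       # the MLS field may itself contain ':'
    low, _, high = rng.partition("-")
    return Context(text, user, role, typ, low, high or low)   # an object label has low == high

def categories(level):
    """'s0:c0.c15' -> {0..15}, 's0:c0,c2' -> {0, 2}, 's0' -> set()."""
    return {c for lo, hi in re.findall(r"c(\d+)(?:\.c(\d+))?", level)
            for c in range(int(lo), int(hi or lo) + 1)}

def dominates(high, low):
    """MLS dominance: sensitivity 'sN' of high >= that of low, and categories a superset."""
    sens = lambda lvl: int(re.match(r"s(\d+)", lvl)[1])
    return sens(high) >= sens(low) and categories(high) >= categories(low)

# Constructed type-enforcement rules (source type, target type, class, permission); nothing
# grants staff_t any access to sepgsql_secret_table_t, so those accesses are denied.
ALLOW = {
    ("staff_t", "sepgsql_table_t", "db_tuple", "select"),
    ("staff_t", "sepgsql_table_t", "db_tuple", "update"),
    ("staff_t", "sepgsql_ro_table_t", "db_tuple", "select"),
    ("staff_t", "sepgsql_table_t", "db_column", "select"),
    ("staff_t", "sepgsql_ro_table_t", "db_column", "select"),
}

def security_server(scon, tcon, tclass, perm):
    """SELinux as a function: (subject, object, class, action) -> allowed or not."""
    if (scon.type, tcon.type, tclass, perm) not in ALLOW:
        return False                                   # type enforcement says no
    if perm == "select":                               # reads: no read-up
        return dominates(scon.high, tcon.low)
    return dominates(tcon.low, scon.low) and dominates(scon.high, tcon.low)  # writes stay in range

class AVC:
    """Userspace access vector cache: only cache misses cost a security-server call."""
    def __init__(self):
        self.cache, self.lookups, self.server_calls = {}, 0, 0
    def allowed(self, scon, tcon, tclass, perm):
        self.lookups += 1
        key = (scon, tcon, tclass, perm)
        if key not in self.cache:
            self.server_calls += 1
            self.cache[key] = security_server(scon, tcon, tclass, perm)
        return self.cache[key]
    def check(self, scon, tcon, tclass, perm, name):
        """Raise with an audit-style message shaped like the LOG line on the slide."""
        if not self.allowed(scon, tcon, tclass, perm):
            raise PermissionError(f"SELinux: denied {{ {perm} }} scontext={scon.text} "
                                  f"tcontext={tcon.text} tclass={tclass} name={name}")

# Constructed sample data following the slides' "drink" and "customer" tables.
DRINK = [  # (tuple security context, id, name, price)
    ("system_u:object_r:sepgsql_ro_table_t:s0", 1, "water", 100),
    ("system_u:object_r:sepgsql_table_t:s0", 3, "juice", 130),
    ("system_u:object_r:sepgsql_table_t:s0", 4, "coffee", 180),
    ("system_u:object_r:sepgsql_table_t:s0:c0", 5, "beer", 240),
    ("system_u:object_r:sepgsql_table_t:s0:c0", 6, "sake", 320),
    ("staff_u:object_r:sepgsql_table_t:s0", 7, "soda", 150),
]
CUSTOMER_COLUMNS = {"cid": "system_u:object_r:sepgsql_table_t:s0",
                    "cname": "system_u:object_r:sepgsql_table_t:s0",
                    "ccredit": "system_u:object_r:sepgsql_secret_table_t:s0"}

def select_rows(avc, client, rows):
    """Row-level control: tuples the client may not read are silently invisible."""
    scon = parse_context(client)
    return [r[1:] for r in rows if avc.allowed(scon, parse_context(r[0]), "db_tuple", "select")]

def update_rows(avc, client, rows, ids):
    """UPDATE ... WHERE id IN ids: invisible tuples are untouched, a visible read-only one aborts."""
    scon, updated = parse_context(client), 0
    for r in rows:
        tcon = parse_context(r[0])
        if r[1] in ids and avc.allowed(scon, tcon, "db_tuple", "select"):
            avc.check(scon, tcon, "db_tuple", "update", name=f"drink.{r[1]}")
            updated += 1
    return updated

def select_columns(avc, client, columns, wanted):
    """Column-level control: the statement aborts if any referenced column is off limits."""
    scon = parse_context(client)
    for col in wanted:
        avc.check(scon, parse_context(columns[col]), "db_column", "select", name=f"customer.{col}")
    return list(wanted)

def denial(fn, *args):
    """Return the denial message raised by fn(*args), or None if the access was allowed."""
    try:
        fn(*args)
    except PermissionError as exc:
        return str(exc)

def cache_stats(client, rows):
    """One row-level SELECT through a fresh AVC: (lookups, security-server calls)."""
    avc = AVC()
    select_rows(avc, client, rows)
    return avc.lookups, avc.server_calls
```

Run with a client of staff_u:staff_r:staff_t:s0 and the six tuples above produce only four security-server calls, because the cache key is the full (subject, object, class, permission) tuple and tuples sharing a label share a decision; that is the mechanism behind the small overhead reported on the slide.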
System image: system-wide consistency in access control
▐ SELinux controls ANY inter-process communication channel: no read-up, no write-down.
▐ SE-PostgreSQL allows an RDBMS to be deployed within this scheme: from the viewpoint of access control there is no difference between the filesystem and the database.
Diagram: user processes at the Unclassified and Classified levels, each entered via login, reach the information assets (filesystem, networks, IPC objects, database) only through inter-process communication channels that the SELinux security policy mediates, which gives consistent access controls across all of them.
3. Apache/SELinux Plus
Web system overview
▐ Steps to handle a user's request
1. The user sends an HTTP request.
2. Apache/httpd may (or may not) apply HTTP authentication.
3. It launches a web-app instance which acts as a user agent, but its privilege set is identical to that of the web-server process.
4. Apache/httpd replies with an HTTP response.
▐ Our headache and prescription
• The OS/DB cannot apply valid access controls on user agents that all carry the same privileges.
• The correct privileges need to be assigned before the web-app is launched; the Apache/SELinux Plus module does exactly this.
Diagram: the human user authenticates and sends an HTTP request to Apache/httpd, which runs a web-app instance against the filesystem and database with no individual privilege set, then returns the HTTP response.
Apache/SELinux Plus (1/2): Apache without SELinux support
1. HTTP request from the user
2. HTTP authentication may be applied
3. The required contents handler is invoked with the server process's privileges
• This offloads the burden of access control onto the web applications themselves.
• The OS/DB cannot distinguish the user's privileges.
Diagram: Apache/httpd accepts the connection, parses the HTTP request, performs HTTP authentication, invokes the contents handler (.html, .php, .cgi) and sends the HTTP response; every handler runs as the server process.
Apache/SELinux Plus (2/2): Apache/SELinux Plus
1. HTTP request from the user
2. HTTP authentication may be applied
3. A one-time worker thread is created
4. The worker assigns the user's privileges to itself (changes its own security context), then invokes the contents handler
• Set the user's privileges first; the web application then runs with the least privilege set.
Diagram: Apache/httpd accepts the connection, parses the HTTP request, performs HTTP authentication, creates a worker thread which changes its security context, invokes the contents handler (.html, .php, .cgi) and exits; the server thread joins the worker and sends the HTTP response.
Performance - Apache/SELinux Plus
▐ The cost of assigning privileges is relatively large for lightweight requests.
▐ Less difference in our major target (Web+DB applications): database queries cost more than creating a worker thread.
[Chart: number of requests per second (0 to 700) for the four tests below, Apache (normal) vs. Apache/SELinux Plus]
  $ ab -c 8 -t 60 -A <user:password> <URL>
  CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12
  TEST1) Regular HTML file
  TEST2) PHP script
  TEST3) PHP script with DB connection
  TEST4) CGI program
System image (1/2): Per web-user privileges
• HTTP authentication
• Launch a one-time worker thread
• Set its own security context corresponding to the username
Result: valid access controls by the OS/DB (filesystem, database) based on per-user privileges.
System image (2/2): Per virtual host separation
▐ SELinux acts as a logical wall separating system resources.
▐ The MCS policy is suitable for this.
• Example: http://red.example.com/, http://blue.example.com/ and http://green.example.com/ each have their own filesystem area and database; the contents handler of the "green" virtual host can reach only the "green" resources.
• The logical wall: SELinux prevents a user agent from accessing objects that belong to other categories.
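The following is an added example, not code from the slides or from mod_selinux (Apache/SELinux Plus). It models the request flow of the Apache/SELinux Plus (2/2) slide together with the two system images above: a one-time worker thread adopts a security context derived from the authenticated user (per web-user privileges) and from the virtual host (an MCS category per host, the logical wall), and only then invokes the contents handler; the server thread's own context is untouched. The real module relabels the worker with libselinux's setcon(), which applies to the calling thread only; here a thread-local stands in for that so the model runs without SELinux. The user map, the domain names user_webapp_t and anon_webapp_t, the category numbers, the paths and the resource labels are all assumptions made for this demo.

```python
"""Model of the Apache/SELinux Plus request flow (added example, not mod_selinux code)."""
import re
import threading

# Stand-in for the per-task label the kernel keeps: the real module calls libselinux setcon()
# from the worker thread, which relabels only that thread; a thread-local plays that role here.
_tls = threading.local()
SERVER_DOMAIN = "system_u:system_r:httpd_t:s0:c0.c1023"   # assumed: the server reaches everything

def getcon():
    return getattr(_tls, "con", SERVER_DOMAIN)

def setcon(con):
    _tls.con = con

# Assumed map: authenticated HTTP user -> (domain, user category); anonymous requests get a
# restricted domain and no user category. Each virtual host gets its own MCS category.
USER_MAP = {"alice": ("user_webapp_t", 1), "bob": ("user_webapp_t", 2)}
ANON_DOMAIN = "anon_webapp_t"
VHOST_CATEGORY = {"red.example.com": 10, "blue.example.com": 11, "green.example.com": 12}

def context_for(user, vhost):
    """Context a worker adopts: the user's domain plus the user's and the vhost's categories."""
    domain, ucat = USER_MAP.get(user, (ANON_DOMAIN, None))
    cats = sorted(c for c in (ucat, VHOST_CATEGORY[vhost]) if c is not None)
    return f"user_u:user_r:{domain}:s0:" + ",".join(f"c{c}" for c in cats)

def categories(con):
    """'user_u:user_r:user_webapp_t:s0:c1,c10' -> {1, 10}; 's0:c0.c1023' expands the range."""
    return {c for lo, hi in re.findall(r"c(\d+)(?:\.c(\d+))?", con.split(":", 3)[3])
            for c in range(int(lo), int(hi or lo) + 1)}

# Constructed labelled resources: path -> categories an accessor must hold (the logical wall).
RESOURCES = {
    "/srv/www/red/index.php": {10},
    "/srv/www/blue/index.php": {11},
    "/srv/www/green/index.php": {12},
    "/home/alice/notes.txt": {1, 10},        # alice's file, published only via the red vhost
    "/var/lib/pgsql/customer.tbl": {1},      # database object readable only with alice's category
}

def open_resource(path):
    """The check the OS/DB makes, against the calling thread's current context."""
    return RESOURCES[path] <= categories(getcon())

def content_handler(path):
    """The .php/.cgi handler: it reads its resource and reports how that went."""
    return "200 OK" if open_resource(path) else "403 Forbidden"

def handle_request(user, vhost, path):
    """Apache/SELinux Plus: authenticate, spawn a one-time worker, set privileges, run handler."""
    result = {}
    def worker():
        setcon(context_for(user, vhost))     # step 4 on the slide: privileges before the handler
        result["context"] = getcon()
        result["status"] = content_handler(path)
    t = threading.Thread(target=worker)
    t.start()
    t.join()                                 # join the one-time worker, then send the response
    result["server_context"] = getcon()      # the server thread keeps its own label
    return result

def handle_request_plain_apache(path):
    """For contrast, plain Apache: the handler runs directly with the server's privileges."""
    return content_handler(path)
```

With plain Apache every handler reaches every resource, which is the "no individual privilege set" problem of the earlier slides; with the worker adopting alice's context on the red host, her file is readable, bob's request for the same file is refused, and the same user on the blue host cannot cross into red's content.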
4. LAPP/SELinux
SELinux has expanded its coverage
▐ Prehistory: we had no MAC security.
▐ Then God said "let there be SELinux": SELinux applies a MAC policy to the operating system.
▐ Today, its sphere of life has expanded: SE-PostgreSQL, Apache/SELinux Plus, XACE/SELinux, sVirt, ...
▐ In the future, it will cover the whole web application stack.
Diagram: the four layers (Operating System, Database Server, Web Server, Web Applications) over time
• Prehistory: Operating System (Linux), with no MAC at all
• Past: Operating System (SELinux), Database Server (PostgreSQL), Web Server (Apache), Web Applications (PHP/Perl)
• Today: Operating System (SELinux), Database Server (SE-PostgreSQL), Web Server (Apache/SELinux Plus), Web Applications (PHP/Perl)
• Future: the same stack, with the Web Applications (PHP/Perl) layer covered by SELinux as well
Conceptual diagram of LAPP/SELinux
▐ SE-PostgreSQL provides system-wide consistency in access controls.
▐ Apache/SELinux Plus enables web apps to run with the correct privileges.
▐ LAPP/SELinux thus lets us set up web systems with consistent and comprehensive access controls.
Diagram: as in the earlier system image, but the Unclassified and Classified user processes are now entered through HTTP requests instead of logins; they reach the information assets (filesystem, networks, IPC objects, database) only through inter-process communication channels mediated by the SELinux security policy.
LAPP/SELinux applicability: threats by malicious insider
▐ Database Administrator (DBA)
• Normally, a DBA is allowed to do anything on the database.
• Access to information the DBA does not need must be prevented, including access to backups.
• Consistent access controls using SELinux prevent such information leaks.
Diagram: customers reach the customer table only through HTTP requests to the web server and the SQL it issues to SE-PostgreSQL. The DBA's paths (executing commands, dumping the table with the backup utilities, reading the database backup file, issuing DDL statements) are all mediated by the same SELinux policy and recorded in the audit log.
Our principle
▐ Worth of an information asset
• It depends on the contents, not on the way they are stored.
• Consistent access control needs to be applied to the same relationship.
▐ Purpose of access controls
• To decide what is allowed and disallowed on the relationship between a certain human user and an information asset.
• Again, it is a relationship between a human and information.
▐ Principle of LAPP/SELinux
• A common security identifier
• A common access control decision
• Maximum utilization of the platform's features
Price of a notebook: $8.00. Price of privacy: priceless.
Project status & history
▐ Status
• The kernel now supports all the features needed by LAPP/SELinux.
• Fedora now includes the sepostgresql and mod_selinux packages.
• SE-PostgreSQL is now being discussed in the pgsql community.
▐ History
• '06/09 Started development of SE-PostgreSQL
• '07/03 SELinux Symposium & Developer Summit 2007 (Baltimore, USA)
• '07/08 Fedora merged the SE-PostgreSQL package (F8 or later)
• '07/11 IPA gave an award for the development of SE-PostgreSQL
• '08/03 The PostgreSQL Conference 2008 (Ottawa, CA)
• '08/05 SE-PostgreSQL was proposed for pgsql-8.4.x development
• '08/12 The bounds domain feature got merged (kernel 2.6.28 or later)
• '09/04 Fedora merged Apache/SELinux Plus (F11 or later)
• '09/07 SE-PostgreSQL was proposed for pgsql-8.5.x development
• '09/10 Japan Linux Symposium 2009
Any Questions?
Thank you!