Present Absence of Linux Filesystem Security
Philip Derbeko
January, 2018

About Me ([email protected])

Present Absence
A character who does not appear for much of, if not all, the plot, but whose presence is nevertheless felt. More accurately, the absence of the character is most significant.
Recap of FS Security
1. Read/Write/Execute
2. Inheritance
3. Only "Allow" permissions
Privacy vs. Security

The "Root" of the problem
Permanent link to this comic: https://xkcd.com/149/
Capabilities Anyone?
LSM to the rescue???
Issues:
- Not mandatory
- Single active module
- Kernel compilation
- Limited hooks
3 Security Gaps
1. Context of operations
2. Weird operations
3. Destructive operations
Context of Operations
Do you really know what is going on?
Weird Operations
Destructive Operations
KillDisk - encryption loop
Encoder - encryption loop
Destructive Operations - ShieldFS assumptions/findings
1. # of folder listing operations
2. # of read files
3. # of written files
4. # of renamed or moved files
5. # of accessed files
6. Average entropy of file-write operations
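The six ShieldFS features above are per-process counters over a window of filesystem operations, with the entropy of written data as the signal that distinguishes an encryption loop from ordinary editing. The following is an added example (not code from the talk or from the ShieldFS project) that computes those features over a constructed stream of operations and applies a simple threshold rule; the `FileOp` record, the `looks_like_encryption_loop` thresholds and the sample process ids are assumptions made for illustration, not values from the slides.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileOp:
    """One observed filesystem operation (hypothetical trace record)."""
    pid: int
    kind: str            # "listdir", "read", "write" or "rename"
    path: str            # source path for renames
    data: bytes = b""    # payload, only meaningful for writes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def shieldfs_features(ops: List[FileOp]) -> Dict[int, dict]:
    """Aggregate the six ShieldFS features (as listed on the slide) per process id."""
    acc: Dict[int, dict] = {}
    for op in ops:
        f = acc.setdefault(op.pid, {"listdir": 0, "read": 0, "write": 0, "rename": 0,
                                    "paths": set(), "entropies": []})
        if op.kind == "listdir":
            f["listdir"] += 1
            continue
        f["paths"].add(op.path)            # every non-listing op touches a file
        if op.kind == "read":
            f["read"] += 1
        elif op.kind == "write":
            f["write"] += 1
            f["entropies"].append(shannon_entropy(op.data))
        elif op.kind == "rename":
            f["rename"] += 1
    result = {}
    for pid, f in acc.items():
        ent = f["entropies"]
        result[pid] = {
            "listdir": f["listdir"], "read": f["read"], "write": f["write"],
            "rename": f["rename"], "accessed": len(f["paths"]),
            "avg_write_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return result


def looks_like_encryption_loop(feat: dict, min_files: int = 5, entropy_threshold: float = 7.0) -> bool:
    """Assumed rule: many files read, written back and renamed, with near-random write content."""
    return (feat["read"] >= min_files and feat["write"] >= min_files
            and feat["rename"] >= min_files and feat["avg_write_entropy"] >= entropy_threshold)


def flag_suspicious(ops: List[FileOp]) -> List[int]:
    """Return the process ids whose feature vector matches the encryption-loop rule."""
    return sorted(pid for pid, f in shieldfs_features(ops).items() if looks_like_encryption_loop(f))


def sample_ops() -> List[FileOp]:
    """Constructed trace: one text editor (pid 4242) and one process rewriting files with uniform bytes (pid 1337)."""
    text = b"the quick brown fox jumps over the lazy dog\n" * 20      # low-entropy, plain text
    uniform = bytes(range(256)) * 16                                  # exactly 8 bits/byte
    ops = [FileOp(4242, "listdir", "/home/u"),
           FileOp(4242, "read", "/home/u/notes.txt"),
           FileOp(4242, "write", "/home/u/notes.txt", text),
           FileOp(1337, "listdir", "/home/u/docs")]
    for i in range(6):
        p = f"/home/u/docs/doc{i}.txt"
        ops += [FileOp(1337, "read", p), FileOp(1337, "write", p, uniform), FileOp(1337, "rename", p)]
    return ops


if __name__ == "__main__":
    for pid, f in shieldfs_features(sample_ops()).items():
        print(pid, f, "SUSPICIOUS" if looks_like_encryption_loop(f) else "ok")
```

The rule deliberately requires all three of read, write and rename counts to be high together with high entropy, since a backup or compression tool will also produce high-entropy writes but typically not rename the originals in place.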
Solution?

Weird Operations