ImmunixOS 7 - Secure Linux

Finally, a Linux security product that will actually block attacks.

There are basically two established Linux distributions with a serious bent on security, ImmunixOS and NSA's SELinux. They both have released working, mature code that you can get ahold of and use. There are possibly other projects, but to the best of my knowledge none are shipping code right now.

The NSA's SELinux is extremely powerful as far as configuring security to a very granular level goes. However, for most people and applications, this level of security is overkill (and there are some significant performance hits as well).

ImmunixOS is aimed at making Linux more robust and improving its survivability in the face of new security flaws. ImmunixOS also has a much gentler learning curve than the NSA's SELinux, and addresses issues that NSA SELinux does not.


SubDomain

This is one of my favorite parts of ImmunixOS, and the only part that most end users and administrators will be aware of. To quote my previous article:

SubDomain is a kernel module that mediates system calls such as open, and blocks access to others that are classified as "dangerous" (mknod, etc.). The other part is a small program that administers it, loading and removing configurations. SubDomain allows you to configure which files a process is allowed to access, how it is allowed to access them (read/write/execute), and allows you to manipulate what child processes are allowed to do.

This is extremely useful, as any process running will have write access to (at a bare minimum) /tmp and read access to hundreds if not thousands of files on the system (/etc/passwd for example). The advantage of SubDomain is that you get relatively sophisticated control over what files a program can access, but the interface to control it is relatively simple and easy to learn.


StackGuard

This is one of the more widely used components of ImmunixOS, having been around for several years and freely available. StackGuard is a set of compiler patches. When you compile software using a StackGuard-enabled GCC, it will help prevent some types of stack smashing attacks (a.k.a. buffer overflows). To quote the StackGuard page:

StackGuard detects and defeats stack smashing attacks by protecting the return address on the stack from being altered.  StackGuard places a "canary" word next to the return address when a function is called.  If the canary word has been altered when the function returns, then a stack smashing attack has been attempted, and the program responds by emitting an intruder alert into syslog, and then halts.

For it to be effective, the attacker must not be able to "spoof" the canary word by embedding the value for the canary word in the attack string.  StackGuard offers a range of techniques to prevent canary spoofing:

  • Random canaries:  the canary word value is chosen at random at the time the program execs.  Thus the attacker cannot learn the canary value prior to the program start by searching the executable image.  The random value is taken from /dev/urandom if available, and created by hashing the time of day if /dev/urandom is not supported.

  • Null canary: the canary word is "null", i.e. 0x00000000. Since most string operations that are exploited by stack smashing attacks terminate on null, the attacker cannot easily spoof a series of nulls into the middle of the string.  This mechanism was originally proposed by "der Mouse" in Bugtraq.

  • Terminator canary: not all string operations are terminated by null, e.g. gets() terminates on new line or end-of-file (represented as -1).  The terminator canary is a combination of Null, CR, LF, and -1 (0xFF) which should terminate most string operations.

While it won't stop all of them, StackGuard does make life significantly more difficult for an attacker. This software is available by default, and the majority of ImmunixOS software is compiled using this, resulting in fewer successful attacks.


FormatGuard

FormatGuard is a relatively new entry to ImmunixOS, but like StackGuard most users will not realize its existence, and many administrators will probably not notice either.

FormatGuard addresses a relatively recent (well known for less than a year) problem in a number of common system calls. Basically, if you took user input without properly validating or filtering it (always a bad idea), it was possible for an attacker to insert malicious characters that could be used to elevate privileges in more than a few programs (WU-FTPD for example).

As fixing every call to printf(), syslog() and so on is nearly impossible, the WireX folks decided to fix the system calls themselves (or at least make them appreciably safer). Thus was FormatGuard born, It's basically a wrapper around these unsafe calls, so that you can use software that probably hasn't been properly audited and not worry as much. Like StackGuard, it makes life quite a bit harder for attackers.


RaceGuard/CryptoMark

Last but not least, we have RaceGuard and CryptoMark. As far as I know, neither has been released yet. However, RaceGuard is planned for the next release of ImmunixOS. Crispin Cowan (CTO at WireX) had this to say:

It's a kernel enhancement that makes mktemp (and hand-rolled variations) safe to use.  In the StackGuard tradition, it detects attempts to race the victim suid root program in progress, and (optionally) either refuses the killer open() call, or kills the victim process.  I've been running it on my laptop for a month, and there's a few teething problems, but it basically works.  It will be in Immunix 7.1.

CryptoMark is a sort of tripwire-style program, except that it operates in real time (remarkably similar to SecureExe in description). If it is released and works as advertised, it will not only prevent Trojans from running, but will help prevent users from running unauthorized programs.



Summary

It's a pity that only WireX and the NSA have decided to put real effort into making more secure Linux kernels and distributions. With the vast majority of vendors taking a very reactive security stance, most users are left out in the cold between the time a problem is found and when a vendor ships a fix.

With programs like ImmunixOS, you actually have a chance of surviving the attack. If it's a buffer overflow StackGuard might stop it; or the attacker will not be able to do as much damage if SubDomain is properly set up.

I doubt large vendors will make the effort, because when it comes right down to it, the majority of computer users will complain about security but spend money on products with more features, even if they are less secure.


Related Links

Immunix
http://immunix.org/

Security-Enhanced Linux
http://www.nsa.gov/selinux/



About the Author

Kurt Seifried (seifried@securityportal.com) is a security analyst and the author of more security articles than you can shake a stick at. Please do not send him mean email as it makes his email server sad. He's also a glutton for punishment and sushi.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.