There are basically two established Linux distributions with a serious bent on security, ImmunixOS and NSA’s SELinux. They both have released working, mature code that you can get ahold of and use. There are possibly other projects, but to the best of my knowledge none are shipping code right now.
The NSA’s SELinux is extremely powerful as far as configuring security to a very granular level goes. However, for most people and applications, this level of security is overkill (and there are some significant performance hits as well).
ImmunixOS is aimed at making Linux more robust and improving its survivability in the face of new security flaws. ImmunixOS also has a much gentler learning curve than the NSA’s SELinux, and addresses issues that NSA SELinux does not.
SubDomain
This is one of my favorite parts of ImmunixOS, and the only
part that most end users and administrators will be aware of. To
quote my previous article:
SubDomain is a kernel module that mediates system calls
such as open, and blocks access to others that are
classified as “dangerous” (mknod, etc.). The other
part is a small program that administers it, loading and
removing configurations. SubDomain allows you to configure
which files a process is allowed to access, how it is allowed
to access them (read/write/execute), and allows you to
manipulate what child processes are allowed to do.
This is extremely useful, as any process running will have
write access to (at a bare minimum) /tmp and read access to
hundreds if not thousands of files on the system (/etc/passwd for
example). The advantage of SubDomain is that you get relatively
sophisticated control over what files a program can access, but
the interface to control it is relatively simple and easy to
learn.
StackGuard
This is one of the more widely used components of ImmunixOS,
having been around for several years and freely available.
StackGuard is a set of compiler patches. When you compile
software using a StackGuard-enabled GCC, it will help prevent some
types of stack smashing attacks (a.k.a. buffer overflows). To
quote the StackGuard page:
StackGuard detects and defeats stack smashing attacks by
protecting the return address on the stack from being
altered. StackGuard places a “canary” word
next to the return address when a function is called.
If the canary word has been altered when the function
returns, then a stack smashing attack has been attempted, and
the program responds by emitting an intruder alert into
syslog, and then halts.For it to be effective, the attacker must not be able to “spoof” the canary
word by embedding the value for the canary word in the attack string.
StackGuard offers a range of techniques to prevent canary spoofing:
Random canaries: the canary word value is chosen at random
at the time the program execs. Thus the attacker cannot learn the
canary value prior to the program start by searching the executable image.
The random value is taken from /dev/urandom if available, and
created by hashing the time of day if /dev/urandom is not supported.Null canary: the canary word is “null”, i.e. 0x00000000.
Since most string operations that are exploited by stack smashing attacks
terminate on null, the attacker cannot easily spoof a series of nulls
into the middle of the string. This mechanism was originally proposed
by “der Mouse” in Bugtraq.Terminator canary: not all string operations are terminated by
null, e.g. gets() terminates on new line or end-of-file (represented
as -1). The terminator canary is a combination of Null, CR, LF,
and -1 (0xFF) which should terminate most string operations.
While it won’t stop all of them, StackGuard does make life
significantly more difficult for an attacker. This software is
available by default, and the majority of ImmunixOS software is
compiled using this, resulting in fewer successful attacks.
FormatGuard
FormatGuard is a relatively new entry to ImmunixOS, but like
StackGuard most users will not realize its existence, and many
administrators will probably not notice either.
FormatGuard
addresses a relatively recent (well known for less than a year)
problem in a number of common system calls. Basically, if you took
user input without properly validating or filtering it (always a
bad idea), it was possible for an attacker to insert malicious
characters that could be used to elevate privileges in more than
a few programs (WU-FTPD for example).
As fixing every call to
printf(), syslog() and so on is nearly impossible, the WireX folks decided to
fix the system calls themselves (or at least make them
appreciably safer). Thus was FormatGuard born, It’s basically a
wrapper around these unsafe calls, so that you can use software that
probably hasn’t been properly audited and not worry as much. Like
StackGuard, it makes life quite a bit harder for attackers.
RaceGuard/CryptoMark
Last but not least, we have RaceGuard and CryptoMark. As far as
I know, neither has been released yet. However, RaceGuard is
planned for the next release of ImmunixOS. Crispin Cowan (CTO at
WireX) had this to say:
It’s a kernel enhancement that makes mktemp (and
hand-rolled variations) safe to use. In the StackGuard
tradition, it detects attempts to race the victim suid root
program in progress, and (optionally) either refuses the
killer open() call, or kills the victim process. I’ve
been running it on my laptop for a month, and there’s a few
teething problems, but it basically works. It will be
in Immunix 7.1.
CryptoMark is a sort of tripwire-style program, except that it
operates in real time (remarkably similar to SecureExe in
description). If it is released and works as advertised, it will
not only prevent Trojans from running, but will help prevent users from
running unauthorized programs.
Summary
It’s a pity that only WireX and the NSA have decided to put
real effort into making more secure Linux kernels and
distributions. With the vast majority of vendors taking a very
reactive security stance, most users are left out in the cold
between the time a problem is found and when a vendor ships a fix.
With programs like ImmunixOS, you actually have a chance of
surviving the attack. If it’s a buffer overflow StackGuard might
stop it; or the attacker will not be able to do as much damage if
SubDomain is properly set up.
I doubt large vendors will make the
effort, because when it comes right down to it, the majority of
computer users will complain about security but spend money on
products with more features, even if they are less secure.
Related Links
Immunix
http://immunix.org/
Security-Enhanced Linux
http://www.nsa.gov/selinux/
About the Author
Kurt Seifried (seifried@securityportal.com)
is a security analyst and the author of more security articles than you can
shake a stick at. Please do not send him mean email as it makes his email server
sad. He’s also a glutton for punishment and sushi.