The 2015 Linux Security Summit

The 2015 Linux Security Summit was just last week and I've done my best to try and capture some of the highlights in the post below. Once again, a big thanks to the presenters, James Morris and the program committee, and all the attendees who made this another excellent summit.

I've linked to the all the presentations that were available at the time of writing, but it is possible that additional information has been made available by the time you read this. I encourage you to check the 2015 Linux Security Summit page for the latest slides and papers.

2015 Linux Security Summit

Securing your IT Infrastructure by Securing your Team, Konstantin Ryabitsev

Konstantin started his keynote by comparing the automotive industry in the 1950s and 1960s to the automotive industry of today. He argued that the cars in the 1950s and 1960s were fun and generally safe to drive, but not necessarily safe to crash. Engineering crash safety into cars was expensive and customers simply weren't asking for it; it was easier and cheaper to blame the drivers and promote driver education programs. Today's approach to automotive safety has changed, with most of the focus on mitigating driver errors, and the vehicle fatalities have dropped significantly.

Konstantin believes that computing today is much like to automotive industry in the 1950s and 1960s; as an industry we still like to blame the users for security breaches and promote user education programs. He argues that we need to learn from today's automotive industry and work to create mechanisms that help mitigate user errors and maintain the security of the system without relying on user education programs. Konstantin then outlined a number of computing best practices, or "airbags", for securing systems and teams.

Finally, Konstantin wrapped up his talk with an amusing video on computer security which can be found on YouTube at the link below. If you have five minutes to spare, it is well worth your time.

An Identity Attested Linux Security Supervisor Architecture, Greg Wettstein

This presentation described a method of performing automated integrity checks on systems designed for remote deployment using the existing IMA infrastructure and a mutual remote attestation protocol using IPsec and possum, a replacement for the IKE daemon racoon.

SELinux in Android Lollipop and Android M, Stephen Smalley

SEAndroid has been ongoing for a few years now, but Android 5.0/Lollipop is the first official release to ship with SELinux access control enforcement for all processes. To help reinforce this, SELinux is mandated by the Android 5.0 Compatibility Definition Document (CDD) and is tested as part of the Compatibility Test Suite (CTS). Starting with Lollipop, the SELinux enforcement extends from system daemons all the way through third party applications, only the kernel and init system are loosely confined, but even then there is no truly unconfined SELinux domain like "unconfined_t" on standard SELinux systems.

The upcoming Android 6.0/Marshmallow will bring additional SELinux enhancements including ioctl() controls, multi-user separation using the SELinux MLS capabilities, improved Chrome sandboxing, more restrictive Binder access controls, continued SELinux policy hardening, and improved CTS testing of the SELinux policy and configuration.

Rethinking Audit, Paul Moore

The Linux Audit Framework was created to fulfill the auditing requirements of high security users and has been present in the kernel for quite some time. Unfortunately, the kernel's audit subsystem has not aged well, partly due to some poor design decisions and partly due to some poor implementation choices. This talk described some of the problems as well as a staged solution which could help resolve some of these issues.

The presentation fostered a good discussion with those in attendance. This included the discovery of the importance of audit to embedded Android systems as well as their use of audit without any of the traditional audit userspace tools.

Assembling Secure OS Images, Elena Reshetova

This talk presented a prototype framework for the security analysis of small or embedded image build systems. At present the prototype is only integrated into Yocto, but a OpenEmbedded layer is expected soon. The analysis framework, through a variety of plugins, scans both the build configuration and runtime system configuration for potential vulnerabilities. Individual packages are also scanned for known vulnerabilities via published CVEs and less vulnerable alternatives are proposed, when available.

Linux and Mobile Device Encryption, Paul Lawrence and Mike Halcrow

This talk seemed an extension of last year's EXT4 encryption presentation, with a description of the ongoing work to convert Android from using dm-crypt based device encryption to EXT4 based filesystem encryption. The current Android dm-crypt solution is used to encrypt the entire userdata partition and imposes a few drawbacks that the developers are hoping to solve in a move to EXT4 based encryption. EXT4 is already showing promise by resolving many, if not all, of the dm-crypt limitations in addition to providing a more secure user wipe mechanism and over-the-air (OTA) updates without any the workarounds needed for dm-crypt.

Beyond Android, the core EXT4 encryption functionality was merged in Linux 4.1 with F2FS adopting similar functionality, via code reuse, in Linux 4.2. This code reuse has prompted the developers to start examining the potential of a common encryption layer in VFS.

Core Infrastructure Initiative, Emily Ratliff

The Core Infrastructure Initiative (CII) was founded by the Linux Foundation as a response to the OpenSSL Heartbleed bug. The goal of the CII project is to help support and strengthen the security of core OpenSource infrastructure. The CII works to do this through different mechanisms: census and grants, a badge program, and tooling.

The census and grant program is an effort to identify projects that are both significant to the core infrastructure and at great risk for security vulnerabilities. The grant program works alongside the census to try and support these at risk projects in an attempt to improve the security of the project. The tooling project is similar in that its goal is to help create and foster the use of tools, such as static analysis and automated testing, which are designed to reduce the likelihood of security vulnerabilities in projects. Finally, the badge program is designed to document a set of security best practices to help guide projects and provide a set of badges so that projects can easily demonstrate their commitment to secure development practices.

Security Framework for Constraining Application Privileges, Lukasz Wojciechowski

This presentation described Tizen's approach to security, which is based around four different components: the standard Discretionary Access Controls (DAC), the Smack LSM, Cynara, and a set of privileged services which provide userspace access control to system resources. Smack provides a unique application ID, via the Smack security label, as well as basic separation between applications and the host system. Cynara serves as the system wide security policy store and interfaces with a series of privileged services which provide most of the resource access controls for the system. One of these privileged services is the security manager service, which is responsible for reading an application's manifest and configuring the system, e.g. Smack and DAC filesystem rights, based on the application's requested access and the Cynara security policy. Beyond the security manager service, there are other services which control access to the network, manage containers, and provide system wide logging and auditing.

IMA/EVM: Real Applications for Embedded Networking Systems, Petko Manolov and Mark Baushke

This talk discussed some of the changes needed to deploy IMA/EVM on large scale enterprise routers/switches. While we've had more than a few talks over the years at LSS that focus on embedded devices, many of those devices are either mobile handsets or small IoT-like devices; none are engineered with an expected service life of 10 to 20 years like the network devices described in this presentation. In order to maintain these systems over time, and allow for both customer and third party customization, some changes had to be made: the creation of a certificate hierarchy, a revocation keyring to support certificate blacklisting, and the ability to support a dynamic IMA policy.

The certificate hierarchy was achieved by the creation of a Machine Owner Keyring (MOK) as well as some minor IMA modifications which would allow keys to be imported if they were signed by a certificate in the MOK. This effectively allows the system to be customized by the machine owner. The certificate blacklisting and dynamic IMA functionality were necessary as it isn't practical to reboot these systems in order to remove a certificate or reload the IMA policy.

IOCTL Command Whitelisting in SELinux, Jeffrey Vander Stoep

The ioctl() syscall is well known to be one of the riskier syscalls when it comes to system security. There are many reasons for this, and while we have methods of mitigating the risk for some aspects of ioctl(), there are still plenty of ioctl() based interfaces that present concern. A survey done by Google found that approximately 15% of the crashes on an Android system occurred in the ioctl() syscall. In response to this, as well as concerns over user privacy, the authors developed extensions to the SELinux access controls to provide the capability to restrict individual ioctl() commands, allowing policy authors to selectively enable specific ioctls, or ioctl ranges, for a given SELinux domain.

The patches described in this presentation have been accepted and should appear in the Linux 4.3 Kernel.

IMA/EVM on Android Device, Dmitry Kasatkin

This talk described the work necessary to enable IMA/EVM on modern Android systems. Unfortunately, at the time of the presentation, development was still ongoing and the goal had not been achieved. Once successful, the process will be documented on the IMA project site.

Subsystem Update: Smack, Casey Schaufler

Casey, the Smack maintainer, presented on the current state of Smack and the progress that had been made over the past year. Notable additions include IPv6 support, support for binary mount data (necessary for NFS), interfaces to read the security labels of keys in the kernel keyring, and the addition of secmark support. In the upcoming year Casey expects to further refine the IPv6 support, reduce Smack's memory footprint, and add basic support for namespaces.

Subsystem Update: AppArmor, John Johansen

John, the AppArmor maintainer, discussed the ongoing AppArmor work after first explaining that containers and mobile computing are currently driving development. John discussed several AppArmor improvements including socket labeling, D-Bus support, new APIs for policy management, systemd integration, and a number of policy compiler improvements. The talk also covered upcoming work, including cleaning up the out-of-tree patches for inclusion into the upstream Linux Kernel.

Subsystem Update: Integrity, Mimi Zohar

Mimi, the IMA maintainer, started the IMA presentation by mentioning that she first started working on the IMA subsystem in 2005; and while IMA wasn't accepted upstream until 2009, 2015 does mark an anniversary for the IMA subsystem. This years security summit was full of IMA and integrity related talks, and Mimi discussed some of that work in the IMA update, including userspace additions done to support appraisal and the inclusion of file signatures in the various package managers, e.g. RPM. Unfortunately, until the various distributions start including file signatures in their packages it will be difficult for IMA to gain widespread adoption. It will be interesting to see if containerized application delivery and efforts like Project Atomic will make this any easier.

Subsystem Update: SELinux, Paul Moore

Paul, the SELinux maintainer and author of this post, provided a quick summary of the SELinux advancements over the past year. The largest by far was the inclusion of the Common Intermediate Language (CIL) in February and the news that Fedora will include CIL starting with Fedora 23 this fall. Other advances included numerous performance improvements, the ioctl() access controls, access controls for the Binder IPC mechanism, improved labeling for netlink and a number of pseudo filesystems, as well as numerous improvements to the SELinux testsuite.

Subsystem Update: Capabilities, Serge Hallyn

It is unusual for the capabilities maintainer, Serge, to give a subsystem update at the security summit since the capabilities subsystem so rarely changes, but he did have something new to talk about this year: the ambient capabilities work currently being developed by Andy Lutomirski.

Subsystem Update: Seccomp, Kees Cook

Kees, the seccomp maintainer, provided an update on the seccomp subsystem. Notable improvements include support for the 64-bit ARM and Power architectures as well as the inclusion of the seccomp tests into the kernel selftest directory. Current and future seccomp development is focused on argument inspection, supporting checkpoint/restore, and leveraging the kernel's eBPF improvements.

Linux Security Module Stacking Next Steps, Casey Schaufler

Over the past year, the Linux Security Module framework saw one of its largest changes since its inclusion into the upstream Linux kernel: basic security module stacking. This initial stacking effort is relatively basic, only minor modules, such as Yama, can be stacked with major modules, such as SELinux. However, the basic infrastructure is now in place and Casey outlined some ideas on how to move forward towards "extreme stacking". Extreme stacking is the name Casey is using to describe stacking multiple, major LSMs, e.g. stacking both SELinux and Smack. While a few members of the audience were skeptical of Casey's approach (full disclosure: I am one of the skeptics) it is clear that "extreme stacking" is something we are likely to be discussing next year as well.

Remote Live Forensics for Incident Response, Sean Gillespie

This talk dealt with running live forensics on remote systems using the GRR tool. GRR was originally developed by Google as a platform used to monitor and inspect large numbers of systems. It focuses on knowledge base collection, artifact collection, file acquisition, and live remote memory analysis. In practice the tool is used by analysts for proactive detection of threats, the collection of forensic evidence, and the ability to rapidly scope a threat across a fleet of systems.

At the end of the talk there was a demo and Q&A session.