Network & Security


ADMIN Network & Security Special: 10 Terrific Tools for the Busy Admin, 2020 Edition
Sponsored by FOSSlife. www.admin-magazine.com. US$ 7.95

Find a free tool to help you:
• Generate memorable passwords
• Discover rootkits on your system
• Find bandwidth hogs
• And much more!

Bonus articles:
• Getting Insights with eBPF
• Hidden CLI Tools

Welcome

Dear Readers:

The Linux environment includes thousands of small but powerful tools designed to address very specific needs. We're proud to share our latest collection of gems for the sys admin toolkit.

Masthead

Editor in Chief – Joe Casad
Managing Editor – Lori White
Copy Editors – Amy Pettle, Megan Phelps
Layout / Graphic Design – Dena Friesen, Lori White
Advertising – Brian Osborn, [email protected], phone +49 89 3090 5128
Publisher – Brian Osborn
Customer Service / Subscription (USA and Canada) – Email: [email protected], Phone: 1-866-247-2802 (toll-free from the US and Canada)

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it.

Copyright & Trademarks © 2020 Linux New Media USA, LLC. Cover Illustration © Corina Rosu, 123RF.com. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media unless otherwise stated in writing. All brand or product names are trademarks of their respective owners. Contact us if we haven't credited your copyright; we will always correct any oversight.

Printed in Nuremberg, Germany by hofmann infocom GmbH on recycled paper from 100% post-consumer waste; no chlorine bleach is used in the production process. Distributed by Seymour Distribution Ltd, United Kingdom.

ADMIN is published by Linux New Media USA, LLC, 2721 W 6th St, Ste D, Lawrence, KS 66049, USA. Published in Europe by: Sparkhaus Media GmbH, Zieblandstr. 1, 80799 Munich, Germany.

Table of Contents

1. Log2Ram (page 4): Write syslog data to a RAM disk.
2. NetHogs (page 5): Find the processes that are hogging bandwidth.
3. darkstat (page 6): A tiny tool that monitors without noticeable system load.
4. rkhunter (page 7): Root out rootkits hidden on your system.
5. LFT (page 9): Firewalls and wireless routers won't stop this traceroute alternative.
6. urlwatch (page 10): Get news from websites by detecting HTML changes.
7. xkcdpass (page 11): Generate easy-to-remember passwords.
8. TigerVNC (page 13): Easy and free VNC client.
9. EncFS (page 14): This file encryption tool is easy to customize.
10. Dialog (page 16): Create dialog boxes with checkboxes and progress bars.

As a special bonus, we're also including two more articles on other great tools for the admin toolkit:

Getting Insights with eBPF (page 18): Use this in-kernel virtual machine to identify resource bottlenecks.
Hidden CLI Tools (page 22): Take a tour of some useful yet unsung command-line utilities, including timelimit, timeout, pv, bar, pipemeter, dd, cpipe, and progress.

WWW.ADMIN-MAGAZINE.COM 10 TERRIFIC TOOLS FOR THE BUSY ADMIN: 2020 EDITION – SPONSORED BY FOSSLIFE

1. Log2Ram: Just for the Record

Write syslog data to a RAM disk with Log2Ram. By Charly Kühnast

From time to time, I use nmap -sP 10.0.0.1-254 (-sP is the older spelling of today's -sn ping scan) to check how many IP devices are online in my home network. There are now more than 50, half of them Raspberry Pis.

The need for a central syslog server is slowly growing. An old miniature PC with an Intel Atom, which I retrofitted with an SSD, is the designated candidate for this permanent task. The syslog server comes courtesy of the standard rsyslogd. In its configuration file (/etc/rsyslog.conf), the following lines ensure that the server can receive syslog data from other hosts via UDP and TCP:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

On other machines, I add an entry of

*.* @10.0.0.254

to rsyslog.conf so that they all send their log data to the server on 10.0.0.254. A single @ forwards over UDP; @@ forwards over TCP. Neither variant authenticates the sender, so the two listeners above should only be reachable from the LAN: any host that can reach port 514 can inject arbitrary log lines into the collector.

However, the incoming syslog messages generate huge numbers of writes, and I'm worried about the SSD service life. Enter Log2Ram [1] stage left. Log2Ram creates a RAM disk on /var/log, to which the central rsyslogd writes all the incoming data. Once an hour, the collected data is written to disk. The trade-off is that everything logged since the last flush exists only in RAM: after a crash or power loss, up to an hour of logs is gone, which matters if those logs are ever needed for an incident investigation.

Need to Talk

I installed Log2Ram by running the following command line on the log server:

git clone https://github.com/azlux/log2ram

I then changed into the directory created in the previous step and executed the install.sh script. At first the installation failed because the Mailutils package was missing; Log2Ram insists on being able to mail the admin in case of problems. The size of the RAM disk, 40MB by default, was also too small for my setup, but I was able to adapt this setting with a manual edit of the configuration file.

Now I have just one more wish: I don't want to be restricted to viewing the logs with tail -f on the log server console. I would rather inject my Log2Ram data into a web page, just in case I feel the urge to inspect the files while I'm on the road. A small tool by the name of frontail [2] does exactly this. It is based on Node.js, so you need the npm package manager installed. You then install frontail and launch it like this:

npm i frontail -g
frontail /var/log/syslog

This starts a small web server on port 9001. Now, when I open the page in a web browser, I'm welcomed by the syslog (Figure 1). Note that frontail serves the page without a login by default, and syslog routinely contains hostnames, usernames, and failed login attempts; keep it bound to the LAN or put an authenticating reverse proxy in front of it before reading it "from the road". With just a little manual intervention, I can enjoy the view and an SSD that should survive for a couple of years.

Figure 1: frontail opens a viewing window into the log bucket.

Info
[1] Log2Ram: https://github.com/azlux/log2ram
[2] frontail: https://github.com/mthenw/frontail/blob/master/README.md

2. NetHogs: Everything Must Go

Every sys admin has a few favorite tools that they always carry with them, if only because they do not want to be without these often overlooked treasures. The gems dangling from Charly's key ring include Dstat, NetHogs, and nload. By Charly Kühnast

Dstat [1] is a useful tool for getting a live overview of resource usage (CPU, disk, network, and especially memory) on Linux. My secret weapon for determining which processes are grabbing the most resources looks like this:

# dstat -cdn -D sda -N enp2s0 -C total --top-cpu --top-io --top-mem -f 5

Every five seconds (the trailing 5 is the refresh interval in seconds), this command displays which processes are generating the highest CPU, memory, and I/O load (Figure 1). This command has saved me from working late dozens of times.

Figure 1: Dstat frequently saves Charly from working late.

Unfortunately, Dstat does not show you which process is generating the most network traffic at the moment. NetHogs [2] fills this gap. On machines with multiple interfaces, it only needs the name of the desired network interface as a parameter; if none is specified, NetHogs grabs the first interface that is not the loopback device. A list of all processes that send or receive network packets appears (Figure 2). I use the R and S keys to tell NetHogs to sort this list by received and sent traffic respectively. NetHogs also has a nice graphical add-on called HogWatch [3] that visualizes the data, although HogWatch is no longer actively maintained.

Figure 2: NetHogs adds the traffic information that Dstat lacks.

nload

If you are looking for an alternative that draws a meaningful net load curve from the command line, nload [4] will do the job. The following command draws the current net load level with cursors on the console:

# nload -t 1000 -o 10000

The -t 1000 parameter specifies the update interval in milliseconds (default: 500ms). -o 10000 sets the 100% mark of the outgoing-traffic graph to 10,000 kbit/s (10Mbps), so that nload does not scale the graph to the interface's maximum speed.

Info
[1] Dstat: https://github.com/dagwieers/dstat
[2] NetHogs: https://github.com/raboof/nethogs
[3] HogWatch: https://github.com/akshayKMR/hogwatch
[4] nload: https://github.com/rolandriegel/nload

3. darkstat: Light Touch

Thanks to its minimal footprint, the 20-year-old darkstat monitoring tool hardly generates any noticeable load even on low-powered systems. By Charly Kühnast

Next to our kitchen, there is a small utility room. I don't think its floorspace is even two square meters. In addition to the usual building services, such as a fuse box, there are two firewalls, a web […]

[…] configuration file is voluntary; I could ignore it and simply start darkstat at the command line. The only mandatory parameter is -i <interface>. The darkstat --help command lists all the other param[…]

[…] tab (Figure 2). This is where darkstat lists the devices in a table; you can sort by the column headers. This is how I found out, for example, that music streaming is very popular today.
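The rsyslog receiver and forwarder from the Log2Ram article above, as an added example that is not part of the magazine, the Log2Ram project, or rsyslog's own documentation: the script writes both configuration files with the hardening a collector on a shared LAN needs (UDP listener bound to the collector's address, remote messages routed to their own ruleset and into per-source files keyed on the socket's source IP rather than the message's self-reported hostname, TCP forwarding with an in-memory queue on the clients) and includes a grep-based check that every listener is routed. The address 10.0.0.254 and port 514 are taken from the article; the function names, the /var/log/remote directory, and the queue sizes are assumptions of the example.

```shell
#!/bin/sh
# Added example for the Log2Ram article's rsyslog setup. Not code from the
# ADMIN article, from Log2Ram, or from the rsyslog project. Assumptions:
# the collector is 10.0.0.254 on port 514 (as in the article); output paths
# are parameters so the script can be dry-run on any machine.

# Receiver side. Compared with the article's four $ModLoad lines:
#  - modern input() syntax; the UDP listener is bound to the LAN address
#    instead of every interface (restrict the TCP listener with the host
#    firewall)
#  - remote messages go to their own ruleset, so a chatty or spoofing client
#    cannot mix its lines into the collector's own /var/log/syslog
#  - one file per source, keyed on FROMHOST-IP: the address comes from the
#    socket, not from the message, so a client cannot pick another host's file
write_rsyslog_server_conf() {
  out=$1
  addr=${2:-10.0.0.254}
  cat > "$out" <<EOF
module(load="imudp")
input(type="imudp" port="514" address="$addr" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
template(name="PerHost" type="string" string="/var/log/remote/%FROMHOST-IP%.log")
ruleset(name="remote") {
  action(type="omfile" dynaFile="PerHost")
}
EOF
}

# Client side. The article's "*.* @10.0.0.254" forwards over UDP; protocol="tcp"
# (the "@@" of the legacy syntax) gives delivery over TCP, and the queue
# parameters keep messages in memory while the collector is down instead of
# dropping them.
write_rsyslog_client_conf() {
  out=$1
  srv=${2:-10.0.0.254}
  cat > "$out" <<EOF
*.* action(type="omfwd" target="$srv" port="514" protocol="tcp"
           queue.type="LinkedList" queue.size="10000"
           action.resumeRetryCount="-1")
EOF
}

# Cheap check that needs no rsyslogd: every input() must name the "remote"
# ruleset, otherwise that listener falls through to the default rules and
# remote lines land in the local log files. Returns 0 only when all
# listeners are routed.
check_listeners_routed() {
  f=$1
  n_inputs=$(grep -c '^input(' "$f" || true)
  n_routed=$(grep -c '^input(.*ruleset="remote"' "$f" || true)
  [ "$n_inputs" -gt 0 ] && [ "$n_inputs" -eq "$n_routed" ]
}

# Dry run: write both files into a scratch directory and print them.
# On the real hosts, validate the result with: rsyslogd -N1 -f <file>
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  write_rsyslog_server_conf "$dir/server.conf"
  write_rsyslog_client_conf "$dir/client.conf"
  if check_listeners_routed "$dir/server.conf"; then
    echo "server.conf: all listeners routed to ruleset remote"
  fi
  cat "$dir/server.conf" "$dir/client.conf"
fi
```

Run it with --demo to inspect the generated files, then copy them into /etc/rsyslog.d/ on the collector and the clients and validate with rsyslogd -N1 -f before restarting the daemon. The listener still accepts messages from any host that can reach it, so the LAN firewall remains the actual access control; the per-source files only make sure that what a client sends stays attributable to that client.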