Solaris Security Today and Tomorrow Technical Deep Dive Updated for Solaris 10 05/09, Solaris Next, and Solaris Furure

Dr. Christoph Schuba [email protected] Agenda

•Solaris Security - Goals •Solaris 9 - Security Review >an overview of features from past releases. •Solaris 10 - Security Deep Dive >a dive into new features including: Secure by Default, SMF, Privileges, ZFS, Zones, Trusted Extensions, and more! •Solaris Next - Security Deep Dive •Solaris Future - Project Outlines

•This presentation includes content and examples inclusive of Solaris 10 05/09 •While a lot of security controls and functionality is discussed, there is still much more that is not covered in the interest of brevity. •Functionality introduced prior to Solaris 10 is discussed only in passing or as part of a discussion where that functionality is updated.

•Defending >Provide strong assurance of system integrity. >Defend system from unauthorized access. •Enabling >Secure authentication of all active subjects. >Protect communications between endpoints. •Deploying >Emphasize an integratable stack architecture. >Interoperate with other security architectures. >Ease management and use of security features. >Receive independent assessment of security.

!Access Control Lists !Solaris Fingerprint DB

!Role-based Access Control !Solaris Secure Shell

!IPsec / IKE !Kerberos

!Solaris Auditing !/dev/[u]random

!TCP Wrappers (inetd, rpcbind) !Enhanced PAM Framework

!Flexible Crypt !Smartcard Framework

!Signed Patches !Java Security

!Granular Packaging !SunScreen 3.2

!SSL-enabled LDAP !Solaris Security Toolkit

!WAN Boot !sadmind DES Auth

!IKE Hardware Accel. !LDAP Password Management

Metacluster Size (MB) # Pkgs # Set-UID # Set-GID Reduced Networking 363 154 31 12 SUNWCrnet Core 396 213 38 13 SUNWCreq End User 2500 785 68 20 SUNWCuser Developer 3200 1034 69 20 SUNWCprog Entire 3300 1091 83 21 SUNWCall Entire + OEM 3300 1902 83 21 SUNWCXall

•Some environments remove or simply do not install software packages that are not needed (business or technical reasons) >Less software to install, upgrade, patch, and maintain. >Less software equates to reduced exposure to security vulnerabilities. •Refer to Sun's Rules of Engagement for the Support of Reduced or Minimal Configurations >http://www.opensolaris.org/os/community/security/files/minimization-support-rules-ext.pdf •Solaris Package Companion can be used to understand software package relationships and dependencies >http://www.opensolaris.org/os/project/svr4_packaging/package_companion/

•EXAMPLE 1: What packages depend on StarOffice? $ spc-v0.9.ksh -r ./s10u7.rep -l -F -f /opt/staroffice8/program/soffice SUNWCstaroffice $ spc-v0.9.ksh -r ./s10u7.rep -F -Z -v SUNWCstaroffice [C] SUNWCstaroffice StarOffice 8.0

•EXAMPLE 2: On what does SSH depend? •$ spc-v0.9.ksh -r ./s10u7.rep -D -F -v SUNWCssh [C] SUNWCcs Core Solaris [C] SUNWCfwcmp Freeware Compression Utilities [C] SUNWCopenssl OpenSSL [C] SUNWCssh Secure Shell [P] SUNWcakr Core Solaris Kernel Architecture (Root) [P] SUNWcar Core Architecture, (Root) [P] SUNWgss GSSAPI V2 [P] SUNWgssc GSSAPI CONFIG V2 [P] SUNWkvm Core Architecture, (Kvm)

For more details and information, see the Solaris Package Companion OpenSolaris Project site at: http://opensolaris.org/os/project/svr4_packaging/package_companion/ Copyright © 2009 Sun Microsystems, Inc. 9 Cryptographically Signed ELF Objects

•ELF Objects Cryptographically Signed >binaries, libraries, kernel modules, crypto modules, etc. # file /usr/lib/ssh/sshd /usr/lib/ssh/sshd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped # elfsign verify -e /usr/lib/ssh/sshd elfsign: verification of /usr/lib/ssh/sshd passed. # elfsign list -f signer -e /usr/bin/ls CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc •Cryptographic modules must be signed with a certificate issued by Sun. >Signature and certificate must be validated before module can be loaded. >Crypto. modules will not load if not signed or have invalid signature.

#include #include typedef void (*fptr)(void);

#ifdef __sparc char shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e " "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0 " "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08 "; #endif int main(int argc, char **argv) { fptr f; char code[100]; memcpy(code, shellcode, sizeof(shellcode)); printf("Attempting to start a shell...\n"); f = (fptr)code; f(); return (0); }

$ cc -o myshell shell.c $ cc -o myshell-nx -M /usr/lib/ld/map.noexst shell.c $ ./myshell Attempting to start a shell... $ exit $ ./myshell-nx Attempting to start a shell... Segmentation Fault(coredump) Sep 16 15:06:06 kilroy genunix: [ID 533030 kern.notice] NOTICE: shell-noexstk[23132] attempt to execute code on stack by uid 101

Stacks can be globally configured to be non-executable using the noexec_user_stack tunable in /etc/system.

$ telnet victimhost myshell Trying 10.8.22.39... Connected to victimhost. Escape character is '^]'. finger; Login Name TTY Idle When Where gbrunett Glenn Brunette pts/5 Wed 13:48 void \377\277\375\364: ^M: not found [...] Connection to victimhost closed. $ telnet victimhost myshell-nx Trying 10.8.22.39... Connected to victimhost. Escape character is '^]'. Connection to victimhost closed by foreign host.

For more information on Solaris non-executable stack functionality, see: http://blogs.sun.com/gbrunett/tags/noexstk

•Provide a uniform mechanism to disable/manage services. E.g., svcadm [disable|enable] telnet •Support alternative service profiles E.g., “Secure by Default” profile (since Solaris 10 11/06) •Leverage authorizations to manage/configure services. •Define context to permit services to be started as a specific user and group and with specific privileges. •Support automatic service dependency resolution. E.g., svcadm enable -r nfs/client •Facilitate delegated service restarts.

$ profiles Service Operator Basic Solaris User All $ svcs network/inetd STATE STIME FMRI online 1:28:15 svc:/network/inetd:default $ svcadm disable network/inetd $ svcs -x -v network/inetd svc:/network/inetd:default (inetd) State: disabled since Thu Jul 13 17:05:36 2008 Reason: Disabled by an administrator. See: http://sun.com/msg/SMF-8000-05 See: man -M /usr/share/man -s 1M inetd See: /var/svc/log/network-inetd:default.log Impact: 5 dependent services are not running:

# svcprop -v -p defaults inetd defaults/bind_addr astring "" defaults/bind_fail_interval integer -1 defaults/bind_fail_max integer -1 defaults/con_rate_offline integer -1 [...] defaults/stability astring Evolving defaults/tcp_trace boolean false defaults/tcp_wrappers boolean false # svcprop -p config/local_only rpc/bind false # svcs -x sendmail svc:/network/smtp:sendmail (sendmail SMTP mail transfer agent) State: maintenance since Wed Dec 01 01:31:35 2007 Reason: Start method failed repeatedly, last exited with status 208. See: http://sun.com/msg/SMF-8000-KS See: sendmail(1M) Impact: 0 services are not running.

•Integrated with Solaris Roles (Rights Profiles) >Service Management >Service Operator •Integrated with Solaris Authorizations >Global: solaris.smf.modify >Global: solaris.smf.manage >Global: solaris.smf.value >Per Service: action_authorization •Services may have property-group specific authorizations >value_authorization – change existing property values >modify_authorization – add, modify, or delete properties

# svcprop -p httpd -p general apache2 general/enabled boolean false general/action_authorization astring sunw.apache.oper general/entity_stability astring Evolving httpd/ssl boolean false httpd/stability astring Evolving httpd/value_authorization astring sunw.apache.admin

Example taken from the Sun BluePrint: Restricting Service Administration in the Solaris 10 Operating System, http://www.sun.com/blueprints/0605/819-2887.pdf Copyright © 2009 Sun Microsystems, Inc. 18 SMF Execution Context

•exec methods can be forced to run as a given user: >{start, stop, etc.}/user •exec methods can be forced to run as a given group: >{start, stop, etc.}/group •exec methods can be forced to use specific privileges: >{start, stop, etc.}/privileges >{start, stop, etc.}/limit_privileges •Other exec context can also be defined: >default project and resource pool, supplemental groups, etc.

# svcprop -v -p start apache2 start/exec astring /lib/svc/method/http-apache2\ start start/timeout_seconds count 60 start/type astring method start/user astring webservd start/group astring webservd start/privileges astring basic,!proc_session,!proc_info, !file_link_any,net_privaddr start/limit_privileges astring :default start/use_profile boolean false start/supp_groups astring :default start/working_directory astring :default start/project astring :default start/resource_pool astring :default

Example taken from the Sun BluePrint: Limiting Service Privileges in the Solaris 10 Operating System, http://www.sun.com/blueprints/0505/819-2680.pdf Copyright © 2009 Sun Microsystems, Inc. 20 SMF Example #5

•Only Secure Shell is reachable by default. >root use of Secure Shell is not permitted by default. •Existing services are configured in SMF to either be: >Disabled by default >Listening for local (e.g., loopback) connections only •Configuration can be selected using CLI or JumpStart: >netservices: open (traditional) or limited (SBD) >service_profile: open or limited_net •Default installation method in Nevada/OpenSolaris: >Solaris upgrades are not changed or impacted. >Solaris 10 initial (fresh) installations can select SBD mode.

# netservices netservices: usage: netservices [ open | limited ] # netservices limited restarting syslogd restarting sendmail dtlogin needs to be restarted. Restart now? [Y] y restarting dtlogin # netstat -af inet -P tcp | grep LISTEN [...] *.sunrpc *.* 0 0 49152 0 LISTEN *.ssh *.* 0 0 49152 0 LISTEN localhost.smtp *.* 0 0 49152 0 LISTEN localhost.submission *.* 0 0 49152 0 LISTEN

Service FMRI Property Values

rpcbind svc:/network/rpc/bind config/local_only true, false

syslog svc:/system/system-log config/log_from_remote true, false

sendmail svc:/network/smtp:sendmail config/local_only true, false

smcwebserver svc:/system/webconsole:console options/tcp_listen true, false

wbem svc:/application/management/wbem options/tcp_listen true, false

X11 svc:/application/x11/x11-server options/tcp_listen true, false

CDE svc:/application/graphical-login/cde-login dtlogin/args [null], -udpPort 0

ToolTalk svc:/network/rpc/cde-ttdbserver:tcp proto tcp, ticotsord

calendar svc:/network/rpc/cde-calendar-manager proto tcp, ticlts

BSD printing svc:/application/print/rfc1179:default bind_addr [null], localhost

•Pluggable Crypt >SHA-256, SHA-512, Sun MD5 (+ rounds), BSD MD5, Blowfish •Password Complexity Checks >Login Name != Password, White Space Permitted >Minimum Characters by Class !Alphabetic, Non-Alphabetic, Uppercase, Lowercase, Digits, Special >Maximum Consecutive Repeating Characters >Local Banned Password List (Dictionary) •Password Aging and History •Account Lockout

# grep "^CRYPT_DEFAULT=" /etc/security/policy.conf CRYPT_DEFAULT=md5 # grep "^md5" /etc/security/crypt.conf md5 crypt_sunmd5.so.1 rounds=8000 # grep "^root" /etc/shadow root:$md5,rounds=8000$kS9FT1JC$$mnUrRO618lLah5iazwJ9m1: 13776::::::

$ john ./mypasswd No password hashes loaded $ Crack ./mypasswd $ Reporter | grep -w root E:1190747899:StoreDataHook: invalid ciphertext: root $md5,rounds=8000$kS9FT1JC$$mnUsRO618lLah5iazwJ9m1

$ passwd gbrunett Enter existing login password: New Password: passwd: The password must contain at least 1 numeric or special character(s). Please try again New Password: passwd: The password must contain at least 1 uppercase alpha character(s). Please try again New Password: passwd: Too many consecutively repeating characters. Maximum allowed is 3. Permission denied $ passwd gbrunett Enter existing login password: New Password: passwd: Password in history list.

•Limit system access based on users and netgroups. >“allow” and “deny” lists are maintained in separate local files. >Configurable matching policy based upon specific requirements. • Example: Only non-role administrators can login to the system:

login account requisite pam_roles.so.1 login account requisite pam_list.so.1 allow=/etc/local/admins login account required pam_unix_account.so.1 • Example: Ban specific users from the system (all methods):

other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_list.so.1 deny=/etc/local/banned nohost

• Solaris Users versus Roles >Roles can only be accessed by users already logged in. >Users cannot assume a role unless authorized.

$ id -a uid=80(webservd) gid=80(webservd) $ roles No roles $ su - root Password: Roles can only be assumed by authorized users su: Sorry

• Attempt to remotely access webservd role. $ ssh -l webservd websvc Password: Password: Password: Permission denied (gssapi-keyex, gssapi-with-mic,publickey,keyboard-interactive).

SYSLOG Reports: Sep 21 14:20:26 websvc sshd[2516]: [ID 800047 auth.notice] Failed keyboard-interactive for webservd from 192.168.1.110 port 57848 ssh2 Solaris Audit Reports: header,79,2,login - ssh,,localhost,2007-09-21 14:20:27.187 -04:00 subject,-1,-1,-1,-1,-1,2516,628487479,15928 71168 192.168.1.110 return,failure,Authentication failed zone,websvc

$ profiles -l Object Access Management: /usr/bin/chgrp privs=file_chown /usr/bin/chmod privs=file_owner [...] [...] $ ls -ld mnt drwxr-xr-x 2 gbrunett gbrunett 512 Nov 7 12:54 mnt $ chown bin:bin mnt chown: mnt: Not owner $ pfexec chown bin:bin mnt $ ls -ld mnt drwxr-xr-x 2 bin bin 512 Nov 7 12:54 mnt

# svcprop -p httpd -p general apache2 general/enabled boolean false general/action_authorization astring sunw.apache.oper general/entity_stability astring Evolving httpd/ssl boolean false httpd/stability astring Evolving # auths weboper sunw.apache.oper # profiles -l weboper Apache Operator: /usr/sbin/svcadm /usr/bin/svcs

$ svcs -o state,ctid,fmri apache2 STATE CTID FMRI online 91050 svc:/network/http:apache2 $ svcadm restart apache2 $ svcs -o state,ctid,fmri apache2 STATE CTID FMRI online 91064 svc:/network/http:apache2 $ ls ls: not found $ echo * local.cshrc local.login local.profile

!Solaris kernel checks for privileges and not just UID == 0! >Division of root authority into over 60 discrete privileges. >Privileges can be granted to processes based on need. >Privileges can be disabled or dropped when not needed. >Child processes can have different (fewer) privileges than the parent. •Completely backward compatible and extensible. >No changes required to use existing code. •Privilege bracketing helps to mitigate effects of future flaws. >e.g., proc_fork and proc_exec >e.g., proc_info

•E - Effective •I - Inheritable set >Privileges in effect >Privileges of executed programs •P - Permitted set •L - Limit set >Upper bound of E >Upper bound for the process and all its descendants

Effective

Permitted Inheritable

Limit

•Limit (L) is unchanged •L is used to bound privileges in Inheritable (I) >I' = I ! L •Child's Permitted (P') & Effective (E') are: >P' = E' = I' •Typical process >P = E = I = {basic} >L = {all privileges} >Since P = E = I, children run with same privileges

•“basic” privileges >file_link_any, proc_exec, proc_fork, proc_info, proc_session •“all” privileges >includes “basic” + over 60 administrative privileges >dtrace_kernel, file_dac_write, net_privaddr, proc_priocntl, sys_net_config, etc. •“zone” privileges >the set of privileges available to a Solaris zone. •Trusted Extensions privileges >privileges specific for use when TX is enabled.

•root owns all configuration/system files >UID 0 is therefore still very powerful •Privilege escalation prevention >Require ALL privs to modify objects owned by root when euid " 0 >Fine tuning in certain policy routines >Not all privileges, only nosuid mounts •Prefer services be non-UID 0 + privileges >Additive approach is safer than UID 0 – privileges

•ppriv(1)

# ppriv -e -D -s -proc_fork,-proc_exec /bin/sh -c finger sh[387]: missing privilege "proc_fork" (euid = 0, syscall = 143) needed at cfork+0x18 /bin/sh: permission denied •User Rights Management (RBAC)

# grep “Network Management” /etc/security/exec_attr Network Management:solaris:cmd:::/sbin/ifconfig:privs=sys_net_config Network Management:solaris:cmd:::/sbin/route:privs=sys_net_config •Service Management Framework (SMF)

# svcprop -p start rpc/bind | grep privileges start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr, proc_setid,sys_nfs,net_bindmlp stop/limit_privileges astring :default •Privilege Aware Commands / Services • e.g., ping, rmformat, quota, rpcbind, nfsd, mountd

$ ppriv $$ $ ppriv -l basic 28983: bash file_link_any flags = proc_exec E: basic proc_fork I: basic proc_info P: basic proc_session L: all $ ppriv -De cat /etc/shadow cat[3988]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at ufs_iaccess+0xc9 cat: cannot open /etc/shadow $ ppriv -s -proc_fork,-proc_exec -De /bin/vi [attempt to run a command/escape to a shell] vi[4180]: missing privilege "proc_fork" (euid = 101, syscall = 143) needed at cfork+0x3b

# ppriv -S `pgrep rpcbind` 933: /usr/sbin/rpcbind flags = PRIV_AWARE E: net_bindmlp,net_privaddr,proc_fork,sys_nfs I: none P: net_bindmlp,net_privaddr,proc_fork,sys_nfs L: none # ppriv -S `pgrep statd` 5139: /usr/lib/nfs/statd flags = PRIV_AWARE E: net_bindmlp,proc_fork I: none P: net_bindmlp,proc_fork L: none

#ifdef PRIV_ALLSETS if ((priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) { syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m"); return (-1); } #else seteuid(0); #endif /* open the sequence file */ if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT)) fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644); syslog(LOG_DEBUG, "sequence file fd: %d", fd); #ifdef PRIV_ALLSETS /* drop file access privilege */ priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL); #else seteuid(getuid()); #endif

#ifdef PRIV_ALLSETS if ((priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) { syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m"); return (-1);Turn Required Privileges On } #else seteuid(0); #endif /* open the sequence file */ if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT)) fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644); syslog(LOG_DEBUG, "sequence file fd: %d", fd); #ifdef PRIV_ALLSETS /* drop file access privilege */ priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL); #else seteuid(getuid()); #endif

#ifdef PRIV_ALLSETS if ((priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) { syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m"); return (-1);Turn Required Privileges On } #else seteuid(0); #endif /* open the sequence file */ if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT)) fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644); syslog(LOG_DPEBeUrGf,o r"mse tqhueen Pcer ivfilleeg efd: O %pd"e,r aftdio);n(s) #ifdef PRIV_ALLSETS /* drop file access privilege */ priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL); #else seteuid(getuid()); #endif

#ifdef PRIV_ALLSETS if ((priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL)) < 0) { syslog(LOG_ERR, "lpd_port:next_job_id:priv_set fails: : %m"); return (-1);Turn Required Privileges On } #else seteuid(0); #endif /* open the sequence file */ if (((fd = open(JOB_ID_FILE, O_RDWR)) < 0) && (errno == ENOENT)) fd = open(JOB_ID_FILE, O_CREAT|O_EXCL|O_RDWR, 0644); syslog(LOG_DPEBeUrGf,o r"mse tqhueen Pcer ivfilleeg efd: O %pd"e,r aftdio);n(s) #ifdef PRIV_ALLSETS /* drop file access privilege */ priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_WRITE, NULL); #else seteuid(getuid()); #endif Turn Required Privileges Off

web_svc zone: # svcadm disable apache2 global zone: # privdebug -v -f -n httpd web_svc zone: # svcadm enable apache2 global zone: [output of privdebug command] STAT TIMESTAMP PPID PID PRIV CMD USED 273414882013890 4642 4647 net_privaddr httpd USED 273415726182812 4642 4647 proc_fork httpd USED 273416683669622 1 4648 proc_fork httpd USED 273416689205882 1 4648 proc_fork httpd USED 273416694002223 1 4648 proc_fork httpd USED 273416698814788 1 4648 proc_fork httpd USED 273416703377226 1 4648 proc_fork httpd

!Zones are virtualized application environments. >No direct access to hardware. !Zones have security boundaries around them. •Zones have their own: >root directory, naming service configuration, process containment, resource controls, devices, etc. •Zones communicate via network only (default). >shared vs. exclusive IP •Zones operate with fewer privileges (default). >some privileges can be added or removed

!Restricted Operations for Enhanced Security !Individual Solaris OS hardening and RBAC configurations. !Prohibited from directly accessing the kernel or raw memory. * !Prohibited from manipulating network interfaces and kernel modules. !Enforcement with Integrity !Configurable privileges, sparse root zones, IP Instances, IP Filter, etc. !Resource Control and Management !CPU, Memory, Disk, Networking, Devices, etc. !Observability with Integrity >BART, Solaris Auditing, etc.

• *: Applies to shared IP configurations only.

•Permitted System Calls: >chmod(2), chroot(2), chown(2), and setuid(2), etc. •Prohibited System Calls: >memcntl(2), mknod(2), stime(2), and pset_create(2), etc. •Limited System Calls: >kill(2), etc.

•/dev Permitted System Calls: >chmod(2), chown(2), and chgrp(1) •/dev Prohibited System Calls: >rename(2), unlink(2), symlink(2), link(2), creat(2), and mknod(2) •Forced nodevices mount option >Prevents import of malicious device files from NFS and other foreign sources. •Security audit performed on all drivers included in default zone configuration.

•Mandatory privileges >Privileges required by a non-global zone. >proc_fork, proc_exec, proc_mount, ... •Restricted privileges >Privileges prohibited from use in a non-global zone. >dtrace_kernel, sys_config, sys_net_config, ... •Optional privileges >Privileges that can be added to a non-global zone. >dtrace_user, proc_lock_memory, sys_time, ... •Other default privileges can be taken away!

# modload autofs Insufficient privileges to load a module # modunload -i 101 Insufficient privileges to unload a module # snoop snoop: No network interface devices found # mdb -k mdb: failed to open /dev/ksyms: No such file or directory # dtrace -l ID PROVIDER MODULE FUNCTION NAME # ppriv -D -e route add net default 10.1.2.3 route[4676]: missing privilege "sys_net_config" (euid = 0, syscall = 4) needed at ip_rts_request+0x138 add net default: gateway 10.1.2.3: insufficient privileges

# mount -p / - / zfs - no rw,devices,setuid,exec,atime /dev - /dev lofs - no zonedevfs /lib - /lib lofs - no ro,nodevices,nosub /platform - /platform lofs - no ro,nodevices,nosub /sbin - /sbin lofs - no ro,nodevices,nosub /usr - /usr lofs - no ro,nodevices,nosub [...] # mv /usr/bin/login /usr/bin/login.foo mv: cannot rename /usr/bin/login to /usr/bin/login.foo: Read-only file system

# zonecfg -z myzone info limitpriv limitpriv: default,sys_time # zlogin myzone ppriv -l zone | grep sys_time sys_time # zlogin myzone svcs -v ntp STATE NSTATE STIME CTID FMRI online - 10:17:58 214 svc:/network/ntp:default # zlogin myzone ntpq -c peers remote refid st t when poll reach [...] ======[...] *blackhole 129.146.228.54 3 u 48 64 77 [...] # ssh blackhole date ; date ; zlogin myzone date Thu Jun 15 10:25:25 EDT 2006 Thu Jun 15 10:25:25 EDT 2006 Thu Jun 15 10:25:25 EDT 2006

App Identity File Web Mail Calendar Web SunRay App Server Database Server Server Server Server Server Database Server Server Database Server App

Server

Multiple OSs Single OS Trend to flexibility Trend to isolation

Dynamic System Logical Domains Solaris Containers Solaris Resource Domains Xen (Zones + SRM) Manager Solaris Trusted (SRM) VMware Extensions Microsoft Solaris Containers for Virtual Server Linux Applications

•Everything is “copy on write” >Never overwrites live data >On disk state is always valid >No need to fsck(1M) •Everything is transactional >Related changes succeed or fail as a whole >No need for journaling •Everything is validated with a 256-bit checksum >No silent data corruption >No panics due to corrupted meta-data >“Bad data” can be healed using mirrored copies

•NFSv4 / NTFS-style Access Control Lists >Granular access can be allowed/denied (w/inheritance) •Authentication with Cryptographic Checksums >Selectable 256-bit checksum algorithms, including SHA-256 >Uber-checksum provides check for the entire ZFS pool •File system Snapshots >Read-only version of a file system at a specific point in time. •File system Quotas and Reservations >Set maximum (quota) or minimum (reservation) usage limits. >Can set quota limit on current content or all referenced content, e.g., snapshots (quota vs. refquota)

$ touch testfile $ chmod 600 testfile $ chmod A+user:gmb:read_data:allow testfile $ ls -l testfile -rw------+ 1 gbrunett gbrunett 0 Nov 7 14:22 testfile $ ls -v testfile -rw------+ 1 gbrunett gbrunett 0 Nov 7 14:22 testfile 0:user:gmb:read_data:allow 1:owner@:execute:deny 2:owner@:read_data/write_data/append_data/write_xattr/ write_attributes/write_acl/write_owner:allow 3:group@:read_data/write_data/append_data/execute:deny 4:group@::allow 5:everyone@:read_data/write_data/append_data/write_xattr/ execute/write_attributes/write_acl/write_owner:deny 6:everyone@:read_xattr/read_attributes/read_acl/ synchronize:allow

$ touch test-xattr $ runat test-xattr cp /etc/motd . $ runat test-xattr ls motd $ touch test-no-xattr $ chmod A+user:gbrunett:write_xattr:deny test-no-xattr $ runat test-no-xattr cp /etc/motd . runat: cannot open attribute directory for test-no-xattr: Permission denied

$ profiles [...] ZFS File System Management [...] Basic Solaris User All $ pfexec zfs set quota=4g laptop/ws $ pfexec zfs list -o name,mountpoint,quota NAME MOUNTPOINT QUOTA laptop /laptop none laptop/briefcase /laptop/briefcase none laptop/ws /laptop/ws 4G

•Grant or revoke specific rights to ZFS pools and volumes. >create, destroy, clone, snapshot, mount, etc. •Set specific properties on ZFS pools and volumes. >mountpoint, sharenfs, compression, setuid, etc. •Assignments can be made to both users and groups. >assigned rights can optionally be granted to other users and groups.

$ id uid=102(gmb) gid=102(gmb) $ zfs list -r pool/home/gmb NAME USED AVAIL REFER MOUNTPOINT pool/home/gmb 19.5K 25.9G 19.5K /pool/home/gmb $ zfs allow pool/home/gmb $ zfs snapshot pool/home/gmb@backup cannot create snapshot 'pool/home/gmb@backup': permission denied $ pfexec zfs allow gmb snapshot,mount pool/home/gmb $ zfs allow pool/home/gmb ------Local+Descendent permissions on (pool/home/gmb) user gmb mount,snapshot ------$ zfs snapshot pool/home/gmb@backup $ zfs list -r pool/home/gmb NAME USED AVAIL REFER MOUNTPOINT pool/home/gmb 19.5K 25.9G 19.5K /pool/home/gmb pool/home/gmb@backup 0 - 19.5K -

$ pfexec zpool history -l History for 'pool': 2008-10-09.15:55:12 zpool create pool c0d1 [user gmb on myhost:global] 2008-10-17.13:46:48 zfs create pool/tmp [user gmb on myhost:global] 2008-10-17.13:49:46 zfs recv -F -d pool [user gmb on myhost:global] 2008-10-17.13:51:38 zfs destroy pool/bin@2008-10-17-001 [user gmb on myhost:global] 2008-10-17.13:51:38 zfs destroy pool/etc@2008-10-17-001 [user gmb on myhost:global]

!Standards-based, pluggable framework >Kernel support as well as user-land (PKCS#11) >Supports administrative policies (e.g., FIPS 140 algorithms only) !By default, supports major algorithms. >Encryption: AES, ECC, Blowfish, RC4, DES, 3DES, RSA >Digest : MD5, SHA-1, SHA-256, SHA-384, SHA-512 >MAC : DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC >Optimized for both SPARC, Intel and AMD •Framework supports pluggable hardware/software providers: >e.g., UltraSPARC T1/T2 and the Sun CryptoAccelerator 6000

• Now the framework for Open Source Sun Java Java VM Web Server Web Server Application • cryptography is standardized • and extensible. NSS Java JCE Java • OpenSSL Enterprise Crypto. System Extensions • Your current cryptographic

Commercial App • choices and any future PKCS 11 Consumer Interface (PKCS 11) • technology can easily plug in • and just work. Cryptographic Framework • Provider Interface (PKCS 11) !Standards-based framework •Same API, software or hardware Sun Software Hardware Hardware Crypto. Plug-in Accelerator Crypto. •Extensible for future technologies (DES, 3DES, Accelerator AES, Blowfish, RSA, UltraSPARC T1 6000 MD5, SHA_, RC4) UltraSPARC T2

•Access to T2 accelerators is controlled by Solaris CF •Userland access is via PKCS#11 >Simple to modify applications to use PKCS#11 (if not used already) >Can interface via OpenSSL >Offload from Java (JCE) •Kernel modules communicate directly with the kernel crypto framework >e.g. KSSL, IPsec

Copyright © 2009 Sun Microsystems, Inc. 68 UltraSPARC T2 Processor Performance Competitive Cryptographic Performance •Outperforms competing processors by up to 10X > With significant core idle time that can be used for other processing

Cipher 2.2GHz dual-core Opteron 2.7GHz quad-core Clovertown 1.4GHz UltraSPARC T2 RSA1024 2.3K Ops/sec 4.8 K Ops/sec 37.0K Ops/sec AES-128 1.6 Gb/sec 4.2 Gb/s 44.0 Gb/sec •Outperforms accelerator cards by a wide margin

Cipher Sun SCA6000 Cavium Nitrox PX 1.4GHz UltraSPARC T2 RSA1024 13K Ops/sec 12K Ops/sec 37K Ops/sec AES-128 1.0Gb/sec 2.5Gb/sec 44Gb/sec •On-chip accelerators are more versatile than off-chip solutions >Cost effective to off-load even small packets with UltraSPARC T2 processor

!MIT Kerberos v1.4 Code-base Refresh

!Kerberos Ticket / Credentials Auto-Renewal

!Kerberos LDAP Backend

!KDC Incremental Propagation

!kclient Auto-configuration Tool

!pam_krb5_migrate KDC Auto-population Tool

!TCP and IPv6 Support

!AES-128, AES-256, 3DES, RC4-HMAC Support

!SPNego – GSS-API Dynamic Security Negotiation

!Bundled Remote Applications (Clients & Servers) >telnet, ftp, rlogin, rsh, rcp, rdist, Secure Shell, Mozilla and Apache •Public Kerberos Developer APIs

!GSS-API Support !OpenSSL Engine (optional HW Accel.) Support !Enhanced Password Aging Support !Keyboard “Break” Sequence Support !X11 Forwarding “on” by default !RC4, AES CTR mode Encryption Support !/etc/default/login Synchronization !SSH2 Rekeying !Server Side Keepalives

!Uses the Solaris Cryptographic Framework for IPsec and IKE !NAT-Traversal (RFC 394[78]) Support !Full Tunnel Mode Support !AES Cipher Support for IPsec and IKE !Diffie-Hellman modp Groups: 1024, 1536, 2048, 3072, 4096 !HMAC-SHA2 (SHA-256, SHA-384, SHA-512) for IPsec/IKE !PKCS#11 locked RSA private keys w/on-disk PIN !Sun Cluster 3.2 (Clustered IPsec SAs) Support

!Stateful and stateless packet inspection – IPv4, IPv6 !Kernel-based packet filtering !Protocol proxies (TCP, UDP, FTP, rcmds, etc.) !Transparent proxy support !Text-based configuration !Support for both NAT and PAT !SYSLOG Logging !Lightweight, small footprint, high performance

pass out quick all keep state keep frags # Drop all NETBIOS traffic but don't log it. block in quick from any to any port = 137 #netbios-ns block in quick from any to any port = 138 #netbios-dgm block in quick from any to any port = 139 #netbios-ssn # Allow incoming IKE/IPsec pass in quick proto udp from any to any port = ike pass in quick proto udp from any to any port = 4500 pass in proto esp from any to any # Allow ping pass in quick proto icmp from any to any icmp-type echo # Allow routing info pass in quick proto udp from any to port = route pass in quick proto icmp from any to any icmp-type 9 # routeradvert pass in quick proto igmp from any to any # Block and log everything else that comes in block in log all block in from any to 255.255.255.255 block in from any to 127.0.0.1/32

!Supports both tcpd and libwrap and integrated with: >ssh and sendmail (automatically) >rpcbind (optionally) •$ svcprop -p config rpc/bind | grep wrappers config/enable_tcpwrappers boolean false

>inetd-services (optionally, globally or per-service) •$ svcprop -p defaults inetd | grep wrappers defaults/tcp_wrappers boolean false •$ inetadm -l telnet | grep wrappers default tcp_wrappers=FALSE !Configured using /etc/hosts.{allow, deny} and logs to syslog: •Nov 10 15:18:03 blackhole sshd[17568]: [ID 947420 auth.warning] refused connect from 192.168.1.136

• File-level integrity validation tool: >Evalutes: uid, gid, permissions/acls, contents, mtime, size, type, etc. >Enables point-in-time comparison against a previous snapshot.

# cat ./rules /etc CHECK all # find /etc | bart create -I > newManifest # bart compare -r ./rules ./oldManifest ./newManifest /etc/user_attr: size control:28268 test:23520 acl control:user::rw-,group::rw-,mask:r-x,other:r-- test:user::rw-,group::rw-,mask:r-x,other:rw- contents control:28dd3a3af2fcc103f422993de5b162f3 test:28893a3af2fcc103f422993de5b162f3 For more information on BART, see the Sun BluePrint: Automating File Integrity Checks, http://www.sun.com/blueprints/0305/819-2259.pdf

Searchable database of MD5 fingerprints for files included in Solaris, Trusted Solaris, and bundled software.

# digest -v -a md5 /usr/lib/ssh/sshd md5 (/usr/lib/ssh/sshd) = b94b091a2d33dd4d6481dffa784ba632 [Process fingerprint using the Solaris Fingerprint DB] b94b091a2d33dd4d6481dffa784ba632 - (/usr/lib/ssh/sshd) – 1 match(es) * canonical-path: /usr/lib/ssh/sshd * package: SUNWsshdu * version: 11.10.0,REV=2005.01.21.15.53 * architecture: sparc * source: Solaris 10/SPARC

For more information on the Solaris Fingerprint Database, see the Sun BluePrint: Solaris Fingerprint Database, http://www.sun.com/blueprints/0306/816-1148.pdf

•Kernel auditing of system calls and administrative actions. >Can record events happening in any zone (from the global zone). >Can also delegate audit configuration to local zone administrators. >Can capture complete command line and environment. >Records original (audit) ID as well as current credentials. >Audit trail can be formatted as text, XML, and/or delivered via syslog. •Example: •header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00 subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk text,root return,failure,Authentication failed

Example adapted from the Sun BluePrint: Enforcing the Two-Person Rule Via Role-based Access Control in the Solaris 10 OS, http://www.sun.com/blueprints/0805/819-3164.pdf Copyright © 2009 Sun Microsystems, Inc. 78 Trusted Solaris History

Product Year Evaluation SunOS MLS 1.0 1990 TCSEC Conformance (1985 Orange Book) SunOS CMW 1.0 1992 ITSEC Certified for E3 / F-B1 Trusted Solaris 1.2 1995 ITSEC Certified for E3 / F-B1 Trusted Solaris 2.5.1 1996 ITSEC Certified for E3 / F-B1 Trusted Solaris 8 2000 Common Criteria Evaluated: CAPP, RBACPP, LSPP at EAL4+

Mandatory Access Control, Labeled Desktop, Labeled Printing, Labeled Networking, Labeled Filesystems, Device Allocation, etc.

•A redesign of the Trusted Solaris product using a layered architecture. •An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects. •A set of label-aware services which implement multilevel security.

•Process Rights Management (Privileges) >Fine-grained privileges for X windows >Rights management applied to desktop actions •User Rights Management (RBAC) >Labels and clearances >Additional desktop policies •Solaris Containers (Zones) >Unique Sensitivity Labels >Trusted (label-based) Networking

•Every object has a label associated with it. >Files, windows, printers, devices, network packets, network interfaces, processes, etc. •Accessing or sharing data is controlled by the relationships between the labels of different objects. >'Secret' objects can not see 'Top Secret' objects. >'Company Internal' can not send to 'Partner' networks. •Administrators utilize Solaris Roles for duty separation. >Installation, System Admin., Security Admin., etc.

•Services that are trusted to protect multi-level information according to predefined policy. •Trusted Extensions label-aware service include: >Labeled Desktops >Labeled Printing >Labeled Networking >Labeled Filesystems >Label Configuration and Translation >System Management Tools >Device Allocation

• Solaris 10 Security – A Secure Foundation for Success: >Reduced Networking Meta Cluster >Signed Binary Execution >Secure Service Management >User Rights Management >Process Rights Management >Resource Management >Kerberos, SSH, IPsec >Cryptographic Framework >Containers / Zones >IP Filter, TCP Wrappers >Auditing, BART >Trusted Extensions Copyright © 2009 Sun Microsystems, Inc. 86 But wait! There's more!

•Network Security Improvements >Kernel SSL Proxy >IPsec/IKE NAT Traversal >RIPv2 Protocol Support >Packet Filtering Hooks >Randomized TCP/UDP Ephemeral Port Selection •Auditing Improvements >Audit Trail Noise Reduction >Audit Event Reclassification !New Mount Options >noexec, nodevices

•“root” GID is now “0” (root) not “1” (other)

!ip_respond_to_timestamp now “0”. •find(1) Support for ACLs •“death by rm” safety •OpenSSL libraries with a PKCS#11 engine •Hardware RNG using Crypto Framework •open(2) [O_NOFOLLOW], getpeerucred(3c), and many other developer enhancements... •“Off the Record” plugin for pidgin (nee gaim) •Sendmail support for TLS

!NFSv4 >Support for GSS_API, ACLs, etc. !Sendmail 8.13.8 >Support for rate limiting and milters, TLS, etc. •BIND 9.3.6-P1 >DNSSEC, Views, IPv6 Support •Java 5 Security (1.5.0_17-b04) >Security tokens, better support for more security standards (SASL, OCSP, TSP), various crypto and GSS security enhancements, etc. • ... and the list keep right on going...

1 Enjoy the benefits of Solaris 10 Security today!

2 Join the OpenSolaris Security Community!

3 Share your requirements, experiences, etc!

! MIT Kerberos v1.6.3 resync (with PKINIT) > PKINIT: Public Key Initial Authentication for Kerberos > Allow various authentication mechanisms

! kdcmgr > Configure Kerberos server through the command line interface > Automate server configurations > Server status information

! kclient v2 (configure Kerberos clients via command line interface) > Option for joining various Kerberos servers > Windows 2000, 2003, and 2008 servers > MIT, Shishi, and Heimdal servers > Setup Kerberos authentication for PAM > Configure Kerberos client for cluster > Support for dynamic clients (w/o keytab)

! MIT Kerberos v1.7 resync > better interoperability with MS > negotiating mechanisms (NT Lan Manager mechanism) > follow client principal referrals in client library when obtaining initial tickets > CIFS (Common Internet File System from MS) with Kerberos > DCE (Distributed Computer Environment) standard > master key rollover support > makes it easier to change master key passwords or encryption types > Privilege Attribute Certificate (PAC) support

! Credential expiry vs. long running processes > provisions credentials for use with cron/at and long running processes. ! PAM with PKINIT support > PAM: Pluggable Authentication Module > Will provide PKCS#11 interface for smartcard support

Copyright © 2009 Sun Microsystems, Inc. 96 Labeled Networking - Problem • Today, trusted networking involves explicitly-labeled packets. • Today, most explicitly-labeled networks must be physically secure. > Labels can be easily forged/injected otherwise. • IPsec can protect packets against forgery/injection > But explicit labels are IP options outside ESP's protection.

Intranet Intranet Intranet

Need-to- Internal know Use Public

SunRay Network Global Zone

Solaris Kernel

Multilevel Network

Copyright © 2009 Sun Microsystems, Inc. 98 CIPSO problems • Cleartext label visible on the wire in each packet • Not protected end-to-end against modification • Uses extra space in every packet - complicates MTU discovery

Copyright © 2009 Sun Microsystems, Inc. 99 Labeled IPsec - Solution • Why not associate a packet's label with its IPsec cryptographic key?!? • IKE can be either unlabeled or a single explicit label, depending on existing Trusted Networking databases. • IPsec-protected traffic can have implicit labeling, or also implicit PLUS explicit labeling (which can be different or the same as the implicit label). • With Labeled IPsec, the network need not be physically secure.

• Sensitivity label is an attribute of an IPsec Security Association (SA). • Each SA is single-label, set by Key Management at creation. • IPsec flow policy enforces label match. • Label made available to applications is securely bound to traffic.

Copyright © 2009 Sun Microsystems, Inc. 101 Labeled IPsec: SADB Extensions • PF_KEY (RFC 2367) planned for this 10 years ago • Labels are SA properties • Inner sensitivity label matches cleartext traffic • Outer sensitivity label appears on wire in clear • Outer sensitivity label may be omitted from packet > No extra space on the wire vs unlabeled IPsec! • Outer label under control of key management daemon

Copyright © 2009 Sun Microsystems, Inc. 102 Labeled IPsec: more information • Limited prototype is working; not yet available • Watch: > http://www.opensolaris.org/os/project/txipsec • Questions/comments: > [email protected]

Copyright © 2009 Sun Microsystems, Inc. 103 SMC Replacement • Replaces aging Sun Management Console functionality related to user/account management and RBAC. Includes “Separation of Duty” features. • Adds a GUI to administer Trusted Extensions networking features. • Based on Gnome User Manager. • Back end of GUI interfaces with multiple command line interfaces to do the work. CLI's will also be available for scripting, or advanced users. • User's requiring this are sites deploying Trusted Extensions (mostly Intelligence Community) Copyright © 2009 Sun Microsystems, Inc. 104 Encrypted Storage with ZFS

“To create a reliable storage system from inherently unreliable components” • Data Integrity > Historically considered “too expensive” > Turns out, no it isn't > Real world evidence shows silent corruption a reality > Alternative is unacceptable

Copyright © 2009 Sun Microsystems, Inc. 105 ZFS Elevator Pitch • Ease of Use > Combined filesystem and volume management > Underlying storage managed as Pools which simply admin > Two commands: zpool & zfs > zpool: manage storage pool – aka volume management) > zfs: manage filesystems

“To create a secured reliable storage system from inherently unreliable components”

Copyright © 2009 Sun Microsystems, Inc. 107 ZFS Terminology • Pool > Collection of disks in RAID • Dataset > Filesystem or Emulated volume (ZVOL) • Copy on Write > Everything in ZFS is COW & checksumed, written in transactions. Always consistent on disk. > (POSIX) Sync write via Intent Log (ZIL)

Copyright © 2009 Sun Microsystems, Inc. 108 High Level Requirements • Support software only solution > Including single disk laptop use case • SPARC, Intel, AMD64 > Anything that OpenSolaris runs on and that ZFS has already been ported to • Support keys & cryptographic operations in hardware:eg UltraSPARC T2 • Local key management: > HSM, TPM, smart card, passphrase • Remote/Centralised key management

Copyright © 2009 Sun Microsystems, Inc. 109 High Level Requirements • Don't break Copy-On-Write semantics • Integrate with existing ZFS admin model > CLI & GUI • Support existing ZFS pools • Delegation of key management to users, virtualized & Multi Level (MLS) environments > ability to create encrypted datasets > Including separation of key use vs key change

Copyright © 2009 Sun Microsystems, Inc. 110 ZFS Encryption • Set encryption policy at the ZFS data set > Most systems have only one or two pools but many (10s, 100s, 1000s,) datasets > AES-128 and AES-256 only initially but designed to be extensible • Encrypted iSCSI & FCoE targets via ZVOLs > No key management on Initiator • Encrypted datasets CAN be shared using NAS: NFSv2,v3,v4 & CIFS (SMB) > No key management for NAS clients

Copyright © 2009 Sun Microsystems, Inc. 111 Doing the Encryption • Data set encryption property set at create time • Actual encryption key is randomly generated > wrapped by user/admin provided key • Avoids encrypt later problem > Avoids old clear text due to COW • Encryption algorithm and ZFS checksum cannot be enabled or changed later for existing dataset > ZFS checksum forced to SHA256 rather than default for data Fletcher2 • AES CCM MAC stored with checksum in block pointer.

Copyright © 2009 Sun Microsystems, Inc. 112 Key Management • Wrapping keys provided by user/admin > passphrase, > Raw (or hex) key > TPM/HSM/Smartcard (PKCS#11 accessible) • Wrapping key inherited by child datasets • Clones can have new encryption key > Opt in default is to share origin dataset key.

Copyright © 2009 Sun Microsystems, Inc. 113 Key Change • Key change supported > Doesn't actually re-encrypt data > May support this type of mode in future. > Changes wrapping key. • Key Change is online > Datasets must be mounted – or at least key available > Datasets stay mounted/shared during key change

Copyright © 2009 Sun Microsystems, Inc. 114 “External” Key Management • “Base ZFS” > Key in file, passphrase, PKCS#11 token • API in libzfs to provide key by value or PKCS#11 object name. • zfs(1M) scriptable interface • TPM support via PKCS#11 > Future encrypted boot may access directly using TCS API

Copyright © 2009 Sun Microsystems, Inc. 115 What is encrypted ? Yes No • All “application” data • Pool metadata • POSIX layer data > > Permissions, owner etc Disks, raid config, etc. • Directory structure > Dataset properties • All ZVOL data • All the above in a snapshot Deployment Issues • All the above in a clone • Dataset names • Dataset user properties properties

Copyright © 2009 Sun Microsystems, Inc. 116 SSD Storage & Crypto • ZFS can use SSD for two distinct purposes > ZIL – ZFS Intent Log > Fast write device required > L2ARC – Cache between memory and disk > Fast read device required • SSD is persistent so data MUST be encrypted > ZIL is always encrypted anyway SSD case is no different > L2ARC encrypt on “evict” to cache device, in memory checksum. Ephemeral key.

Copyright © 2009 Sun Microsystems, Inc. 117 “The Cryptography Bit” • Data encrypted with AES in CCM mode > Integrity of ciphertext > ZFS Checksum (SHA256) not “keyed” -> for data verification and reconstructions. > CCM MAC for ciphertext blocks > ZFS has multiple block sizes: 512 bytes -> 128k • Key wrapping also uses AES in CCM mode > Wrapped key integrity > “Correct Key” checking for free (helps key change)

Copyright © 2009 Sun Microsystems, Inc. 118 CCM Params • Data can be 512 bytes to 128k > nonceSize = 12 (13 is CCM max: too small) • AuthDataSize = 0 • Nonce built from blkptr / zio bookmark > Txg – 64bit non repeating transaction id for pool – Can't easily determine which txg a write for a given dataset will happen in, A single txg can contain writes for many datasets. > Blkid > Object • MACsize = 16 > MAC stored in high two uint64_t of zio checksum > Low two uint64_t store truncated SHA256 (bigendian) Copyright © 2009 Sun Microsystems, Inc. 119 CCM For Key wrapping • Also use CCM for wrapping the per dataset encryption key. • CCM Params for wrapping: > Noncesize 13 > Randomly generated Nonce > Ensure it isn't already used on key change operations. > MACsize 16 • Nonce & MAC stored with wrapped key in ZFS dataset property

Copyright © 2009 Sun Microsystems, Inc. 120 Future Key wrapping • NIST AES Keywrap > Once it is included in PKCS#11 • May consider wrapping using RSA • Key wrapping algorithm will be able to be changed by doing a key change operation 'zfs key -c -o keywrap=....' • Won't require pool/dataset to be offline.

Copyright © 2009 Sun Microsystems, Inc. 121 Crypto bit for Caching • L2ARC written to “differently” from normal IO (zio_phys_write) > Currently a “non persistent cache” - but written to persistent media > Encryption using pool wide ephemeral key > AES_CBC not AES_CCM > Safe enough since we have in memory checksum > No space for MAC on disk • L2ARC will switch to AES_CCM when it becomes “persistent” cache.

Copyright © 2009 Sun Microsystems, Inc. 122 What about all the decrypted data? • ZFS in memory cache (ARC) contains very large amounts of decrypted data > Requires full privilege to see (/dev/kmem) > But still a risk. • Can control use data in the cache per dataset > Primarycache (memory): none, metadata, all > Secondarycache (SSD): none, metadata, all • Future may have encrypted data in primarycache (ARC) as well as secondarycache (L2ARC).

Copyright © 2009 Sun Microsystems, Inc. 123 Unwrapped keys in RAM? • In the pure software case yes the unwrapped keys are in host RAM • May not be the case with some hardware crypto keystore/accelerator. • Keys (and expanded schedule) only in kernel memory > kmem_alloc(9F) on OpenSolaris, not paged when system swaps > OpenSolaris x86 suspend to RAM only (S3) > Solaris SPARC can suspend to disk

Copyright © 2009 Sun Microsystems, Inc. 124 Current Deployment Restrictions • Initially can't boot from encrypted dataset > /var/tmp could be a separate file system > /tmp is backed by swap • No support initially for encrypted crash dump devices > But Swap on an encrypted ZVOL is supported > Encrypted crash dumps could be supported but maybe better to have support independent of ZFS.

Copyright © 2009 Sun Microsystems, Inc. 125 What about when ZFS evolves • Most storage in ZFS is via DMU layer objects • Encryption selected per DMU object > Some objects need to be in the clear to allow pool traversal for resilver/scrub and initial import > 11 out of 40 in current codebase encrypted > Encryption support is a new pool version. • Future encryption features may version on disk format – will be upwards compatible. • New dataset types (eg for pNFS) could have different rules to filesystem & ZVOL.

Copyright © 2009 Sun Microsystems, Inc. 126 ZFS Encryption Support Availability • OpenSolaris project > All project code is opensource (CDDL) > Depends on OpenSolaris Crypto Framework > Porting to other OS Platforms should be relatively easy. > http://opensolaris.org/os/project/zfs-crypto/ • Should port to other platforms that already have ZFS relatively easy. > Nothing really OpenSolaris specific

Copyright © 2009 Sun Microsystems, Inc. 128 Solaris Future • Stack Shadowing for SPARC • IKE v2 - Internet Key Exchange protocol • Kerberos • Device Allocation • Solaris Audit • Read-Only Root Environments • Validated Execution • BART Extensions • Copyright © 2009 Sun Microsystems, Inc. 129 Stack Shadowing for SPARC •Stack buffer overflows widely recognized as the leading cause of security vulnerabilities >Responsible for 45% of CERT advisories >Huge customer impact •We can completely stop this class of attack •Very small one-time development cost

Copyright © 2009 Sun Microsystems, Inc. 130 Stack Buffer Overflow •On a typical processor, the stack contains Low Addresses >Local variables Local variables >Function arguments >Return address •Local variables may Return address Arguments include an array used as a

Local variables data buffer •Writing past the end of the buffer overwrites the High Addresses return address

Local variables modifies registers, including return address •SPARC still vulnerable High Addresses

Copyright © 2009 Sun Microsystems, Inc. 132 Partial Solutions •Non-executable stacks >Default for 64-bit SPARC applications >Only stops one attack variant (code included in payload) •Stack frame canaries >Verified upon function return >Adds run-time overhead >Can be fooled by more sophisticated attack •Source code analysis >No tool that catches all vulnerabilities >Too much code – including code we don't control

Copyright © 2009 Sun Microsystems, Inc. 133 Stack Shadowing •Kernel maintains shadow copy of register save area •Part of register window fault handler >Copy after register spill >Compare before register fill •Unique advantage of SPARC architecture >Hardware provides traps exactly when we need them

Copyright © 2009 Sun Microsystems, Inc. 134 Current Status •Idea developed by NSA researcher >Presented to Sun as part of cooperative R&D agreement •SPARC prototype developed in 2005 by Solaris Security >Proof of concept, but too simplistic for product •Product-quality implementation now in progress

Copyright © 2009 Sun Microsystems, Inc. 135 Opportunity •Complete solution to a whole class of security vulnerabilities •Unique opportunity for SPARC and Solaris to lead the market >Very likely in future x86 processors >Much easier for SPARC – no HW change needed >Even works on existing SPARC systems •Requires small software development effort

Copyright © 2009 Sun Microsystems, Inc. 136 IKEv2 in OpenSolaris • Direct port of racoon2 not possible > Problem: Both OpenSolaris and BSD (via KAME/WIDE) differ from RFC2367 in different ways • New work-in-progress: in.ikev2d • Design of ikev2d > MT-hot > large code-overlap from > open-sourceable in.iked and > racoon2's IKEv2 packet processing

! Easily configure credential renewal for the user > reduces administrative overhead

! Kerberos as a first class account authority > tighter coupling with our PAM framework and password utilities • Client side multi-master support for password changes • Integrate Solaris specific code directly to MIT source base > helps in working towards the goal of dropping in MIT source code to Solaris • Improve KDC (Key Distribution Center) load-balancing > provides configurable auto load-balancing on a per-host basis

Copyright © 2009 Sun Microsystems, Inc. 138 Device Allocation • Moves device allocation/deallocation and re-use to “standard” Solaris (had been in Trusted Solaris in the past). • Meets Common Criteria device re-use requirements. • Built on HAL and/or Device Kit I/Fs currently being added to OpenSolaris. • Project ties into work with Gnome, SunRay, DeviceKit, and other teams. • Required for Trusted Extensions users.

User Device Access: Design Diagram Device SunRay Team Team SunRay devfsadm HAL Server Unix /dev or permission pseudo dev Allocation DeviceKit Solaris Policy Database Kernel permission Engine Boomer Boomer Team libdevalloc s m e e t d

e Window System Device Allocation Device Allocation c a t a i c c a v Events Device Allocation “Wizard” “Manager” c o o e l l l l o d l l a a “Agent” (Simple GUI) (Expert GUI) _ t v e a s e d i (Automation) l d GNOME Preferences Device Allocation SMF gnome-volume-manager, Nautilus (deallocate at boot) Message rmvolmgr, etc... Device Allocation Forwarder Preferences D-Bus System (Config GUI) zone_enter Session Nautilus

Security Team Desktop Team

Copyright © 2009 Sun Microsystems, Inc. 140 Solaris Audit • Audit data is produced by the kernel and user program. The Administrator configures the system to record only the event classes he's interested in. • Data written to the audit “trail” is available for forensic analysis. Can also be used (via 3rd party) for Intrustion Detection. • Audit is required by Common Criteria, US Government, Financial Services customers, and most Enterprise-size deployments of Solaris

Copyright © 2009 Sun Microsystems, Inc. 141 Solaris Audit continued • On-going projects include: > Always-On – a project to enable Auditing without requiring a reboot of the OS. Multiple issues related to performance are being addressed. > Secure Remote Audit Trail – a project to securely move audit records to a remote host. A second phase will allow for Solaris to be the remote host, but initially partnering with Kinamik for consolidation.

Copyright © 2009 Sun Microsystems, Inc. 142 Read-Only Root Environments • Boots from Read-Only Image > ZFS filesystem with readonly=on > ZFS snapshot • System executes with unmodifiable root > Some applications/services changed to maintain state in volatile storage > device node creation > logadm > account locking

Copyright © 2009 Sun Microsystems, Inc. 143 Validated Execution: Signed Execution • Executables are Signed > Embedded Signatures: elfsign(1) * > Signed Manifests of Objects > Manifests from Vendors or Locally Created • Validation of object integrity before execution use > Kernel modules validated on load > Programs and libraries: upcall to validation daemon > Executed scripts are subject to validation

* support for elfsign may be removed

Copyright © 2009 Sun Microsystems, Inc. 144 ValEx: Signed Execution (cont.) • Restrictions on use of unvalidated objects > unvalidated_privilege_cap • Configuration controls which certificates are trusted for object validation

Copyright © 2009 Sun Microsystems, Inc. 145 ValEx: unvalidated_privilege_cap • Specifies maximum privileges of a process using unvalidated objects > svccfg -s signex setprop application/unvalidate_privilege_cap = value • Can deny use altogether of unvalidated objects > setprop application/unvalidate_privilege_cap = noexec • Privilege limit reduced for use of unvalidated objects > L = L & upc • Privileged programs restricted from use of unvalidated objects > if ((P & ~upc) != empty) > errno = ENOTSIGNED; /* Object lacks valid signature */

Copyright © 2009 Sun Microsystems, Inc. 146 ValEx: use_global_settings • svccfg -s signex setprop application/use_global_settings = boolean • In global zone, force all local zones to inherit signex configuration • In local zone, configure this zone to inherit global validity determination

Copyright © 2009 Sun Microsystems, Inc. 147 ValEx: Administrator, Trust Anchors • signexadm set-administrator > Token specifies location of administrator's private key > Can specify certificate by DN, CN, or file

• signexadm install-anchor > Can specify certificate by DN, CN, or file > Action requires signing by administrator > Proxies trust between administrator and software vendor

Copyright © 2009 Sun Microsystems, Inc. 148 ValEx: Manifests • signexadm install-manifest > Makes manifest available for validation > Not a trust operation > Only need write access to manifest directory

• signexadm install-revocation > Special form of manifest rescinding signature on specific objects > Not a trust operation > Only need write access to revocation directory

Copyright © 2009 Sun Microsystems, Inc. 149 Bart • Creates, stores, and can then compare the state of files in specified portions of the filesystems based on user-specified attributes. • Uses cryptographic hashs to detect changes in content. • Used by IT departments to verify/track/audit server contents. Used to track malicious changes in the filesystems. • Outputs in either human readable, or machine readable format suitable for post processing. • See Validated Execution project for more details Copyright © 2009 Sun Microsystems, Inc. 150 Bart Extensions • XML-format manifests > Extensibile format > Support for content hashes beyond MD5 > Updated command can create and consume legacy format • Manifest signatures > Standard XML signature format > sign and verify operations • Validation against manifests

•Center for Internet Security – Solaris 10 Benchmark >http://www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf •Sun/CIS Solaris 10 Benchmark Appendix >http://www.sun.com/security/docs/s10-cis-appendix-v1.1.pdf •You can get both documents from: >http://www.sun.com/security/docs/ Solaris10_Security_Recommendations-080130.tar.gz

•Sun Security Home >http://www.sun.com/security •OpenSolaris Security Community >http://www.opensolaris.org/os/community/security •Sun Security Coordination Center >http://blogs.sun.com/security & [email protected] •Sun Security BluePrints >http://www.sun.com/blueprints •Sun Security Bloggers >http://blogs.sun.com

Special thanks to the following people who contributed to this presentation:

Stephen Browne, Casper Dik, Shawn Emery, Glenn Faden, Dan McDonald, Darren Moffat, Scott Rotondo, Christoph Schuba, Anup Sekhar, Kathy Slattery, Mark Thacker, Paul Wernau, Gary Winiger, and John Zolnowsky

Dr. Christoph Schuba [email protected] http://blogs.sun.com/schuba