
Umbrella 0.7

May 4, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

This week the Umbrella team released version 0.7 of Umbrella, a "security mechanism" that implements Process-Based Access Control (PBAC) and authentication of signed binaries for Linux. Since Umbrella 0.7 is the first feature complete release, we thought now might be a good time to take a look at the project. Kristian Sørensen, one of the Umbrella Team members, was kind enough to respond to our questions about Umbrella.

While Umbrella sounds a bit like Security-Enhanced Linux or similar projects on the surface, Sørensen pointed out that Umbrella is designed for consumer devices rather than general-purpose servers or other systems, though it might be useful for "specific server environments." Sørensen provided this explanation of Umbrella:

Umbrella does not deal with users, roles, types or domains. The security policy is _only_ enforced on running processes. Every time a new process is created, the policy of its parent is inherited to the child - possibly with additional policies, specified by the parent.

There are two categories of policies: File system restrictions (FSR) and Capability restrictions (CR). A FSR is simply a path (e.g. /etc/passwd), which restricts the process having this policy from accessing that file. If the restriction were "/etc" the entire directory is off limits, and thus a restriction on "/" denies access to the entire file system. The capability restrictions are non-file system restrictions, such as creation of sockets (IP networking, bluetooth etc.), sending signals, creation of new processes etc.

Umbrella has no need for a security administrator to manage the security policy of an entire system. Umbrella relies on the programmers to embed the security policy into programs. This is done in a very simple manner: By replacing fork() with rfork() and by embedding execute restrictions in the binary.
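The process-based model described above, as an added illustration rather than code from the Umbrella project (which is a kernel patch and library written in C): a process carries a list of file system restrictions and a set of capability restrictions, an rfork() child inherits all of its parent's restrictions and may only gain more, and a restriction on a directory covers everything beneath it. The capability names and the path-prefix matching are assumptions made for this model; the article names the categories, not Umbrella's own identifiers.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Capability restriction names used in this model (constructed; the article
// names the categories, not Umbrella's actual identifiers).
const (
	CapSockets = "sockets" // creating sockets: IP networking, bluetooth, ...
	CapSignals = "signals" // sending signals
	CapFork    = "fork"    // creating new processes
)

// Process carries the policy enforced on one running process: a list of
// denied path prefixes (FSR) and a set of denied capabilities (CR).
type Process struct {
	Name string
	FSR  []string
	CR   map[string]bool
}

// NewProcess builds a process with an initial policy.
func NewProcess(name string, fsr []string, cr []string) *Process {
	p := &Process{Name: name, CR: map[string]bool{}}
	p.FSR = append(p.FSR, fsr...)
	for _, c := range cr {
		p.CR[c] = true
	}
	return p
}

// pathUnder reports whether file lies at or below the restricted path.
// A restriction on "/etc" covers the whole directory and "/" covers everything,
// while "/etcetera" is a different directory and must not match "/etc".
func pathUnder(file, restriction string) bool {
	f := path.Clean(file) // normalises "." and ".." components
	r := path.Clean(restriction)
	if r == "/" {
		return true
	}
	return f == r || strings.HasPrefix(f, r+"/")
}

// MayAccess is the file system check: any matching FSR denies the access.
func (p *Process) MayAccess(file string) bool {
	for _, r := range p.FSR {
		if pathUnder(file, r) {
			return false
		}
	}
	return true
}

// MayUse is the capability check.
func (p *Process) MayUse(capability string) bool {
	return !p.CR[capability]
}

// RFork models rfork(): the child inherits every restriction of its parent and
// the parent may add further restrictions, but nothing can be dropped.
func (p *Process) RFork(name string, extraFSR []string, extraCR []string) *Process {
	child := NewProcess(name, p.FSR, extraCR)
	child.FSR = append(child.FSR, extraFSR...)
	for c := range p.CR {
		child.CR[c] = true
	}
	return child
}

func main() {
	launcher := NewProcess("launcher", []string{"/etc/passwd"}, nil)
	player := launcher.RFork("player", []string{"/etc"}, []string{CapSockets})
	helper := player.RFork("helper", []string{"/"}, nil)
	for _, p := range []*Process{launcher, player, helper} {
		fmt.Printf("%-8s /etc/hosts:%v /home/u/f:%v sockets:%v\n",
			p.Name, p.MayAccess("/etc/hosts"), p.MayAccess("/home/u/f"), p.MayUse(CapSockets))
	}
}
```

Running the block shows the policy narrowing down the process tree: the launcher may still read /etc/hosts and open sockets, the player it rforks may do neither, and the helper below that is cut off from the whole file system.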

The security policy in the binaries (both rfork and execute restrictions) is protected by a digital signature: A signed SHA1 hash of the binary is placed in the ELF header, and checked at the time of execution. If the binary or its restrictions have been tampered with, the hash will not match and the binary is denied access to run. In order for the signed binaries to be authenticated in the first place, the public key of the vendor must be placed within the key ring of Umbrella.

Umbrella requires a 2.6.9 kernel (or later) and includes a kernel patch, the Umbrella library and a user-space program. Binaries that will be restricted by Umbrella need to be signed using Bsign and GnuPG. Umbrella and DigSig are the only projects this author is aware of that check digital signatures of binaries. The policy for the application is stored in the binary itself.
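The exec-time authentication described in the two paragraphs above, as an added example that is not Umbrella's code: the vendor signs a SHA1 hash computed over the binary and its embedded policy, the device holds the vendor's public key in a key ring, and a binary runs only if its vendor is known and the signature still matches both the code and the policy. Umbrella uses Bsign and GnuPG; this example substitutes Ed25519 from Go's standard library so that it runs without external tooling, and the SignedBinary layout, the vendor name and the policy text are constructed stand-ins, not the ELF header format the project uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// SignedBinary stands in for an ELF file carrying an embedded policy and a
// vendor signature in its header (constructed layout, not Umbrella's format).
type SignedBinary struct {
	Vendor    string // which key-ring entry to check against
	Code      []byte // the executable content
	Policy    []byte // the embedded rfork and execute restrictions
	Signature []byte // signature over sha1(Code || Policy)
}

// KeyRing holds the public keys of the vendors a device trusts.
type KeyRing map[string]ed25519.PublicKey

// digest computes the hash that gets signed: the binary together with its
// policy, so that tampering with either one invalidates the signature.
func digest(code, policy []byte) []byte {
	h := sha1.New()
	h.Write(code)
	h.Write(policy)
	return h.Sum(nil)
}

// Sign is what the vendor's build step does with its private key.
func Sign(priv ed25519.PrivateKey, vendor string, code, policy []byte) SignedBinary {
	return SignedBinary{Vendor: vendor, Code: code, Policy: policy,
		Signature: ed25519.Sign(priv, digest(code, policy))}
}

// Authenticate is the check performed at exec time: the vendor must be in the
// key ring and the signature must match the binary and policy as found on disk.
func Authenticate(ring KeyRing, b SignedBinary) bool {
	pub, ok := ring[b.Vendor]
	if !ok {
		return false // unknown vendor: refuse to run
	}
	return ed25519.Verify(pub, digest(b.Code, b.Policy), b.Signature)
}

// Scenario signs one constructed binary and exercises the exec-time check with
// an intact copy, a patched binary, a patched policy, an unknown vendor and a
// key ring holding the wrong key for the vendor name.
func Scenario() (map[string]bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	ring := KeyRing{"acme-devices": vendorPub}
	code := []byte("\x7fELF constructed stand-in for the executable bytes")
	policy := []byte("rfork: deny /etc; deny sockets")
	bin := Sign(vendorPriv, "acme-devices", code, policy)

	patchedCode := bin // one byte appended to the executable content
	patchedCode.Code = append(append([]byte{}, code...), 0x90)

	patchedPolicy := bin // restrictions rewritten, code left alone
	patchedPolicy.Policy = []byte("rfork: allow all")

	foreign := bin // signed by a vendor the device does not know
	foreign.Vendor = "unknown-vendor"

	return map[string]bool{
		"intact":         Authenticate(ring, bin),
		"patched code":   Authenticate(ring, patchedCode),
		"patched policy": Authenticate(ring, patchedPolicy),
		"unknown vendor": Authenticate(ring, foreign),
		"wrong key":      Authenticate(KeyRing{"acme-devices": otherPub}, bin),
	}, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"intact", "patched code", "patched policy", "unknown vendor", "wrong key"} {
		fmt.Printf("%-15s allowed to run: %v\n", k, results[k])
	}
}
```

Only the intact binary is allowed to run; every other case is refused at exec time, which is the property that lets the signature protect the policy and the code at once. SHA1 is used here because it is what the article describes; a design written today would hash with SHA-256, since SHA1 collisions have been demonstrated in practice.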

Since Umbrella can be used to restrict binaries unless they are signed by an authority, we asked Sørensen if Umbrella was similar to so-called "trusted computing" efforts. Sørensen confirmed that Umbrella was "related to 'trusted computing'."

As the binaries are signed you can verify that they are not tampered with on each execution. The unique thing here is that this "tamper-proof" concept is utilized to protect the security policy and the binary at the same time.

While it's desirable to prevent attacks on consumer electronics devices, we asked if Umbrella could also be used to prevent users from "hacking" devices to expand the capabilities of a device -- something that may not be desirable from the end-user's point of view. Sørensen acknowledged that a device could be designed so that it would be "very difficult" for a user to "tamper with the software of the device."

What about performance? Sørensen said that the team had just finished benchmarking Umbrella, and found that it had "between 2.5% and 4.5% overhead, depending on how the system is stressed. Thus, having Umbrella in the kernel is not noticeable."

According to Sørensen, the Umbrella project started as a master's project, but he has plans to start a company in the fall, based on the Umbrella technology, called Linnovative.

It should be interesting to see how Umbrella develops and whether this approach catches on. It is simpler than SELinux, but doesn't look suitable for use in general systems at this time -- which is a shame, as it would be nice to have a simpler system that's usable for general purpose server and desktop systems. However, Umbrella may be another tool that helps Linux gain acceptance in the embedded and consumer electronics market.



Umbrella 0.7

Posted May 5, 2005 4:02 UTC (Thu) by tzafrir (subscriber, #11501)

note that on just about any linux system you don't need to create a new binary to do damage. If you can execute some arbitrary code, you can dump a shell script to a file and use /bin/sh to "execute" it. Umbrella only sees an execution of the standard signed system binary /bin/sh.

Umbrella 0.7

Posted May 5, 2005 9:12 UTC (Thu) by rjw (guest, #10415)

Remember that processes inherit the restrictions of their parent process.
So if you can "execute some arbitrary code", you can already do everything that you could do by spawning a shell. The danger is when there is a privilege *granting* mechanism : suid, filesystem caps, and some selinux policies. That isn't present AFAIK.

This is only about restrictions. What is very interesting is the signed binary thing: even if you mount the filesystem on another machine and bypass filesystem security, you won't be able to replace a choice binary with an updated or modified version.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds