 Today I will talk about these several sections. The first one we will talk about is the background of the leads and what kind of leads we need here, and the architecture, and then the implementation issues. And then I will talk about what kind of attack and what kind of defense leads can provide. And finally I will talk about how to secure the linear kernel with the leads and then the summary. And if any one of you have any questions during my talk, you can just raise your hand. I can answer the question in the middle. All right, let's begin. Now the attack and defense, is that attacks and defenses that this mitigates or against this? All right, there are attacks again leads and attacks again the system. They are both. So will you be talking about? Yes, I will talk about the attack to the leads and the attack to the kernel and the attack to the system that leads can provide what kind of measures that can prevent this attack. Okay, so will you be talking about the attacks against leads? Yes. If I have a system that leads on, it has leads on it? Yes. Okay. All right, here's the background. And I will talk about very quickly about this background kind of things. The very first one we will talk about is the programs and, okay, the problems and current solutions to this problem. We face these internet ages and we have seen a lot of horses being hacked and defaced and all the information being leaked and all kinds of things. And there are a lot of wounds and viruses sparing about this world like the Colwex and the Linda kind of things. And there are a lot of vulnerability found every day. Even the very secure software like OpenSSH and Apache recently they found a very serious bug. So what kind of problem that we have made this problem occur? Even we have used some of the secure software like OpenSSH and OpenSSL kind of things, but we cannot prevent all of these problems. The reason for this is that the application software, right now I'm not trustworthy because it's more and more complicated implementation because you have to meet the customer's requirements and you have to add more features to this software. And the software became more and more complicated and you cannot avoid any, you cannot avoid the bug in the software. So the application software is not trustworthy. So you have to find a way to make this application, this untrustworthy application software became secure. And the kernel is not trustworthy. It means that I can just insert modules into the Linux kernel and I can intercept all the system calls and I can do whatever things I want to do even if the upper application layer, the application software is secure. And the first one is access control is not perfect. It means that right now being a root or super user you can do anything you want. You became a god in the system so you can, if you can fire a remote exploit code or use the local exploit and you can become a root and you can do anything you want. So it's not perfect right now with the access control. Okay, the solution right here with our solution is we need a trusted kernel. This kernel can protect the kernel itself. It means that nobody can modify the kernel, nobody can intercept the system call, nobody can change it. And also this kernel would also provide this MAC, MAC is a mandatory access control and this MAC is not, is different from what we have used in the UNIX environment right now. And it is, it means that no one can change the MAC rules but somebody can change the rules that right now the UNIX environment use. For example, if you can, you can, you can change the file. You can use change more to change the file to, you can just say, change somebody, everybody can read it or everybody can write, right. But as a root, you can change anything. So this is not very secure but with the MAC, with the mandatory access control no one can change these rules even if as a root or super user. And with this MAC, you can implement the least privileged rules. It means that if, for example, for the ETC password, this file is, is to contain all the passwords in this file. Right now everybody can read it because you need to read the password for the user to log in. But after logging in, this file is not, is not useful to the, to the users. So you can just make the login program to read this password file. And nobody can read it right now. So it means that nobody can read this ETC password except the login program. Right now the least privileged can implement the decent mandatory access control. All right. The history of the least just from the, is about two years, about three years projects. And, and we have a lot of developers to help this project. Especially the core developer, Philip Bondy, he'll be here, I guess, and he had a talk yesterday. And also we have an FAQ maintainer, Steve Brammer, and I guess he'll be, he'll also be deaf content. And there's another FAQ maintainer, Stanley Cray. All of these people's help leads projects to, to be growing. And we have added capability rules and like why Mac in the 2000. And before, in match of this year, we have also add LSM based versions. LSM is a linear security modules and will be added to the kernel 2.5 right now. I guess maybe in the next one or two months, all the, all these LSM or linear security modules will be added in the kernel. And we just talk about the background. And next we talk about architecture that leads with some, the architecture here, there's a, there's a map here. All right, leads contain several components. The core one is this access control models. And it contain the access control database. And it contain the administration interface. And it contain a whole checking centers. And then the user program, then the user program, when the user program begin to exactly in the system, he will fork. And he will use the fork and EXECV, this EXECV to, to, to execute. And right now the access control database with a patch, he's attached the access controllers to the process. And when he will try to access something, he will, the leads we check with the access database and then to determine if he can let this access continue or not. And we have divides the system into two categories. The one is subject and the other is object. And we place a checking between this subject and object. The subject is a process and the object is all kinds of resources such as file, device, and all kinds of things that the process would like to access. And we have a lot to allow everything that maybe is related to the security. We have also an administration interface that can manipulate the access control database. The features with the leads is that leads is a kernel patch. It's a Linux kernel patch. And in the future it will be the Linux security kernel modules. And he's, he implement a trusty kernel and he have the light wire Mac in the kernel. And he have the admin tools. He include these admin tools use the IP chains likely use that is maybe easier to use for the users. And here we show an example. It's not very clear. I'll say if you have login to a system you get, you use the local display code or remote display code to get a route. And right now you want to try to get the shadow or get the password file. Right now it does do a cat ETC shadow at the very first line. And then before that as a route you can do anything. So you can, you can see the shadow file. You can see all the contents. But right now you can just, the system will return as operation not permitted. You cannot see the shadow file. You cannot catch the shadow file right now with the leads. And from a lot the leads we tell that somebody and with the UID, what kind of UID, GID and what kinds of program try to access this shadow file. And just another example is if you try to insert something, insert the modules into the kernel. Maybe use the rootkit, some, some kinds of rootkit. And right now the leads will tell you that operation is not permitted. Even if you are, you as a route. And just talk about architecture and next we talk about implementation. Do you have any question about this section? Okay, let's continue. All right, leads actually include several components and enable to, in order to implement these components we have several very important structures. Here the very first one is secure. I know this one is a global, global access control list. It means that everybody and any resource need to use this, need to check this ACL first. And we, and there's leads see ACL also in the kernel. And this structure apply to individual process. It means that every process in the kernel got this leads see ACL in include all the rules, all the privileges that this process can get. And all these structures got two significant, significant structure here. I know this is I know number and the DV number. This I know number and DV number identify a single file name or directory name or the device name kind of things. And we have also capabilities and we have also all the ACL that this process contain. And this is a task structure in the Linux kernel structure, in the Linux kernel. This task structure is when you, when the process is in the kernel, this process has a task structure and only task structure to identify this process. And we have, for the leads we add one, we have add a pointer in this task structure with the leads see ACL. This means that when the process running under the lead led with control, he would got this leads see ACL structures and he would have this ACL, and this structure will tell him that what kinds of access or control leads that this process got and what kinds of things can do or he cannot do. And here we just go into the program and see when you do a fork in the program and what leads do is he will inherit all the access control leads, all the access ACL from his parent. And you can see when you do a fork, we have the copy leads see ACL this function to copy all everything from the parent. And after you do a fork, maybe you can, you will do the ESECVE to actually exactly this program. And from when you do the ESECVE, we have leads set ACLs to set all the ACLs that he gets from this program. So, when the program is in the system, he would got two ACLs. One is inherited from his parents. Another one is get from ESECVE. For example, if a program in ABC program, this program got have the privilege to read password file. But you use another program to exactly this program. The other program is his parents. When this ABC running, he got the privilege, he got the ACL from his parents. And also he got the ACLs from the ACLs that he got. And after we have all the tracking and all the process attaching kind of things, right now we will see a system call that we have at the checkpoint. For example, there is a sort of the transfer more. When you use the HMOD, this system call, we have intercept, we have adding this checking in this system call in the kernel. You can see that this is if the red line one is, we add if, please check base. When this function do is, he will check all everything that this program got. And he will check, he will make sure that if this process had the privilege to do the transfer more to the destination file. And if he do not get this privilege, he would, we have a lock here, lead security alert. And he would lock everything that attempt to do this transfer more. And here we say this function leads check base. Here we have this leads check base function. And this function is do is checking all the ACL database to see if this, if this first you check if the destination file, you can change that, if anybody can change the destination file. If not, he will check if the program try to do the CHMOD, the transfer more, have the privilege to do the transfer more to this destination file. If he's not, he will just deny it and just return. All right. Anybody have question about this section? No. All right. Just now we just talk about implementation issues. Actually, all these implementation kind of things, we have the how to, but it's kind of obsolete. So I guess maybe in the future, I will write another how to to talk about these implementation issues. And next one, we talk about attack and defense with the leads. The very first one is we will attack, we will attack the leads and the main password. In the leads, we have super user, right? The super user cannot do things that he can do before. So, but in order to admin all kinds of this access, this control, you have to dot the super super users that he can do the privilege. He can do everything that the root can do before. In order to become this super super user, you have to got a password. This password is in store in the kernel. So, somebody will say that if I can get the password, I can do anything, right? But this password, we have several defenses. The first one is this password is 160 bits and defines how to guess. And another one, the second one is the most important one that we have the restricted login TTY. It means that even if you got, you know the password. If you just log in from the remote host, maybe you get a remote spot call, you get a route from the remote signs. But right now, even if you know the password, you cannot just become this super super user because we check the TTY. We check if you just log in from local or log in from remote sites or log in from a serious port. We can define these restrictions when you compare the kernel. And there's another way to modify the kernel's structure, the kernel's data. It's used the Rode, IO, the Rode devices just right, maybe modify the hard disk through the IO operations. But right now, all the IO operation is controlled by this cap, CIS, Rode IO capability. This capability has been disabled by default. So if you want to use, if you want to change the kernel by this DVK memory or DVK code, you cannot just write to these devices because this cap, CIS, Rode IO has been disabled. The second one, we show that there's a lot of trojans, a lot of invocates and sensing information leaking in these kernel years. The tag is include the trojans. The first trojan, if I can log in the system, I can modify this bin log in and I put the trojans in this program and next time when I log in, I will not use the password. And the log clean, maybe I just clean all the log because they will lock something in this log directory. And we have the password, you can just store the password, etc, shadow, file, and you can use the other password cracking tools to crack it. And for the modules, you can insert or remove the modules from the kernel and you can just insert some invocates in the kernel and you can modify the system call. And there's lots of kernel invocates that can help you to hide your process, to hide your file. But the defense by the LDS is that we can use file system protection first. This file system protection is implemented as a lead and it's in the VFS layer, it's a virtual file system layer. And if you have the read-only, you can set a file to only read-only that nobody can just write to it. For example, for this bin log in, you can just set the rules that made the log in to read-only. And in this case, nobody can write to it, nobody can change it. And for the log, you can just set it to append. So every log could append to this log file, but you cannot write it. And there's another mode is deny access. You can just set the file to deny access. It means that nobody can see this file when he do the LDS, so just modify this file. The example for this deny access is that you can set the ETC shadow as a hidden file, so nobody can see it. And the modules operation, you can program, insert more or remove modules from the kernel before if you have your routes. But right now, because all the modules operation is controlled by this cap, this modules. This modules has been disabled by default by the leads, so you cannot do anything to the modules right now. We saw a log here, and when you do the insert mode and the leads, we saw there's a log here. It means that we saw that which person and violate this cap system modules so he can increase the kernel security by this way. And the next one is LD, this LD preload, this LD preload can insert the malicious code in the process when this program runs. So in this case, if this program gets privileged from the leads and I can just compile a preload library and I can just insert this library. I can use LD preload and run with this privileged program. And because this preload program, maybe he can read the password file, right now I can write this library with LD preload and I can do anything as this preload program. This part is discovered by the Tesla team in the early this year. And we have a solution is that we check the LD in the environment P because all the LD preloads is in the environment pointer. We can just check one by one and we just check this LD and underscore and we check if there's any LD kind of things. When the program is active, we just create all the ACL. So it means that you can still use LD preload but you cannot get ACL, the leads ACL. So in this case, we made a system more usable and more secure. Another one is that we have also a very light-wise shellcode detection in the kernel. You know, a lot of local exploit code we use the shellcode to get a shell. And this shellcode provides as parameters to the program or as an environment to this program. And what we defend is we check the shellcode is very easy. We just check some of the piece of the shellcode in the environment P or the arguments in the environment or the arguments C. In this way, we can prevent shellcode in parameters and environments. Some of the examples is that I just run this X-Lock exploit code. You can find this one on the internet. And when the lead is on, when I run this exploit code, the local exploit code, and the leads can find it and he will say the shellcode detected when exactly this file and program terminate it. It means that when the program is running with the shellcode in the parameters or in the environment, leads can just terminate this program and the local exploit code. In this way, we can prevent some of the exploit code but it's not all of them because we just check a piece of the shellcode just like the system code. The next attack is dynamic one-time kernel modification. This attack you can find in Flink Magazine 58. It's a very recent one. They provide a message to modify the kernel code through this K-codes or this DEV K-memory, and he can modify the kernel's one-time data. In order to do this, he had to write to this proxy K-code, this file, and all this DEV K-memory. He had to have the ability to write. So right now, the leads, what leads can do is he can define it. It's just by this, we have talked about it, just by this cat-sys row IO. This row IO is the capability that he had disabled by before. He controlled everything to access to this row IO file, include the hard disk, include all the drivers, all the row IO devices. And we have a solid log here, an example here is that when you try to do this, write to this DEV K-memory, the leads will terminate the system core, and return an arrow, and log this operation. Say you have this cat-sys row IO, so it can prevent this kind of attack. All right, we just talked about the attack and the defenses with the leads. Next, we talked about how to build a secure Linux with leads. All this information you can find on our website is www.lids.org. You can get all the FAQs and all the how-to on the website. First of all, you need to get a vanilla kernel from www.kernel.org. A lot of people just sent an email to me saying, why can I use RedHead's kernel to patch because we do not support RedHead's kernel because right now we only support the vanilla kernel. It's easier for us to maintain it. So you have to download the kernel from this website. After you do that, you can download the kernel patch from our website and all the tools. If you want to use Linux security modules, you can just go to this lsm.inlinux.org. After you untyle this kernel source, you can use the patch program to patch with these leads. After you patch the leads with the vanilla kernel, you can configure the kernel. There are several options in the kernel in the lids and you can decide if you want to use it. After that, you can rebuild the kernel and just install the kernel and compile and install all the lead tools. We have the default ACL setting by default, but maybe you need to add a new ACL by yourself. There are several important directory for leads. The first one is etc. This directory includes all the list.com, list.mail, and list.pw files. This file will be read when the kernel is booted up and you read everything in the kernel. This directory is protected by lids, but defaults. You cannot go into this directory, you cannot change this directory, anything you cannot do. You cannot do anything to this directory if you are not a super user. There are two lids.conf. This choice is used to manipulate the access control list. You can just say lids.conf. I need the program, this subject, the program. I want this program to read a file or write a file. The desktop is an object, and you can just say there are several options here. You can also use the lids.conf.conf to configure the capability with this inherited level of things. The lids.admin is used to do some administration tasks. For example, if you want to enable or disable leads on a machine, you can just log in and do these leads dash as and dash leads. Here you need to provide a password and then the leads can be disabled. And you need to this dash i is to seal the kernel. To seal the kernel, it means that after I start everything, I need the program, I need the SSHD kind of things. After I do everything, I finish the machine and I do this dash i and I can seal the kernel and right now the kernel is unbreakable. You cannot insert modules, you cannot do anything to the kernel itself right now. There's a very good FAQ in our website. Anything contained, maybe if you have any questions, you can just check this FAQ first. Right now we have, after you install the leads, you have, right now we can see some testing. Alright, after we build the system, you seal the kernel, you do the more prob leads if you have used leads as a modules and you do the leads dash i. This means that you have sealed the kernel and from a lot you can see Linus Intrusion Detection System started and how many objects and how many source ACL and how many objects I in this access control this database and it can do the CAD, ETC, shadow. You can see that the operation is not permitted. You cannot see the shadow password right now and if you want to touch ABC in a beam directory, you can see that operation is not permitted and if you want to remove the modules of the leads, you can see that operation is not permitted, you can do anything. You cannot do, you cannot do, you can do nothing to this kernel right now. We saw that somebody, the PID and the UID, the kinds of users and the kind of process he use to liable this program, to liable this is CAD system modules. And finally we have a summary, okay the leads project actually is a free software efforts. We have, this leads is under the GPL and we develop this one for free and we do not have any support right now. All these things is by interest and I can, I have to thank many people because without them there's no any leads cannot go too far right now. And the leads actually is implemented as security modules in the kernel because we talk about architecture, we show the tag and defense means that leads can enhance the links kernel security in some efforts. Finally I want to acknowledge you and you take your time to listen to this speech and I want to thank the leads users and developers especially the Philip and the Steve kind of, and all the these users here. And I also want to thank the wonderful world of the free software. With the free software you can do a lot of things, you can get anything you want from the internet. If you do not like it you can just modify it so you have all the rights that with the commercial one you have to pay and you cannot do something you want to do. So I just, this is the wonderful world of the free software. With the free software support we can develop very interesting tools to enhance our kernel. And I want to thank my employer in TrueNever which sponsored this trip for me and one of the things that I've come to provide opportunity for me to prevent these leads here. All right, any questions? Thanks, any questions? There's one distribution already included, there's a in-guardie distribution. You can find it on www.linussecurity.com, there's a website and there's a distribution made by this company. Oh yeah, in the Linus kernel, the Linus security modules we go into the Linus kernel maybe in one or two months, but as modules maybe we go into the kernel in the future but I don't know if I will, I guess I will surprise this kernel that leads to the Linus but I don't know if he would accept it. Has he commented? No, I don't think so right now. I need to quiz on the performance, right? Yeah, apparently whenever you go to a Cisco, you are checking some conditions and that's open now. For performance, frankly I never checked the performance on this list before but somebody on the marines told me that he had used the server with the lead support and he never saw any performance down in any case so I guess even if because the I do not check every system call, for example when you open the file I just check when you open the file, if you read or write the file I do not check it, I just check and the very first checkpoint. Cisco? Yes, I just checked the sys opened, I do not check sys read or sys write, so I guess this will improve the performance. Another question, can you verify the integrity of the kernel after it's been attacked? Yes, so can you detect, let's say somebody attacked your kernel, but some unknown method, can you verify the integrity of the kernel? All right, if the lead found somebody trying to attack the kernel, he would, okay attack the kernel has several measures, the first one is you use modules and the second one you use the role Ios and so right now all these things have been checked by the leads, so in this case if leads found somebody trying to do things like that to insert modules kind of things he would provide information in the lock just tell that it's who use what kind of tools to insert or do what kind of things, so in this case after leads found this one he would terminate all the operations that this program do, so he will not affect the kernel he sell, in this case he can protect the leads kernel, so in this case I guess the integrity could be guaranteed. I see, so you just block the known vectors rather than try to verify integrity afterwards? Everything is just terminate, what is the process? Thank you. Sure, and no, okay let's finish this, thank you, take your time here, thanks.