Open Source Security

Installing and configuring eCryptfs with a trusted platform module (TPM) key

Emily Ratliff — Mon, 10 Nov 2008 21:33:55 +0000

Mike Halcrow has written a paper on Installing and configuring eCryptfs with a trusted platform module (TPM) key. This paper is available on IBM Systems Information Center along with a bunch of other step-by-step guides.
This paper describes how to use a TPM key directly with eCryptfs. It demonstrates the flexibility of eCryptfs’ pluggable key module framework. Since the TPM wasn’t designed to do bulk encryption, if you actually set eCryptfs up this way, you’ll get pretty low performance, but it is an interesting exercise nonetheless and if you have small bits of information that you want strongly protected, this does provide one good option. I hear that Mike is working on replicating this experiment with a wrappered key which should provide much better performance but requires a little additional code.
In addition to showing how to integrated the TPM with eCryptfs, this paper also contains a step-by-step descriptions on how to do ancillary operations like how to enable encrypted swap in Red Hat Enterprise Linux 5.2 and how to get your TPM up and operational. This side content alone makes the paper useful.

One Year of Blogging…

Emily Ratliff — Mon, 10 Nov 2008 19:58:08 +0000

I’ve been writing this blog just over a year now. The year started out very strong with some my favorite posts coming early on. As my core job responsibilities moved beyond security, writing a security focused blog has become more difficult, and I have posted much less frequently over the past several months.

Looking back over the year, the posts with the most hits:

While that list certainly includes the posts that are my favorites, I also keep going back to Linux Security Best Practices because the NSA guide is so valuable and contains the answers to many of the most often asked security questions.
And I remain surprised at how popular the posts of weekly news links have been.

I’ve enjoyed having this forum (far more than I expected) as a place to put my opinions and thoughts about Linux security, a place to focus my attention on Linux security, and a place to even post a few facts from time to time.

Thank you.

Rings within rings of understanding

Emily Ratliff — Mon, 01 Sep 2008 04:38:24 +0000

The NSA is even smarter than I realized. User Friendly explains it all. I laughed out loud at each pane in today’s strip. Thanks UF!

Linux Blueprint - Protecting Data at Rest

Emily Ratliff — Wed, 28 May 2008 15:18:59 +0000

My colleagues have written a comprehensive step-by-step guide to enabling disk encryption in your choice of RHEL 5.2 or SLES 10 SP2. This is pretty much as easy as it gets. If you have questions or comments about the paper, they also have an online forum for security discussions. I suggest the PDF version which packages the whole (short) paper up into a single, easily consumable whole.

This document is just the first of the new series of “Linux blueprints” (step-by-step guides for accomplishing specific tasks with Linux) which will be published on the IBM Systems Information Center (Info Center).

Enjoy!

Red Hat Enterprise Linux 5.2 contains two security Technology Previews

Emily Ratliff — Wed, 21 May 2008 21:47:29 +0000

Red Hat Enterprise Linux 5.2 was released today. That is significant news in and of itself, but I am especially excited because it contains Technology Previews of eCryptfs, TrouSerS, and tpm-tools! As Technology Previews, they are not yet supported for production use, but this is the first step to allow for experimentation and time for ripening. I’m happy to see Red Hat’s continued dedication to security. If you try these packages out in RHEL, I’d love to hear of any successes or problems that you encounter.

[1] http://www.press.redhat.com/2008/05/21/red-hat-enterprise-linux-52/
[2] http://ecryptfs.sourceforge.net/
[3] http://trousers.sourceforge.net/

Fedora users love SELinux

Emily Ratliff — Thu, 10 Apr 2008 17:19:15 +0000

Fedora Weekly News continues to be a(n unexpectedly) great source for security content. I’ve recently been cleaning up the backlog of my email and have discovered nuggets of valuable information such as

94% of Fedora 8 installs have SELinux enabled

in Fedora Weekly News Issue 121 (Feb. 18, 2008). Now if you read the article, the number I selected to highlight is the raw number that James got off-list. 47%, 50%, and 74% were also tossed out there. Dan Walsh said that the statistics are misleading but being improved and Yaakov Nemoy says that smolt only measures 10% of Fedora machines. So, they are still working out the details. Even so, what they have measured so far is a quite a bit different from the statistics that we see about enterprise customers. I expect it is probably because Fedora users are satisfied with a completely open source stack and do not install as many 3rd party ISV applications which are not as integrated and do not have application specific SELinux policy. Still, this is an incredibly encouraging statistic. Once the Fedora community has been collecting the statistics a little longer, collects whether SELinux is enforcing or not, and starts publicizing these statistics widely, they may be able to help drive ISV adoption (or at least tolerance) of SELinux which will encourage commercial customers to follow the Fedora wave of early adopters on short order.

P.S. Yes, the title is tongue in cheek with a nod to the guys who participated in the discussion.

http://fedoraproject.org/wiki/FWN/Issue121

So, would you call it SESolaris? SEOpenSolaris?

Emily Ratliff — Wed, 05 Mar 2008 22:46:20 +0000

In a major validation of the FLASK architecture, the OpenSolaris community has created a new project called Flexible Mandatory Access Control (fmac) to adapt the FLASK architecture to OpenSolaris. (The FLASK architecture that is the basis for SELinux.) Stephen Smalley will be one of the community leads. OSNews picked up the email thread today with some interesting comments.

James Morris notes related work in his blog posting from this morning and offers to help the community preserve interoperability with SELinux.

Personally, I would be delighted to see widespread adoption of the FLASK architecture lead to usability improvements and complexity reduction across the board.

[1] http://www.opensolaris.org/os/project/fmac/
[2] http://www.opensolaris.org/jive/thread.jspa?messageID=204568𱼘
[3] http://www.osnews.com/thread?303491
[4] http://james-morris.livejournal.com/2008/03/05/

New Article on Polyinstantiation at developerWorks

Emily Ratliff — Fri, 29 Feb 2008 23:33:51 +0000

One of the cool new features included in Red Hat Enterprise Linux 5 was VFS polyinstantiation. This work was in support of the Multi Level Security configuration. It allows files to exist in a directory at different security classifications. The subset of files visible to the user depends on the user’s clearance. There is an excellent description of the functionality in both section 4.1.2 of Extending Linux for Multi-Level Security by Klaus Weidner, George Wilson and Loula Salem, as well as Russell Coker’s article Polyinstantiation of directories in an SELinux system.

Now there is an excellent new article on developerWorks by Robb Romans Improving Security with polyinstantiation which describes in simple and detailed terms how administrators can polyinstantiate /tmp (and other world writable directories) to help prevent attacks through /tmp. This technique usable whether or not SELinux is enabled. This article helps answer calls for the complete elimination of world writable directories so as to defeat resource exhaustion attacks (quotas were described as “non-optimal”). One can instead use the method described in this paper to polyinstantiate world writable directories to completely different devices to effectively eliminate the attack. (Yes, they grok TMPDIR. And, yes, unfortunately there are customers who won’t use SELinux.)

So if you were wondering how you can get your feet wet with polyinstantiation, give the steps described in Robb’s article a try.

[1] http://download.boulder.ibm.com/ibmdl/pub/software/dw/linux/lspp-rbac.pdf
[2] http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
[3] http://www.ibm.com/developerworks/linux
[4] http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/

All the news fit to print - Feb. 21, 2008 edition

Emily Ratliff — Sat, 23 Feb 2008 05:16:56 +0000

Ed Felten this week released some research on defeating disk encryption by recovering keys from DRAM. His blog entry mentioned by name Bitlocker, FileVault and dm-crypt as implementations which can be defeated in this way. Some 70+ articles appeared over the next 24 hours discussing the attack. Of course, we all immediately pinged Mike Halcrow to hear his thoughts on the issue. Between this article and the one a few weeks ago “Encryption could make you more vulnerable”, he just isn’t feeling the love, so he sat down and pounded out his own blog response. In light of news stories such as these, it is well worth keeping in mind that a key motivator for server encryption is to ease disposition of obsolete hardware. It is just too easy to do it the wrong way if you don’t employ encryption.

One of the most common requests I hear is for automation of security hardening, so it was pretty cool when TCS announced their Security Blanket product last fall. Earlier this month they announced that it is now compliant with DISA’s STIG. This is cool and all, but didn’t anyone tell their marketing branch that a security blanket just makes you feel better but doesn’t offer any real security? Not exactly the message that you want your hardening tool to confer.

I have a weakness for stories like Hacks, Phreaks, Worms, Tigers
and Bears–Oh My “The top eight events that changed the course of computer security history (and two that didn’t)” Nothing earth shattering, but a fun quick read.

And, of course, IBM to collaborate on NSA program is just amazingly awesome good news.

Links in this edition:
[1] http://citp.princeton.edu/memory/
[2] http://www.freedom-to-tinker.com/?p=1257
[3] http://www.infoworld.nl/idgns/002570DE00740E18002573F6007D544C/disk-encryption-easily-cracked–researchers-find.html
[4] http://www.techworld.com/security/news/index.cfm?newsID=11371
[5] http://halcrow.us/cgi-bin/blosxom
[6] http://www.nydailynews.com/money/2008/01/28/2008-01-28_sensitive_info_lives_on_in_old_computers.html
[7] http://www.gcn.com/online/vol1_no1/45781-1.html
[8] http://www.washingtontechnology.com/online/1_1/32222-1.html

Not with a bang, but a whimper

Emily Ratliff — Fri, 15 Feb 2008 04:04:38 +0000

Roy Fielding[1] finally quit the OpenSolaris community today, see his resignation letter[2]. The kettle finally boiled over and the realization come to many (but not all) that Sun is publishing their Solaris code for marketing purposes, rather than creating an independent, community-led, open source project with the ability to make real decisions.

It seemed so promising at first: “[T]hey made promises about it being an open development project. … Sun gave up its right to make arbitrary decisions regarding the phrase ‘OpenSolaris’ as part of its public agreement with the community in the form of the Charter. That was a self-imposed restriction in exchange for the benefits of community-driven development, freely made, and cannot be changed except in accordance with the charter itself (for example, by amending or dissolving the charter).” (excerpt from Roy Fielding’s resignation letter) But it was a sham: “The charter has therefore been violated. … Sun agreed that ‘OpenSolaris’ would be governed by the community and yet has refused, in every step along the way, to cede any real control over the software produced or the way it is produced, and continues to make private decisions every day that are later promoted as decisions for this thing we call OpenSolaris.” (excerpt from Roy Fielding’s resignation letter)

To be fair, most developers recognized the community as a sham right away merely based on the copyright and patent assignments required by the contributors agreement[3]. To date, Sun has received 578 patches[4], which represents a rate of 0.6 patches a day (first patch dated 6/17/05, there were some earlier undated contributions). Linus gets more patches while he is brushing his teeth than OpenSolaris gets in a week. Despite Roy’s efforts to build a real community, contributing to OpenSolaris always has been and seemingly always will be, corporate welfare.

For me, the realization that Sun just doesn’t get it, and never will, was crystallized the day I was turned away from an OpenSolaris Users’ Group meeting for refusing to sign an NDA.

It is a credit to the Solaris engineers that a few hearty souls want to soldier on amidst the wreckage: “Nonetheless I believe the time has come for a reboot and I am looking for other like-minded people to stand and form a full Board for positive change.”[5] And others who are even contemplating forking: “We will need to build out our infrastructure so that we can host development, mailing-lists and etc.. Once that is done, we will need to make the case to start moving development to the new organization/infrstructure. This will mean that even Sun employees will have to chose to move their development work to a community ‘controlled’ development infrastructure.”[6] It is to them, that I dedicate the title.

[1] http://en.wikipedia.org/wiki/Roy_Fielding
[2] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004488.html
[3] http://www.opensolaris.org/os/about/sun_contributor_agreement/
[4]http://www.opensolaris.org/os/bug_reports/request_sponsor/
[5] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004487.html (Yes, the author of this email is a Sun employee.)
[6] http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004477.html