Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD

  • Conference paper
Computer Security (IOSEC 2019, MSTEC 2019, FINSEC 2019)

Abstract

Jails are a lightweight, operating-system-based virtualization framework that allows safe delegation of subsets of a FreeBSD operating system to guest root users. HardenedBSD is a security-enhanced fork of FreeBSD with Jail capabilities. In this paper we introduce Bunkers for bank IT infrastructure security. Bunkers are security-enhanced HardenedBSD jails in which only UNIX domain sockets are enabled; the creation of all other socket types, networking sockets included, is refused. Bunkers also restrict the execve() system call inside the jail, allowing only bit-exact validated binaries from a global whitelist to be loaded and executed. The main objectives are to prevent elevation-of-privilege attacks and to isolate remote payloads and exploits from their source of origin. Bunkers detect, log, monitor and prevent all attempts to use network communications or unwanted binaries by confining all internal processes to UNIX domain sockets and filtering the execve() system call. Two use cases are presented for isolating the ClamAV antivirus engine and all the necessary compressed-file unpackers in HardenedBSD Bunkers: e-mail security, in a store-and-forward system and on a real mail server, and web-browsing security through the Squid proxy. Extensive benchmarks show that in both cases, store-and-forward systems and time-sensitive web content delivery, the impact of the Bunker kernel module is comparable to that of the rival approach Integriforce or of regular Jails. More importantly, enforcing UNIX domain sockets for internal communication provides faster and safer inter-process communication, both between service processes and between Jails. The bit-exact execve() firewall adds a consistent 13%–19% of computation regardless of the type of service protected (web application firewall, SQL database). For the utmost security of mission-critical services we consider these results adequate.
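The two Bunker rules the abstract describes, modelled in user space as an added illustration (this is not the paper's kernel module): socket creation is allowed only for the UNIX domain family, and an execve() request passes only when the file named is on a global whitelist and its current bytes hash to the listed digest. The paper does not name a hash function; SHA-256 and the constructed whitelist and sample files below are this example's assumptions.

```python
import hashlib
import os
import socket
import tempfile

def digest(data: bytes) -> str:
    """Hash of the complete file contents (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).hexdigest()

class Bunker:
    """Policy model: AF_UNIX-only sockets plus a bit-exact execve() whitelist."""
    def __init__(self, whitelist: dict):
        self.whitelist = whitelist  # path -> digest of the only bytes allowed to run
        self.log = []               # denied attempts are recorded, as the paper describes

    def check_socket(self, family: int) -> bool:
        # Rule 1: any family other than UNIX domain sockets is refused and logged.
        if family == socket.AF_UNIX:
            return True
        self.log.append(f"socket(): denied family {family}")
        return False

    def check_exec(self, path: str) -> bool:
        # Rule 2: the file must be listed AND hash to the listed digest;
        # a single changed byte makes the digest differ and the exec is denied.
        expected = self.whitelist.get(path)
        if expected is None:
            self.log.append(f"execve(): {path} not in whitelist")
            return False
        with open(path, "rb") as f:
            if digest(f.read()) != expected:
                self.log.append(f"execve(): {path} contents differ from whitelist")
                return False
        return True

def demo() -> dict:
    """Constructed scenario: a whitelisted unpacker, a tampered copy, an unknown file."""
    with tempfile.TemporaryDirectory() as d:
        good, bad, unknown = (os.path.join(d, n) for n in ("unpacker", "unpacker-tampered", "dropped"))
        body = b"#!/bin/sh\nexit 0\n"  # constructed stand-in for a real binary
        for p, data in ((good, body), (bad, body[:-1] + b"1"), (unknown, body)):
            with open(p, "wb") as f:
                f.write(data)
        bunker = Bunker({good: digest(body), bad: digest(body)})  # same digest listed for both paths
        return {"exec_good": bunker.check_exec(good),
                "exec_tampered": bunker.check_exec(bad),
                "exec_unknown": bunker.check_exec(unknown),
                "socket_unix": bunker.check_socket(socket.AF_UNIX),
                "socket_inet": bunker.check_socket(socket.AF_INET),
                "denials": len(bunker.log)}
```

Only the untouched whitelisted file and the UNIX domain socket pass; the one-byte modification, the unlisted file and the AF_INET socket are each refused and logged.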


Acknowledgement

We acknowledge Dr. Luca Verderame, our shepherd, and the anonymous reviewers for help improving this paper.

Author information

Correspondence to Alin Anton.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Anton, A., Cioargă, R. (2020). Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD. In: Fournaris, A., et al. (eds.) Computer Security. IOSEC, MSTEC, FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_17

  • DOI: https://doi.org/10.1007/978-3-030-42051-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42050-5

  • Online ISBN: 978-3-030-42051-2

  • eBook Packages: Computer Science, Computer Science (R0)