Abstract
Jails are a lightweight, operating-system-based virtualization framework that allows safe delegation of subsets of a FreeBSD operating system to guest root users. HardenedBSD is a security-enhanced fork of FreeBSD that retains Jail capabilities. In this paper we introduce Bunkers for bank IT infrastructure security. Bunkers are security-enhanced HardenedBSD jails in which only UNIX domain sockets are enabled; the creation of every other socket type, including networking sockets, is refused. Bunkers also restrict the execve() system call inside the jail so that only bit-exact validated binaries from a global whitelist can be loaded and executed. The main objectives are to prevent elevation-of-privilege attacks and to isolate remote payloads and exploits from their source of origin. Bunkers detect, log, monitor and prevent all attempts to use network communications or unwanted binaries by confining all internal processes to UNIX domain sockets and filtering the execve() system call. Two use cases are presented in which the ClamAV antivirus engine and all the necessary compressed-file unpackers are isolated in HardenedBSD Bunkers: e-mail security, in a store-and-forward system and in a real mail server, and web browsing security through the Squid proxy. Extensive benchmarks show that in both cases, for store-and-forward systems and for timely content delivery web systems, the impact of the Bunker kernel module is comparable to the rival approach Integriforce or to regular Jails. More importantly, enforcing UNIX domain sockets for internal communication provides faster and safer inter-process communication, both between service processes and between Jails. The bit-exact execve() firewall adds a consistent 13%–19% of computation regardless of the type of service protected (web application firewall, SQL database). For the utmost security of mission-critical services we consider these results adequate.
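The two Bunker gates described in the abstract, modelled in user space as an added example (this is not the paper's kernel module; the class, its method names and the constructed clamscan image are assumptions for illustration): the socket-family filter that admits only AF_UNIX, and the execve() gate that admits only images whose full-file SHA-256 digest is on a global whitelist, so that a one-byte change to an otherwise identical binary is refused and recorded.

```python
import hashlib
import socket

def image_digest(image: bytes) -> str:
    """Bit-exact identity of a binary: SHA-256 over the entire file image."""
    return hashlib.sha256(image).hexdigest()

class BunkerPolicy:
    """User-space model (an assumption for this example, not the paper's kernel code)
    of the two Bunker gates: the socket-family filter and the execve() whitelist."""

    def __init__(self, exec_whitelist: set[str]):
        self.exec_whitelist = exec_whitelist
        self.denials: list[str] = []  # what the kernel module would log and alert on

    def _deny(self, reason: str) -> bool:
        self.denials.append(reason)
        return False

    def socket_allowed(self, family: int) -> bool:
        """Only AF_UNIX sockets may be created; AF_INET, AF_INET6 and all others are refused."""
        if family == socket.AF_UNIX:
            return True
        return self._deny(f"socket(family={family}): only AF_UNIX is permitted")

    def exec_allowed(self, path: str, image: bytes) -> bool:
        """execve() passes only if the exact digest of the image is on the global whitelist."""
        digest = image_digest(image)
        if digest in self.exec_whitelist:
            return True
        return self._deny(f"execve({path}): image {digest[:12]}... not whitelisted")

def demo() -> tuple[dict[str, bool], list[str]]:
    # Constructed stand-in for a clamscan binary image; a real whitelist holds real digests.
    clamscan_image = b"\x7fELF" + b"constructed clamscan image for the example"
    policy = BunkerPolicy({image_digest(clamscan_image)})
    results = {
        "unix_socket": policy.socket_allowed(socket.AF_UNIX),
        "inet_socket": policy.socket_allowed(socket.AF_INET),
        "whitelisted_exec": policy.exec_allowed("/usr/local/bin/clamscan", clamscan_image),
        # One changed byte: same path and size, different bits, so it is refused.
        "tampered_exec": policy.exec_allowed("/usr/local/bin/clamscan", clamscan_image[:-1] + b"!"),
    }
    return results, policy.denials

if __name__ == "__main__":
    print(demo())
```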
Acknowledgement
We acknowledge Dr. Luca Verderame, our shepherd, and the anonymous reviewers for help improving this paper.
© 2020 Springer Nature Switzerland AG
Anton, A., Cioargă, R. (2020). Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD. In: Fournaris, A., et al. (eds.) Computer Security. IOSEC/MSTEC/FINSEC 2019. Lecture Notes in Computer Science, vol. 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_17
DOI: https://doi.org/10.1007/978-3-030-42051-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42050-5
Online ISBN: 978-3-030-42051-2
eBook Packages: Computer Science (R0)