Linux Gets Host Application Security
New modules in the Linux 2.6 kernel make for easier host-based application security.
Application, secure thyself.
When it comes to security, telling applications what they’re allowed to do can be a useful antidote to today’s unending software vulnerabilities. Simply put, host-based application security restricts applications to performing and communicating only in prescribed ways.
The approach is taking off. Gartner expects half of all servers and almost a third of desktops to have application security by 2006. Microsoft is investing significant resources to protect Windows users, but experts say Linux users should also explore such technology.
Application security is a concern on Linux, warns The Yankee Group. Today Linux users have a range of host-based application security options, including Argus, Immunix, Linux Intrusion Defense System (LIDS), SELinux, and Systrace.
To discuss application security and Linux, Security Strategies spoke with Cheryl Traverse, CEO of Immunix, and Dr. Crispin Cowan, Immunix’s chief technology officer. Cowan created the Linux Security Modules (LSM) interface now found in the Linux 2.6 kernel (SuSE already ships a 2.6 kernel; Red Hat plans a late-2004 or early-2005 release).
What’s the mandate for Linux host-based application security?
Traverse: Government and businesses are starting to put pressure on application vendors to fix software, but the way the marketplace is handling this … is by using patching … [Yet that] is a maintenance-activity only, in our view, because you’ve got a 45-to-60-day window from when that vulnerability is disclosed to when a fix becomes available.
Cowan: The top-level view [here] is that all security intrusions result from imperfect software and configurations, there being a tremendous amount of imperfect software. You need a plan B at some point.
What’s your plan B?
Cowan: We seek a way to distinguish good behaviors from bad, using what we call “Spandex Security” for applications—flexible enough to move and grow, but also able to stop attacks … All of which is motherhood—it’s easy to say let’s be simple and effective, but how do you do that? The answer is application security …
Now, users are big, hairy monsters, so models of access control got complicated … [but] if you take users out of the equation, it’s much easier to build a secure application.
How do you distinguish acceptable and unacceptable application behavior?
Cowan: You’re going to want deep semantics, to distinguish the true intent of what the application is trying to do. [That’s opposed to] shallow semantics, using system call interposition that shows only the arguments presented to the kernel.
Prior to Linux 2.6, you could either provide shallow semantics, or deep semantics by hacking the Linux kernel.
What’s the problem with shallow semantics?
Cowan: Well … system call interposition is where you inspect the arguments presented to the kernel. The problem is … you see that process 1379 has requested to open for write some file called “foo,” but you don’t know what directory “foo” is in, so you have to go fake it. And eventually you can reconstruct the context of what the process was trying to do, but you end up taking a lot of time, duplicating [the kernel’s efforts] … and you’re likely to get it wrong … Also it takes a lot of code.
What’s different about Linux 2.6?
Cowan: The Linux Security Module (LSM), something we started and actually built for Linus [Torvalds, creator of Linux]… We designed it in collaboration with the NSA, IBM, and several other large organizations. We built it, Linus adopted it.
Traverse: It was in the works for three years. Immunix used to ship a [Linux] operating system (OS) with its security products …. [containing a hacked kernel], but now we can give the same level of deep security [through the standard Linux distribution].
How does the deep semantics approach work?
Cowan: Just as [the application] is about to finally grant access, it turns to the LSM module and says, this is what [I’m] about to do …
So the LSM arbitrates all access to the application?
Cowan: What we’re doing is providing controlled interaction, so the application can live on the server and talk to it in approved ways, but not in arbitrary ways. [So] ensuring the mail server acts as mail spool, the Web server as a Web server. The Web server can serve Web pages, mail can share mail with the Web server, but it can’t arbitrarily scribble on the Web spool.
Traverse: We do this at a sub-process level.
Cowan: That’s a pretty special property we have … we can do this on small Web CGI scripts, even if they’re being interpreted by ModPerl and ModPHP.
How do you keep track of what’s allowed to talk to what?
Traverse: [On] the SuSE Linux 2.6 kernel, out now … our module plugs into that, builds up the stack from the management console back down, from a set of easy-to-use tools, most automated.
What has final say over which applications get access?
Cowan: The [Immunix] SubDomain tool chain describes the process by which everything can communicate.
Do organizations have to secure all applications?
Cowan: Other security models require that you eat the whole enchilada at once, and if you don’t do it correctly, you get a non-working machine. [By] contrast, you can apply SubDomain to this product over here today, this other one next week. So … you don’t need to apply this to all programs, just the ones that are exposed.
How does that work?
Cowan: The Server Analyzer [component] listens for open network ports, then basically complains about programs without SubDomain profiles.
So how does a security manager add an application to Immunix?
Cowan: You put SubDomain into auto-learning mode where rules are not enforced, but violations are logged, and you run it for hours, days, weeks, until you have the pattern built up … So you build up that log file of events—there might be thousands of them—and then you get to the Interactive Optimizer … where our software analyzes the log of events, and … generalizes [them] … In that way it can reduce thousands of events to dozens of questions.
What about stopping unknown attacks?
Cowan: We’re using a default-deny model, where the only thing it’s allowed to do is what we say.
Traverse: This is why we view patching as a maintenance strategy … It just removes this illusion that software can ever be perfect and you can just get it patched in time, because you can’t.
Does the product ship with any presets for widely used software?
Cowan: We provide a library of standard files for the usual suspects you usually find on a Linux box, such as Mail, Apache, Sendmail …
We also provide a collection of standard profile components. These are things you can include when creating your own application. So, for example, the authorization component is useful for anyone who’s going to create an authorization component of an application, such as looking up users, DNS service. This is another way that an Interactive Optimizer reduces thousands of events to dozens of questions.
How much training is needed to use the tool?
Traverse: We use regular expressions, so even when we show it to a novice Linux user [they understand it]. Also it’s very scalable, so you don’t need to do the whole enchilada, you can do pieces … and we give you the advantage of the deep semantics and process confinement without the disadvantage of … having another kernel, of having to get into the OS.
How much processing power does this approach require?
Traverse: It operates with a two percent overhead …
Is this for enterprise users only?
Cowan: We supply this not only to [enterprise IT] end users but also to the OEMs who want to [bundle it], and also [appliance makers].
Over in IT land, some of them will use the blessed version of the distribution and never deviate from it, and others will exploit the open source nature of Linux but tweak it …
Traverse: But if you do roll your own kernel and decide to [modify] Apache [for example], you don’t have to secure the whole SuSE OS. You can pick that roll-your-own Apache application, and secure it along with other stuff.
Cowan: Which produces a tremendous cost savings. You don’t have to do everything.
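The learning-mode workflow the interview describes (log every access with enforcement off, generalize thousands of events into a handful of rules, pull in standard profile components, then enforce default deny) as an added example; this is not Immunix’s SubDomain tool chain and not code from the original article. The log format, the component library, the permission letters and the collapse threshold are assumptions made for the illustration, and the emitted profile uses a path-plus-permission, glob and #include style loosely modelled on AppArmor, the open-source descendant of SubDomain.

```python
"""Generalize learning-mode access events into a default-deny profile.

Added example, not Immunix's SubDomain tool chain: the log format, the
component library, the permission letters and the collapse threshold are
assumptions for this illustration; the output loosely follows the
path+permission, glob and #include style of AppArmor, SubDomain's descendant.
"""
import os
import re
from collections import defaultdict

# Constructed learning-mode log (not real Immunix output): one line per access
# the program attempted while violations were only logged, not blocked.
SAMPLE_LOG = """\
pid=1379 exe=/usr/sbin/httpd op=open path=/etc/ld.so.cache perm=r
pid=1379 exe=/usr/sbin/httpd op=open path=/lib/libc.so.6 perm=mr
pid=1379 exe=/usr/sbin/httpd op=open path=/etc/httpd/httpd.conf perm=r
pid=1379 exe=/usr/sbin/httpd op=open path=/var/www/html/index.html perm=r
pid=1379 exe=/usr/sbin/httpd op=open path=/var/www/html/about.html perm=r
pid=1379 exe=/usr/sbin/httpd op=open path=/var/www/html/img/logo.png perm=r
pid=1380 exe=/usr/sbin/httpd op=open path=/var/www/html/img/hero.png perm=r
pid=1380 exe=/usr/sbin/httpd op=open path=/var/log/httpd/access_log perm=w
pid=1380 exe=/usr/sbin/httpd op=open path=/var/log/httpd/error_log perm=w
pid=1380 exe=/usr/sbin/httpd op=exec path=/usr/lib/cgi-bin/counter.cgi perm=x
"""
LINE_RE = re.compile(r"exe=(\S+) op=\S+ path=(\S+) perm=(\S+)")

# Assumed library of standard profile components: glob -> permission letters.
ABSTRACTIONS = {"abstractions/base": {"/etc/ld.so.cache": "r", "/lib/lib*.so*": "mr"}}


def glob_to_regex(pattern):
    """'**' spans directories; '*' stays within one path component."""
    return re.compile("^" + "".join(
        ".*" if t == "**" else "[^/]*" if t == "*" else re.escape(t)
        for t in re.split(r"(\*\*|\*)", pattern)) + "$")


def parse_events(log):
    """Fold raw events into exe -> {path: set of permission letters}."""
    access = defaultdict(lambda: defaultdict(set))
    for exe, path, perm in LINE_RE.findall(log):
        access[exe][path].update(perm)
    return access


def generalize(paths, min_files=2):
    """Files sharing a directory and a permission set collapse to '<dir>/*'; a
    nested glob with the same permissions widens its parent to '<dir>/**'.
    Singletons stay literal so the profile never grants more than was seen."""
    by_dir = defaultdict(list)
    for path, perms in paths.items():
        by_dir[(os.path.dirname(path), frozenset(perms))].append(path)
    rules = {}
    for (d, perms), members in by_dir.items():
        if len(members) >= min_files:
            rules[d + "/*"] = perms
        else:
            rules.update((p, perms) for p in members)
    while True:  # widen one nested glob per pass until none is left
        pairs = [(r, os.path.dirname(r[:-2])) for r in rules if r.endswith("/*")]
        hit = next(((r, w) for r, p in pairs if p not in ("", "/")
                    for w in (p + "/**", p + "/*") if rules.get(w) == rules[r]), None)
        if hit is None:
            return rules
        rule, wider = hit
        perms = rules.pop(rule)
        rules.pop(wider)
        rules[os.path.dirname(rule[:-2]) + "/**"] = perms


def build_profile(exe, paths):
    """Return (profile text, rules, includes). Accesses a standard component
    covers become one #include; the rest are generalized. Default deny:
    anything the profile does not list is refused."""
    remaining, includes = dict(paths), []
    for name, component in ABSTRACTIONS.items():
        covered = [p for p, perms in remaining.items()
                   if any(glob_to_regex(pat).match(p) and perms <= set(granted)
                          for pat, granted in component.items())]
        if covered:
            includes.append(name)
            for p in covered:
                del remaining[p]
    rules = generalize(remaining)
    lines = [f"{exe} {{"] + [f"  #include <{i}>" for i in includes]
    lines += [f"  {pat} {''.join(sorted(rules[pat]))}," for pat in sorted(rules)]
    return "\n".join(lines + ["}"]), rules, includes


def is_allowed(rules, includes, path, perm):
    """Enforcement: default deny, only an explicit matching rule grants access."""
    candidates = dict(rules)
    for inc in includes:
        candidates.update((pat, set(g)) for pat, g in ABSTRACTIONS[inc].items())
    return any(glob_to_regex(pat).match(path) and perm in granted
               for pat, granted in candidates.items())


if __name__ == "__main__":
    for exe, paths in parse_events(SAMPLE_LOG).items():
        print(build_profile(exe, paths)[0])
```

Running it prints the generated profile: ten logged accesses reduce to one include and four rules. The direction of the generalization is the point worth noticing. A directory is widened to a glob only when several files under it were seen with the same permissions, and an unseen path, or an unseen permission on a seen path, is refused, which is what default deny means in practice. The trade-off is that a learning run that never exercised a code path (log rotation, an error page) yields a profile that later blocks legitimate behaviour, which is why the interviewees run learning mode for hours, days or weeks before enforcing.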