TOMOYO LINUX ON ANDROID

2009平價電腦應用程式研討會 at Taipei, October 27, 2009

原田季栄 (Toshiharu Harada), 半田哲夫 (Tetsuo Handa)

NTT DATA CORPORATION



AGENDA

Part 1: Operating System Security Overview

Part 2: Demonstration

Q and A

DO YOU KNOW THIS?

鉄人28號

正太郎君

Controller of 鉄人

鉄人 is very powerful

Has no intelligence

Operated by the controller

鉄人28號

正太郎君 is an ordinary boy

(has no power)

He is the owner of the controller of 鉄人28號

正太郎君

Can be used to control 鉄人

Communicate with 鉄人

wirelessly (bluetooth?)

鉄人CONTROLLER

1. 正太郎君 loses his important 鉄人 controller

2. 鉄人 is operated by bad guys

3. 正太郎君 takes back the controller

4. Goto line 1

TOTAL SCENARIO

OH

MY GOD!

FAULT OF 鉄人?

No, not really

鉄人 is just a machine

正太郎君 is responsible for keeping control of 鉄人

Like a driver is responsible for a car accident

EVER THOUGHT?

Your PC or embedded device is the same as 鉄人

It does not know what is good and what is bad

You, as the owner of the PC, have to administer it

Separate accounts and use passwords

Set access modes for files and directories

UNFORTUNATELY

Those things are not sufficient

Because

1. Bugs can cause buffer overflows

2. It is possible to take over administrator privilege via buffer overflows

3. Administrator privilege means almighty

SO YOU NEED

Something to restrict (or limit) the administrator privilege

Windows VISTA introduced UAC

Linux and other mainstream OSes are equipped with better access control mechanisms: SELinux, Smack and TOMOYO Linux

The green field is the operating system space

A car is a process (program)

In a normal OS, the car can go anywhere (can do anything)

If your car is stolen, your damage is unlimited

WHY “UNLIMITED”?

Operating system does not know you

Operating system does not understand good operations and bad operations

If one gets privilege, he is a God and can do anything (format the drive, stop the service, set a backdoor ..)

The whole idea is “limiting” the freedom

You have to be careful not to limit the proper usage

The ideal state is that the car can go to the places you need, but cannot go anywhere else

YOUR ROLE

Like 鉄人, SELinux and TOMOYO Linux can’t know which operation is good and which is bad

You have to tell them as a set of conditions, which are called “policy”

WHY IS IT DIFFICULT?

Because additional access control works deep inside the operating system (in the Linux kernel)

The Linux kernel is not a very user-friendly world

inode, file descriptor, lock …

Policy is like an assembly language of computer security

[Diagram: human, policy, pathname, inode]


EMBEDDED, TOO?

More and more devices are using Linux

A rich set of software (TCP/IP, apache, samba …)

Vulnerabilities are the same as on server machines

Embedded devices store personal information, so security is more important

Embedded devices can physically cause harm (remotely destroy/damage your possessions)

3 CHOICES

SELinux (fully-featured, most robust and reliable)

Smack (simplified version)

TOMOYO Linux (since 2.6.30)

SELINUX

Makes judgements by the combination of “labels” (security context information)

You can see labels by executing “ls -Z”, “ps -Z” ...

TOMOYO LINUX

Has a feature called “policy learning mode”

It gathers information inside the kernel and shows you

TOMOYO Linux keeps track of every process execution

Each process has its “history” and we call that “domain”
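As an added illustration that is not part of the slides, here is a small Python model of the two points above: a domain is a process's execution history, and learning mode records what each domain accesses so that enforcing mode can later refuse anything else. The domain naming, the `boot`/`fork`/`execve`/`access` methods and the constructed httpd scenario are simplifying assumptions, not TOMOYO's real policy syntax or kernel code.

```python
from collections import defaultdict
class TomoyoModel:
    """Toy model (an assumption, not TOMOYO's real code): domain = exec history."""

    def __init__(self):
        self.domains = {}               # pid -> domain name
        self.policy = defaultdict(set)  # domain name -> {(operation, path)}
        self.mode = "learning"          # "learning" or "enforcing"

    def boot(self, pid, binary):
        # The first program the kernel starts gets the domain "<kernel> /path"
        self.domains[pid] = f"<kernel> {binary}"

    def fork(self, parent, child):
        # fork() runs no new program, so the child keeps the parent's domain
        self.domains[child] = self.domains[parent]

    def execve(self, pid, binary):
        # execve() appends the new program to the history: a new domain
        self.domains[pid] = f"{self.domains[pid]} {binary}"
        return self.domains[pid]

    def access(self, pid, operation, path):
        """True if allowed: learning mode records the access into the domain's
        policy; enforcing mode allows only what the policy already contains."""
        domain = self.domains[pid]
        rule = (operation, path)
        if rule in self.policy[domain]:
            return True
        if self.mode == "learning":
            self.policy[domain].add(rule)
            return True
        return False

def demo():
    # Constructed scenario: httpd learns one read, then the policy is enforced
    m = TomoyoModel()
    m.boot(1, "/sbin/init")
    m.fork(1, 100)
    httpd = m.execve(100, "/usr/sbin/httpd")
    m.access(100, "read", "/var/www/index.html")  # recorded while learning
    m.mode = "enforcing"
    allowed = m.access(100, "read", "/var/www/index.html")
    denied = m.access(100, "write", "/etc/passwd")
    # A program run from httpd gets its own domain and none of httpd's rules
    m.fork(100, 200)
    shell = m.execve(200, "/bin/sh")
    shell_denied = m.access(200, "read", "/var/www/index.html")
    return httpd, shell, allowed, denied, shell_denied
```

The last two results show why the history matters: the same file that httpd's domain learned to read is refused to a program executed from httpd, because that program lives in a different domain with its own (empty) policy.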

DEMONSTRATION

TRADEMARKS

Linux is a trademark of Linus Torvalds in Japan and other countries

TOMOYO is a trademark of NTT DATA CORPORATION in Japan