SlideShare a Scribd company logo
1 of 32
Download to read offline
LAPP/SELinux
A secure web application stack powered by SELinux


        KaiGai Kohei <kaigai@ak.jp.nec.com>
             NEC OSS Promotion Center
Self Introduction

▐ KaiGai Kohei
  has worked at NEC for 7 years,
  and contributed to SELinux development, such as
          SMP scalability improvement
          A series of efforts to port embedded platform
          Development of SE-PostgreSQL
          Per thread security context setting support

   Recently, I have focused on web-system's security.




 Page 2      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
1. Background

2. SE-PostgreSQL

3. Apache/SELinux Plus

4. LAPP/SELinux
Security nightmare in Web systems




                     (Reference: JSOC analysis report of the incursion trend, vol.12, LAC)



▐ Attacks to web systems have been rapidly increasing.
▐ It is estimated the cause is growth of web-based commerce.
  Existing security features are really attractive?


 Page 4   Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
LAPP - A typical web application stack

▐ LAPP
          Full OSS web application stack, also knows as LAMP
           • Linux, Apache, PostgreSQL and PHP/Perl
▐ Security concerns
          Each layer has its own access controls
             Lack of consistency
          No individual privileges for users via web-interfaces
          (Security depends on quality of web-applications in other word)
              Lack of comprehensiveness
                                                                      Its own access controls               Web Applications
▐ Keyword ... Analogy                                                  Its own access controls                 (PHP/Perl)

                                                                                 .htaccesses                  Web Server
                                                                                  .htaccesses                   (Apache)

                                                                              Database ACLs                 Database Server
                                                                               Database ACLs                  (PostgreSQL)

                                                                       Filesystem permissions               Operating System
                                                                        Filesystem permissions                   (Linux)
 Page 5      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
An analogy between OS and Database
                                                                                                                            Info
                                                                                                                            Asset
                                          System                                              Filesystem
                                            call                                              Permission              Filesystem
                                                                                                            SELinux
                                                                                   OS (Linux)
                                                                                                                            Info
                                                                                                                            Asset
                                                                                               Database
                                            SQL                                                  ACLs                 Database

                                                                                   RDBMS (PostgreSQL)
   User Process                         Request                                            Object manager and Resource

▐ Same relationship in user processes and information assets
▐ Differences in the way to store and access
          System call for Filesystem, SQL for Database
▐ Access control is to decide what are allowed or disallowed
  on relationships between certain users and resources.
          No reason why we cannot apply a common security model.
          It guarantees consistency of access controls.
 Page 6      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
An analogy between ssh and web
                                                                                       Privilege

                                         and              sshd                                              Filesystem
                             co m m
                       Shell
                                                                                           Shell process
                                                     Authentication
                                                     Authentication

                        HTTP
                             Reque
                                   st                    httpd                                              Database

                                                                                               WebApp
                                                                                               Instance
User (Human)              Requests                    Daemons                                User Agent     Resource


▐ User is a human; an user agent performs instead of himself.
▐ The user agent must have correct privilege set of the human.
          Authentication can identify the human and assign privileges.
          Httpd launches web-apps without individual privileges.
          OS/DB cannot distinguish who is behind on the user agent.
▐ Need to assign privileges of the human user on the web-apps.
 Page 7      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
What can we find out from the analogies?

▐ SE-PostgreSQL
          Advanced access controls for SQL queries based on SELinux
          Consistency in access controls

▐ Apache/SELinux Plus
          Advanced privilege mechanism for web applications based on SELinux
          Comprehensiveness in web-application security

   LAPP/SELinux
          Utilization of SELinux at the LAPP stack                                                            Web Applications
           • SELinux + SE-PostgreSQL                                                                              (PHP/Perl)
                   + Apache/SELinux Plus                                                                         Web Server
                                                                                                            (Apache/SELinux Plus)

                                                                                                              Database Server
                                                                                                              (SE-PostgreSQL)
                                                                                                              Operating System
                                                                                                                  (SELinux)

 Page 8      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
1. Background

2. SE-PostgreSQL

3. Apache/SELinux Plus

4. LAPP/SELinux
Architecture of SE-PostgreSQL
   User Process
                                                                                              SQL Query
                                                SQL                                           Processing                          Database



                                                                             Database ACL                   SE-PgSQL
                    System
                     Call
                                                                                                            subsystem
User Space                                                           SE-PostgreSQL

                                                                                                   denied
                                                                                                   denied                        Kernel Space
                Filesystem                                  Security
Filesystem       Routines                                    Server                  Security                           Can I allow the
                                                                                                                         Can I allow the
                                                                                      Policy                            given accesses?
                                                                                                                        given accesses?
                                                         SELinux

▐ SELinux hooks system-call processing
▐ SE-PostgreSQL also hooks SQL Query processing
▐ SELinux makes its decision based on its security policy
▐ SE-PostgreSQL controls execution of the SQL query
  according to the SELinux's access control decision.
  It means the security policy controls both of accesses on OS and DB.
 Page 10     Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Decision-making in SELinux
   security context
   security context                      required actions
                                         required actions
   of user agent
    of user agent
                                                                                           Security              Allowed or Denied
                                                                                                                 Allowed or Denied
                 security context
                 security context                                                           Policy
                of target object
                of target object                                                                                      decision
                                                                                                                      decision
                                                             Input                         SELinux           Output

▐ SELinux looks like a function
           SELinux returns a binary state for the given arguments.
           Kernel internally gives them to SELinux and follows its decision.
           Userspace application also can utilize this mechanism,
           as long as it can provide the pair of security contexts.
▐ Security context
           A SELinux specific identifier of processes and any other objects
           The kernel manages security context of the kernel objects.
           Applications must manage security context of the userspace objects.

 Page 11      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
"security_context" system column
 security context of the regular relation
  postgres=# SELECT security_context, * FROM drink;
  postgres=# SELECT security_context, * FROM drink;
              security_context
              security_context             | id | name | price
                                           | id | name | price
  -----------------------------------------+----+-------+-------
  -----------------------------------------+----+-------+-------
   system_u:object_r:sepgsql_table_t:s0
   system_u:object_r:sepgsql_table_t:s0    | 3 | juice |
                                           | 3 | juice |    130
                                                            130
   system_u:object_r:sepgsql_table_t:s0
   system_u:object_r:sepgsql_table_t:s0    | 4 | cofee |
                                           | 4 | cofee |    180
                                                            180
   system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer |
   system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer |     240
                                                            240
   system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake |
   system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake |     320
                                                            320
   system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine |
   system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine |     380
                                                            380
   system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea
   system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea    |
                                                        |   140
                                                            140
  (6 rows)
  (6 rows)

                                                                                                          System catalog
 security context of the system relation
  postgres=# SELECT security_context, attname, attnum FROM pg_attribute
  postgres=# SELECT security_context, attname, attnum FROM pg_attribute
          WHERE attrelid = 'drink'::regclass AND attnum > 0;
           WHERE attrelid = 'drink'::regclass AND attnum > 0;
               security_context
               security_context             | attname | attnum
                                            | attname | attnum
  -----------------------------------------+---------+--------
  -----------------------------------------+---------+--------
   system_u:object_r:sepgsql_table_t:s0
   system_u:object_r:sepgsql_table_t:s0     | id
                                            | id      |
                                                      |      11
   system_u:object_r:sepgsql_table_t:s0
   system_u:object_r:sepgsql_table_t:s0     | name
                                            | name    |
                                                      |      22
   system_u:object_r:sepgsql_ro_table_t:s0 | price
   system_u:object_r:sepgsql_ro_table_t:s0 | price    |
                                                      |      33
  (3 rows)
  (3 rows)

 Page 12   Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Privileges of the client

▐ SE-PostgreSQL applies the security context of peer process.
           It does NOT depend on database authentication.
           SELinux provides an API to obtain the security context of peer process.
            • See the getpeercon(3)
▐ Labeled IPsec
           It enables to deliver the security context of remote processes
           An enhancement of IPsec, available at kernel-2.6.18 or later
       [ymj@saba ~]$ id -Z
       [ymj@saba ~]$ id -Z
       uid=1002(ymj) gid=100(users) groups=100(users) ¥
       uid=1002(ymj) gid=100(users) groups=100(users) ¥
               context=staff_u:staff_r:staff_t:s0-s0:c0.c15
               context=staff_u:staff_r:staff_t:s0-s0:c0.c15

       [ymj@saba ~]$ psql -q postgres -U dbguest
       [ymj@saba ~]$ psql -q postgres -U dbguest
       postgres=> SELECT sepgsql_getcon(), current_user;
       postgres=> SELECT sepgsql_getcon(), current_user;
                   sepgsql_getcon
                   sepgsql_getcon            | current_user
                                             | current_user
       --------------------------------------+--------------
       --------------------------------------+--------------
        staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest
        staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest
       (1 row)
       (1 row)

 Page 13      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Usage of SE-PostgreSQL (1/2)
 Row level access control
postgres=# SELECT security_context, * from drink;
postgres=# SELECT security_context, * from drink;
                 security_context
                 security_context                  | id | name | price
                                                   | id | name | price
---------------------------------------------------+----+--------+-------
---------------------------------------------------+----+--------+-------
 system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water |
 system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water |     100
                                                                     100
 system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke
 system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke    |
                                                                 |   120
                                                                     120
 system_u:object_r:sepgsql_table_t:Unclassified
 system_u:object_r:sepgsql_table_t:Unclassified    | 3 | juice |
                                                   | 3 | juice |     130
                                                                     130
 system_u:object_r:sepgsql_table_t:Unclassified
 system_u:object_r:sepgsql_table_t:Unclassified    | 4 | coffee |
                                                   | 4 | coffee |    180
                                                                     180
 system_u:object_r:sepgsql_table_t:Classified
 system_u:object_r:sepgsql_table_t:Classified      | 5 | beer
                                                   | 5 | beer    |
                                                                 |   240
                                                                     240
 system_u:object_r:sepgsql_table_t:Classified
 system_u:object_r:sepgsql_table_t:Classified      | 6 | sake
                                                   | 6 | sake    |
                                                                 |   320
                                                                     320
 staff_u:object_r:sepgsql_table_t:Unclassified
 staff_u:object_r:sepgsql_table_t:Unclassified     | 7 | soda
                                                   | 7 | soda    |
                                                                 |   150
                                                                     150

▐ when SELECT?
           The Classified tuples are invisible for Unclassified clients.
▐ when UPDATE/DELETE?
           It also prevents to update Read-Only (sepgsql_ro_table_t) tuples.
           But, Classified client can update Read-Writable and Classified tuples.
▐ when INSERT a tuple?
           A default security context is assigned on the new tuple.

 Page 14      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Usage of SE-PostgreSQL (2/2)
 Table/Column level access control
                                                                               It allows to assign an individual security
                                                                               It allows to assign an individual security
 postgres=# CREATE TABLE customer (
 postgres=# CREATE TABLE customer (
       cid      integer primary key,   context on a certain table/column.
                                       context on a certain table/column.
       cid      integer primary key,
       cname
       cname    varchar(32),
                varchar(32),
       ccredit varchar(32)
       ccredit varchar(32)
           SECURITY_CONTEXT = 'system_u:object_r:sepgsql_secret_table_t:s0'
           SECURITY_CONTEXT = 'system_u:object_r:sepgsql_secret_table_t:s0'
       );
       );
 CREATE TABLE
 CREATE TABLE

 postgres=> SELECT * FROM customer;
 postgres=> SELECT * FROM customer;
 LOG: SELinux: denied { select } ¥
 LOG: SELinux: denied { select } ¥
     scontext=staff_u:staff_r:staff_t:Unclassified ¥
     scontext=staff_u:staff_r:staff_t:Unclassified ¥
     tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥
     tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥
     tclass=db_column name=customer.ccredit
     tclass=db_column name=customer.ccredit
 ERROR: SELinux: security policy violation
 ERROR: SELinux: security policy violation
 postgres=> SELECT cid, cname FROM customer;
 postgres=> SELECT cid, cname FROM customer;
  cid | cname
  cid | cname
 -----+-------
 -----+-------                           SE-PostgreSQL prevent unprivileged
                                         SE-PostgreSQL prevent unprivileged
   10 | jack
   10 | jack                             client to access to the column labeled
                                         client to access to the column labeled
   13 | adam
   13 | adam
   14 | liza                             as "Secret".
                                         as "Secret".
   14 | liza
 (3 rows)
 (3 rows)

 Page 15   Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Performance - SE-PostgreSQL
                                                            comparison of pgbench results
                                                       PostgreSQL v8.4.1            SE-PostgreSQL v8.4.1
                                       450
                                       400

                                       350
              transaction per second


                                       300
                                       250

                                       200

                                       150

                                       100
                                        50

                                         0
                                             20   40   60        80     100      120      140            160   180   200
                                                                database size (scaling factor)

▐ 2~4% of trade-off in performance
           userspace AVC minimizes the number of kernel invocations
▐ Environments
           CPU Xeon (2.33GHz) Dual, Mem: 2GB (shared_buffer=512m)
           measured by pgbench -c 2 -t 200000
 Page 16      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
System image: system-wide consistency in access control
                                                         Classified
                                                             User                                                  Login
                                                             Process
         Consistent
          Consistent
       access controls
        access controls
                                                                                                             Information
                                      Information
                                                                                                                Assets
       Security
                                         Assets
                                                                                                                            Inter-process
                                                                                                                             Inter-process
        Policy                                                                                                             communication
                                                                                                                            communication
       SELinux                              Filesystem          Networks          IPC Objects           Database              channels
                                                                                                                               channels


                                  Login                                                 User
                                                                                     Process
                                                                                           Unclassified


▐ SELinux controls ANY inter-processes communication channels.
           No read-up, No write-down
▐ SE-PostgreSQL allows to deploy RDBMS in this scheme.
           No differences in FS and DB from the viewpoint of access control

 Page 17      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
1. Background

2. SE-PostgreSQL

3. Apache/SELinux Plus

4. LAPP/SELinux
Web system overview                                                                             No individual
                                                                                                No individual
                                                                                                privileges set
                                                                                                privileges set
                                   Authentication
                                   Authentication
                                                                                                                 Filesystem
                        HTTP Request


                        HTTP Response
 User (human)                                                                                   Web-app          Database
                                                          Apache/httpd                          instance


▐ Steps to handle user's request
     1. User sends HTTP request.
     2. Apache/httpd may (not) apply HTTP authentication.
     3. It launches a web-app instance which performs as an user agent.
                But its privilege set is identical to the web-server process.
     4. Apache/httpd replies HTTP response.
▐ Our headache and prescription
           OS/DB cannot apply valid access controls on user agents.
           Need to assign correct privileges prior to launch web-apps.
           Apache/SELinux Plus module does it.
 Page 19     Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Apache/SELinux Plus (1/2)
      Apache without SELinux support

1. HTTP request from users
2. HTTP authentication may be applied
3. Required contents handler is invoked with server process's privileges
           It works off the burden of access controls to web applications.


                                                             Parse HTTP Request                               OS/DB cannot distinguish
                                                                                                              OS/DB cannot distinguish
                                                                                                                 user's privileges.
                                                                                                                  user's privileges.
                                                             HTTP Authentication
              HTTP
             Request
                                    Accept                                                                   .html
                                  connection
              HTTP                                                Invoke
            Response                                          Contents Handler
                                                                                                             .php

                                                                                                             .cgi


                                                             Send HTTP Response
                              Apache/httpd

 Page 20      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Apache/SELinux Plus (2/2)
           Apache/SELinux Plus

1.   HTTP request from users
2.   HTTP authentication may be applied
3.   Creation of one-time worker thread
4.   The worker assigns user's privileges on itself, then invokes the handler
           Web-apps can perform with the least privilege set

                                                              Parse HTTP Request

                                                                                                                 Set user's privileges first
                                                                                                                 Set user's privileges first
                                                              HTTP Authentication
               HTTP
              Request
                                     Accept                   Create worker thread                             Change Security context         .html
                                   connection
               HTTP
             Response                                                                                                Invoke
                                                                                                                 Contents Handler
                                                                                                                                               .php

                                                                Join worker thread                                Exit worker thread           .cgi

                                                                                                              Apache/SELinux Plus
                                                              Send HTTP Response
                               Apache/httpd

 Page 21       Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Performance - Apache/SELinux Plus
                                                                                             $$ab -c 88-t 60 -A <user:password> <URL>
                                                                                                ab -c -t 60 -A <user:password> <URL>
                               700
                                                                                             CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12
                                                                                              CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12
                               600                                                           TEST1) Regular HTML file
                                                                                              TEST1) Regular HTML file
    # of requests per second


                                                                                             TEST2) PHP Script
                                                                                              TEST2) PHP Script
                               500
                                                                                             TEST3) PHP Script with DB connection
                                                                                              TEST3) PHP Script with DB connection
                               400                                                           TEST4) CGI Program
                                                                                              TEST4) CGI Program
                               300

                               200

                               100

                                 0
                                                 .html file                      .php script                 .php with DBconn       .cgi program

                                                        Apache (normal)                                          Apache/SELinux Plus

▐ The cost to assign privileges is relatively large in lightweight request.
▐ Less differences in our major target (Web+DB applications)
                               Database-queries need higher cost than creation of worker threads.

 Page 22                             Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
System image (1/2) : Per web-user privileges


Valid access controls
Valid access controls
using OS/DB based on
using OS/DB based on
per-user privileges.
per-user privileges.




                                                                                            • HTTP Authentication
                                                                                            • HTTP Authentication
                                                                                            • Launch one-time worker thread
                                                                                            • Launch one-time worker thread
 Database
                                                                                            • Set its own security context
                                                                                            • Set its own security context
                                                                                              corresponding to the username.
                                                                                              corresponding to the username.
                   Filesystem

 Page 23    Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
System image (2/2) : Per virtual host separation
                                                                               ▐ SELinux performs as a logical-wall
                                                                                 separating system resources.
  Filesystem
                                                                               ▐ MCS policy will be suitable.

                                                red
   Database

                                                                                                              http://red.example.com/
  Filesystem                                                                                                  http://blue.example.com/
                                                                                                              http://green.example.com/



   Database                                    blue
                                                                                   A logical-wall:
                                                                                   A logical-wall:
                                                                                   SELinux prevent to access an user agent
                                                                                   SELinux prevent to access an user agent
   Filesystem                                                                      to the objects within other categories.
                                                                                   to the objects within other categories.


                                              green
                                                                    Contents handler of
                                                                    Contents handler of
   Database                                                       the "green" virtual host
                                                                  the "green" virtual host

 Page 24       Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
1. Background

2. SE-PostgreSQL

3. Apache/SELinux Plus

4. LAPP/SELinux
SELinux has expanded its coverage

       Web Applications                                        Web Applications                               Web Applications
            (PHP/Perl)                                                (PHP/Perl)                                  (PHP/Perl)
           Web Server                                               Web Server                                   Web Server
             (Apache)                                       (Apache/SELinux Plus)                            (Apache/SELinux Plus)
       Database Server                                         Database Server                                Database Server
           (PostgreSQL)                                          (SE-PostgreSQL)                               (SE-PostgreSQL)
      Operating System                                        Operating System                               Operating System
             (SELinux)
              (Linux)                                                  (SELinux)                                   (SELinux)
             Prehistory
                Past                                                    Today                                       Future

▐ Prehistory, we have no MAC security.
▐ God said "let there be SELinux".
           SELinux applies MAC policy on the operating system.
▐ Today, it expanded its sphere of life.
           SE-PostgreSQL, Apache/SELinux Plus, XACE/SELinux, sVirt, ...
▐ Future, it will cover whole of the web application stack.

 Page 26      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Conceptual diagram of LAPP/SELinux
                                                      Classified
                                                      User                                                            HTTP Req
                                                      Process
        Consistent
         Consistent
      access controls
       access controls
                                                                                                            Information
                                    Information
                                                                                                               Assets
      Security
                                       Assets
                                                                                                                           Inter-process
                                                                                                                            Inter-process
       Policy                                                                                                             communication
                                                                                                                           communication
      SELinux                            Filesystem           Networks         IPC Objects           Database                channels
                                                                                                                              channels


                 HTTP Req                                                                   User
                                                                                         Process
                                                                                              Unclassified


▐ SE-PostgreSQL provides system-wide consistency in access controls.
▐ Apache/SELinux plus enables web-apps to perform correct privileges.
  The LAPP/SELinux enables us to set up web systems
  with consistent and comprehensive access controls.

 Page 27     Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
LAPP/SELinux applicability: threats by malicious insider

▐ Database Administrator (DBA)
           In normally, he is allowed anything on databases.
           Need to prevent accesses unnecessary information, including backups.
           Consistent access controls using SELinux, prevent information leaks.

   HTTP Req
   HTTP Req
                                                                                  SE-PostgreSQL



                                                                                           Database                    DDL statement   DBA
                                                  SQL
 customer
                                                                                                         Dump the table

                                                                                           backup Execute command
                                                                                            utils
                                                                       Audit
                  Web                                                   Log
                 server                                                                                      Database
                                                                                                                      Read the file
                                                                                                              backup


 Page 28      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Our principle

                                                                     Price of Notebook : $8.00
                                                                     Price of Privacy:   priceless


▐ Worth of information asset
           It depends on the contents, not the way to store them
           Need to apply consistent access control on the same relationship
▐ Purpose of access controls
           It decides what are allowed and disallowed on the relationship
           of a certain human-user and information asset
           Again, it is a relationship between a human and information
▐ Principle in LAPP/SELinux
           Common security identifier
           Common access control decision
           Utilization of the platform features in maximum

 Page 29      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Project status & history

▐ Status
           Now, kernel supports all the needed features of LAPP/SELinux
           Now, Fedora includes sepostgresql and mod_selinux package
           SE-PostgreSQL is now discussed in the pgsql community
▐ History
           '06/09           launched to develop SE-PostgreSQL
           '07/03           SELinux Symposium & Developer Summit 2007 (Baltimare, USA)
           '07/08           Fedora merged SE-PostgreSQL package (F8 or later)
           '07/11           IPA gave an award due to the development of SE-PostgreSQL
           '08/03           The PostgreSQL conference 2008 (Ottawa, CA)
           '08/05           SE-PostgreSQL was proposed to pgsql-8.4.x development.
           '08/12           Bounds domain feature got merged (2.6.28 or later)
           '09/04           Fedora merged Apache/SELinux Plus (F11 or later)
           '09/07           SE-PostgreSQL was proposed to pgsql-8.5.x development.
           '09/10           Japan Linux Symposium 2009

 Page 30      Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
Any Questions?
Thank you!

More Related Content

What's hot

Securing and Managing the Oracle HTTP Server - White Paper
Securing and Managing the Oracle HTTP Server - White PaperSecuring and Managing the Oracle HTTP Server - White Paper
Securing and Managing the Oracle HTTP Server - White PaperSecureDBA
 
Using Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsUsing Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsNovell
 
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...BIOVIA
 
(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should know(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should knowBIOVIA
 
Reference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesReference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesRakesh Gujjarlapudi
 
Oracle day co_opensource_final
Oracle day co_opensource_finalOracle day co_opensource_final
Oracle day co_opensource_finalManuel Contreras
 
Introducing WebLogic 12c OTN Tour 2012
Introducing WebLogic 12c OTN Tour 2012Introducing WebLogic 12c OTN Tour 2012
Introducing WebLogic 12c OTN Tour 2012Bruno Borges
 
Ccmigration 09186a00807a15d0
Ccmigration 09186a00807a15d0Ccmigration 09186a00807a15d0
Ccmigration 09186a00807a15d0j_papanna
 
WebLogic for DBAs 1.0h
WebLogic for DBAs 1.0hWebLogic for DBAs 1.0h
WebLogic for DBAs 1.0hSimon Haslam
 
WebClient Overview and 1.8 Roadmap
WebClient Overview and 1.8 RoadmapWebClient Overview and 1.8 Roadmap
WebClient Overview and 1.8 RoadmapCM First Group
 
Rudder - Configuration management benefits for everyone (FOSDEM 2012)
Rudder - Configuration management benefits for everyone (FOSDEM 2012)Rudder - Configuration management benefits for everyone (FOSDEM 2012)
Rudder - Configuration management benefits for everyone (FOSDEM 2012)RUDDER
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...RUDDER
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortEduardo Castro
 
Securing and Managing the Oracle HTTP Server
Securing and Managing the Oracle HTTP ServerSecuring and Managing the Oracle HTTP Server
Securing and Managing the Oracle HTTP ServerSecureDBA
 

What's hot (19)

Securing and Managing the Oracle HTTP Server - White Paper
Securing and Managing the Oracle HTTP Server - White PaperSecuring and Managing the Oracle HTTP Server - White Paper
Securing and Managing the Oracle HTTP Server - White Paper
 
Using Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsUsing Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell Applications
 
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...
(ATS4-APP01) Tips and Tricks for a Successful Installation of Accelrys Electr...
 
(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should know(ATS4-APP03) Top 10 things every Notebook administrator should know
(ATS4-APP03) Top 10 things every Notebook administrator should know
 
Cl221
Cl221Cl221
Cl221
 
Reference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesReference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to Kubernetes
 
Oracle day co_opensource_final
Oracle day co_opensource_finalOracle day co_opensource_final
Oracle day co_opensource_final
 
Introducing WebLogic 12c OTN Tour 2012
Introducing WebLogic 12c OTN Tour 2012Introducing WebLogic 12c OTN Tour 2012
Introducing WebLogic 12c OTN Tour 2012
 
Ccmigration 09186a00807a15d0
Ccmigration 09186a00807a15d0Ccmigration 09186a00807a15d0
Ccmigration 09186a00807a15d0
 
WebLogic for DBAs 1.0h
WebLogic for DBAs 1.0hWebLogic for DBAs 1.0h
WebLogic for DBAs 1.0h
 
WebClient Overview and 1.8 Roadmap
WebClient Overview and 1.8 RoadmapWebClient Overview and 1.8 Roadmap
WebClient Overview and 1.8 Roadmap
 
Rudder - Configuration management benefits for everyone (FOSDEM 2012)
Rudder - Configuration management benefits for everyone (FOSDEM 2012)Rudder - Configuration management benefits for everyone (FOSDEM 2012)
Rudder - Configuration management benefits for everyone (FOSDEM 2012)
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languages
 
keerthi-resume
keerthi-resumekeerthi-resume
keerthi-resume
 
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...
Configuration management benefits for everyone - Rudder @ FLOSSUK Spring Conf...
 
James G. Joyner
James G. JoynerJames G. Joyner
James G. Joyner
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview Short
 
Derrick_L_resume3
Derrick_L_resume3Derrick_L_resume3
Derrick_L_resume3
 
Securing and Managing the Oracle HTTP Server
Securing and Managing the Oracle HTTP ServerSecuring and Managing the Oracle HTTP Server
Securing and Managing the Oracle HTTP Server
 

Viewers also liked

Full Stack Web Application Performance Tuning
Full Stack Web Application Performance TuningFull Stack Web Application Performance Tuning
Full Stack Web Application Performance TuningFabian Lange
 
Mean full stack development
Mean full stack developmentMean full stack development
Mean full stack developmentScott Lee
 
처음 시작하는 라라벨
처음 시작하는 라라벨처음 시작하는 라라벨
처음 시작하는 라라벨KwangSeob Jeong
 
서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드KwangSeob Jeong
 
bamboo 로 PHP 프로젝트 지속적인 배포
bamboo 로 PHP 프로젝트 지속적인 배포bamboo 로 PHP 프로젝트 지속적인 배포
bamboo 로 PHP 프로젝트 지속적인 배포KwangSeob Jeong
 
Laravel로 스타트업 기술 스택 구성하기
Laravel로 스타트업 기술 스택 구성하기Laravel로 스타트업 기술 스택 구성하기
Laravel로 스타트업 기술 스택 구성하기KwangSeob Jeong
 
Php faker 를 활용한 의미있는 테스트 데이타 생성
Php faker 를 활용한 의미있는 테스트 데이타 생성Php faker 를 활용한 의미있는 테스트 데이타 생성
Php faker 를 활용한 의미있는 테스트 데이타 생성KwangSeob Jeong
 
UX, Front-end and Back-end: How front-end can help these guys?
UX, Front-end and Back-end: How front-end can help these guys?UX, Front-end and Back-end: How front-end can help these guys?
UX, Front-end and Back-end: How front-end can help these guys?Diego Eis
 
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성KwangSeob Jeong
 
Sonatype nexus 로 docker registry 관리하기
Sonatype nexus 로 docker registry 관리하기Sonatype nexus 로 docker registry 관리하기
Sonatype nexus 로 docker registry 관리하기KwangSeob Jeong
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기Juwon Kim
 

Viewers also liked (11)

Full Stack Web Application Performance Tuning
Full Stack Web Application Performance TuningFull Stack Web Application Performance Tuning
Full Stack Web Application Performance Tuning
 
Mean full stack development
Mean full stack developmentMean full stack development
Mean full stack development
 
처음 시작하는 라라벨
처음 시작하는 라라벨처음 시작하는 라라벨
처음 시작하는 라라벨
 
서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드서버 아키텍처 이해를 위한 프로세스와 쓰레드
서버 아키텍처 이해를 위한 프로세스와 쓰레드
 
bamboo 로 PHP 프로젝트 지속적인 배포
bamboo 로 PHP 프로젝트 지속적인 배포bamboo 로 PHP 프로젝트 지속적인 배포
bamboo 로 PHP 프로젝트 지속적인 배포
 
Laravel로 스타트업 기술 스택 구성하기
Laravel로 스타트업 기술 스택 구성하기Laravel로 스타트업 기술 스택 구성하기
Laravel로 스타트업 기술 스택 구성하기
 
Php faker 를 활용한 의미있는 테스트 데이타 생성
Php faker 를 활용한 의미있는 테스트 데이타 생성Php faker 를 활용한 의미있는 테스트 데이타 생성
Php faker 를 활용한 의미있는 테스트 데이타 생성
 
UX, Front-end and Back-end: How front-end can help these guys?
UX, Front-end and Back-end: How front-end can help these guys?UX, Front-end and Back-end: How front-end can help these guys?
UX, Front-end and Back-end: How front-end can help these guys?
 
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성
Atlassian confluence WIKI를 활용한 공유와 협업 환경 구성
 
Sonatype nexus 로 docker registry 관리하기
Sonatype nexus 로 docker registry 관리하기Sonatype nexus 로 docker registry 관리하기
Sonatype nexus 로 docker registry 관리하기
 
RESTful API 제대로 만들기
RESTful API 제대로 만들기RESTful API 제대로 만들기
RESTful API 제대로 만들기
 

Similar to LAPP/SELinux - A secure web application stack powered by SELinux

SE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlSE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlKohei KaiGai
 
The Security-Enhanced PostgreSQL - "system wide" consistency in access control
The Security-Enhanced PostgreSQL - "system wide" consistency in access controlThe Security-Enhanced PostgreSQL - "system wide" consistency in access control
The Security-Enhanced PostgreSQL - "system wide" consistency in access controlKohei KaiGai
 
system automation, integration and recovery
system automation, integration and recoverysystem automation, integration and recovery
system automation, integration and recoveryDerek Chang
 
Rakuten LeoFs - distributed file system
Rakuten LeoFs - distributed file systemRakuten LeoFs - distributed file system
Rakuten LeoFs - distributed file systemRakuten Group, Inc.
 
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...Ivo Lukač
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityDarren Sim
 
Oracle rac 10g best practices
Oracle rac 10g best practicesOracle rac 10g best practices
Oracle rac 10g best practicesHaseeb Alam
 
Common Sense Performance Indicators in the Cloud
Common Sense Performance Indicators in the CloudCommon Sense Performance Indicators in the Cloud
Common Sense Performance Indicators in the CloudNick Gerner
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for DevelopersJeff Potts
 
Planning For High Performance Web Application
Planning For High Performance Web ApplicationPlanning For High Performance Web Application
Planning For High Performance Web ApplicationYue Tian
 
Virtualization for Development
Virtualization for DevelopmentVirtualization for Development
Virtualization for Developmentelliando dias
 
AWS Summit 2011: Application Security Best Practices
AWS Summit 2011: Application Security Best PracticesAWS Summit 2011: Application Security Best Practices
AWS Summit 2011: Application Security Best PracticesAmazon Web Services
 
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea webhostingguy
 
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)Shared personalization service. How to scale to 15 k rps (Patrice Pelland)
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)Ontico
 

Similar to LAPP/SELinux - A secure web application stack powered by SELinux (20)

SE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlSE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access control
 
The Security-Enhanced PostgreSQL - "system wide" consistency in access control
The Security-Enhanced PostgreSQL - "system wide" consistency in access controlThe Security-Enhanced PostgreSQL - "system wide" consistency in access control
The Security-Enhanced PostgreSQL - "system wide" consistency in access control
 
Solr -
Solr - Solr -
Solr -
 
system automation, integration and recovery
system automation, integration and recoverysystem automation, integration and recovery
system automation, integration and recovery
 
Lamp
LampLamp
Lamp
 
Rakuten LeoFs - distributed file system
Rakuten LeoFs - distributed file systemRakuten LeoFs - distributed file system
Rakuten LeoFs - distributed file system
 
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
Scalable Web Solutions - Use Case: Regulatory Reform In Vietnam On eZ Publish...
 
C# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access SecurityC# and ASP.NET Code and Data-Access Security
C# and ASP.NET Code and Data-Access Security
 
Oracle rac 10g best practices
Oracle rac 10g best practicesOracle rac 10g best practices
Oracle rac 10g best practices
 
Common Sense Performance Indicators in the Cloud
Common Sense Performance Indicators in the CloudCommon Sense Performance Indicators in the Cloud
Common Sense Performance Indicators in the Cloud
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for Developers
 
LAMP TECHNOLOGY
LAMP TECHNOLOGYLAMP TECHNOLOGY
LAMP TECHNOLOGY
 
Planning For High Performance Web Application
Planning For High Performance Web ApplicationPlanning For High Performance Web Application
Planning For High Performance Web Application
 
Virtualization for Development
Virtualization for DevelopmentVirtualization for Development
Virtualization for Development
 
AWS Summit 2011: Application Security Best Practices
AWS Summit 2011: Application Security Best PracticesAWS Summit 2011: Application Security Best Practices
AWS Summit 2011: Application Security Best Practices
 
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
Feb. 9, 2010 ICACT 2010@Phoenix Park, Korea
 
devops_
devops_devops_
devops_
 
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)Shared personalization service. How to scale to 15 k rps (Patrice Pelland)
Shared personalization service. How to scale to 15 k rps (Patrice Pelland)
 
slides (PPT)
slides (PPT)slides (PPT)
slides (PPT)
 
Cl116
Cl116Cl116
Cl116
 

More from Kohei KaiGai

20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_HistoryKohei KaiGai
 
20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_APIKohei KaiGai
 
20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrowKohei KaiGai
 
20210928_pgunconf_hll_count
20210928_pgunconf_hll_count20210928_pgunconf_hll_count
20210928_pgunconf_hll_countKohei KaiGai
 
20210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.020210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.0Kohei KaiGai
 
20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCacheKohei KaiGai
 
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_IndexKohei KaiGai
 
20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGISKohei KaiGai
 
20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGISKohei KaiGai
 
20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_ProcessingKohei KaiGai
 
20200828_OSCKyoto_Online
20200828_OSCKyoto_Online20200828_OSCKyoto_Online
20200828_OSCKyoto_OnlineKohei KaiGai
 
20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdwKohei KaiGai
 
20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_FdwKohei KaiGai
 
20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_TokyoKohei KaiGai
 
20191115-PGconf.Japan
20191115-PGconf.Japan20191115-PGconf.Japan
20191115-PGconf.JapanKohei KaiGai
 
20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_BetaKohei KaiGai
 
20190925_DBTS_PGStrom
20190925_DBTS_PGStrom20190925_DBTS_PGStrom
20190925_DBTS_PGStromKohei KaiGai
 
20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGaiKohei KaiGai
 
20190516_DLC10_PGStrom
20190516_DLC10_PGStrom20190516_DLC10_PGStrom
20190516_DLC10_PGStromKohei KaiGai
 
20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdwKohei KaiGai
 

More from Kohei KaiGai (20)

20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History
 
20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API
 
20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow
 
20210928_pgunconf_hll_count
20210928_pgunconf_hll_count20210928_pgunconf_hll_count
20210928_pgunconf_hll_count
 
20210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.020210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.0
 
20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache
 
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
 
20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS
 
20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS
 
20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing
 
20200828_OSCKyoto_Online
20200828_OSCKyoto_Online20200828_OSCKyoto_Online
20200828_OSCKyoto_Online
 
20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw
 
20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw
 
20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo
 
20191115-PGconf.Japan
20191115-PGconf.Japan20191115-PGconf.Japan
20191115-PGconf.Japan
 
20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta
 
20190925_DBTS_PGStrom
20190925_DBTS_PGStrom20190925_DBTS_PGStrom
20190925_DBTS_PGStrom
 
20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai
 
20190516_DLC10_PGStrom
20190516_DLC10_PGStrom20190516_DLC10_PGStrom
20190516_DLC10_PGStrom
 
20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw
 

Recently uploaded

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 

Recently uploaded (20)

20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 

LAPP/SELinux - A secure web application stack powered by SELinux

  • 1. LAPP/SELinux A secure web application stack powered by SELinux KaiGai Kohei <kaigai@ak.jp.nec.com> NEC OSS Promotion Center
  • 2. Self Introduction ▐ KaiGai Kohei has worked at NEC for 7 years, and contributed to SELinux development, such as SMP scalability improvement A series of efforts to port embedded platform Development of SE-PostgreSQL Per thread security context setting support Recently, I have focused on web-system's security. Page 2 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 3. 1. Background 2. SE-PostgreSQL 3. Apache/SELinux Plus 4. LAPP/SELinux
  • 4. Security nightmare in Web systems (Reference: JSOC analysis report of the incursion trend, vol.12, LAC) ▐ Attacks to web systems have been rapidly increasing. ▐ It is estimated the cause is growth of web-based commerce. Existing security features are really attractive? Page 4 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 5. LAPP - A typical web application stack ▐ LAPP Full OSS web application stack, also knows as LAMP • Linux, Apache, PostgreSQL and PHP/Perl ▐ Security concerns Each layer has its own access controls Lack of consistency No individual privileges for users via web-interfaces (Security depends on quality of web-applications in other word) Lack of comprehensiveness Its own access controls Web Applications ▐ Keyword ... Analogy Its own access controls (PHP/Perl) .htaccesses Web Server .htaccesses (Apache) Database ACLs Database Server Database ACLs (PostgreSQL) Filesystem permissions Operating System Filesystem permissions (Linux) Page 5 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 6. An analogy between OS and Database Info Asset System Filesystem call Permission Filesystem SELinux OS (Linux) Info Asset Database SQL ACLs Database RDBMS (PostgreSQL) User Process Request Object manager and Resource ▐ Same relationship in user processes and information assets ▐ Differences in the way to store and access System call for Filesystem, SQL for Database ▐ Access control is to decide what are allowed or disallowed on relationships between certain users and resources. No reason why we cannot apply a common security model. It guarantees consistency of access controls. Page 6 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 7. An analogy between ssh and web Privilege and sshd Filesystem co m m Shell Shell process Authentication Authentication HTTP Reque st httpd Database WebApp Instance User (Human) Requests Daemons User Agent Resource ▐ User is a human; an user agent performs instead of himself. ▐ The user agent must have correct privilege set of the human. Authentication can identify the human and assign privileges. Httpd launches web-apps without individual privileges. OS/DB cannot distinguish who is behind on the user agent. ▐ Need to assign privileges of the human user on the web-apps. Page 7 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 8. What can we find out from the analogies? ▐ SE-PostgreSQL Advanced access controls for SQL queries based on SELinux Consistency in access controls ▐ Apache/SELinux Plus Advanced privilege mechanism for web applications based on SELinux Comprehensiveness in web-application security LAPP/SELinux Utilization of SELinux at the LAPP stack Web Applications • SELinux + SE-PostgreSQL (PHP/Perl) + Apache/SELinux Plus Web Server (Apache/SELinux Plus) Database Server (SE-PostgreSQL) Operating System (SELinux) Page 8 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 9. 1. Background 2. SE-PostgreSQL 3. Apache/SELinux Plus 4. LAPP/SELinux
  • 10. Architecture of SE-PostgreSQL User Process SQL Query SQL Processing Database Database ACL SE-PgSQL System Call subsystem User Space SE-PostgreSQL denied denied Kernel Space Filesystem Security Filesystem Routines Server Security Can I allow the Can I allow the Policy given accesses? given accesses? SELinux ▐ SELinux hooks system-call processing ▐ SE-PostgreSQL also hooks SQL Query processing ▐ SELinux makes its decision based on its security policy ▐ SE-PostgreSQL controls execution of the SQL query according to the SELinux's access control decision. It means the security policy controls both of accesses on OS and DB. Page 10 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 11. Decision-making in SELinux security context security context required actions required actions of user agent of user agent Security Allowed or Denied Allowed or Denied security context security context Policy of target object of target object decision decision Input SELinux Output ▐ SELinux looks like a function SELinux returns a binary state for the given arguments. Kernel internally gives them to SELinux and follows its decision. Userspace application also can utilize this mechanism, as long as it can provide the pair of security contexts. ▐ Security context A SELinux specific identifier of processes and any other objects The kernel manages security context of the kernel objects. Applications must manage security context of the userspace objects. Page 11 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 12. "security_context" system column security context of the regular relation postgres=# SELECT security_context, * FROM drink; postgres=# SELECT security_context, * FROM drink; security_context security_context | id | name | price | id | name | price -----------------------------------------+----+-------+------- -----------------------------------------+----+-------+------- system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | 3 | juice | | 3 | juice | 130 130 system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | 4 | cofee | | 4 | cofee | 180 180 system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | system_u:object_r:sepgsql_table_t:s0:c0 | 5 | beer | 240 240 system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | system_u:object_r:sepgsql_table_t:s0:c0 | 6 | sake | 320 320 system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | system_u:object_r:sepgsql_table_t:s0:c1 | 7 | wine | 380 380 system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea system_u:object_r:sepgsql_table_t:s0:c1 | 8 | tea | | 140 140 (6 rows) (6 rows) System catalog security context of the system relation postgres=# SELECT security_context, attname, attnum FROM pg_attribute postgres=# SELECT security_context, attname, attnum FROM pg_attribute WHERE attrelid = 'drink'::regclass AND attnum > 0; WHERE attrelid = 'drink'::regclass AND attnum > 0; security_context security_context | attname | attnum | attname | attnum -----------------------------------------+---------+-------- -----------------------------------------+---------+-------- system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | id | id | | 11 system_u:object_r:sepgsql_table_t:s0 system_u:object_r:sepgsql_table_t:s0 | name | name | | 22 system_u:object_r:sepgsql_ro_table_t:s0 | price system_u:object_r:sepgsql_ro_table_t:s0 | price | | 33 (3 rows) (3 rows) Page 12 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 13. Privileges of the client ▐ SE-PostgreSQL applies the security context of peer process. It does NOT depend on database authentication. SELinux provides an API to obtain the security context of peer process. • See the getpeercon(3) ▐ Labeled IPsec It enables to deliver the security context of remote processes An enhancement of IPsec, available at kernel-2.6.18 or later [ymj@saba ~]$ id -Z [ymj@saba ~]$ id -Z uid=1002(ymj) gid=100(users) groups=100(users) ¥ uid=1002(ymj) gid=100(users) groups=100(users) ¥ context=staff_u:staff_r:staff_t:s0-s0:c0.c15 context=staff_u:staff_r:staff_t:s0-s0:c0.c15 [ymj@saba ~]$ psql -q postgres -U dbguest [ymj@saba ~]$ psql -q postgres -U dbguest postgres=> SELECT sepgsql_getcon(), current_user; postgres=> SELECT sepgsql_getcon(), current_user; sepgsql_getcon sepgsql_getcon | current_user | current_user --------------------------------------+-------------- --------------------------------------+-------------- staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest staff_u:staff_r:staff_t:s0-s0:c0.c15 | dbguest (1 row) (1 row) Page 13 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 14. Usage of SE-PostgreSQL (1/2) Row level access control postgres=# SELECT security_context, * from drink; postgres=# SELECT security_context, * from drink; security_context security_context | id | name | price | id | name | price ---------------------------------------------------+----+--------+------- ---------------------------------------------------+----+--------+------- system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water | system_u:object_r:sepgsql_ro_table_t:Unclassified | 1 | water | 100 100 system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke system_u:object_r:sepgsql_ro_table_t:Unclassified | 2 | coke | | 120 120 system_u:object_r:sepgsql_table_t:Unclassified system_u:object_r:sepgsql_table_t:Unclassified | 3 | juice | | 3 | juice | 130 130 system_u:object_r:sepgsql_table_t:Unclassified system_u:object_r:sepgsql_table_t:Unclassified | 4 | coffee | | 4 | coffee | 180 180 system_u:object_r:sepgsql_table_t:Classified system_u:object_r:sepgsql_table_t:Classified | 5 | beer | 5 | beer | | 240 240 system_u:object_r:sepgsql_table_t:Classified system_u:object_r:sepgsql_table_t:Classified | 6 | sake | 6 | sake | | 320 320 staff_u:object_r:sepgsql_table_t:Unclassified staff_u:object_r:sepgsql_table_t:Unclassified | 7 | soda | 7 | soda | | 150 150 ▐ when SELECT? The Classified tuples are invisible for Unclassified clients. ▐ when UPDATE/DELETE? It also prevents to update Read-Only (sepgsql_ro_table_t) tuples. But, Classified client can update Read-Writable and Classified tuples. ▐ when INSERT a tuple? A default security context is assigned on the new tuple. Page 14 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 15. Usage of SE-PostgreSQL (2/2) Table/Column level access control It allows to assign an individual security It allows to assign an individual security postgres=# CREATE TABLE customer ( postgres=# CREATE TABLE customer ( cid integer primary key, context on a certain table/column. context on a certain table/column. cid integer primary key, cname cname varchar(32), varchar(32), ccredit varchar(32) ccredit varchar(32) SECURITY_CONTEXT = 'system_u:object_r:sepgsql_secret_table_t:s0' SECURITY_CONTEXT = 'system_u:object_r:sepgsql_secret_table_t:s0' ); ); CREATE TABLE CREATE TABLE postgres=> SELECT * FROM customer; postgres=> SELECT * FROM customer; LOG: SELinux: denied { select } ¥ LOG: SELinux: denied { select } ¥ scontext=staff_u:staff_r:staff_t:Unclassified ¥ scontext=staff_u:staff_r:staff_t:Unclassified ¥ tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥ tcontext=system_u:object_r:sepgsql_secret_table_t:Unclassified ¥ tclass=db_column name=customer.ccredit tclass=db_column name=customer.ccredit ERROR: SELinux: security policy violation ERROR: SELinux: security policy violation postgres=> SELECT cid, cname FROM customer; postgres=> SELECT cid, cname FROM customer; cid | cname cid | cname -----+------- -----+------- SE-PostgreSQL prevent unprivileged SE-PostgreSQL prevent unprivileged 10 | jack 10 | jack client to access to the column labeled client to access to the column labeled 13 | adam 13 | adam 14 | liza as "Secret". as "Secret". 14 | liza (3 rows) (3 rows) Page 15 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 16. Performance - SE-PostgreSQL comparison of pgbench results PostgreSQL v8.4.1 SE-PostgreSQL v8.4.1 450 400 350 transaction per second 300 250 200 150 100 50 0 20 40 60 80 100 120 140 160 180 200 database size (scaling factor) ▐ 2~4% of trade-off in performance userspace AVC minimizes the number of kernel invocations ▐ Environments CPU Xeon (2.33GHz) Dual, Mem: 2GB (shared_buffer=512m) measured by pgbench -c 2 -t 200000 Page 16 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 17. System image: system-wide consistency in access control Classified User Login Process Consistent Consistent access controls access controls Information Information Assets Security Assets Inter-process Inter-process Policy communication communication SELinux Filesystem Networks IPC Objects Database channels channels Login User Process Unclassified ▐ SELinux controls ANY inter-processes communication channels. No read-up, No write-down ▐ SE-PostgreSQL allows to deploy RDBMS in this scheme. No differences in FS and DB from the viewpoint of access control Page 17 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 18. 1. Background 2. SE-PostgreSQL 3. Apache/SELinux Plus 4. LAPP/SELinux
  • 19. Web system overview No individual No individual privileges set privileges set Authentication Authentication Filesystem HTTP Request HTTP Response User (human) Web-app Database Apache/httpd instance ▐ Steps to handle user's request 1. User sends HTTP request. 2. Apache/httpd may (not) apply HTTP authentication. 3. It launches a web-app instance which performs as an user agent. But its privilege set is identical to the web-server process. 4. Apache/httpd replies HTTP response. ▐ Our headache and prescription OS/DB cannot apply valid access controls on user agents. Need to assign correct privileges prior to launch web-apps. Apache/SELinux Plus module does it. Page 19 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 20. Apache/SELinux Plus (1/2) Apache without SELinux support 1. HTTP request from users 2. HTTP authentication may be applied 3. Required contents handler is invoked with server process's privileges It works off the burden of access controls to web applications. Parse HTTP Request OS/DB cannot distinguish OS/DB cannot distinguish user's privileges. user's privileges. HTTP Authentication HTTP Request Accept .html connection HTTP Invoke Response Contents Handler .php .cgi Send HTTP Response Apache/httpd Page 20 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 21. Apache/SELinux Plus (2/2) Apache/SELinux Plus 1. HTTP request from users 2. HTTP authentication may be applied 3. Creation of one-time worker thread 4. The worker assigns user's privileges on itself, then invokes the handler Web-apps can perform with the least privilege set Parse HTTP Request Set user's privileges first Set user's privileges first HTTP Authentication HTTP Request Accept Create worker thread Change Security context .html connection HTTP Response Invoke Contents Handler .php Join worker thread Exit worker thread .cgi Apache/SELinux Plus Send HTTP Response Apache/httpd Page 21 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 22. Performance - Apache/SELinux Plus $$ab -c 88-t 60 -A <user:password> <URL> ab -c -t 60 -A <user:password> <URL> 700 CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12 CPU: Pentium4 3.20GHz, Apache: 2.2.13-2.fc12 600 TEST1) Regular HTML file TEST1) Regular HTML file # of requests per second TEST2) PHP Script TEST2) PHP Script 500 TEST3) PHP Script with DB connection TEST3) PHP Script with DB connection 400 TEST4) CGI Program TEST4) CGI Program 300 200 100 0 .html file .php script .php with DBconn .cgi program Apache (normal) Apache/SELinux Plus ▐ The cost to assign privileges is relatively large in lightweight request. ▐ Less differences in our major target (Web+DB applications) Database-queries need higher cost than creation of worker threads. Page 22 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 23. System image (1/2) : Per web-user privileges Valid access controls Valid access controls using OS/DB based on using OS/DB based on per-user privileges. per-user privileges. • HTTP Authentication • HTTP Authentication • Launch one-time worker thread • Launch one-time worker thread Database • Set its own security context • Set its own security context corresponding to the username. corresponding to the username. Filesystem Page 23 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 24. System image (2/2) : Per virtual host separation ▐ SELinux performs as a logical-wall separating system resources. Filesystem ▐ MCS policy will be suitable. red Database http://red.example.com/ Filesystem http://blue.example.com/ http://green.example.com/ Database blue A logical-wall: A logical-wall: SELinux prevent to access an user agent SELinux prevent to access an user agent Filesystem to the objects within other categories. to the objects within other categories. green Contents handler of Contents handler of Database the "green" virtual host the "green" virtual host Page 24 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 25. 1. Background 2. SE-PostgreSQL 3. Apache/SELinux Plus 4. LAPP/SELinux
  • 26. SELinux has expanded its coverage Web Applications Web Applications Web Applications (PHP/Perl) (PHP/Perl) (PHP/Perl) Web Server Web Server Web Server (Apache) (Apache/SELinux Plus) (Apache/SELinux Plus) Database Server Database Server Database Server (PostgreSQL) (SE-PostgreSQL) (SE-PostgreSQL) Operating System Operating System Operating System (SELinux) (Linux) (SELinux) (SELinux) Prehistory Past Today Future ▐ Prehistory, we have no MAC security. ▐ God said "let there be SELinux". SELinux applies MAC policy on the operating system. ▐ Today, it expanded its sphere of life. SE-PostgreSQL, Apache/SELinux Plus, XACE/SELinux, sVirt, ... ▐ Future, it will cover whole of the web application stack. Page 26 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 27. Conceptual diagram of LAPP/SELinux Classified User HTTP Req Process Consistent Consistent access controls access controls Information Information Assets Security Assets Inter-process Inter-process Policy communication communication SELinux Filesystem Networks IPC Objects Database channels channels HTTP Req User Process Unclassified ▐ SE-PostgreSQL provides system-wide consistency in access controls. ▐ Apache/SELinux plus enables web-apps to perform correct privileges. The LAPP/SELinux enables us to set up web systems with consistent and comprehensive access controls. Page 27 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 28. LAPP/SELinux applicability: threats by malicious insider ▐ Database Administrator (DBA) In normally, he is allowed anything on databases. Need to prevent accesses unnecessary information, including backups. Consistent access controls using SELinux, prevent information leaks. HTTP Req HTTP Req SE-PostgreSQL Database DDL statement DBA SQL customer Dump the table backup Execute command utils Audit Web Log server Database Read the file backup Page 28 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 29. Our principle Price of Notebook : $8.00 Price of Privacy: priceless ▐ Worth of information asset It depends on the contents, not the way to store them Need to apply consistent access control on the same relationship ▐ Purpose of access controls It decides what are allowed and disallowed on the relationship of a certain human-user and information asset Again, it is a relationship between a human and information ▐ Principle in LAPP/SELinux Common security identifier Common access control decision Utilization of the platform features in maximum Page 29 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-
  • 30. Project status & history ▐ Status Now, kernel supports all the needed features of LAPP/SELinux Now, Fedora includes sepostgresql and mod_selinux package SE-PostgreSQL is now discussed in the pgsql community ▐ History '06/09 launched to develop SE-PostgreSQL '07/03 SELinux Symposium & Developer Summit 2007 (Baltimare, USA) '07/08 Fedora merged SE-PostgreSQL package (F8 or later) '07/11 IPA gave an award due to the development of SE-PostgreSQL '08/03 The PostgreSQL conference 2008 (Ottawa, CA) '08/05 SE-PostgreSQL was proposed to pgsql-8.4.x development. '08/12 Bounds domain feature got merged (2.6.28 or later) '09/04 Fedora merged Apache/SELinux Plus (F11 or later) '09/07 SE-PostgreSQL was proposed to pgsql-8.5.x development. '09/10 Japan Linux Symposium 2009 Page 30 Japan Linux Symposium 2009, LAPP/SELinux -A secure web application stack powered by SELinux-