Security:SecurityAnalyzer

From Tizen Wiki

What is the Security Analyzer?

Security Analyzer is a GUI tool for Tizen that is used for debugging running processes, checking security-related configurations, testing security hardening features, and so on.
It is developed in Python and runs on an Ubuntu PC connected to the target via an SDB connection.


This tool was created to help Tizen daemon and app development, and provides the following features:

  • Inquiry into and analysis of the access-control authority of daemon and app processes on the connected device
  • Checking and changing the system security configuration of the connected device
  • Security verification tests


It is written in Python to provide a UI for users, exchanges information with the device over SDB, and needs root authority on the device to change configuration and query information.
Therefore, the following conditions are required:

  • Linux development environment
  • SDB connection with the device and root shell authority


Source code can be found on the Samsung GitHub:
https://github.sec.samsung.net/RS7-SECIOTSW/sean

How to start

  1. Connect the target device to your desktop and check the sdb connection.
  2. Download the security-analyzer executable to the Linux desktop and run it.
  3. Choose the target device which you want to debug.
  4. The Main Window will then be shown as below.

Usage

Debugging

Debugging Daemon Process

Check & change security-related information of systemd services.
  1. Choose "Debugging" on the 1st page.
  2. Check the "Daemon Process" radio button and select the service you want to debug.
  3. See the brief information and click the NEXT button.
  4. See the detailed information on the 3rd page, and modify the UID / GID / SMACK process label / capabilities if you want to.
  5. The current service file can be downloaded by clicking "Download Service File".

Debugging App Process

Check & change security-related information of applications.
  1. Choose "Debugging" on the 1st page.
  2. Check the "App Process" radio button and select the PKG ID you want to debug.
  3. Choose the target device which you want to debug.
  4. See the brief information and click the NEXT button.
  5. See the detailed information on the 3rd page. It includes the privileges the selected PKG has.
  6. You can delete or add privileges. Also, if the privilege is a privacy privilege, you can change its status.

Configuration

Privilege Info

Provides privilege information for app development and a simple privilege-add test.
  1. Configuration > Select 'Privilege Info' & click 'NEXT'
  2. Choose the privilege you want information about from the list.
  3. If you want to test a new privilege briefly, click the 'ADD NEW' button. You can see a guide message by clicking the 'See Hint' button.
    After filling in all fields with bold text, click the 'APPLY' button. After applying the new privilege, you can test an app with the added privilege in its manifest file.

Privilege Management

Provides overall privilege management. You can import or export privilege data, and modify and apply it directly.
  1. Configuration > Select 'Privilege Management' & click 'NEXT'
  2. You can see privilege info and mapping data. You can add or delete rows by using the '+' and '-' buttons on the right side.
    Import all or part of the data from existing .csv files, and export the current data in .csv format.
    When applying changes to the target, don't forget to click the 'SAVE' button.

Privacy whitelist

Provides functions to check and modify the whitelist for privacy-privileged apps.
  1. Configuration > Select 'Privacy whitelist' & click 'NEXT'.
  2. You can see the currently privacy-whitelisted apps and their options. To add a new privacy whitelist policy for an app, click the 'ADD' button, fill in the Package ID and select the privacy to whitelist from the list.
    For the user-settable value, leave it as 'yes' if you want to allow a user to change the status of the whitelisted privacy, or set it to 'no'.
    The platform privacy whitelist policy for preloaded apps is to whitelist *all privacies except location* privacy and set them as *not user-settable*.
    If you have filled in all required fields, click the 'APPLY' button. If the change is applied, you can see it in the table.

MDM blacklist

Provides functions to check and modify MDM blacklist privileges.
  1. Configuration > Select 'MDM blacklist' & click 'NEXT'
  2. You can see the MDM blacklist privileges. The platform doesn't have MDM privileges, so there is no default MDM blacklist policy. If you are using MDM privileges and they are set to blacklist, you can see the list of them.
    You can add and delete rows by using the buttons on the right side, and import or export files in .csv format. When applying changes to the target, don't forget to click the 'SAVE' button.

DPM blacklist

Provides functions to check and modify DPM blacklist privileges.
  1. Configuration > Select 'DPM blacklist' & click 'NEXT'
  2. You can see the DPM blacklist privileges. There is no default DPM blacklist policy. If the DPM has set some privileges as blacklisted, you can see them in the list.
    You can add and delete rows by using the buttons on the right side, and import or export files in .csv format. When applying changes to the target, don't forget to click the 'SAVE' button.

Add GID

Check & modify the current GIDs in the target.
  1. Configuration > Select 'Add GID' & click 'NEXT'
  2. See the GROUP ID list. It contains the group name, group id and usernames.
  3. A new GID can be added by entering data on the right side of the window and clicking "APPLY".
  4. A GID can be deleted by selecting an item in the list and clicking "DEL".
  5. Your changes can be restored by clicking "RESTORE".
  6. GIDs can be modified via the raw file by clicking "Edit with Raw File".
  7. You can find this list in "/etc/group" in the target.

Privilege-GID mapping

Check & modify the privilege-to-GID mapping list in the target.
  1. Configuration > Select 'Privilege-GID mapping' & click 'NEXT'
  2. See the list of privilege-gid mappings.
  3. A new entry can be added by choosing a privilege and gid on the right side of the window and clicking "ADD".
  4. An existing entry can be deleted by choosing the privilege on the left side of the window and clicking "DEL".
  5. Your changes can be restored by clicking "RESTORE".
  6. You can find this list in "/usr/share/security-manager/policy/privilege-mount.list" in the target.

Privilege-mount

Check & modify the resources whose access is controlled by privacy privileges in the target.
  1. Configuration > Select 'Privilege-mount' & click 'NEXT'
  2. See the privilege to target-resource mapping table.
  3. A new entry can be added by choosing a privilege, typing the target resource path on the right side of the window, and clicking "ADD".
  4. An existing entry can be deleted by choosing an item on the left side of the window and clicking "DEL".
  5. Your changes can be restored by clicking "RESTORE".
  6. You can find this list in "/usr/share/security-manager/policy/privilege-mount.list" in the target.

Change SMACK label

Check & modify the SMACK label of a resource.
  1. Configuration > Select 'Change SMACK label' & click 'NEXT'
  2. The file system tree is shown on the left side of the window, and the SMACK label attributes of the selected file / directory are displayed on the right side.
  3. The resource path can be selected in the tree or entered directly.
  4. SMACK attributes of the selected resource can be changed by writing values on the right side of the window and clicking the "APPLY" button.
  5. Restoration of your changes is not provided.

Add SMACK rule

Check current SMACK rules and add & remove rules.
  1. Configuration > Select 'Add SMACK rule' & click 'NEXT'
  2. See the list of all SMACK rules on the left side of the window.
  3. A new rule can be added by writing SUBJECT / OBJECT / RULE and clicking "ADD".
  4. A rule can be deleted by selecting the rule (or writing it directly on the right) and clicking "DEL".
  5. Your changes can be restored by clicking "RESTORE".
  6. Rules can be filtered using the "SEARCH" button at the top of the window.

Only CAP

Check current SMACK rules and add & remove rules.
  1. Configuration > Select 'Only CAP' & click 'NEXT'
  2. See the list of onlycap labels on the left side of the window.
  3. A new entry can be added by writing the label and clicking "ADD".
  4. An existing entry can be deleted by choosing an item on the left side of the window and clicking "DEL".
  5. Your changes can be restored by clicking "RESTORE".
  6. You can find this list in "/sys/fs/smackfs/onlycap" in the target. Permanent labels can be checked in "/etc/smack/onlycap".

View Certificates

Check the certificate list in the target and view the certificates' information.
  1. Configuration > Select 'View Certificates' & click 'NEXT'
  2. See the list of certificates on the left side of the window.
  3. Choose the item whose detailed information you want to see.

Kernel Patch Verify (Under Construction)

Check whether SMACK-related patches are included in the selected kernel code.
  1. Configuration > Select 'Kernel Patch Verify' & click 'NEXT'
  2. Choose the root path of the kernel code, then click 'Check'
  3. The display shows whether each patch is included or not.
  4. You can see the conflicting code lines by clicking 'Not - Detail'.

Verification test

  1. Select 'Test' & click the 'NEXT' button
  2. Select each test to run, or select 'All', 'Mandatory' or 'Custom' to use a preset configuration. You can save a custom config as a file and use it to configure the tests to run.
    You can see the descriptions of the selected tests on the right side.
  3. To run the tests, click the 'NEXT' button.
  4. You can check the pass rate and logs.
  5. If you want, you can see the logs of failed tests and export them in .csv format.

Memory / Stack Protection

ASLR
See whether the kernel has ASLR (Address Space Layout Randomization) enabled.
Modern Linux kernels (2.6.12 and later) have ASLR enabled by default with the value 2 (full randomization, as read from /proc/sys/kernel/randomize_va_space), and so does the Tizen platform.
If it fails, inform the security part.
PIE
See whether the PIE (Position Independent Executable) option is applied to each executable.
To configure the exception list, click the 'config' button right next to the test name and write down the absolute paths of the executables to exclude.
If it fails, add a compiler option and a linker option,
e.g.
SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS} -Wall -fPIE")
SET(CMAKE_EXE_LINKER_FLAGS "-Wl,--as-needed -pie")
In the case of a library, the -fPIC option is needed.
DEP
See whether DEP (Data Execution Prevention) is applied to each ELF file. It prevents executing code from a non-executable memory location.
To configure the exception list, click the 'config' button right next to the test name and write down the absolute paths of the executables to exclude.
If it fails, add a linker option (noexecstack),
e.g.
export LDFLAGS+="-Wl,-z,noexecstack"
In the case of an external (prebuilt) file, use the execstack tool to clear the executable-stack flag:
# execstack -c $file_path
RELRO
See whether RELRO (RELocation Read-Only) is applied. It is a security measure that makes some binary sections read-only after relocation.
There are partial RELRO and full RELRO.
The platform mandatory level is partial RELRO.
If it fails, add a linker option (passed through the compiler driver):
  • partial RELRO : -Wl,-z,relro
  • full RELRO : -Wl,-z,relro,-z,now
Stack Canary
See whether the stack canary is applied. Stack canaries are a secret value placed on the stack that changes every time the program is started.
Prior to a function return, the stack canary is checked, and if it appears to have been modified the program exits immediately.
If it fails, add a compiler option:
1) -fstack-protector : protects some vulnerable functions
2) -fstack-protector-all : protects all functions, at a performance cost
3) -fstack-protector-strong : protects more functions than 1), with better performance than 2)
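All four checks above (PIE, DEP, RELRO and the stack canary) can be decided offline from the ELF headers and the dynamic section. The following is an added example, not Security Analyzer code: a Python checker that applies the conventional checksec-style criteria (ET_DYN for PIE, a PT_GNU_STACK segment without PF_X for a non-executable stack, PT_GNU_RELRO alone for partial and together with BIND_NOW for full RELRO, and the __stack_chk_fail import in .dynstr for the canary). The page does not state these criteria; they are the standard way such tools read the properties. The ELF64 image it inspects is constructed inside the block with no machine code, laid out so that virtual addresses equal file offsets.

```python
"""Static ELF hardening checks (PIE, NX stack, RELRO level, stack canary) over
a constructed ELF64 image.  Added example, not Security Analyzer code."""
import struct

# Constants from the ELF specification / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def check_elf(data: bytes) -> dict:
    """Report pie / nx / relro ('none', 'partial', 'full') / canary for one image.
    'canary' looks for the __stack_chk_fail import in .dynstr, as checksec-style tools do."""
    ident, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, *_ = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def vaddr_to_off(vaddr):  # translate a virtual address via the PT_LOAD segments
        for _, _, off, va, _, filesz, _, _ in loads:
            if va <= vaddr < va + filesz:
                return vaddr - va + off
        raise ValueError("address %#x outside every PT_LOAD" % vaddr)

    # DEP/NX: the stack is non-executable only if PT_GNU_STACK exists and lacks PF_X
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # Walk the dynamic section once, keeping the first value seen for each tag
    tags = {}
    for p in (q for q in phdrs if q[0] == PT_DYNAMIC):
        for pos in range(p[2], p[2] + p[5], DYN.size):   # p[2]=offset, p[5]=filesz
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)

    # RELRO: PT_GNU_RELRO alone is partial; BIND_NOW on top of it makes it full
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"

    names = set()
    if DT_STRTAB in tags and tags.get(DT_STRSZ):
        start = vaddr_to_off(tags[DT_STRTAB])
        names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in names}


def build_sample(pie: bool, nx: bool, relro: str, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (no machine code) with the requested
    properties; the single PT_LOAD maps the file at address 0 (vaddr == offset)."""
    strtab = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if canary else b"") + b"puts\0"
    phdrs = [(PT_LOAD, 0x5), (PT_GNU_STACK, 0x6 | (0 if nx else PF_X)), (PT_DYNAMIC, 0x6)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4))
    str_off = EHDR.size + PHDR.size * len(phdrs)
    dyn_off = str_off + len(strtab)
    dyn = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab))]
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn + [(DT_NULL, 0)])
    total = dyn_off + len(dyn_bytes)
    sizes = {PT_LOAD: (0, total), PT_DYNAMIC: (dyn_off, len(dyn_bytes)),
             PT_GNU_RELRO: (dyn_off, len(dyn_bytes))}
    out = bytearray(EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC,
                              0x3E, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size,
                              len(phdrs), 0, 0, 0))
    for ptype, flags in phdrs:
        off, size = sizes.get(ptype, (0, 0))
        out += PHDR.pack(ptype, flags, off, off, off, size, size, 0x1000 if ptype == PT_LOAD else 8)
    return bytes(out + strtab + dyn_bytes)


if __name__ == "__main__":
    hardened = build_sample(pie=True, nx=True, relro="full", canary=True)
    legacy = build_sample(pie=False, nx=False, relro="none", canary=False)
    for name, img in (("hardened", hardened), ("legacy", legacy)):
        print(name, check_elf(img))
```

Run against a real binary, `check_elf(open(path, "rb").read())` gives the same four answers the test page reports; note that shared libraries are also ET_DYN, so the PIE check is only meaningful for executables, which matches the page restricting that test to executables.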

Security Configuration

Mount option
See whether the mount options of the directories are set properly.
The mount options of the platform are as follows:
  • /tmp, /run: noexec, nosuid, nodev
  • external storage: noexec, nosuid, nodev
If it fails, inform the security/system part.
Setuid bit
See whether the setuid bit is set. There should be *NO* setuid bit when releasing a product.
To configure the exception list, click the 'config' button right next to the test name and write down the absolute paths of the executables to exclude.
If it fails, change the file permission of the file (755):
# chmod 755 $file_path
Shellscript
See whether all scripts define the 'PATH' variable.
To configure the exception list, click the 'config' button right next to the test name and write down the absolute paths of the scripts to exclude.
If it fails, it is recommended to define the PATH environment variable in the script,
e.g.
#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin
or define it as subdirectories of /bin, /sbin, /usr, /etc.
[NOTE] Do not use the inherited $PATH value in the script.
[DON'T] PATH=$PATH:/usr/bin:/bin
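The 'Mount option' and 'Shellscript' tests above reduce to two small parsers: one over /proc/mounts text and one over script text. As an added example (not the tool's code), the following Python implements both: the required options for /tmp and /run and the allowed PATH roots (/bin, /sbin, /usr, /etc) are taken from this page; the /proc/mounts excerpt and the scripts are constructed for the demonstration.

```python
"""Checks mirroring the 'Mount option' and 'Shellscript' tests over constructed
input (added example, not Security Analyzer code)."""
import re

# Platform requirement from the page: /tmp and /run must be noexec,nosuid,nodev
REQUIRED_MOUNT_OPTS = {"/tmp": {"noexec", "nosuid", "nodev"},
                       "/run": {"noexec", "nosuid", "nodev"}}
# Roots under which the page allows PATH entries to live
ALLOWED_PATH_ROOTS = ("/bin", "/sbin", "/usr", "/etc")

PATH_ASSIGN = re.compile(r"^[ \t]*(?:export[ \t]+)?PATH=(?P<value>\S*)", re.MULTILINE)


def check_mounts(proc_mounts: str, required=REQUIRED_MOUNT_OPTS) -> dict:
    """Return {mount point: sorted missing options}; None when the path is not mounted.
    Input is /proc/mounts text: 'device mountpoint fstype options dump pass'."""
    seen = {}
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            seen[parts[1]] = set(parts[3].split(","))  # a later mount over-mounts an earlier one
    return {mp: sorted(want - seen[mp]) if mp in seen else None
            for mp, want in required.items()}


def check_script_path(script: str) -> str:
    """Classify a shell script's PATH handling:
    'missing'    - PATH is never assigned,
    'inherited'  - the assignment reuses $PATH (the page's [DON'T] case),
    'unexpected' - an entry lies outside /bin, /sbin, /usr, /etc,
    'ok'         - a fixed PATH built only from the allowed roots."""
    m = PATH_ASSIGN.search(script)
    if not m:
        return "missing"
    value = m.group("value").strip("'\"")
    if re.search(r"\$\{?PATH\b", value):
        return "inherited"
    for entry in value.split(":"):
        if not any(entry == root or entry.startswith(root + "/") for root in ALLOWED_PATH_ROOTS):
            return "unexpected"
    return "ok"


# Constructed /proc/mounts excerpt: /tmp is compliant, /run lacks noexec
SAMPLE_MOUNTS = """\
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p5 /opt/usr ext4 rw,relatime 0 0
"""

# Constructed scripts for the outcomes the page describes
GOOD_SCRIPT = "#!/bin/sh\nPATH=/bin:/usr/bin:/sbin:/usr/sbin\nexec daemon\n"
INHERITED_SCRIPT = "#!/bin/sh\nPATH=$PATH:/usr/bin:/bin\nexec daemon\n"
NO_PATH_SCRIPT = "#!/bin/sh\nexec daemon\n"

if __name__ == "__main__":
    print(check_mounts(SAMPLE_MOUNTS))
    for s in (GOOD_SCRIPT, INHERITED_SCRIPT, NO_PATH_SCRIPT):
        print(check_script_path(s))
```

On a device, feed `check_mounts` the contents of /proc/mounts read over sdb and `check_script_path` each script under the package's install directory; the exception list from the 'config' dialog corresponds to skipping paths before calling the function.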

Systemd Unit Test

Service configuration
See whether installed systemd service units properly configure uid, gid, and SMACK label.
To configure the exception list, click the 'config' button right next to 'System Unit Test' and write in the proper text box as follows:
;[systemd-service-name];[user];[group];[SMACK-label];
If 'user' or 'group' is empty, write them as 'root'.
ex) ;a.service;app_fw;app_fw;System;
 ;b.service;root;root;System;
If it fails, contact the security part. These units should be reviewed by the security part; refer to the service file review process.
Socket configuration
See whether installed systemd socket units properly configure SocketUser, SocketGroup, SocketMode and SmackLabelIPIn & SmackLabelIPOut.
To configure the exception list, click the 'config' button right next to 'System Unit Test' and write in the proper text box as follows:
;[systemd-socket-name];[SocketUser];[SocketGroup];[SocketMode];[SmackLabelIPIn];[SmackLabelIPOut];
If some of the fields above are empty, leave them empty.
ex) ;a.socket;owner;users;;*;@;
 ;b.socket;;;;*;@;
If it fails, contact the security part. These units should be reviewed by the security part; refer to the service file review process.
DBUS configuration
See whether installed DBUS services avoid running executables directly and instead use systemd-based activation.
To configure the exception list, click the 'config' button right next to 'System Unit Test' and write down the absolute paths of the service files to exclude.
If it fails, contact the security part. These units should be reviewed by the security part; refer to the service file review process.
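The service and socket exception formats above are easiest to understand by parsing them. The following Python is an added example, not Security Analyzer code: it parses the ';field;field;' lines (using the page's own example entries), reads the corresponding directives from constructed unit files (User=, Group=, SmackProcessLabel= for services; SocketUser=, SocketGroup=, SocketMode=, SmackLabelIPIn=, SmackLabelIPOut= for sockets), and compares them. The pass/fail rule is an assumption, since the page only says the fields must be configured "properly": a service is flagged when it runs as root or has no SMACK process label, a socket when any of its five fields is unset, and a flagged unit passes only if its exception entry matches its actual values exactly.

```python
"""Compare systemd service/socket units with an exception list in the
';field;field;' format of the Security Analyzer's 'System Unit Test' config.
Added example, not the tool's own code.  The flagging rule is an assumption:
the page only says these fields must be 'properly' configured."""
import configparser

# (section, key, value assumed when the key is absent), in exception-list order
SERVICE_FIELDS = [("Service", "User", "root"), ("Service", "Group", "root"),
                  ("Service", "SmackProcessLabel", "")]
SOCKET_FIELDS = [("Socket", "SocketUser", ""), ("Socket", "SocketGroup", ""),
                 ("Socket", "SocketMode", ""), ("Socket", "SmackLabelIPIn", ""),
                 ("Socket", "SmackLabelIPOut", "")]


def parse_exceptions(text: str) -> dict:
    """Parse ';unit;field;...;' lines into {unit: [fields]}; empty fields stay ''."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(";"):
            continue                       # not an exception line
        line = line[1:]
        if line.endswith(";"):
            line = line[:-1]               # drop exactly one delimiter at each end
        name, *fields = line.split(";")
        entries[name] = fields
    return entries


def unit_fields(unit_text: str, name: str) -> list:
    """Read the security-relevant keys of a unit file in exception-list order."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str                   # systemd keys are case-sensitive
    cp.read_string(unit_text)
    spec = SERVICE_FIELDS if name.endswith(".service") else SOCKET_FIELDS
    return [cp.get(sec, key, fallback=default) for sec, key, default in spec]


def check_unit(unit_text: str, name: str, exceptions: dict) -> str:
    """'ok' when nothing is flagged (assumed rule: non-root service with a SMACK
    label, or a socket with all five fields set); 'exempt' when a flagged unit
    matches its exception entry exactly; 'fail' otherwise, including a stale
    exception whose recorded values no longer match the unit."""
    actual = unit_fields(unit_text, name)
    if name.endswith(".service"):
        flagged = actual[0] == "root" or actual[1] == "root" or actual[2] == ""
    else:
        flagged = "" in actual
    if not flagged:
        return "ok"
    return "exempt" if exceptions.get(name) == actual else "fail"


# Exception list taken from the page's own examples
PAGE_EXCEPTIONS = """\
;a.service;app_fw;app_fw;System;
;b.service;root;root;System;
;a.socket;owner;users;;*;@;
;b.socket;;;;*;@;
"""

# Constructed unit files
A_SERVICE = """\
[Unit]
Description=constructed daemon running as a dedicated user

[Service]
ExecStart=/usr/bin/a-daemon
User=app_fw
Group=app_fw
SmackProcessLabel=System
"""
B_SERVICE = """\
[Service]
ExecStart=/usr/bin/b-daemon
SmackProcessLabel=System
"""
C_SERVICE = "[Service]\nExecStart=/usr/bin/c-daemon\n"   # root, unlabeled, not listed
B_SOCKET = """\
[Socket]
ListenStream=/run/b.sock
SmackLabelIPIn=*
SmackLabelIPOut=@
"""

if __name__ == "__main__":
    ex = parse_exceptions(PAGE_EXCEPTIONS)
    for name, text in (("a.service", A_SERVICE), ("b.service", B_SERVICE),
                       ("c.service", C_SERVICE), ("b.socket", B_SOCKET)):
        print(name, check_unit(text, name, ex))
```

The exact-match comparison is what makes the exception list safe to keep around: if b.service later gains a User= line or loses its label, the stale entry no longer matches and the unit comes back as a failure instead of staying silently exempt.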

SMACK

SMACK basic features
Check SMACK basic features.
- netlabel: should be set.
- unconfined mode: if unconfined mode is supported, it should be empty.
- l mode: should be supported.
- long label: should be supported.
- ptrace: recommended to be set to 1.
If it fails, inform the security part.
Rule / Label
- See whether executables with an arbitrary execute label and the floor access label exist.
- Find un-allowed SMACK rules that are defined.
- Find SMACK labels on files that do not exist in the current rule lists.
If it fails, add a proper access label:
if a specific daemon executes it, use the label of that daemon;
if it is executed from the shell, use the "System::Tools" label.
Either in the %post section of the spec file,
/usr/bin/chsmack -a "$label" $file_path
or in the SMACK manifest:
<manifest>
...
<assign>
<filesystem path="/file/path" label="label"/>
...
</assign>
...
</manifest>
Onlycap
This contains the SMACK labels that processes must have for CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to be effective. If this file is empty, these capabilities are effective for processes with any label.
With CAP_MAC_ADMIN, a process can change the SMACK labels of processes, directories, and files. With CAP_MAC_OVERRIDE, a process can access files with any SMACK label. So, we highly recommend using Onlycap.
If it fails, inform the security part.
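The three Rule / Label checks above are set comparisons between the loaded rules and the labels found on files. As an added example (not Security Analyzer code), the following Python parses rule lines in the 'subject object access' format used by /etc/smack/accesses.d files and runs the three checks over constructed data: a small rule set with one deliberately bad line, a map of file paths to access labels (SMACK64) and a map of executables to execute labels (SMACK64EXEC). The set of platform-known labels is an assumption standing in for the platform's policy; the special labels _, ^, * and @ are SMACK's own.

```python
"""Rule / Label consistency checks in the spirit of the SMACK verification test,
over constructed rules and file labels (added example, not Security Analyzer code)."""

FLOOR = "_"
ACCESS_CHARS = set("rwxatlb")          # access letters SMACK accepts in a rule
BUILTIN_LABELS = {"_", "^", "*", "@"}  # special labels SMACK itself defines


def parse_rules(text: str) -> list:
    """Parse 'subject object access' lines, the format of /etc/smack/accesses.d files."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue                       # malformed line; a strict checker would report it
        subject, obj, access = parts[:3]
        rules.append((subject, obj, set(access.lower()) - {"-"}))   # '-' pads 'no access'
    return rules


def unallowed_rules(rules: list, known_labels: set) -> list:
    """Rules that name a label outside the known platform set or use an
    access letter SMACK does not define (the page's 'un-allowed rules')."""
    known = known_labels | BUILTIN_LABELS
    return [(s, o) for s, o, acc in rules
            if s not in known or o not in known or not acc <= ACCESS_CHARS]


def labels_without_rules(file_labels: dict, rules: list) -> list:
    """File access labels (SMACK64) that no rule mentions as subject or object.
    The floor label is skipped: read and execute on floor objects need no rule."""
    referenced = {s for s, _, _ in rules} | {o for _, o, _ in rules}
    return sorted(l for l in set(file_labels.values()) if l not in referenced and l != FLOOR)


def floor_with_exec_label(file_labels: dict, exec_labels: dict) -> list:
    """Executables whose access label is the floor but which carry an execute
    label (SMACK64EXEC): any process may run them, and the caller's label is
    replaced by that arbitrary execute label."""
    return sorted(p for p, e in exec_labels.items() if e and file_labels.get(p) == FLOOR)


# Constructed rule set; the last line is deliberately wrong (unknown subject, letter 'z')
SAMPLE_RULES = """\
# subject         object          access
System            _               rwxat
System::Tools     _               rwxat
User              System::Shared  rwxa
System            User            rwxat
Bogus             _               rwz
"""
# Assumed platform label set (stand-in for real policy)
KNOWN_LABELS = {"System", "System::Tools", "System::Shared", "User"}
# Constructed xattr snapshots: path -> SMACK64 and path -> SMACK64EXEC
FILE_LABELS = {"/usr/bin/a-daemon": "System", "/usr/bin/helper": "_",
               "/opt/usr/apps/x/bin/x": "User::Pkg::x", "/tmp/scratch": "_"}
EXEC_LABELS = {"/usr/bin/a-daemon": "", "/usr/bin/helper": "Random::Label"}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("un-allowed rules:", unallowed_rules(rules, KNOWN_LABELS))
    print("labels without rules:", labels_without_rules(FILE_LABELS, rules))
    print("floor executables with exec label:", floor_with_exec_label(FILE_LABELS, EXEC_LABELS))
```

On a device the two label maps would come from reading the security.SMACK64 and security.SMACK64EXEC xattrs (for instance with chsmack) and the rules from /sys/fs/smackfs/load2; the remediation is then the chsmack -a or manifest <assign> entry shown above.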

Application Privacy

Privacy feature
See whether the selected target supports privacy features.
If it fails, inform the security part.

Certificate

Forbidden Certs
Check whether forbidden certificates exist. There should be *NO* public certificates in a released product image.
If it fails and the binary is a platform binary, it is expected behavior. If not, inform the security part.
Trust Zone
Check whether key-manager is based on the H/W TrustZone backend.
In the case of a product, if there is no H/W backend, check that the S/W backend is supported.
If it fails, check whether a secure OS is included. If it is not, the test failure is the expected behaviour.
If it is, please inform the security part.
Expired Certs
Check whether expired certificates exist.

ETCs

Internet privilege test
Check that the internet privilege is properly checked when the network is used.
In the case of loopback networking, the SMACK check is also needed even if the app has the internet privilege.
Security DB recovery test
Check that the Security-Manager and Cynara DBs are recovered correctly when they are broken.