Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD


Abstract

Jails are a lightweight operating-system-based virtualization framework that allows safe delegation of subsets of a FreeBSD operating system to guest root users. HardenedBSD is a security-enhanced fork of FreeBSD with Jail capabilities. In this paper we introduce Bunkers for bank IT infrastructure security. Bunkers are security-enhanced HardenedBSD jails in which only UNIX domain sockets are enabled; creation of all other socket types, including networking sockets, is refused. Bunkers also disable the execve() system call inside the jail, allowing only bit-exact validated binaries from a global whitelist to be loaded and executed. The main objectives are to prevent elevation-of-privilege attacks and to isolate remote payloads and exploits from their source of origin. Bunkers detect, log, monitor and prevent all attempts to use network communications or unwanted binaries by restricting all internal processes to UNIX domain sockets and filtering the execve() system call. Two use cases are presented in which the ClamAV antivirus engine and all the necessary compressed-file unpackers are isolated in HardenedBSD Bunkers: e-mail security in a store-and-forward system and on a real mail server, and web browsing security through the Squid proxy. Extensive benchmarks show that in both cases, store-and-forward systems and timely content delivery web systems, the impact of the Bunker kernel module is comparable to that of the rival approach Integriforce or of regular Jails. More importantly, enforcing UNIX domain sockets for internal communication provides faster and safer inter-process communication, between service processes and between Jails. The bit-exact execve() firewall adds a consistent 13%–19% of computation regardless of the type of service protected (web application firewall, SQL database). For the utmost security of mission-critical services we consider these results to be adequate.

Citation (APA)

Anton, A., & Cioargă, R. (2020). Bunkers: Jail Application Level Firewall for the Mitigation and Identification of Service Takeover Attacks on HardenedBSD. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11981 LNCS, pp. 242–257). Springer. https://doi.org/10.1007/978-3-030-42051-2_17
