chrome os hardening
play

Chrome OS Hardening - PowerPoint PPT Presentation

Sep 14, 2022 •470 likes •974 views

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case") Overview Overview Identifying the threat model not the

  1. Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case")

  2. Overview

  3. Overview ● Identifying the threat model ○ not the authenticated physically local user ● Doing what others do ○ common hardening strategies ● Doing what others will be doing ○ filling the gaps in common strategies ● Doing what others haven't done ○ Chrome OS is unique and so are our opportunities ● Testing ourselves ○ make sure this stuff actually works ● Seeing the future ○ what's next

  4. Identifying the threat model

  5. Identifying the threat model ● Malware ○ do not allow persistent control ● Theft ○ encrypt user and enterprise data ● Evil coffee shop patron ○ impose minimum physically local attack time ● Not the authenticated physically local user ○ developer mode

  6. Doing what others do

  7. Doing what others do ● Linux ○ TPM, GPT partitions, software auto-update ● Encryption ○ eCryptfs, dm-crypt ● Compiler hardening ○ stack-protector, FORTIFY_SOURCE, relro, bind- now, PIE ● Userspace hardening ○ RO/NX, ASLR, glibc runtime checks, namespaces, ptrace restrictions, link restrictions ● Kernel hardening ○ stack-protector, memory restriction, RO/NX, kptr_restrict

  8. Linux: TPM ● Key storage ● Entropy source ● Data "sealing" localhost ~ # tpm_version TPM 1.2 Version Info: Chip Version: 1.2.3.18 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: IFX Vendor Specific data: 03120009 00 TPM Version: 01010000 Manufacturer Info: 49465800 localhost ~ # initctl stop tcsd tcsd stop/waiting localhost ~ # tpmc pcrread 0 865aedd337518e56f648440b81b4cbd9359fdff3

  9. Linux: GPT partitions STATE KERN-A KERN-B ROOT-A ROOT-B

  10. Linux: software auto-update ● Signed by Google ● Block-delta or full update STATE KERN-A KERN-B ROOT-A ROOT-B

  11. Encryption: eCryptfs ● Per-user, TPM-tied ● Mounted/unmounted at login/logout ● Overlay filesystem ● Need to share space between users localhost ~ # cryptohome-path user keescook@chromium.org /home/user/E1B39A9A13AA747E1F0D3EBD9708E21484616B1B localhost ~ # mount | grep -i E1B39A9A /home/.shadow/e1b.../vault on /home/.shadow/e1b.../mount type ecryptfs (rw,nosuid,nodev,noexec,relatime,ecryptfs_sig=be..., ecryptfs_fnek_sig=783...,ecryptfs_cipher=aes,ecryptfs_key_bytes=16, ecryptfs_unlink_sigs) /home/.shadow/e1b.../vault on /home/chronos/user ... /home/.shadow/e1b.../vault on /home/user/E1B... ... /home/.shadow/e1b.../vault on /home/root/E1B... ... localhost ~ # ls -l /home/.shadow/e1b.../vault/user/ -rw-r--r-- 1 chronos chronos 45056 Nov 7 14:35 ECRYPTFS_FNEK_ENCRYPTED.FXZtC.K15HueW-Sm351moE8t9.k00. MnaSXZ43fRjGZnz6WGBMm4AX-QyyWWIeq19OYaiISZGRooJqg- ...

  12. Encryption: dm-crypt ● Per-system, TPM-tied ● Mounted/unmounted at boot/shutdown ● Must share space: sparse backing file ○ discard (TRIM), hole-punching localhost ~ # mount | grep enc /dev/mapper/encstateful on /mnt/stateful_partition/encrypted type ext4 (rw, nosuid,nodev,noexec,relatime, discard ,commit=600,data=ordered) /dev/mapper/encstateful on /var type ext4 (rw,nosuid,nodev,noexec,... /dev/mapper/encstateful on /home/chronos type ext4 (rw,nosuid,nodev,... localhost ~ # dmsetup table --showkeys /dev/mapper/encstateful 0 6748024 crypt aes-cbc-essiv:sha256 e9aef... 0 7:0 0 1 allow_discards localhost ~ # dmsetup deps /dev/mapper/encstateful 1 dependencies : ( 7, 0 ) localhost ~ # ls -la /dev/loop0 brw-rw---- 1 root disk 7, 0 Nov 7 14:33 /dev/loop0 localhost ~ # losetup -a /dev/loop0: [2049]:12 (/mnt/stateful_partition/encrypted.block)

  13. Compiler: -fstack-protector ● Add canary BEFORE AFTER function arguments function arguments ● Reorder variables ... ... saved program counter saved program counter saved frame pointer saved frame pointer $ objdump -d -M intel exe... local variables random canary prologue char foo[...]; local variables int sensitive; mov rax,QWORD PTR fs:0x28 char foo[...]; char bar[...]; mov QWORD PTR [rbp-0x8],rax char bar[...]; ... ... int sensitive; ... epilogue mov rdx,QWORD PTR [rbp-0x8] xor rdx,QWORD PTR fs:0x28 je 400629 <func+0x5d> call 4004a0 <__stack_chk_fail@plt> ...

  14. Compiler: -D_FORTIFY_SOURCE=2 ● Compile-time checking ○ return value usage (system(), write(), etc) ○ specification of optional arguments (open() modes) ○ when size of target buffers known: swap in bounded functions (sprintf -> snprintf) ○ when size of target buffers unknown: swap in runtime checking (strcpy -> __strcpy_chk) ● Runtime checking ○ block "%n" in format strings ○ block format string parameter skipping localhost ~ # readelf -s /opt/google/chrome/chrome | grep _chk 17: ... FUNC GLOBAL DEFAULT UND __printf_chk@GLIBC_2.3.4 (3) 20: ... FUNC GLOBAL DEFAULT UND __vsnprintf_chk@GLIBC_2.3.4 (3) 22: ... FUNC GLOBAL DEFAULT UND __strcat_chk@GLIBC_2.3.4 (3) ...

  15. Userspace: RO/NX localhost ~ # cat boom.c #include <stdlib.h> unsigned int ret_insns = 0xc3c3c3c3; void main(int argc, char *argv[]) { void(*func)(void) = (void*)strtoul(argv[1], NULL, 16); func(); } localhost ~ # cc boom.c -o boom localhost ~ # readelf -l boom | egrep -A1 'LOAD|VirtAddr' Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align -- LOAD 0x0000000000000000 0x0000000000 400000 0x0000000000400000 0x00000000000006d4 0x00000000000006d4 R E 200000 LOAD 0x0000000000000e10 0x0000000000 600e10 0x0000000000600e10 0x000000000000022c 0x0000000000000230 RW 200000 localhost ~ # objdump -d boom | grep retq | head -n1 4003d5 : c3 retq localhost ~ # ./boom 0x 4003d5 localhost ~ # readelf -s boom | grep ret_insns 47: 00000000 601038 4 OBJECT GLOBAL DEFAULT 24 ret_insns localhost ~ # ./boom 0x 601038 Segmentation fault (core dumped)

  16. Compiler: -Wl,-z,relro void main(int argc, char * argv[]) { unsigned char *ptr = (void*)strtoul(argv[1], NULL, 16); char cmd[80]; sprintf(cmd, "cat /proc/%d/maps", getpid()); system(cmd); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); } localhost ~ # gcc -Wl,-z,norelro plt.c -o lazy localhost ~ # objdump lazy | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200662(%rip) # 600b88 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./lazy 600b88 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/lazy 00600000-00601000 rw-p 00000000 fc:00 159545 /tmp/lazy ... 0x26 0x05 0x40 0x00 0x00 0x40 0xb8 0x95 0x26 0x50 localhost ~ # gcc -Wl,-z,relro plt.c -o lazy localhost ~ # objdump lazy | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200aca(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./lazy 601030 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/lazy 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/lazy 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/lazy ... 0x66 0x05 0x40 0x00 0x00 0x40 0xa8 0x9e 0xa0 0xee

  17. Compiler: -Wl,-z,now void main(int argc, char * argv[]) { unsigned char *ptr = (void*)strtoul(argv[1], NULL, 16); char cmd[80]; sprintf(cmd, "cat /proc/%d/maps", getpid()); system(cmd); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); } localhost ~ # gcc -Wl,-z,relro plt.c -o now localhost ~ # objdump now | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200aca(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./now 601030 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/now 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/now 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/now ... 0x66 0x05 0x40 0x00 0x00 0x40 0xa8 0x9e 0xa0 0xee localhost ~ # gcc -Wl,-z,relro -Wl,-z,now plt.c -o now localhost ~ # objdump now | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200a72(%rip) # 600fd8 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./now 600fd8 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/now 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/now 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/now ... 0x40 0x28 0x6c 0xd0 0x8e 0x40 0x28 0x6c 0xd0 0x8e

Recommend

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Chrome Extension Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome Extension Extension Small software programs that can modify and enhance the functionality of the Chrome browser. Written

576 views • 18 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

532 views • 32 slides
Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett Chrome OS Internals LinuxCon Europe 2014 1 / 43 Overview Intro to Chrome OS Architecture of Chrome OS Verified boot and developer mode Security

1.39k views • 110 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA Software Institute About me Im Pepe @cgvwzq http://vwzq.net/ Some notes about Chrome Chrome was a blackbox for me. Its code base is immense.

622 views • 38 slides
a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

Oh the things you could do if you had a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer www.manichord.com So what are Chromebooks, ChromeOS And Chrome (Packaged) Apps? Chromebooks (and

612 views • 28 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2. Scroll down to Privacy and security and click on Clear browsing data 3. Select the time frame, then Clear data Google Meet Grid View Issues If you are

297 views • 10 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Freehold Borough Schools Technology Department Training Manual Google Docs and the Chrome browser work great together! If you do not have the Chrome browser on your laptop, please put in a helpdesk ticket. Go to the district website

575 views • 18 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP, Gttingen June 06, 2018 Topics Chrome OS and Chromebooks Active Directory Integration How it works, management, Android apps, certificates,

774 views • 45 slides
Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum: 12GeV Hardening Vacuum Improvements &amp; Status Synchrotron Radiation Effects Vacuum Spares Page 2 Vac Improvements - Linac Viewer

309 views • 13 slides
Accessing Google at home Parent s Handbook For laptops (if you have a Chrome device, log into

Accessing Google at home Parent s Handbook For laptops (if you have a Chrome device, log into

Accessing Google at home Parent s Handbook For laptops (if you have a Chrome device, log into device and go straight to Google homepage): 1. Open a new Google homepage using Google Chrome (you may need to download the Google Chrome app) 2.

409 views • 6 slides
Security Architecture Presenter: Jienan Liu Network, Intelligence &amp; security Lab outline

Security Architecture Presenter: Jienan Liu Network, Intelligence &amp; security Lab outline

Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence &amp; security Lab outline Chrome extension introduction Threats towards extension Chrome extensions security architecture What is Chrome

348 views • 23 slides
To view this event we advise you to use the following browsers. DESKTOP: we support Chrome,

To view this event we advise you to use the following browsers. DESKTOP: we support Chrome,

To view this event we advise you to use the following browsers. DESKTOP: we support Chrome, Firefox, Safari and Edge. Here are the minimum version requirements for each browser: Chrome 55+, Firefox 53+, Safari 12.1+, Edge 42 MOBILE: we have native

882 views • 51 slides

More recommend