improving kernel security
play

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) - PowerPoint PPT Presentation

Oct 22, 2023 •456 likes •735 views

Improving Kernel Security Kernel Summit 2015, Seoul Kees (Case) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf What I mean by Security More than access control

  1. Improving Kernel Security Kernel Summit 2015, Seoul Kees (“Case”) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf

  2. What I mean by “Security” ● More than access control (SELinux) ● More than attack surface reduction (seccomp) ● More than bug fixing (CVEs) ● Must develop “Kernel Self-Protection”

  3. Background: devices using Linux ● Servers, laptops, cars, phones ... ● >1,000,000,000 active Android devices in 2014 ● Vast majority are running v3.4 (with v3.10 a distant second) ● Bug lifetimes are even longer than upstream ● “Not our problem”? None of this matters: even if we fix every bug we find, and they magically get fixed downstream, bug lifetimes are still huge

  4. Upstream Bug Lifetime ● In 2010 Jon Corbet showed average security bug lifetime to be about 5 years from introduction to fix ● My analysis of Ubuntu CVE tracker covering 2011 through 2015: – critical: 2 @ 3.3 years – high: 31 @ 6.3 years – medium: 297 @ 4.9 years – low: 172 @ 5.1 years ● http://seclists.org/fulldisclosure/2010/Sep/268

  5. Fighting Bugs ● We're finding them – static checkers: compilers, smatch, coccinelle, coverity – dynamic checkers: kernel, trinity, KASan ● We're fixing them – Ask Greg KH how many patches land in -stable ● They'll always be around – We keep writing them – They exist whether you're aware of them or not – Whack-a-mole is not a solution

  6. Analogy: 1960s Car Industry ● @mricon's presentation at the Linux Security Summit ● Cars were designed to run, not to fail ● Linux now where the car industry was in 1960s ● We must handle failures safely – Lives depend on Linux

  7. Killing bugs is nice ● Some truth to security bugs being “just normals bugs” ● Your security bug may not be my security bug ● We have little idea which bugs attackers use ● Bug might be in out-of-tree code – un-upstreamed vendor drivers – not an excuse for us to claim “not our problem”

  8. Killing bug classes is better ● If we can stop an entire kind of bug from happening, we absolute should do so! ● Those bugs never happen again ● Not even out-of-tree code can hit them ● But we'll never kill all bug classes

  9. Killing exploitation is best ● We will always have bugs ● We must stop their exploitation ● Eliminate exploitation targets and methods ● Eliminate information leaks ● Eliminate anything that assists attackers ● Even if it makes development more difficult

  10. Typical exploit chains ● Modern attacks tend to use more than one flaw ● Need to know where targets are ● Need to inject (or build) malicious code ● Need to locate malicious code ● Need to redirect to malicious code

  11. What do we do? ● What follows is not an exhaustive list, but I don't have much time...

  12. Bug class: Stack overflow ● The traditional attack is saved return address overwrite, but there are data-only attacks possible too. ● exploit example: – https://jon.oberheide.org/files/half-nelson.c ● Mitigations: – stack canary (e.g. gcc's -fstack-protector(-strong)) – kernel stack location randomization – shadow stacks

  13. Bug Class: Integer over/underflow ● exploit example: – https://jon.oberheide.org/blog/2010/09/10/linux-kern el-can-slub-overflow/ ● Mitigations: – instrument compiler to detect overflows at runtime

  14. Bug class: Heap overflow ● exploit example: – http://blog.includesecurity.com/2014/06/exploit-wal kthrough-cve-2014-0196-pty-kernel-race-condition.ht ml – https://github.com/jonoberheide/kstructhunter ● Mitigations: – runtime validation of variables sizes vs copy_*_user – guard pages – linked list validation

  15. Bug class: format string injection ● exploit example: – http://www.openwall.com/lists/oss-security/2013/06/ 06/13 ● Mitigations: – drop %n entirely ● Still potentially an info leak

  16. Bug class: kernel pointer leak ● exploit example: – examples are legion – http://vulnfactory.org/exploits/alpha-omega.c – /proc entries, INET_DIAG, slabinfo ● Mitigations: – kptr_restrict too weak – detect seq_file + %p and block output

  17. Bug class: uninitialized variables ● This is not just an information leak! ● exploit example: – https://outflux.net/slides/2011/defcon/kernel-exploita tion.pdf ● Mitigations: – clear kernel stack between system calls

  18. Exploitation: finding the kernel ● exploit example: – so many ways, see “kernel pointer leak” above – /proc/kallsyms, /proc/modules – https://github.com/jonoberheide/ksymhunter ● Mitigations: – hide symbols and kernel pointers – kernel ASLR – runtime randomization of kernel functions – X^R memory – structure layout randomization ● Can this class of exploit ever be killed? Have to take it in pieces.

  19. Exploitation: Direct text overwrite ● I shouldn't even have to mention this! ● exploit example: – patch setuid to always succeed ● Mitigations: – W^X kernel page table permission

  20. Exploitation: Function ptr overwrite ● This includes things like vector tables, descriptor tables (which should also be hidden to avoid information leaks) ● exploit example: – https://outflux.net/blog/archives/2010/10/19/cve-2010-2963 -v4l-compat-exploit/ – https://blogs.oracle.com/ksplice/entry/anatomy_of_an_expl oit_cve ● Mitigations: – constify function pointer tables – temporarily make targets writable

  21. Exploitation: Userspace execution ● exploit example: – see almost all previous examples ● Mitigations: – hardware segmentation: SMEP, PXN – instrument compiler to set high bit on function calls – emulate memory segmentation via separate page tables

  22. Exploitation: Userspace data ● exploit example: – https://github.com/geekben/towelroot/blob/master/to welroot.c – http://labs.bromium.com/2015/02/02/exploiting-badire t-vulnerability-cve-2014-9322-linux-kernel-privilege -escalation/ ● Mitigations: – hardware segmentation: SMAP, Domains – emulate memory segmentation via separate page tables

  23. Exploitation: Reused code chunks ● Also known as Return Oriented Programming, Jump Oriented Programming, etc ● exploit example: – http://vulnfactory.org/research/h2hc-remote.pdf ● Mitigations: – compiler instrumentation for Control Flow Integrity – Return Address Protection, Indirect Control Transfer Protection

  24. Challenge: Culture ● Conservatism – 16 years to get symlink protections in, and that was just a userspace defense ● Responsibility – We must accept the need for these features ● Sacrifice – We must accept the technical burden

  25. Challenge: Technical ● Complexity – Very few people are proficient at developing (much less debugging) these features ● Innovation – We must adapt the many existing solutions – We can still innovate

  26. Challenge: Resources ● People – Dedicated developers ● People – Dedicated testers ● People – Dedicated backporters

  27. Thoughts? Kees (“Case”) Cook keescook@chromium.org James Morris james.l.morris@oracle.com https://outflux.net/slides/2015/ks/security.pdf

Recommend

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web

Improving performance for Improving performance for security enabled web security enabled web services services - Dr. Colm higeartaigh - Dr. Colm higeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0

490 views • 44 slides
Vector-Based Kernel Weighting: A Simple Estimator for Improving Precision and Bias of Average

Vector-Based Kernel Weighting: A Simple Estimator for Improving Precision and Bias of Average

Vector-Based Kernel Weighting: A Simple Estimator for Improving Precision and Bias of Average Treatment Effects in Multiple Treatment Settings Jessica Lum, MA 1 Steven Pizer, PhD 1, 2 Melissa Garrido, PhD 1, 2 1. Department of Veterans Affairs

439 views • 26 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING ACADEMIC AND PROFESSIONAL

Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING ACADEMIC AND PROFESSIONAL

Improving Academic and Professional Education Capacity in Serbia in the Area of Safety & Security (by Means of Strategic Partnership with the EU) - IMPRESS EDUCONS UNIVERSITY Faculty of Applied Security Sremska Kamenica SERBIA IMPROVING

543 views • 11 slides
Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael James Silbersack The FreeBSD Project Introduction Over the years, many security problems have been found in the TCP and IP protocols. This is not

539 views • 17 slides
Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional

Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional

Virtualization && (and) || (or) ^^ (exor) Security Usual OS diagram Traditional kernel: Control HW access CPU (timesharing) (virtual) memory Disk (File system) Devices (net, console, video, audio etc) Kernel

614 views • 18 slides
The FLK project My first idea was to write a L4 kernel using the EIFFEL langage. But ... 2 Feb

The FLK project My first idea was to write a L4 kernel using the EIFFEL langage. But ... 2 Feb

The FLK project My first idea was to write a L4 kernel using the EIFFEL langage. But ... 2 Feb 2015 http://flhq.org 2 While reading references on the SECURITY topic, it became evident that handling security by the software was an

711 views • 29 slides
Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt

Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt

Improving Application Software Security in Linux Sebastian Neubauer Technische Universitt Mnchen Computer Science Department July 19, 2017 1 Improve C/C++ applications contain bugs Security Existing security mechanisms Still

367 views • 32 slides
Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2016/lss/kspp.pdf Agenda Background Security in the context of this

464 views • 42 slides
A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran , Martin Fong, Mabry Tyson (SRI International) Seungwon Shin, Guofei Gu (Texas A&M University) Classic Network Perimeter Defense Security

207 views • 20 slides
Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

906 views • 44 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook <keescook@google.com> (pronounced Case) Overview Anti-pattern awareness

254 views • 10 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides

More recommend