kernel self protection
play

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) - PowerPoint PPT Presentation

Feb 12, 2023 •281 likes •494 views

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/

  1. Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (“Case”) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/ https://outflux.net/slides/2016/ks/kspp.pdf

  2. Agenda ● Goal review ● GCC plugins ● Probabilistic protections ● Deterministic protections 2/18

  3. Goal review ● When I talk about kernel security, I mean more than access control and fixing bugs ● This is “kernel self-protection” – Eliminate security bug classes lifetimes are long (5 years average), bugs are always present ● – Eliminate exploitation methods reduce attack surface, create hostile environment for attacks ● ● Choose where to focus based on real-world exploits and low- hanging fruit 3/18

  4. GCC plugins ● CONFIG_GCC_PLUGINS – tested on x86, arm, and arm64 – let's add more! ● Want to drop “depends on !COMPILE_TEST” – Needs gcc 4.5 or newer – Many many build systems need to add the gcc plugin headers... Debian/Ubuntu: gcc-$N-plugin-dev(-$arch-linux-$abi) ● Fedora: gcc-plugin-devel (not sure about cross compiler) ● – When is the “best” time to land this kind of change? 4/18

  5. Probabilistic protections ● Protections that derive their strength from some system state being unknown to an attacker ● Weaker than “deterministic” protections since information exposures can defeat them, though they still have real-world value ● Familiar examples: – stack protector (cookie value can be exposed) – Address Space Layout Randomization (offset can be exposed) 5/18

  6. Probabilistic: KASLR text base ● Randomly relocates start of kernel image at boot: CONFIG_RANDOMIZE_BASE ● x86 (v3.14), arm64 (v4.6), MIPS (v4.7) ● Lots of local exposures weaken KASLR ● Still valuable defense-in-depth ● Needs to be more than just randomized base offset ● Maybe randomize link order at boot? 6/18

  7. Probabilistic: KASLR memory base ● Even with text base KASLR, memory allocations for a given system may be deterministic at boot ● Randomize page table, vmap, etc areas: CONFIG_RANDOMIZE_MEMORY ● x86_64 (v4.8), arm64 (v4.6?) 7/18

  8. Probabilistic: freelist randomization ● Makes heap spraying attacks less deterministic: CONFIG_SLAB_FREELIST_RANDOM ● SLAB (v4.7), SLUB (v4.8) 8/18

  9. Probabilistic: struct randomization ● The most heavily targeted things in the kernel are structures containing function pointers ● “RANDSTRUCT” GCC plugin from grsecurity ● Automatically randomize structure layout for these structures and manually marked ones ● Can limit randomization within cachelines 9/18

  10. Deterministic protections ● Protections that derive their strength from organizational system state that always blocks attackers ● Familiar examples: – Read-only memory (writes will fail) – Bounds-checking (large accesses fail) 10/18

  11. Deterministic: Kernel memory protection ● Fundamental memory integrity protection ● Poorly named: CONFIG_DEBUG_RODATA – Not just a debug feature – Besides making .rodata read-only, ensures memory is either executable nor writable, never both ● Mandatory: – x86 (v4.6), arm64 (v4.9) – Almost: arm (v4.6 on-by-default, has corner cases) 11/18

  12. Deterministic: Privileged userspace access blocking ● The most common attack method is to redirect execution or data dereferences into userspace memory ● Block kernel from direct userspace execution or read/write by segregating userspace/kernel memory ● In hardware (years away from real-world penetration): – x86 (SMEP and SMAP) since Skylake … no Xeons! – arm64 (PXN and PAN) since ARMv8.1 … any manufactured? ● Emulation is fundamentally important: – arm (v4.3): CONFIG_CPU_SW_DOMAIN_PAN – arm64 (v4.10...): CONFIG_ARM64_SW_TTBR0_PAN – x86 needed! (Implemented in PaX with PCIDs) 12/18

  13. Deterministic: vmap stack & thread_info removal ● Common attack is intentional stack exhaustion to overwrite parts of thread_info, or reach into neighboring stacks ● vmap stack gains the vmap guard page: CONFIG_VMAP_STACK ● thread_info removal relocates attack targets to harder-to-find memory: CONFIG_THREAD_INFO_IN_TASK ● x86 (v4.9), arm64 (v4.10...), s390 (v4.10?) 13/18

  14. Deterministic: usercopy sanity checking ● Common bug is broken bounds checking on copy_to/from_user() ● Best-effort during compile time via builtin_const checks (has existed in various forms, but most complete since v4.8) ● Runtime checks when not builtin_const (v4.8): CONFIG_HARDENED_USERCOPY ● Need to whitelist slab caches with “can be shared with userspace” flag, then create “exception” API with builtin_const bounds to bypass whitelist for known-good things like in-inode filenames, etc. 14/18

  15. Deterministic: memory wiping ● Stops many forms of information leaks, blocks a few use-after- free situations ● Page allocator can do zero-poisoning (v4.6) ● Slab allocator has poisoning but not zeroing ● Join us Wed in the mm break-out discussion Slab poisoning cache blacklisting for better performance – Too many CONFIGs and cmdline arguments to enable: – CONFIG_DEBUG_PAGEALLOC=n, CONFIG_PAGE_POISONING=y, ● CONFIG_PAGE_POISONING_NO_SANITY=y, CONFIG_PAGE_POISONING_ZERO=y, CONFIG_SLUB_DEBUG=y page_poison=on slub_debug=P ● 15/18

  16. Deterministic: constification ● Attack surface reduction: extend what is read-only in the kernel ● Like “RANDSTRUCT”, the “CONSTIFY” GCC plugin from grsecurity targets function pointer tables and manually marked variables ● Classes of data in the kernel: – read/write – read-only – read-only-after-init (v4.6, needs more users) – read-mostly (a performance distinction...) – write-rarely (need to make this NOT read-only precisely during updates) 16/18

  17. Deterministic: atomic wrap detection ● Recurring source of use-after-free flaws is wrapping atomic_t (and family) which are very commonly used as reference counters ● No measurable performance impact and an entire class of bugs goes away: CONFIG_HARDENED_ATOMIC Add atomic_wrap_t for statistical counters, or other things that don't – care Switch expected-to-wrap variables to atomic_wrap_t – Trap overflow/underflow of atomic_t – ● x86, arm, arm64 almost ready for review ● Other architectures can be similarly extracted from grsecurity 17/18

  18. Questions / Comments / Flames Kees (“Case”) Cook keescook@chromium.org keescook@google.com kees@outflux.net @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/ https://outflux.net/slides/2016/ks/kspp.pdf

  19. bonus slides ...

  20. CVE lifetimes

  21. critical & high CVE lifetimes

Recommend

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and Context Mode, Space, and Context Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data

614 views • 50 slides
Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection Memory Protection We share memory with Segmentation Fault devices, scheduler Preemption Sometimes no preemption Scheduling

377 views • 25 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from performing illegal I/Os Memory protection Otto J. Anshus Prevent users from modifying kernel code and data (including slides from Kai Li,

350 views • 6 slides
Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged instructions System call Definition, examples, how it works? Other concepts to know Monolithic kernel vs. Micro kernel 2 API - System Call -

830 views • 28 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lca/kspp.pdf Agenda Background Why we need to change what were doing

695 views • 57 slides
x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking

x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking

8/31/12 Logical Diagram Binary Memory Threads Formats Allocators x86 Memory Protection User System Calls Kernel and Translation RCU File System Networking Sync Todays Lecture Don Porter (focus on CSE 506 Memory Device

576 views • 9 slides
Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2016/lss/kspp.pdf Agenda Background Security in the context of this

464 views • 42 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Examples of OS Protection Memory protection Between user processes Between user and kernel File protection Prevent unauthorized

783 views • 39 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Today Protection Security 2 Examples of OS Protection Memory protection Between user processes Between user and kernel File

953 views • 51 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move

Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Cross ring data move 1. Segmentation based protection breaks 2. Kernel level actual data move facilities 3. Enhanced

359 views • 24 slides
Countering Kernel Rootkits with Lightweight Hook Protection Michal Sekletar College of

Countering Kernel Rootkits with Lightweight Hook Protection Michal Sekletar College of

Countering Kernel Rootkits with Lightweight Hook Protection Michal Sekletar College of Engineering and Computer Science Orlando, FL April 2, 2012 Michal Sekletar (University of Central Florida) April 2, 2012 1 / 14 Acknowledgment

177 views • 14 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton , Hari Kannan,

Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton , Hari Kannan,

Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton , Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http: / / raksha.stanford.edu Forum 1 Motivation Buffer overflows remain a

506 views • 22 slides

More recommend