linux kernel security hardening
play

Linux Kernel Security & Hardening Thomas Lamprecht January 17, - PowerPoint PPT Presentation

Jan 01, 2024 •683 likes •995 views

Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

  1. Linux Kernel Security & Hardening Thomas Lamprecht January 17, 2019

  2. Introduction

  3. The Linux Kernel ◮ Widespread ◮ Deployed on: ◮ powerful (high performance compute clusters) ◮ sensitive (bank, gov. systems, ..) ◮ safety critical (Rocket Engine Control System[1], Automotive) ... Systems ◮ → thus: attractive target

  4. Security Beyond Bugs ◮ Performance & Reliability � = Security ◮ Hardening seen as overhead in the past ◮ Critical security bug lifetime is huge ( > 10 years possible) ◮ Non-trivial software/hardware → never bug free ◮ Safety net needed (Kernel Self Protection (KSP) [2]) “Security needs to be more than just access control and attack-surface reduction.” — Kees Cook, 2015 Kernel Summit

  5. Security For Others Wrongdoing ◮ Working around hardware vulnerabilities ◮ Side channel attacks (Meltdown[3], Spectre [4] ) ◮ Firmware/ µ Code bugs ◮ User space programs

  6. Kernel Self Protection vs. User Land Protection Attack surface reduction: ◮ SELinux/AppArmor ◮ seccomp ◮ namespacing (mount, PID, net, ...) Problems: ◮ Usability ◮ Complexity ◮ no protection against common Kernel bugs

  7. Out of Tree Security ◮ Earlier Hardening resentment → out-of-tree approaches [5] ◮ PaX/grsecurity ◮ Lots of Linux Security Research happened until they went private ◮ Low effort to upstream ◮ But, work now taken up by the community

  8. Flaws & Mitigation Technologies

  9. Stack Overflow Attack: ◮ Overwrite saved instruction pointer → execution control Mitigations: ◮ Stack canaries [6] [7] ◮ Guard Pages [6] ◮ KASLR [8] [9] ◮ Shadow Stacks ◮ Virtually mapped kernel stacks [10]

  10. Integer/Heap overflow Caused by: ◮ Integer overflow/Wrong Bound checking ◮ Overwrite adjacent kernel function pointer ◮ refcount overflow → Use after free Mitigations: ◮ detect multiplication overflows with compiler instrumentation ◮ PAX REFCOUNT [11] ◮ (no access) guard pages ◮ Hardened usercopy 1 1 https://lwn.net/Articles/695991/

  11. Out of Order and Speculative Execution Caused by: ◮ Hardware bugs design, problematic known since ’95[12] ◮ exploiting race condition between memory access and privilege check ◮ speculative execution should be side-effect free → isn’t Mitigations: ◮ Kernel page-table isolation (derived from KAISER) ◮ Flush states, branch predictor, TLB, ... (slow) ◮ ... and/or use modern CPU features (PCID, IBRS/PB, STIBP)

  12. Uninitialized variables / Stack Caused by: ◮ “Stack memory is frequently and unpredictably reused by other parts of code” [13] ◮ Uninitialized = previous value Mitigations: ◮ clear/poison kernel stack between syscalls (STACKLEAK plugin) ◮ initialize all structs (compiler plugin) [13]

  13. Kernel Pointer Leakage Renders KASLR useless. Caused by: ◮ /proc ◮ kernel modules ◮ /sys Mitigations: ◮ restrict pointers visibility [14] ◮ hashed pointer [14]

  14. Use After Free Caused by: ◮ Missing refcounting ◮ Aforementioned Integer overflow (“wrong refcounting”) [15] Mitigations: ◮ abstract resource access (refcount t) [16] ◮ avoid reference count overflow [11] ◮ clearing memory on free [17]

  15. Race Conditions & Other Logic Flaws Caused by: ◮ Complex Protocol/Bad Design ◮ False Assumption about access Mitigations: ◮ Harder (often no statical analysis possible) ◮ Fuzzing: ◮ Syszcaller [18] ◮ trinity [19] ◮ American Fuzzy Lop (AFL) ◮ code instrumentation

  16. Return Oriented Programming[22] Attack: ◮ arbitrary code injection not directly possible: ◮ execution disable (NX) ◮ signed code ◮ chain existing (library) functions together ◮ achieve goal Mitigation: ◮ Control Flow Integrity [20] through compiler ◮ Return Address Protection (RAP) [21]

  17. Overwrite Kernel Image Attack: ◮ gain arbitrary code execution ◮ replace (parts) of kernel image ◮ . . . ◮ profit? Mitigation: ◮ Kernel image in read only memory ( ro after init) [23] ◮ “rare write” mechanism [24]

  18. Function pointer overwrite Attack: ◮ builds upon use-after-free ◮ replace function pointer (destructor) with own function ◮ own function gets called in kernel context Mitigation: ◮ read only function pointer tables [23] (compiler plugin)

  19. References

  20. A. Svitak, Dragon’s Radiation-Tolerant Design , https://web.archive.org/web/20131203204735/http: //www.aviationweek.com/Blogs.aspx?plckBlogId= Blog%3A04ce340e-4b63-4d23-9695- d49ab661f385&plckPostId=Blog%3A04ce340e-4b63- 4d23-9695-d49ab661f385Post%3Aa8b87703-93f9-4cdf- 885f-9429605e14df , [Online; accessed 10-January-2019], 2013. L. A. Kees Cook, Kernel Self-Protection , https://git.kernel.org/pub/scm/linux/kernel/git/ torvalds/linux.git/tree/Documentation/security/ self-protection.rst?h=v4.20 , [Online; accessed 10-December-2019], 2016-2019.

  21. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, et al. , “Meltdown: Reading kernel memory from user space,” in 27th { USENIX } Security Symposium ( { USENIX } Security 18) , 2018, pp. 973–990. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, “Spectre attacks: Exploiting speculative execution,” in 40th IEEE Symposium on Security and Privacy (SP’19) , 2019.

  22. J. Ribas, The kernel of the argument , http://www. washingtonpost.com/sf/business/2015/11/05/net- of-insecurity-the-kernel-of-the-argument/ , [Online; accessed 09-June-2017], 2015. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, “Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks.,” in Usenix Security , vol. 98, 1998, pp. 63–78.

  23. K. Cook, Introduce strong stackprotector , https://patchwork.kernel.org/patch/3387921/ , [Online; accessed 12-May-2017], 2013. g. PaX, Address Space Layout Randomisation , https://pax.grsecurity.net/docs/aslr.txt , [Online; accessed 10-May-2017], 2003. J. Edge, Kernel Address Space Layout Randomisation , https://lwn.net/Articles/569635/ , [Online; accessed 10-May-2017], 2013.

  24. J. Corbet, Virtually mapped kernel stacks , https://lwn.net/Articles/692208/ , [Online; accessed 29-May-2017], 2016. g. PaX, PAX REFCOUNT , https: //forums.grsecurity.net/viewtopic.php?f=7&t=4173 , [Online; accessed 09-May-2017], 2015. O. Sibert, P. A. Porras, and R. Lindell, “The intel 80/spl times/86 processor architecture: Pitfalls for secure systems,” in Security and Privacy, 1995. Proceedings., 1995 IEEE Symposium on , IEEE, 1995, pp. 211–222.

  25. K. Lu, M.-T. Walter, D. Pfaff, N. Stefan, W. Lee, and M. Backes, “Unleashing use-before-initialization vulnerabilities in the linux kernel using targeted stack spraying,” , NDSS, 2017. D. Rosenberg, kptr restrict for hiding kernel pointers , https://lwn.net/Articles/420403/ , [Online; accessed 09-June-2017], 2010. L. Song and Q. Xiao-Jun, “Parallelly refill slub objects freed in slow paths: An approach to exploit the use-after-free vulnerabilities in linux kernel,” in 2016 17th International Conference on Parallel and Distributed Computing,

  26. Applications and Technologies (PDCAT) , Dec. 2016, pp. 387–390. doi : 10.1109/PDCAT.2016.088 . D. Windsor, Kernel Protections/HARDENED ATOMIC , https://kernsec.org/wiki/index.php/Kernel_ Protections/HARDENED_ATOMIC , [Online; accessed 29-May-2017], 2017. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum, “Shredding your garbage: Reducing data lifetime through secure deallocation,” in In USENIX Security , 2005.

  27. D. Drysdale, Coverage-guided kernel fuzzing with syzkaller , https://lwn.net/Articles/677764/ , [Online; accessed 09-June-2017], 2016. M. Kerrisk, The Trinity fuzz tester , https://lwn.net/Articles/536173/ , [Online; accessed 09-June-2017], 2013. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity,” in Proceedings of the 12th ACM conference on Computer and communications security , ACM, 2005, pp. 340–353.

  28. PaX/grsecurity, RAP: RIP ROP , https://pax.grsecurity.net/docs/PaXTeam-H2HC15- RAP-RIP-ROP.pdf , [Online; accessed 02-June-2017], 2015. R. Hund, T. Holz, and F. C. Freiling, “Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms.,” in USENIX Security Symposium , 2009, pp. 383–398. J. Corbet, Post-init read-only memory , https://lwn.net/Articles/666550/ , [Online; accessed 10-June-2017], 2015.

  29. N. H. Kees Cook, Introduce rare write() infrastructure , https://lwn.net/Articles/724319/ , [Online; accessed 10-June-2017], 2017.

Recommend

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

382 views • 37 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris

Linux Kernel Security Update LinuxCon Europe Berlin, 2016 James Morris james.l.morris@oracle.com Introduction Who am I? Kernel security subsystem maintainer Started kernel development w/ FreeS/WAN in 1999 which led to Netfilter,

798 views • 48 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

431 views • 15 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security Dinosaur Smack Linux Security Module Manager Tizen and Linux Kernel Security 2 Tizen Linux based operating system Project of the Linux

486 views • 23 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees

Status of the Kernel Self Protection Project Linux Security Summit 2016 Aug 25-26, Toronto Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2016/lss/kspp.pdf Agenda Background Security in the context of this

464 views • 42 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian*^, Grant

LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian*^, Grant

LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian*^, Grant Hernandez*, Joseph Choi*, Vanessa Frost*, Peter Johnson**, and Kevin Butler* *University of Florida, Gainesville, FL ^Purdue University, West Lafayette,

560 views • 38 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides

More recommend