using seccomp to limit the kernel attack surface
play

Using seccomp to limit the kernel attack surface c 2016 Michael - PowerPoint PPT Presentation

May 28, 2023 •125 likes •671 views

ContainerCon Europe 2016 Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training and Consulting http://man7.org/training/ @mkerrisk mtk@man7.org 5 October 2016 Berlin, Germany Outline 1 Introduction

  1. ContainerCon Europe 2016 Using seccomp to limit the kernel attack surface c � 2016 Michael Kerrisk man7.org Training and Consulting http://man7.org/training/ @mkerrisk mtk@man7.org 5 October 2016 Berlin, Germany

  2. Outline 1 Introduction and history 2 Seccomp filtering and BPF 3 Constructing seccomp filters 4 BPF programs 5 Further details on seccomp filters 6 Applications, tools, and further information

  3. Who am I? Maintainer of Linux man-pages (since 2004) Documents kernel-user-space + C library APIs ˜1000 manual pages http://www.kernel.org/doc/man-pages/ API review, testing, and documentation API design and design review Lots of testing, lots of bug reports, a few kernel patches “Day job”: programmer, trainer, writer Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 3 / 53

  4. Outline 1 Introduction and history 2 Seccomp filtering and BPF 3 Constructing seccomp filters 4 BPF programs 5 Further details on seccomp filters 6 Applications, tools, and further information

  5. What is seccomp? Kernel provides large number of systems calls ≈ 400 system calls Each system call is a vector for attack against kernel Most programs use only small subset of available system calls Seccomp = mechanism to restrict system calls that a process may make Reduces attack surface of kernel A key component for building application sandboxes Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 5 / 53

  6. Outline History of seccomp Basics of seccomp operation Creating and installing BPF filters (AKA “seccomp2”) Mostly: look at hand-coded BPF filter programs, to gain fundamental understanding of how seccomp works Briefly note some productivity aids for coding BPF programs Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 6 / 53

  7. Introduction and history First version in Linux 2.6.12 (2005) Filtering enabled via /proc/PID/seccomp Writing “1” to file places process (irreversibly) in “strict” seccomp mode Need CONFIG_SECCOMP Strict mode : only permitted system calls are read() , write() , _exit() , and sigreturn() Note: open() not included (must open files before entering strict mode) sigreturn() allows for signal handlers Other system calls ⇒ SIGKILL Designed to sandbox compute-bound programs that deal with untrusted byte code Code perhaps exchanged via pre-created pipe or socket Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 7 / 53

  8. Introduction and history Linux 2.6.23 (2007): /proc/PID/seccomp interface replaced by prctl() operations prctl(PR_SET_SECCOMP, arg) modifies caller’s seccomp mode SECCOMP_MODE_STRICT : limit syscalls as before prctl(PR_GET_SECCOMP) returns seccomp mode: 0 ⇒ process is not in seccomp mode Otherwise? SIGKILL (!) prctl() is not a permitted system call in “strict” mode Who says kernel developers don’t have a sense of humor? Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 8 / 53

  9. Introduction and history Linux 3.5 (2012) adds “filter” mode (AKA “seccomp2”) prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) Can control which system calls are permitted, Control based on system call number and argument values Choice is controlled by user-defined filter–a BPF “program” Berkeley Packet Filter (later) Requires CONFIG_SECCOMP_FILTER By now used in a range of tools E.g., Chrome browser, OpenSSH, vsftpd , systemd , Firefox OS, Docker, LXC Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 9 / 53

  10. Introduction and history Linux 3.8 (2013): The joke is getting old... New /proc/PID/status Seccomp field exposes process seccomp mode (as a number) 0 // SECCOMP_MODE_DISABLED 1 // SECCOMP_MODE_STRICT 2 // SECCOMP_MODE_FILTER Process can, without fear, read from this file to discover its own seccomp mode But, must have previously obtained a file descriptor... Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 10 / 53

  11. Introduction and history Linux 3.17 (2014): seccomp() system call added (Rather than further multiplexing of prctl() ) Provides superset of prctl(2) functionality Can synchronize all threads to same filter tree Useful, e.g., if some threads created by start-up code before application has a chance to install filter(s) Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Introduction and history 11 / 53

  12. Outline 1 Introduction and history 2 Seccomp filtering and BPF 3 Constructing seccomp filters 4 BPF programs 5 Further details on seccomp filters 6 Applications, tools, and further information

  13. Seccomp filtering and BPF Seccomp filtering available since Linux 3.5 Allows filtering based on system call number and argument (register) values Pointers are not dereferenced Filters expressed using BPF (Berkeley Packet Filter) syntax Filters installed using seccomp() or prctl() Construct and install BPF filter 1 exec() new program or invoke function inside dynamically 2 loaded shared library (plug-in) Once installed, every syscall triggers execution of filter Installed filters can’t be removed Filter == declaration that we don’t trust subsequently executed code Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Seccomp filtering and BPF 13 / 53

  14. BPF origins BPF originally devised (in 1992) for tcpdump Monitoring tool to display packets passing over network http://www.tcpdump.org/papers/bpf-usenix93.pdf Volume of network traffic is enormous ⇒ must filter for packets of interest BPF allows in-kernel selection of packets Filtering based on fields in packet header Filtering in kernel more efficient than filtering in user space Unwanted packet are discarded early ⇒ Avoids passing every packet over kernel-user-space boundary Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Seccomp filtering and BPF 14 / 53

  15. BPF virtual machine BPF defines a virtual machine (VM) that can be implemented inside kernel VM characteristics: Simple instruction set Small set of instructions All instructions are same size Implementation is simple and fast Only branch-forward instructions Programs are directed acyclic graphs (DAGs) Easy to verify validity/safety of programs Program completion is guaranteed (DAGs) Simple instruction set ⇒ can verify opcodes and arguments Can detect dead code Can verify that program completes via a “return” instruction BPF filter programs are limited to 4096 instructions Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Seccomp filtering and BPF 15 / 53

  16. Generalizing BPF BPF originally designed to work with network packet headers Seccomp 2 developers realized BPF could be generalized to solve different problem: filtering of system calls Same basic task: test-and-branch processing based on content of a small set of memory locations Further generalization (“extended BPF”; see ebpf(2) ) is ongoing Linux 3.18: adding filters to kernel tracepoints Linux 3.19: adding filters to raw sockets Linux 4.4: filtering of perf events Linux 4.5: use cBPF or eBPF program to distribute packets to SO_REUSEPORT group of sockets Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Seccomp filtering and BPF 16 / 53

  17. Outline 1 Introduction and history 2 Seccomp filtering and BPF 3 Constructing seccomp filters 4 BPF programs 5 Further details on seccomp filters 6 Applications, tools, and further information

  18. Basic features of BPF virtual machine Accumulator register Data area (data to be operated on) In seccomp context: data area describes system call Implicit program counter (Recall: all instructions are same size) Instructions contained in structure of this form: struct sock_filter { /* Filter block */ __u16 code; /* Filter code (opcode)*/ __u8 jt; /* Jump true */ __u8 jf; /* Jump false */ __u32 k; /* Generic multiuse field (operand) */ }; See <linux/filter.h> and <linux/bpf_common.h> Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Constructing seccomp filters 18 / 53

  19. BPF instruction set Instruction set includes: Load instructions Store instructions Jump instructions Arithmetic/logic instructions ADD, SUB, MUL, DIV, MOD, NEG OR, AND, XOR, LSH, RSH Return instructions Terminate filter processing Report a status telling kernel what to do with syscall Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Constructing seccomp filters 19 / 53

  20. BPF jump instructions Conditional and unconditional jump instructions provided Conditional jump instructions consist of Opcode specifying condition to be tested Value to test against Two jump targets jt : target if condition is true jf : target if condition is false Conditional jump instructions: JEQ : jump if equal JGT : jump if greater JGE : jump if greater or equal JSET : bit-wise AND + jump if nonzero result jf target ⇒ no need for JNE , JLT , JLE , and JCLEAR Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Constructing seccomp filters 20 / 53

  21. BPF jump instructions Targets are expressed as relative offsets in instruction list 0 == no jump (execute next instruction) jt and jf are 8 bits ⇒ 255 maximum offset for conditional jumps Unconditional JA (“jump always”) uses k as offset, allowing much larger jumps Seccomp: limiting the kernel attack surface ContainerCon.eu 2016 Constructing seccomp filters 21 / 53

Recommend

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

LinuxCon.eu 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 6 October 2015 Dublin, Ireland Outline 1 Introductions 2 Introduction and

1.1k views • 55 slides
Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

LPC 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 19 August 2015 Seattle, Washington, USA Outline 1 Introductions 2 Introduction and

815 views • 54 slides
SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO

SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO

SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO SILVER BULLET PRINCIPLE OF LEAST PRIVILEGE SECCOMP PREVENT EXECUTION OF CERTAIN SYSTEM CALLS BY AN APPLICATION SECCOMP INSTRUMENT KERNEL TO ABORT

954 views • 72 slides
A Stepping Stone into your Kernel Moritz

A Stepping Stone into your Kernel Moritz

2009 A Stepping Stone into your Kernel Moritz Jodeit, Martin Johns Agenda USB intro Motivation Attack surface Vulnerability identification Hardware-aided approach

615 views • 32 slides
The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice Director Global experts in cyber security &amp; risk mitigation Agenda Space attack surface overview Attacks against terrestrial assets

310 views • 30 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26,

Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26,

Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26, 2018 Edinburgh, Scotland Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss-eu/seccomp.pdf Agenda

220 views • 21 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kiasondi Sponsored by http://iot.foi.hr Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness

725 views • 55 slides
Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy? Limit attack surface of our web applications Web application flaws/vulnerabilities are a major attack vector Protect Company

195 views • 6 slides
~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface

~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface

~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface Discharges in Wyoming None Current 3,000 5,000 Limit: Penny Hunter Geomega 0.2 500 2,000 Proposed Limit: January 17, 2007 Note: Suffate Is

197 views • 5 slides
Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS&gt; whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of

On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of

On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of HermitePad polynomials Sergey P. Suetin S M I R

851 views • 28 slides
Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

1.13k views • 80 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka &lt;gniibe@fsij.org&gt; FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
Agenda Proposed Surface Methane Limit Surface Monitoring Frequency and Spacing Streamlining

Agenda Proposed Surface Methane Limit Surface Monitoring Frequency and Spacing Streamlining

California Air Resources Board 5/9/2008 Landfill Technical Review Workgroup Meeting/Conference Call May 9, 2008 1 Agenda

590 views • 9 slides
NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast and compact Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal 29 June 2018 Bernstein, Chuengsatiansup,

1.18k views • 36 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25

Scaling up baseband attacks: More (unexpected) attack surface Black Hat USA 2012 2012-07-25 36.117038, -115.174562 Ralf-Philipp Weinmann SnT, University of Luxembourg &lt;ralf-philipp.weinmann@uni.lu&gt; Security issues with SUPL

769 views • 38 slides
Mean-field theory of two-layers neural networks: dimension-free bounds and kernel limit Song Mei,

Mean-field theory of two-layers neural networks: dimension-free bounds and kernel limit Song Mei,

Mean-field theory of two-layers neural networks: dimension-free bounds and kernel limit Song Mei, Theodor Misiakiewicz, and Andrea Montanari Stanford University June 26, 2019 COLT 2019 Song Mei (Stanford University) Mean Field Dynamics for

1.12k views • 29 slides
A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM,

A Year of Container Kernel work Past, Present, and Future of Container Kernel Features FOSDEM, 2019 Brussels, Belgium Christian Brauner christian@brauner.io christian.brauner@ubuntu.com @brau_ner https://brauner.io/ 4.15: Bump Limit of

810 views • 12 slides

More recommend