
Widely Used But Out-Of-Tree

Kees Cook (that's pronounced "Case"), kees.cook@canonical.com. Linux Security Summit, Boston, Aug 2010. http://people.canonical.com/~kees/slides/out-of-tree.pdf


  1. Widely Used But Out-Of-Tree
     Kees Cook (that's pronounced “Case”)
     kees.cook@canonical.com
     Linux Security Summit
     Boston, Aug 2010
     http://people.canonical.com/~kees/slides/out-of-tree.pdf
     Internal use only

  2. Agenda
     • Past successes/compromises
     • Current successes
     • Living outside of mainline
     • Why isn't it upstream?
     • Cultural shift for the Linux kernel community

  3. Past successes/compromises (userspace)
     • SELinux
     • ASLR of stack, mmap, exec, brk (x86 mostly)
     • SECCOMP (x86 mostly)
     • TOMOYO
     • SMACK
     • AT_RANDOM

  4. Past successes/compromises (kernel)
     • mmap_min_addr
     • /dev/mem restrictions (x86 mostly)
     • CC_STACKPROTECTOR (x86 mostly)

  5. Current successes
     • AppArmor
       – In for 5 years on SUSE, 4 on Ubuntu
     • Yama

  6. Living outside of mainline (part 1)
     • symlink/hardlink restrictions, 15 years old
       – OpenWall, grsecurity, Ubuntu
     • partial NX emulation, 10 years old
       – grsecurity, RedHat/Fedora, SUSE, Ubuntu
     • ASCII-armored addresses, 6 years old
       – RedHat/Fedora, SUSE, Ubuntu (partially)
     • PTRACE restrictions, 4 years old?
       – grsecurity, Ubuntu

  7. Living outside of mainline (part 2)
     • fifo, /proc, NPROC, SHM restrictions, 8 years old?
       – OpenWall, grsecurity
     • RSBAC, 5 years old?
       – Mandriva
     • mprotect, and a giant list of other things, many via PaX
       – grsecurity

  8. Why isn't it upstream?
     • No one has tried
     • (Unreasonable) objections

  9. Objections (part 1)
     • “this is a hack”
       – yet majority/many/some distros use it?
     • “... but at the cost of speed”
       – why can't this be a choice?

  10. Objections (part 2)
      • “the perfect is the enemy of the good”
        – defense against attack is, like biological systems, a matter of probability
        – better to have an imperfect heuristic than a missing perfect system
        – work around changes in userspace semantics (we are, after all, a Free Software community, right?)
        – “perfect” is absolutely impossible (kernel vulnerabilities frequently undermine all other defense systems)

  11. Cultural shift for the Linux kernel community
      • Acknowledge that vulnerabilities are a way of life
      • Lose the prejudice against optional defense mechanisms
      • Take responsibility to create a pro-actively secure system

  12. Thank you for your time
      kees.cook@canonical.com
