SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler

Abstract
*********
SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …).
What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain?

About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

  1. Classification: Confidential. Welcome to the SBA Live Academy #bleibdaheim #remotelearning. After the Exploit – Linux Self-defense by Reinhard Kugler. This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
  2. SBA Research gGmbH, 2020. https://www.martialtribes.com/defend-against-multiple-attackers/ CVE-2018-1260, CVE-2014-6271, CVE-2018-11776, CVE-2019-11043, CVE-2020-?
  3. Remote Code Execution Attacks (diagram: apache → /bin/sh → php)
  4. Self-defense Tip 0: Don't break your own stuff.
  5. Self-defense Tip 1: Reduce the attack surface
  6. Example: Apache HTTP Server (diagram: apache (root) on the underlying operating system, apache (www-data) serving tcp/80 and tcp/443). Things we do not like: ✓ Don't run as root ✓ Don't permit access to files of the operating system ✓ Don't run arbitrary programs
  7. Capabilities
     • CAP_CHOWN
     • CAP_DAC_OVERRIDE
     • CAP_NET_ADMIN
     • CAP_NET_BIND_SERVICE
     • CAP_NET_RAW
     • CAP_SYS_ADMIN
     • CAP_SYS_BOOT
     • CAP_SYS_CHROOT
     • …
     expressed as a bitmask in /proc/$$/status (https://www.andreasch.com/2018/01/13/capabilities/)
     Systemd configuration (http://man7.org/linux/man-pages/man5/systemd.exec.5.html):
         [Service]
         ...
         AmbientCapabilities=CAP_NET_BIND_SERVICE
         CapabilityBoundingSet=CAP_NET_BIND_SERVICE
         ...
     Extended attribute:
         # setcap cap_net_bind_service+ep /usr/sbin/apache
  8. Example: Apache HTTP Server (diagram: a rogue process next to apache (www-data) on the underlying operating system, tcp/80 and tcp/443). Things we do not like: ✓ Don't run as root ✓ Don't permit access to files of the operating system ✓ Don't run arbitrary programs
  9. Self-defense Tip 2: Contain the Attack https://commons.wikimedia.org/wiki/File:Strikeforce_cage_2011-01-07.jpg
  10. Example: Apache HTTP Server (diagram: the rogue process and apache (www-data) inside a limited container with its own container filesystem; tcp/80 and tcp/443 reach it through the underlying operating system)
  11. (image only)
  12. Self-defense Tip 3: Ensure Mandatory Access https://en.wikipedia.org/wiki/File:Goshin_jujitsu_head_arm_lock_med.JPG
  13. Mandatory Access Control: AppArmor, SELinux (diagram: process → /etc/passwd, /bin/sh, 1.1.1.1:80)
  14. Quick Fix with AppArmor
      • /etc/apparmor.d/usr.sbin.apache2:
            /usr/sbin/apache2 {
              ...
              deny /bin/dash x,
              ...
            }
      • Permission letters: read (r), write (w), append (a), link (l), lock (k), mmap (m), execute (ix), child profile (Cx), profile (Px), unconfined (Ux); /** matches recursively
      • Load, test in complain mode, then enforce:
            # apparmor_parser -r -W /etc/apparmor.d/usr.sbin.apache2
            # aa-complain apache2
            # docker run --rm -it --security-opt "apparmor=apache2" -p 8000:80 apache2
            # aa-enforce apache2
  15. Remote Code Execution Attacks (diagram: tcp/80, tcp/443 → apache (www-data))
  16. Syscall Interface (diagram: apache2 → syscall → Kernel → files, memory, process). Traced system calls of:
          # /bin/cat /etc/passwd
          fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
          openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
          fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0
          fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
          mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000
          read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 131072) = 2431
          write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2431) = 2431
          read(3, "", 131072) = 0
          close(3) = 0
  17. Self-defense Tip 4: Reduce the Kernel Surface
  18. http://man7.org/linux/man-pages/man2/syscalls.2.html
  19. Seccomp BPF (filter syscalls)
      • Create a BPF script via macros
      • Load it via a syscall into the Kernel
            /* Allow system calls other than open() and openat() */
            struct sock_filter filter[] = {
                ...
                BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
                BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
                BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
                BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)
            };
            struct sock_fprog prog = { .filter = filter, .len = ... };
            syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
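Added example (not code from the slides): the seccomp filter of slide 19 written out with the instructions its "..." stands for (the architecture check and the load of the syscall number), a small userspace evaluator for the three BPF opcodes it uses so the jt/jf jump targets can be checked without installing the filter, and the install call with the PR_SET_NO_NEW_PRIVS step the slide leaves out. It assumes an x86_64 build (ARCH_NR) and kernel headers that define SECCOMP_RET_KILL_PROCESS (Linux 4.14 or later).

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: built for x86_64 */
#ifndef __NR_open             /* some ABIs only have openat(): use a number */
#define __NR_open 0xffffffffu /* that never matches a real syscall */
#endif
/* Slide 19's filter plus what its "..." elides: check the architecture first
 * (syscall numbers differ per ABI), then load nr; jt/jf skip instructions. */
static const struct sock_filter deny_open[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define DENY_OPEN_LEN (sizeof deny_open / sizeof deny_open[0])
/* Userspace evaluator for the three opcodes above: the SECCOMP_RET_* verdict
 * the kernel would reach for one syscall, checkable without installing it. */
__u32 decide(int nr, __u32 arch)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < DENY_OPEN_LEN; pc++) {
        const struct sock_filter *in = &deny_open[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) /* only nr and arch are loaded */
            acc = in->k == offsetof(struct seccomp_data, nr) ? (__u32)nr : arch;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}
/* Install for the calling process (and all children); NO_NEW_PRIVS is
 * required unless the caller has CAP_SYS_ADMIN. Returns 0 or -1 with errno. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = DENY_OPEN_LEN,
                               .filter = (struct sock_filter *)deny_open };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}
```

Once install_filter() has returned 0, the next open() or openat() in that process ends it with SIGSYS, so the filter must be installed after all files the service needs have been opened.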
  20. Example: BPF to kill processes using syscalls
      Systemd configuration:
          [Service]
          ...
          SystemCallFilter=~bind
          SystemCallFilter=~chroot
          ...
      Docker:
          # docker run -it --security-opt seccomp=profile.json ...
          {
            "defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [
              {
                "names": [ "bind", "connect", "mkdir" ],
                "action": "SCMP_ACT_KILL"
              }
            ]
          }
  21. “If you take a bus, you should know when to get off!” ― Master Iain Armstrong
  22. Final Remarks: 0) Don't break your own stuff 1) Reduce the attack surface 2) Contain the Attack 3) Ensure Mandatory Access 4) Reduce the Kernel Surface. https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
  23. Professional Services: Penetration Testing, Architecture Reviews, Security Audit, Security Trainings, Incident Response Readiness, ISMS & ISO 27001 Consulting. Research & consulting under one roof. Applied Research: Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security. SBA Research Knowhow Transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME. Contact us: anfragen@sba-research.org. Reinhard Kugler rkugler@sba-research.org
  24. #bleibdaheim #remotelearning Coming up @ SBA Live Academy, 13.05.2020, 13:00, live: “The COVID-19 crisis and simulation models. What can be said? And what not?” by Niki Popper (CSO and co-founder of dwh GmbH). Join our MeetUp group! https://www.meetup.com/Security-Meetup-by-SBA-Research/
  25. Reinhard Kugler, SBA Research gGmbH, Floragasse 7, 1040 Wien, rkugler@sba-research.org