Successfully reported this slideshow.

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler

0

Share

May. 12, 2020
0 likes 135 views
Upcoming SlideShare
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
Loading in …3
×
1 of 25
1 of 25

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler

May. 12, 2020
0 likes 135 views

0

Share

Download to read offline

Technology

Abstract
*********
SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …).
What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain?

About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

Abstract
*********
SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …).
What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain?

About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

Technology

Recommended

More Related Content

Similar to SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler

PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
Expand Your Control of Access to IBM i Systems and Data
Precisely
Windows attacks - AT is the new black
Chris Gates
Docker app armor_usecase
Kazuki Omo
(SACON) Anant Shrivastava - cloud pentesting
Priyanka Aash
Controlling Access to IBM i Systems and Data
Precisely
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
Breaking av software
Thomas Pollet
Securing k8s With Kubernetes Goat
Muhammad Yuga Nugraha
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
Linux Security Crash Course
UTD Computer Security Group
Securing your IBM MQ environment.
Robert Parker
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
MODERN TECHNIQUES TO DEOBFUSCATE AND UEFI/BIOS MALWARE -- HITB 2019 AMSTERDAM
Alexandre Borges
Malicious file upload attacks - a case study
Oktawian Powazka
Breaking av software
Joxean Koret
Jupyter Ascending: a practical hand guide to galactic scale, reproducible dat...
John Fonner
Container security
Anthony Chow
Kernel Mode Threats and Practical Defenses
Priyanka Aash
Windows Security Crash Course
UTD Computer Security Group

More from SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
SBA Research
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Research
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Research
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
SBA Research
Secure development on Kubernetes by Andreas Falk
SBA Research
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Research
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Research
SBA Live Academy, What the heck is secure computing
SBA Research
Tools & techniques, building a dev secops culture at mozilla sba live a...
SBA Research
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
SBA Research
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Research
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Research
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Research
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Research
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Research
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Research
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Research
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler

  1. 1. Classification: Confidential 2 Willkommen zur SBA Live Academy #bleibdaheim #remotelearning After the Exploit – Linux Self-defense by Reinhard Kugler This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
  2. 2. Classification: Confidential 4SBA Research gGmbH, 2020 https://www.martialtribes.com/defend-against-multiple-attackers/ CVE-2018-1260 CVE-2014-6271 CVE-2018-11776CVE-2019-11043 CVE-2020-?
  3. 3. Classification: Confidential 5 Remote Code Exection Attacks SBA Research gGmbH, 2020 apache /bin/sh php
  4. 4. Classification: Confidential 7SBA Research gGmbH, 2020 SelfdefenseTip0: Don‘t breakyourownstuff.
  5. 5. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip1: Reducetheattacksurface
  6. 6. Classification: Confidential 9 Example: Apache HTTP Server SBA Research gGmbH, 2020 apache (root) Underlying operating system apache (www-data) tcp/80 tcp/443 Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
  7. 7. Classification: Confidential 10 Capabilities • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_RAW • CAP_SYS_ADMIN • CAP_SYS_BOOT • CAP_SYS_CHROOT • … expressed as bitmask in /proc/$$/status SBA Research gGmbH, 2018 https://www.andreasch.com/2018/01/13/capabilities/ [Service] ... AmbientCapabilities=CAP_NET_BIND_SERVICE CapabilityBoundingSet=CAP_NET_BIND_SERVICE ... http://man7.org/linux/man-pages/man5/systemd.exec.5.html # setcap cap_net_bind_service+ep /usr/sbin/apache Systemd configuration Extended attribute
  8. 8. Classification: Confidential 11 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system tcp/80 tcp/443 Rogue process apache (www-data) apache (www-data) Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
  9. 9. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip2: ContaintheAttack https://commons.wikimedia.org/wiki/File:Strikeforce_cage_2011-01-07.jpg
  10. 10. Classification: Confidential 13 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system Rogue process container (limited) container filesystem tcp/80 tcp/443 apache (www-data) apache (www-data)
  11. 11. Classification: Confidential 15SBA Research gGmbH, 2020
  12. 12. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip3: EnsureMandatoryAccess https://en.wikipedia.org/wiki/File:Goshin_jujitsu_head_arm_lock_med.JPG
  13. 13. Classification: Confidential 18 Mandatory Access Control SBA Research gGmbH, 2020 AppArmor SELinux process /etc/passwd /bin/sh 1.1.1.1:80
  14. 14. Classification: Confidential 19 Quick Fix with AppArmor • /etc/apparmor.d/usr.sbin.apache2 SBA Research gGmbH, 2018 /usr/sbin/apache2 { ... deny /bin/dash x, ... } read (r), write (w), append (a) link (l) lock (k) mmap (m) execute (ix) child profile (Cx) profile (Px) unconfined (Ux) /** recursive # apparmor_parser -r -W /etc/apparmor.d/usr.sbin.apache2 # aa-complain apache2 # docker run --rm -it --security-opt "apparmor=apache2" -p 8000:80 apache2 # aa-enforce apache2
  15. 15. Classification: Confidential 22 Remote Code Exection Attacks SBA Research gGmbH, 2020 tcp/80 tcp/443 apache (www-data)
  16. 16. Classification: Confidential 23 Syscall Interface SBA Research gGmbH, 2020 Kernel syscall apache2 files memory process fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0 fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0 mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000 read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431 write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431 read(3, "", 131072) = 0 close(3) = 0 # /bin/cat /etc/passwd
  17. 17. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip4: ReducetheKernelSurface
  18. 18. Classification: Confidential 25SBA Research gGmbH, 2020 http://man7.org/linux/man-pages/man2/syscalls.2.html
  19. 19. Classification: Confidential 26 Seccomp BPF (filter syscalls) • Create a BPF script via macros • Load it via a syscall into the Kernel SBA Research gGmbH, 2020 /* Allow system calls other than open() and openat() */ struct sock_filter filter[] = { ... BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS) } struct sock_fprog prog = { .filter=filter, .len=... }; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
  20. 20. Classification: Confidential 29 Example: BPF to kill proceses using syscalls SBA Research gGmbH, 2020 [Service] ... SystemCallFilter =~ bind SystemCallFilter =~ chroot ... # docker run -it --security-opt seccomp=profile.json ... { "defaultAction":"SCMP_ACT_ALLOW", "syscalls":[ { "names":[ "bind", "connect", "mkdir" ], "action":"SCMP_ACT_KILL", Systemd configurationDocker
  21. 21. Classification: ConfidentialSBA Research gGmbH, 2020 “Ifyoutakeabus,youshouldknow whentogetoff!“ ― MasterIainArmstrong
  22. 22. Classification: Confidential 32 Final Remarks SBA Research gGmbH, 2020 0)Don‘tbreakyourownstuff 1)Reduce theattacksurface 2)Contain theAttack 3)Ensure Mandatory Access 4) Reducethe Kernel Surface https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
  23. 23. Classification: Confidential 33 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowhow Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org Reinhard Kugler rkugler@sba-research.org
  24. 24. Classification: Confidential 34 #bleibdaheim #remotelearning Coming up @ SBA Live Academy 13.05.2020, 13.00 Uhr, live: „Die COVID-19 Krise und Simulationsmodelle. Was kann man sagen? Und was nicht? “ by „Niki Popper (CSO und Mitgründer der dwh GmbH)“ Treten Sie unserer MeetUp Gruppe bei! https://www.meetup.com/Security-Meetup-by-SBA- Research/
  25. 25. Classification: Confidential 35 Reinhard Kugler SBA Research gGmbH Floragasse 7, 1040 Wien rkugler@sba-research.org SBA Research gGmbH, 2020

×