-
Be the first to like this
Upcoming SlideShare
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler
- 1. Classification: Confidential 2 Willkommen zur SBA Live Academy #bleibdaheim #remotelearning After the Exploit – Linux Self-defense by Reinhard Kugler This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
- 2. Classification: Confidential 4SBA Research gGmbH, 2020 https://www.martialtribes.com/defend-against-multiple-attackers/ CVE-2018-1260 CVE-2014-6271 CVE-2018-11776CVE-2019-11043 CVE-2020-?
- 3. Classification: Confidential 5 Remote Code Exection Attacks SBA Research gGmbH, 2020 apache /bin/sh php
- 4. Classification: Confidential 7SBA Research gGmbH, 2020 SelfdefenseTip0: Don‘t breakyourownstuff.
- 5. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip1: Reducetheattacksurface
- 6. Classification: Confidential 9 Example: Apache HTTP Server SBA Research gGmbH, 2020 apache (root) Underlying operating system apache (www-data) tcp/80 tcp/443 Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
- 7. Classification: Confidential 10 Capabilities • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_RAW • CAP_SYS_ADMIN • CAP_SYS_BOOT • CAP_SYS_CHROOT • … expressed as bitmask in /proc/$$/status SBA Research gGmbH, 2018 https://www.andreasch.com/2018/01/13/capabilities/ [Service] ... AmbientCapabilities=CAP_NET_BIND_SERVICE CapabilityBoundingSet=CAP_NET_BIND_SERVICE ... http://man7.org/linux/man-pages/man5/systemd.exec.5.html # setcap cap_net_bind_service+ep /usr/sbin/apache Systemd configuration Extended attribute
- 8. Classification: Confidential 11 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system tcp/80 tcp/443 Rogue process apache (www-data) apache (www-data) Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
- 9. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip2: ContaintheAttack https://commons.wikimedia.org/wiki/File:Strikeforce_cage_2011-01-07.jpg
- 10. Classification: Confidential 13 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system Rogue process container (limited) container filesystem tcp/80 tcp/443 apache (www-data) apache (www-data)
- 11. Classification: Confidential 15SBA Research gGmbH, 2020
- 12. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip3: EnsureMandatoryAccess https://en.wikipedia.org/wiki/File:Goshin_jujitsu_head_arm_lock_med.JPG
- 13. Classification: Confidential 18 Mandatory Access Control SBA Research gGmbH, 2020 AppArmor SELinux process /etc/passwd /bin/sh 1.1.1.1:80
- 14. Classification: Confidential 19 Quick Fix with AppArmor • /etc/apparmor.d/usr.sbin.apache2 SBA Research gGmbH, 2018 /usr/sbin/apache2 { ... deny /bin/dash x, ... } read (r), write (w), append (a) link (l) lock (k) mmap (m) execute (ix) child profile (Cx) profile (Px) unconfined (Ux) /** recursive # apparmor_parser -r -W /etc/apparmor.d/usr.sbin.apache2 # aa-complain apache2 # docker run --rm -it --security-opt "apparmor=apache2" -p 8000:80 apache2 # aa-enforce apache2
- 15. Classification: Confidential 22 Remote Code Exection Attacks SBA Research gGmbH, 2020 tcp/80 tcp/443 apache (www-data)
- 16. Classification: Confidential 23 Syscall Interface SBA Research gGmbH, 2020 Kernel syscall apache2 files memory process fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0 fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0 mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000 read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431 write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431 read(3, "", 131072) = 0 close(3) = 0 # /bin/cat /etc/passwd
- 17. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip4: ReducetheKernelSurface
- 18. Classification: Confidential 25SBA Research gGmbH, 2020 http://man7.org/linux/man-pages/man2/syscalls.2.html
- 19. Classification: Confidential 26 Seccomp BPF (filter syscalls) • Create a BPF script via macros • Load it via a syscall into the Kernel SBA Research gGmbH, 2020 /* Allow system calls other than open() and openat() */ struct sock_filter filter[] = { ... BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS) } struct sock_fprog prog = { .filter=filter, .len=... }; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
- 20. Classification: Confidential 29 Example: BPF to kill proceses using syscalls SBA Research gGmbH, 2020 [Service] ... SystemCallFilter =~ bind SystemCallFilter =~ chroot ... # docker run -it --security-opt seccomp=profile.json ... { "defaultAction":"SCMP_ACT_ALLOW", "syscalls":[ { "names":[ "bind", "connect", "mkdir" ], "action":"SCMP_ACT_KILL", Systemd configurationDocker
- 21. Classification: ConfidentialSBA Research gGmbH, 2020 “Ifyoutakeabus,youshouldknow whentogetoff!“ ― MasterIainArmstrong
- 22. Classification: Confidential 32 Final Remarks SBA Research gGmbH, 2020 0)Don‘tbreakyourownstuff 1)Reduce theattacksurface 2)Contain theAttack 3)Ensure Mandatory Access 4) Reducethe Kernel Surface https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
- 23. Classification: Confidential 33 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowhow Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org Reinhard Kugler rkugler@sba-research.org
- 24. Classification: Confidential 34 #bleibdaheim #remotelearning Coming up @ SBA Live Academy 13.05.2020, 13.00 Uhr, live: „Die COVID-19 Krise und Simulationsmodelle. Was kann man sagen? Und was nicht? “ by „Niki Popper (CSO und Mitgründer der dwh GmbH)“ Treten Sie unserer MeetUp Gruppe bei! https://www.meetup.com/Security-Meetup-by-SBA- Research/
- 25. Classification: Confidential 35 Reinhard Kugler SBA Research gGmbH Floragasse 7, 1040 Wien rkugler@sba-research.org SBA Research gGmbH, 2020
Be the first to comment