BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni
  1. Linux kernel and recent security protections
     Djalal Harouni
     tixxdz@opendz.org
     @tixxdz
     BsidesAlgiers 05-05-12

  2. Why this lecture?
     - Talk about the Linux kernel and open source.
     - Talk about security.

  3. What it is not about
     - A listing of security protections.
     - A comparison between different Linux security protections.
     - A comparison against *BSD, Windows, ...

  4. What it is about
     - An introduction to the Linux kernel source code.
     - Some recent practical security protections (not all of them) that were merged upstream.
     - Examples of some recent kernel exploits and mitigations.
     - The talk will be simple, with a special focus on questions.

  5. Plan
     - Linux kernel source code
       Demo and questions?
     - Recent security protections
       Demo and questions?
     - Recent exploits and mitigation techniques
       Demo and questions?
     - Conclusion
     - Questions
  6. Linux kernel source code

  7. Linux kernel source code
     - Official mirror: http://www.kernel.org and http://git.kernel.org/
     - Mailing lists: http://vger.kernel.org/vger-lists.html
     - Main development mailing list: http://vger.kernel.org/vger-lists.html#linux-kernel
       Archived at: http://lkml.org
     - Download and untar, or git clone:
         cd linux-3.3.4

  8. Linux source code demo

  9. Linux kernel source code
     - Configuration and other Makefile options:
         make help
         make menuconfig
         make defconfig
         make mandocs
         make cscope
     - Compilation:
         make -j $n
         make path/single_file.o
         make path/module.ko
     More in Linux Kernel in a Nutshell [1].

  10. Linux memory space
      Figure 1: Virtual to physical [2]
      Figure 2: Virtual address space [3]

  11. Linux file system and syscalls
      Figure 3: Linux file system [4]

  12. Interactive map of the Linux kernel [5]

  13. Demo and questions?
  15. Recent security protections: introduction to Linux capabilities
      - On UNIX a privileged process is one with euid 0 (root).
      - Since Linux 2.2 the superuser privileges are divided into distinct units called capabilities. This is an old mechanism, not one of the new protections, but the new protections below are expressed in terms of it.
      - Some capabilities:
        - CAP_NET_ADMIN: network-related operations.
        - CAP_SETUID: arbitrary UID manipulations.
        - CAP_SYS_ADMIN: a lot of system administration operations (syslog, mount/umount, ...).
        - CAP_SYS_MODULE: load/unload kernel modules.
        - ...
      More in the capabilities man page [6].

  16. Recent security protections: dmesg_restrict sysctl
      - Restricts reading the kernel log (dmesg, i.e. syslog(2)) to users with CAP_SYS_ADMIN; later kernels check CAP_SYSLOG instead. The kernel log is worth protecting because oops messages and module loads print kernel addresses that an exploit can reuse.
      - Based on GRKERNSEC_DMESG from grsecurity [7].
      - Commit eaf06b241b09135
      - Enable it with:
          # sysctl -w kernel.dmesg_restrict=1
        or
          # echo "1" > /proc/sys/kernel/dmesg_restrict

  17. Recent security protections: kptr_restrict sysctl
      - Hides kernel addresses from unprivileged users.
      - kptr_restrict == 0: no restrictions.
      - kptr_restrict == 1: kernel pointers printed with the %pK format (for example in /proc/kallsyms) are shown only to users with CAP_SYSLOG; everyone else sees zeros.
      - kptr_restrict == 2: all kernel pointers printed with the %pK format are replaced with zeros, for everyone.
      - Commit 455cd5ab305c90ffc4
          # sysctl -w kernel.kptr_restrict=2
      - Extra: make vmlinuz and System.map readable only by root, since they reveal the same addresses.
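The three slides above describe what an unprivileged process is allowed to learn. The following program is an added example, not part of the talk: it decodes the effective capability mask of the current process from /proc/self/status (the bit numbers are the ones from <linux/capability.h>), asks the kernel log for its size through syslog(2) to see whether dmesg_restrict applies, and counts how many /proc/kallsyms addresses come back as zeros under kptr_restrict. The helper names and the constructed status/kallsyms text used for testing are this example's own.

```c
/* Added example, not from the slides: what an unprivileged process can learn
 * about the kernel, to check dmesg_restrict and kptr_restrict from inside.
 * Capability bit numbers are the ones from <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

enum {
    CAP_SETUID_BIT = 7, CAP_NET_ADMIN_BIT = 12, CAP_SYS_MODULE_BIT = 16,
    CAP_SYS_RAWIO_BIT = 17, CAP_SYS_ADMIN_BIT = 21, CAP_SYSLOG_BIT = 34
};

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns 0 and fills *mask, or -1 if there is no usable "CapEff:" line. */
int parse_capeff(const char *status_text, uint64_t *mask)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno || end == p) return -1;
    *mask = (uint64_t)v;
    return 0;
}

int cap_present(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }

/* Count /proc/kallsyms lines ("<address> <type> <name>") whose address is
 * printed as all zeros, which is what kptr_restrict does for %pK. Stores the
 * number of parsed lines in *total; returns -1 if nothing could be parsed. */
int count_zeroed_kallsyms(const char *text, int *total)
{
    int zero = 0, n = 0;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);
        if (sp && sp > line) {
            int allzero = 1;
            for (const char *c = line; c < sp; c++)
                if (*c != '0') { allzero = 0; break; }
            zero += allzero;
            n++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    if (total) *total = n;
    return n ? zero : -1;
}

/* 1 if syslog(2) (what dmesg uses) is readable from this process, else 0.
 * SYSLOG_ACTION_SIZE_BUFFER (10) reads nothing but is still subject to the
 * dmesg_restrict check. */
int kernel_log_readable(void)
{
    return klogctl(10, NULL, 0) >= 0;
}

/* Read a whole (size-less) /proc file into a malloc'd buffer. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 == cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); buf = NULL; }
            else buf = nb;
        }
    }
    if (buf) buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    uint64_t caps = 0;
    char *st = slurp("/proc/self/status");
    if (st && parse_capeff(st, &caps) == 0)
        printf("CAP_SYS_ADMIN=%d CAP_SYSLOG=%d CAP_NET_ADMIN=%d CAP_SYS_MODULE=%d\n",
               cap_present(caps, CAP_SYS_ADMIN_BIT), cap_present(caps, CAP_SYSLOG_BIT),
               cap_present(caps, CAP_NET_ADMIN_BIT), cap_present(caps, CAP_SYS_MODULE_BIT));
    printf("kernel log readable: %d\n", kernel_log_readable());
    char *ks = slurp("/proc/kallsyms");
    int total = 0, zero = ks ? count_zeroed_kallsyms(ks, &total) : -1;
    printf("kallsyms: %d of %d addresses zeroed\n", zero, total);
    free(st);
    free(ks);
    return 0;
}
```

Run it once as a normal user and once as root: with dmesg_restrict=1 and kptr_restrict=1 the unprivileged run reports the log as unreadable and every kallsyms address as zero, while the CAP_SYSLOG run sees everything; with kptr_restrict=2 both runs see zeros.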
  18. Recent security protections: restrict access to /proc/<pid>/ directories
      - Procfs is a virtual file system.
      - Procfs is an interface to kernel data structures:
          $ cat /proc/cpuinfo
          processor       : 0
          vendor_id       : GenuineIntel
          cpu family      : 6
          ...
      - /proc/<pid>/* contains information about a running process:
          $ cat /proc/self/maps
          00400000-0040b000 r-xp 00000000 08:0f 4456467    /bin/cat
          0060a000-0060b000 r--p 0000a000 08:0f 4456467    /bin/cat
          0060b000-0060c000 rw-p 0000b000 08:0f 4456467    /bin/cat
          023ae000-023cf000 rw-p 00000000 00:00 0          [heap]
          ...

  19. Restrict access to /proc/<pid>/ directories (continued)
      - Use the new hidepid= and gid= mount options of procfs to restrict access to these directories.
      - The patch originates from the -ow kernel patches [8] and grsecurity [7].
      - hidepid == 0: no restrictions, classic mode.
      - hidepid == 1: users can only enter their own /proc/<pid>/ directories; other processes' directories are still listed, but their files (cmdline, status, maps, ...) are not readable.
      - hidepid == 2: other users' /proc/<pid>/ directories are hidden entirely. The group named with gid= is exempt, so monitoring tools can still run without root.
      - Commit 97412950b10e64f347
      - Commit 0499680a42141d8641
      - Hint: hidepid hides the directories, not the existence of a process; use kill -0 $pid to discover valid pids (ESRCH means no such pid, EPERM means it exists but is not yours).
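The slide above notes that hidepid hides directories, not processes. The program below is an added example, not part of the talk: it reads the hidepid= and gid= options of the procfs mount out of /proc/mounts, and then compares the pids visible as /proc entries with the pids that exist according to the kill -0 probe. The parser only understands the numeric hidepid values the slide lists (newer kernels also accept names such as invisible and ptraceable, which it does not map); the probe range and the function names are this example's choices. To see a difference, remount with `mount -o remount,hidepid=2 /proc` and run the program as a non-root user.

```c
/* Added example, not from the slides: read the hidepid/gid options of the
 * procfs mount and show the kill -0 trick, which still tells whether a pid
 * exists when hidepid hides its /proc/<pid>/ directory. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse text in /proc/mounts format. On return *hidepid holds the numeric
 * hidepid= value of the "/proc" mount (0 when absent) and *gid the gid=
 * value (-1 when absent). Returns 0, or -1 if /proc is not listed. */
int proc_mount_options(const char *mounts_text, int *hidepid, long *gid)
{
    *hidepid = 0;
    *gid = -1;
    for (const char *line = mounts_text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024], dev[256], dir[256], type[64], opts[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%255s %255s %63s %511s", dev, dir, type, opts) == 4 &&
                strcmp(dir, "/proc") == 0 && strcmp(type, "proc") == 0) {
                char *save = NULL;
                for (char *t = strtok_r(opts, ",", &save); t; t = strtok_r(NULL, ",", &save)) {
                    if (strncmp(t, "hidepid=", 8) == 0) *hidepid = atoi(t + 8);
                    else if (strncmp(t, "gid=", 4) == 0) *gid = atol(t + 4);
                }
                return 0;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* kill(pid, 0) delivers no signal but still answers: 0 or EPERM means the
 * pid exists, ESRCH means it does not. hidepid cannot hide this. */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Number of pids in [1, max_pid] that exist according to kill(pid, 0). */
int count_existing_pids(pid_t max_pid)
{
    int n = 0;
    for (pid_t p = 1; p <= max_pid; p++) n += pid_exists(p);
    return n;
}

/* Number of numeric entries in /proc, i.e. what hidepid lets us see. */
int count_visible_pids(void)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0])) n++;
    closedir(d);
    return n;
}

int main(void)
{
    char text[8192];
    FILE *f = fopen("/proc/mounts", "r");
    size_t len = f ? fread(text, 1, sizeof text - 1, f) : 0;
    if (f) fclose(f);
    text[len] = '\0';
    int hidepid;
    long gid;
    if (proc_mount_options(text, &hidepid, &gid) == 0)
        printf("/proc mounted with hidepid=%d gid=%ld\n", hidepid, gid);
    /* 32768 is the default pid_max; raise it if /proc/sys/kernel/pid_max is larger. */
    printf("visible in /proc: %d, existing per kill -0 (pids 1..32768): %d\n",
           count_visible_pids(), count_existing_pids(32768));
    return 0;
}
```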
  20. Recent security protections: Yama LSM (Linux Security Module)
      - Ptrace scope restriction between a debugging process and its inferior.
      - The patch originates from -ow [8] and grsecurity [7].
      - ptrace_scope == 0: classic ptrace permissions (a process may attach to any dumpable process running as the same user).
      - ptrace_scope == 1: PTRACE_ATTACH is allowed only on the debugger's own descendants by default. An inferior can change this relationship and choose its debugger with prctl(PR_SET_PTRACER, ...).
      - Commit 2d514487faf188938a
      - Yama ptrace scope sysctl:
          # sysctl -w kernel.yama.ptrace_scope=1

  21. Demo and questions?
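To see the ptrace_scope rule from the slide in action, here is an added example that is not part of the talk. The parent forks a child and the child tries to PTRACE_ATTACH to the parent, which from the child's side is not a descendant; with ptrace_scope=1 the kernel refuses that with EPERM unless the parent has first named the child as its permitted tracer with prctl(PR_SET_PTRACER, child_pid). The function names and the pipe used to sequence the two processes are this example's own; PR_SET_PTRACER is the value from <linux/prctl.h>.

```c
/* Added example, not from the slides: exercises the ptrace_scope=1 rule. A
 * child tries to PTRACE_ATTACH to its parent (a non-descendant from the
 * child's side); this is refused unless the parent first names the child as
 * its permitted tracer with prctl(PR_SET_PTRACER, child_pid). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61 /* 'Yama', from <linux/prctl.h> */
#endif

/* kernel.yama.ptrace_scope, or -1 when Yama is not available. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Returns 1 if the child could attach to us, 0 if the kernel refused with
 * EPERM, -1 on any other failure of the demo itself. */
int attach_to_parent_demo(int allow)
{
    int go[2];
    if (pipe(go) < 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                       /* the would-be debugger */
        char c;
        close(go[1]);
        if (read(go[0], &c, 1) != 1) _exit(3);
        pid_t target = getppid();
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0) {
            int st;
            waitpid(target, &st, 0);        /* tracee stops with SIGSTOP */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
            _exit(1);
        }
        _exit(errno == EPERM ? 0 : 3);
    }
    close(go[0]);
    /* Name the child as our tracer, or clear any earlier exception with 0.
     * Fails with EINVAL when Yama is not loaded; classic rules then apply. */
    if (prctl(PR_SET_PTRACER, allow ? (unsigned long)child : 0UL, 0, 0, 0) < 0
        && errno != EINVAL)
        perror("PR_SET_PTRACER");
    if (write(go[1], "x", 1) != 1) perror("write");
    close(go[1]);
    int st;
    if (waitpid(child, &st, 0) != child || !WIFEXITED(st)) return -1;
    int code = WEXITSTATUS(st);
    return code == 3 ? -1 : code;
}

int main(void)
{
    printf("kernel.yama.ptrace_scope = %d\n", read_ptrace_scope());
    printf("attach without PR_SET_PTRACER: %d\n", attach_to_parent_demo(0));
    printf("attach with    PR_SET_PTRACER: %d\n", attach_to_parent_demo(1));
    return 0;
}
```

With ptrace_scope=0 both attempts print 1; with ptrace_scope=1 the first prints 0 and the second 1, unless the process holds CAP_SYS_PTRACE, which bypasses the scope check. This is the same opt-in that crash handlers use so that a helper process can inspect them under Yama.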
  23. Recent exploits and mitigation techniques: NULL pointer dereferences
      - Userspace and kernelspace share the same virtual address space.
      - mmap() at address 0x0 plus a NULL pointer dereference bug in the kernel gives a potential NULL pointer vulnerability: the kernel reads, writes or calls through attacker-controlled data placed at page zero [9] [10] [11].
      - Check the git logs (if the information is available):
          git log -p --grep="null.*pointer.*reference"
      - mmap_min_addr protection (old): the lowest address an unprivileged process is allowed to map.
          $ cat /proc/sys/vm/mmap_min_addr
          65536
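The slide above names mmap_min_addr as the mitigation. The following added example, not part of the talk, probes it from userspace: it reads the sysctl and then tries to place an anonymous page exactly at address 0 with MAP_FIXED (a plain hint of 0 means "no preference" and would not test anything). The function names are this example's own.

```c
/* Added example, not from the slides: probe whether this process may map the
 * page at address 0. If it can, any kernel NULL pointer dereference reads or
 * executes attacker-controlled memory; vm.mmap_min_addr exists to refuse it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Value of vm.mmap_min_addr, or -1 if it cannot be read. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Try to place one anonymous page exactly at address 0. Returns 1 if the
 * kernel allowed it (the page is unmapped again), 0 if it refused with EPERM,
 * the error mmap_min_addr produces for processes without CAP_SYS_RAWIO, and
 * -1 for any other error (e.g. EACCES from SELinux's mmap_zero check). */
int map_page_zero(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno == EPERM ? 0 : -1;
    /* MAP_FIXED either honours the address or fails, so p == 0 here. The page
     * is not touched: dereferencing a null pointer is undefined in C. */
    munmap(p, (size_t)pg);
    return 1;
}

int main(void)
{
    long min = read_mmap_min_addr();
    int r = map_page_zero();
    printf("vm.mmap_min_addr = %ld\n", min);
    printf("mapping page zero: %s\n",
           r == 1 ? "ALLOWED (kernel NULL dereferences are exploitable from here)"
         : r == 0 ? "refused with EPERM" : "refused with another error");
    return 0;
}
```

Unprivileged processes should always see "refused with EPERM" on a kernel with mmap_min_addr set; root with CAP_SYS_RAWIO is still allowed, which is why the original 2009 exploits went after setuid helpers or SELinux policies that granted the low mapping.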
  24. Recent exploits and mitigation techniques: Linux local privilege escalation via SUID /proc/pid/mem write [12]
      - /proc/<pid>/mem is used by debuggers to read and write another process' memory through the file system interface.
      - /proc/<pid>/mem is also a source of vulnerabilities: the permission check was done at open() time, and a setuid program could be tricked into writing attacker-controlled data into it.
      - CVE-2012-0056
      - Fixed by commits:
          e268337dfe26dfc7ef
          6d08f2c7139790c26
      Exploit bonus.
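To make clear what the /proc/<pid>/mem interface does, here is an added example that is not part of the talk or of the exploit it cites: the process writes into its own memory through /proc/self/mem, once into a stack variable and once into a constant in .rodata. The second write succeeds even though the page is read-only, because the kernel services these writes like a debugger's (FOLL_FORCE), which is exactly what made a setuid program writing attacker data there so dangerous. The function names and the constants are this example's own.

```c
/* Added example, not from the slides: /proc/<pid>/mem gives a process with
 * ptrace access a read/write view of another process' memory through the
 * VFS. Writes go through with FOLL_FORCE, so they even land on read-only
 * pages, which is why a setuid program writing to it on behalf of an attacker
 * (CVE-2012-0056) was fatal. Here the target is our own process. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

static const int ro_value = 0x22222222;   /* lives in a read-only mapping */

/* Write new_value to address addr in our own process through /proc/self/mem.
 * Returns 0 on success or -errno if the open or write was refused. */
static int write_via_proc_mem(void *addr, int new_value)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) return -errno;
    /* The file offset is the virtual address in the target process. */
    ssize_t n = pwrite(fd, &new_value, sizeof new_value, (off_t)(uintptr_t)addr);
    int err = errno;
    close(fd);
    if (n < 0) return -err;
    return n == (ssize_t)sizeof new_value ? 0 : -EIO;
}

/* Patch a writable stack variable; returns its value afterwards (expected:
 * new_value) or a negative errno. */
int patch_stack_via_proc_mem(int new_value)
{
    volatile int target = 0x11111111;
    int rc = write_via_proc_mem((void *)&target, new_value);
    return rc < 0 ? rc : target;
}

/* Patch a const in .rodata, which a direct store would SIGSEGV on. Returns
 * the value read back afterwards (expected: new_value) or a negative errno. */
int patch_rodata_via_proc_mem(int new_value)
{
    int rc = write_via_proc_mem((void *)(uintptr_t)&ro_value, new_value);
    if (rc < 0) return rc;
    return *(volatile const int *)&ro_value;
}

int main(void)
{
    printf("stack variable after /proc/self/mem write:  %#x\n", patch_stack_via_proc_mem(0x42));
    printf("rodata constant after /proc/self/mem write: %#x\n", patch_rodata_via_proc_mem(0x43));
    return 0;
}
```

Writing to another pid's mem file needs the same permission as PTRACE_ATTACH, so the Yama restriction from slide 20 and the post-fix permission check at each access (rather than only at open) are what stand between this interface and an unrelated setuid process.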
  25. Recent exploits and mitigation techniques: uninitialized stack [13]
      - An uninitialized stack variable contains whatever data the stack held before.
      - Is the old data still available? If the kernel copies such a struct to userspace, the leftover bytes leak kernel data, including addresses.
      - CVE-2010-2963
      - Fixed by commit 3e645d6b485446c54c
      - Protect with PaX [7] (its STACKLEAK plugin clears the kernel stack on return to userspace, so there is no old data to leak).

  26. Recent exploits and mitigation techniques: Linux kernel modules
      - Modules are also used by rootkits.
      - Module autoloading abuses: CAP_NET_ADMIN could trigger the loading of arbitrary modules, not only network modules [14]. Load other modules:
          # ifconfig ntfs
          # lsmod | grep ntfs
      - Disable module autoloading:
          # echo "/bin/false" > /proc/sys/kernel/modprobe
          # sysctl -w kernel.modprobe="/bin/false"
      - Disable module loading permanently (paranoid; this cannot be undone without a reboot):
          # echo 1 > /proc/sys/kernel/modules_disabled

  27. Demo and questions?
  29. Conclusion
      - More proactive security features are now in the mainline kernel.
      - The origin of some of the security protections presented here is:
        Openwall [8]
        grsecurity/PaX [7]
      - Openwall kernel hardening page [15].

  30. Conclusion: other protections
      - LSM: SELinux, AppArmor, TOMOYO, ... [16].
      - GCC plugins and code instrumentation as security protections: grsecurity/PaX gcc plugins [7]: constify pointers, stackleak, ...
      - grsecurity's RBAC [7].
      - Seccomp (SECure COMPuting) with filters: filter system calls by syscall number and arguments with BPF (Berkeley Packet Filter) programs [17].

  31. Thank you! Questions? Download this from: http://opendz.org/
  32. References
      [1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.
      [2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/
      [3] http://www.acm.uiuc.edu/projects/RingCycle/
      [4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/
      [5] http://www.makelinux.net/kernel_map/
      [6] http://linux.die.net/man/7/capabilities
      [7] http://grsecurity.net/
      [8] http://openwall.net/
      [9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
      [10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
      [11] http://seclists.org/fulldisclosure/2009/Aug/190

  33. References (continued)
      [12] http://blog.zx2c4.com/749
      [13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf
      [14] https://lkml.org/lkml/2011/2/24/203
      [15] http://openwall.info/wiki/Owl/kernel-hardening
      [16] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security
      [17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt
