Linux kernel and recent security protections

Djalal Harouni
tixxdz@opendz.org
@tixxdz
BsidesAlgiers 05-05-12

Why this lecture?

- Talk about Linux kernel and Open-source.
- Talk about security.

What is it not about?

- A listing of security protections.
- A comparison between different Linux security protections.
- A comparison against *BSD, Windows ...

What is it about?

- An introduction to the Linux kernel source code.
- Some recent practical security protections (not all of them) that were merged upstream.
- Examples of some recent kernel exploits and their mitigations.
- The talk will be kept simple, with a special focus on questions.

Plan:

- Linux kernel source code
    Demo and Questions?
- Recent security protections
    Demo and Questions?
- Recent exploits and mitigation techniques
    Demo and Questions?
- Conclusion
- Questions

Linux kernel source code

- Official mirror: http://www.kernel.org and http://git.kernel.org/
- Mailing lists: http://vger.kernel.org/vger-lists.html
  Main development mailing list: http://vger.kernel.org/vger-lists.html#linux-kernel
  Archived at: http://lkml.org
- Download and untar, or git clone:
    cd linux-3.3.4

Linux source code demo

- Configuration and other Makefile options:
    make help
    make menuconfig
    make defconfig
    make mandocs
    make cscope
- Compilation:
    make -j $n
    make path/single_file.o
    make path/module.ko

More from Linux Kernel in a Nutshell [1].

Linux memory space:

    Figure 1: Virtual to Physical [2]
    Figure 2: Virtual address space [3]

Linux file system and syscalls:

    Figure 3: Linux File system [4]

Interactive map of Linux kernel [5]

Demo and Questions?

Recent security protections

Introduction to Linux capabilities:
- On UNIX a privileged process => euid 0 (root).
- Since Linux 2.2 the superuser privileges have been divided into distinct units called capabilities (an old feature, not a new one).

Capabilities:
- CAP_NET_ADMIN: network-related operations.
- CAP_SETUID: arbitrary UID manipulations.
- CAP_SYS_ADMIN: a lot of system administration operations (syslog, mount/unmount, ...).
- CAP_SYS_MODULE: load/unload kernel modules.
- ...

More from the Linux capabilities man page [6].
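As an added example (not part of the original slides), the following script decodes the Cap* bit masks the kernel exports in /proc/<pid>/status and flags the capabilities the slide lists; the CAP_* bit numbers are those of <linux/capability.h>, and the status excerpt is constructed, not captured from a real host.

```python
# Added example, not from the slides: decode the Cap* masks the kernel exports
# in /proc/<pid>/status and flag the capabilities the deck singles out.
# Bit numbers follow <linux/capability.h> (bit 0 = CAP_CHOWN, ...).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
]

# Capabilities the slides call out; each one is close to full root.
RISKY = {
    "CAP_SYS_ADMIN": "catch-all admin operations (mount, syslog, ...)",
    "CAP_SYS_MODULE": "load/unload kernel modules",
    "CAP_NET_ADMIN": "network admin; can also trigger module autoloading",
    "CAP_SETUID": "arbitrary UID manipulation",
}

# Constructed /proc/<pid>/status excerpt (not captured from a real host): an
# unprivileged uid holding CAP_NET_ADMIN (bit 12) and CAP_SYS_ADMIN (bit 21).
SAMPLE_STATUS = """\
Name:\tnetd
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000201000
CapEff:\t0000000000201000
CapBnd:\t0000001fffffffff
"""

def cap_mask(status_text, which="CapEff"):
    """Return the requested Cap* mask from /proc/<pid>/status text as an int."""
    for line in status_text.splitlines():
        if line.startswith(which + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("%s line not found" % which)

def decode(mask):
    """Names of the capabilities set in mask, lowest bit first.
    Bits newer than this table are reported as CAP_<bit>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names

def risky(mask):
    """Subset of decode(mask) the deck treats as root-equivalent, with the reason."""
    return {name: RISKY[name] for name in decode(mask) if name in RISKY}

if __name__ == "__main__":
    # Inspect the live process when /proc is available, else the constructed sample.
    try:
        with open("/proc/self/status") as f:
            status = f.read()
    except OSError:
        status = SAMPLE_STATUS
    print("effective:", ", ".join(decode(cap_mask(status))) or "(none)")
    for name, why in risky(cap_mask(status)).items():
        print("%-16s %s" % (name, why))
```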

Dmesg restrict sysctl:
- Restrict the kernel syslog to users with CAP_SYS_ADMIN.
- Based on GRKERNSEC_DMESG from grsecurity [7].
- Commit eaf06b241b09135
    # sysctl -w kernel.dmesg_restrict=1
  or
    # echo "1" > /proc/sys/kernel/dmesg_restrict

Kptr restrict sysctl:
- Hide kernel addresses from unprivileged users.
- If kptr_restrict == 0: no restrictions.
- If kptr_restrict == 1 and kernel pointers are printed using the %pK format, only users with CAP_SYSLOG can view them.
- If kptr_restrict == 2: all kernel pointers printed using the %pK format are replaced with 0's.
- Commit 455cd5ab305c90ffc4
    # sysctl -w kernel.kptr_restrict=2
- Extra: make vmlinuz and System.map root read-only files.

Restrict access to /proc/<pid>/ directories:
- Procfs is a virtual file system.
- Procfs is an interface to kernel data structures.

    $ cat /proc/cpuinfo
    processor : 0
    vendor_id : GenuineIntel
    cpu family : 6

- /proc/<pid>/* contains information about a running process.

    $ cat /proc/self/maps
    00400000-0040b000 r-xp 00000000 08:0f 4456467   /bin/cat
    0060a000-0060b000 r--p 0000a000 08:0f 4456467   /bin/cat
    0060b000-0060c000 rw-p 0000b000 08:0f 4456467   /bin/cat
    023ae000-023cf000 rw-p 00000000 00:00 0         [heap]
    …

Restrict access to /proc/<pid>/ directories:
- Use the new hidepid= and gid= mount options to restrict access to these directories.
- The patch originates from the -ow kernel patches [8] and grsecurity [7].
- If hidepid == 0: no restrictions, classic mode.
- If hidepid == 1: users can access only their own pid directories.
- If hidepid == 2: access to all other users' /proc/<pid>/ directories is restricted.
- Commit 97412950b10e64f347
- Commit 0499680a42141d8641

Hint: use 'kill -0 $pid' to discover valid pids.

Yama LSM (Linux Security Module):
- Ptrace scope restriction: limits which debugging process may attach to which inferior.
- The patch originates from -ow [8] and grsecurity [7].
- If ptrace_scope == 0: classic ptrace permissions.
- If ptrace_scope == 1: a process may PTRACE_ATTACH only to its descendants by default. The inferior can change this relationship and choose its debugger with prctl(PR_SET_PTRACER, ...).
- Commit 2d514487faf188938a
- Yama ptrace scope sysctl:
    # sysctl -w kernel.yama.ptrace_scope=1
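As an added example (not part of the original slides), the following script shows the inferior-side opt-in the slide mentions, PR_SET_PTRACER, together with a small model of the ptrace_scope decision so the rule can be exercised without Yama; the prctl constants follow <linux/prctl.h>, and the helper names are this example's own.

```python
# Added example, not from the slides: how a process names its own debugger
# under Yama ptrace_scope=1, plus a model of the attach rule for offline checks.
# Constants follow <linux/prctl.h>; function names are this example's own.
import ctypes
import ctypes.util
import os

PR_SET_PTRACER = 0x59616d61                    # "Yama" in ASCII
PR_SET_PTRACER_ANY = ctypes.c_ulong(-1).value  # let any process attach

def ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Current Yama scope as an int, or None when Yama is not built in."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return None

def attach_allowed(scope, tracer_is_ancestor, tracer_granted=False,
                   tracer_has_cap_sys_ptrace=False):
    """Model of the extra Yama check on PTRACE_ATTACH (classic DAC checks still apply).
    scope 0 or None: nothing extra.  scope 1: the tracer must be an ancestor,
    have been named via PR_SET_PTRACER, or hold CAP_SYS_PTRACE."""
    if scope in (None, 0):
        return True
    if scope == 1:
        return bool(tracer_is_ancestor or tracer_granted or tracer_has_cap_sys_ptrace)
    raise ValueError("ptrace_scope %r is not covered by this deck" % scope)

def allow_ptracer(pid):
    """Name `pid` (or PR_SET_PTRACER_ANY) as a process allowed to attach to us.
    Typical use: a daemon registering its crash handler under ptrace_scope=1.
    Raises OSError (EINVAL) when the running kernel has no Yama."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    if libc.prctl(PR_SET_PTRACER, ctypes.c_ulong(pid), 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))

if __name__ == "__main__":
    scope = ptrace_scope()
    print("kernel.yama.ptrace_scope:", scope)
    # Hypothetical: the pid of the out-of-tree debugger/crash handler comes from
    # the environment; with scope 1 it could not attach without this grant.
    debugger = int(os.environ.get("DEBUGGER_PID", "0"))
    if scope == 1 and debugger:
        allow_ptracer(debugger)
        print("granted PTRACE_ATTACH to pid", debugger)
```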

Demo and Questions?

Recent exploits and mitigation techniques

Null pointer dereferences:
- Userspace and kernelspace share the virtual address space.
- mmap() at address 0x00 + a NULL pointer dereference bug in the kernel => potential null pointer vulnerability [9] [10] [11].
- Check the git logs (if the information is available):
    git log -p --grep="null.*pointer.*reference"

mmap_min_addr protection (old):
    $ cat /proc/sys/vm/mmap_min_addr
    65536

Linux Local Privilege Escalation via SUID /proc/pid/mem Write [12]:
- /proc/<pid>/mem is used by debuggers.
- /proc/<pid>/mem is also a source of vulnerabilities.
- CVE-2012-0056
- Fixed by commits:
    e268337dfe26dfc7ef
    6d08f2c7139790c26
- Exploit bonus.

Uninitialized stack [13]:
- Uninitialized stack memory still holds data left there by earlier use.
- Is the old data still available?
- CVE-2010-2963
- Fixed by commit 3e645d6b485446c54c
- Protect with PaX [7].

Linux kernel modules:
- Modules are also used by rootkits.
- Module autoloading abuses: CAP_NET_ADMIN can load modules, and not only net modules [14]. Load other modules:
    # ifconfig ntfs
    # lsmod | grep ntfs
- Disable module autoloading:
    # echo "/bin/false" > /proc/sys/kernel/modprobe
    # sysctl -w kernel.modprobe="/bin/false"
- Disable module loading permanently (paranoid):
    # echo 1 > /proc/sys/kernel/modules_disabled
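As an added example (not part of the original slides), the following script audits in one place the knobs the deck recommends across the dmesg_restrict, kptr_restrict, hidepid, Yama, mmap_min_addr and module slides: it reads /proc/sys and /proc/mounts when they exist and otherwise falls back to a constructed snapshot; the recommended values are the ones the slides pass to sysctl -w, and the function names are this example's own.

```python
# Added example, not from the slides: audit the sysctl/mount knobs the deck
# recommends.  Reads /proc when present; a constructed snapshot is embedded.
import os

# (knob, recommended minimum, what it buys); numbers as passed to sysctl -w on the slides.
SYSCTL_KNOBS = [
    ("kernel/dmesg_restrict", 1, "kernel log only for CAP_SYS_ADMIN/CAP_SYSLOG"),
    ("kernel/kptr_restrict", 2, "%pK kernel pointers printed as 0"),
    ("kernel/yama/ptrace_scope", 1, "PTRACE_ATTACH only on descendants"),
    ("vm/mmap_min_addr", 65536, "no user mapping at the NULL page"),
    ("kernel/modules_disabled", 1, "module loading switched off for good"),
]
MODPROBE_OFF = "/bin/false"  # kernel.modprobe value that defeats autoloading

def hidepid_from_mounts(mounts_text):
    """hidepid= of the /proc mount: 0 if unset, None if /proc is not mounted."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    value = opt.split("=", 1)[1]
                    return int(value) if value.isdigit() else value  # newer kernels accept keywords
            return 0
    return None

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None

def read_live(proc_root="/proc"):
    """Snapshot the knobs from the running kernel; a missing knob becomes None."""
    knobs = [k for k, _, _ in SYSCTL_KNOBS] + ["kernel/modprobe"]
    snap = {k: _read(os.path.join(proc_root, "sys", k)) for k in knobs}
    mounts = _read(os.path.join(proc_root, "mounts"))
    snap["hidepid"] = hidepid_from_mounts(mounts) if mounts is not None else None
    return snap

def audit(snap):
    """One finding string per knob weaker than the deck's recommendation."""
    findings = []
    for knob, want, why in SYSCTL_KNOBS:
        raw = snap.get(knob)
        if raw is None:
            findings.append("%s: not present on this kernel" % knob)
        elif int(raw) < want:
            findings.append("%s = %s, want >= %d (%s)" % (knob, raw, want, why))
    # Autoloading only matters while modules can still be loaded at all.
    if snap.get("kernel/modules_disabled") != "1" and snap.get("kernel/modprobe") != MODPROBE_OFF:
        findings.append("kernel/modprobe = %s: CAP_NET_ADMIN can still autoload any module" % snap.get("kernel/modprobe"))
    if snap.get("hidepid") is None:
        findings.append("no /proc mount found")
    elif snap.get("hidepid") == 0:
        findings.append("/proc mounted without hidepid=: /proc/<pid>/* readable by every user")
    return findings

# Constructed snapshot of an unhardened 3.x box (not captured from a real host).
SAMPLE_SNAPSHOT = {
    "kernel/dmesg_restrict": "0", "kernel/kptr_restrict": "1", "kernel/yama/ptrace_scope": None,
    "vm/mmap_min_addr": "65536", "kernel/modules_disabled": "0", "kernel/modprobe": "/sbin/modprobe",
    "hidepid": hidepid_from_mounts("proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"),
}

if __name__ == "__main__":
    snap = read_live() if os.path.isdir("/proc/sys") else SAMPLE_SNAPSHOT
    for finding in audit(snap):
        print("WEAK:", finding)
```

Each finding names the knob and the sysctl value the slides recommend, so the output maps directly onto the sysctl -w commands above.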

Demo and Questions?

Conclusion

- More proactive security features in the mainline kernel.
- The origin of some of the security protections presented here is:
    Openwall [8]
    grsecurity/PaX [7]
- Openwall kernel hardening page [15].

Other protections:
- LSM: SELinux, AppArmor, TOMOYO, ... [16].
- GCC plugins and code instrumentation as security protections: grsecurity/PaX gcc plugins [7]: constify pointers, stackleak, ...
- grsecurity's RBAC [7].
- Seccomp (SECure COMPuting) with filters: filter system calls by syscall number and arguments with BPF (Berkeley Packet Filter) [17].

Thank you!

Questions?

Download this from: http://opendz.org/

References:
[1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.
[2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/
[3] http://www.acm.uiuc.edu/projects/RingCycle/
[4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/
[5] http://www.makelinux.net/kernel_map/
[6] http://linux.die.net/man/7/capabilities
[7] http://grsecurity.net/
[8] http://openwall.net/
[9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
[10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
[11] http://seclists.org/fulldisclosure/2009/Aug/190
[12] http://blog.zx2c4.com/749
[13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf
[14] https://lkml.org/lkml/2011/2/24/203
[15] http://openwall.info/wiki/Owl/kernel-hardening
[16] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security
[17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt
