Linux kernel and recent security protections

Djalal Harouni
tixxdz@opendz.org
@tixxdz
BsidesAlgiers 05-05-12

Why this lecture?

    Talk about the Linux kernel and Open-source.
    Talk about security.

What it's not about:

    A listing of security protections.
    A comparison between different Linux security protections.
    A comparison against *BSD, Windows, ...

What it's about:

    An introduction to the Linux kernel source code.
    Some recent practical security protections (not all of them) that were merged upstream.
    Examples of some recent kernel exploits and mitigations.
    The talk will be simple, with a special focus on questions.

Plan:
    Linux kernel source code
        Demo and Questions?
    Recent security protections
        Demo and Questions?
    Recent exploits and mitigation techniques
        Demo and Questions?
    Conclusion
    Questions

Linux kernel source code

    Official mirror: http://www.kernel.org http://git.kernel.org/
    Mailing lists: http://vger.kernel.org/vger-lists.html
    Main development mailing list: http://vger.kernel.org/vger-lists.html#linux-kernel
    Archived at: http://lkml.org
    Download and untar, or git clone:
        cd linux-3.3.4

Linux source code demo

Configuration and other Makefile options:
    make help
    make menuconfig
    make defconfig
    make mandocs
    make cscope
Compilation:
    make -j $n
    make path/single_file.o
    make path/module.ko

More from Linux Kernel in a Nutshell [1].

Linux memory space:

    Figure 1: Virtual to Physical [2]
    Figure 2: Virtual address space [3]

Linux file system and syscalls:

    Figure 3: Linux File system [4]

Interactive map of Linux kernel [5]

Demo and Questions?

Recent security protections

Introduction to Linux capabilities:
    On UNIX a privileged process => euid 0 (root).
    From Linux 2.2 superuser privileges were divided into distinct units called capabilities (an old feature, not a new one).
Capabilities:
    CAP_NET_ADMIN: network-related operations.
    CAP_SETUID: arbitrary UID manipulations.
    CAP_SYS_ADMIN: a lot of system administration operations (syslog, mount/unmount, ...).
    CAP_SYS_MODULE: load/unload kernel modules.
    …

More from the Linux capabilities man page [6].
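As an added example (not from the slides): the kernel reports a process's capability sets in /proc/<pid>/status as hex bitmasks (CapEff, CapPrm, CapInh, CapBnd); this script decodes such a mask into names so you can check which of the capabilities listed above a process actually holds. Bit numbers follow the kernel's capability.h; the `risky_caps` helper and the sample masks are our own choices for illustration.

```shell
#!/bin/bash
# Decode capability bitmasks from /proc/<pid>/status (CapEff, CapPrm, CapInh, CapBnd).
# Bit numbers follow the kernel's include/uapi/linux/capability.h.

cap_name() {                       # cap_name BIT -> capability name
    case "$1" in
        0)  echo CAP_CHOWN ;;            1)  echo CAP_DAC_OVERRIDE ;;
        2)  echo CAP_DAC_READ_SEARCH ;;  3)  echo CAP_FOWNER ;;
        4)  echo CAP_FSETID ;;           5)  echo CAP_KILL ;;
        6)  echo CAP_SETGID ;;           7)  echo CAP_SETUID ;;
        8)  echo CAP_SETPCAP ;;          9)  echo CAP_LINUX_IMMUTABLE ;;
        10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;        13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;         15) echo CAP_IPC_OWNER ;;
        16) echo CAP_SYS_MODULE ;;       17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;       19) echo CAP_SYS_PTRACE ;;
        20) echo CAP_SYS_PACCT ;;        21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;         23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;     25) echo CAP_SYS_TIME ;;
        26) echo CAP_SYS_TTY_CONFIG ;;   27) echo CAP_MKNOD ;;
        28) echo CAP_LEASE ;;            29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;    31) echo CAP_SETFCAP ;;
        32) echo CAP_MAC_OVERRIDE ;;     33) echo CAP_MAC_ADMIN ;;
        34) echo CAP_SYSLOG ;;           35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;    37) echo CAP_AUDIT_READ ;;
        *)  echo "CAP_UNKNOWN_$1" ;;     # newer kernels define further bits
    esac
}

decode_caps() {                    # decode_caps HEXMASK -> one capability name per line
    local mask="$1" bit=0
    while [ "$bit" -lt 64 ]; do
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then
            cap_name "$bit"
        fi
        bit=$((bit + 1))
    done
}

has_cap() {                        # has_cap HEXMASK NAME -> exit 0 iff NAME is set in the mask
    decode_caps "$1" | grep -qx "$2"
}

# The capabilities this talk singles out: CAP_NET_ADMIN can trigger module
# autoloading, CAP_SYS_MODULE loads modules, CAP_SYS_ADMIN and CAP_SETUID are
# root-equivalent in practice. (Helper name is ours, not from the slides.)
risky_caps() {                     # risky_caps HEXMASK -> the risky subset, one per line
    decode_caps "$1" | grep -x -e CAP_NET_ADMIN -e CAP_SYS_MODULE -e CAP_SYS_ADMIN -e CAP_SETUID
}

pid_capeff() {                     # pid_capeff [PID] -> CapEff mask of PID (default: this shell)
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Usage: ./caps.sh --report   (prints the effective capabilities of this shell)
if [ "${1:-}" = "--report" ]; then
    mask=$(pid_capeff) && echo "CapEff: $mask" && decode_caps "$mask"
fi
```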

Dmesg restrict sysctl:
    Restricts the kernel syslog (dmesg) to users with CAP_SYS_ADMIN.
    Based on GRKERNSEC_DMESG from grsecurity [7].
    Commit eaf06b241b09135
        # sysctl -w kernel.dmesg_restrict=1
        or
        # echo "1" > /proc/sys/kernel/dmesg_restrict

Kptr restrict sysctl:
    Hides kernel addresses from unprivileged users.
    If kptr_restrict == 0: no restrictions.
    If kptr_restrict == 1 and kernel pointers are printed using the %pK format, then only users with CAP_SYSLOG can view them.
    If kptr_restrict == 2: all kernel pointers printed using the %pK format are replaced with 0's.
    Commit 455cd5ab305c90ffc4
        # sysctl -w kernel.kptr_restrict=2

    Extra: make vmlinuz and System.map root read-only files.

Restrict access to /proc/<pid>/ directories:
    Procfs is a virtual file system.
    Procfs is an interface to kernel data structures.

    $ cat /proc/cpuinfo
    processor : 0
    vendor_id : GenuineIntel
    cpu family : 6

    /proc/<pid>/* contains information about a running process.

    $ cat /proc/self/maps
    00400000-0040b000 r-xp 00000000 08:0f 4456467   /bin/cat
    0060a000-0060b000 r--p 0000a000 08:0f 4456467   /bin/cat
    0060b000-0060c000 rw-p 0000b000 08:0f 4456467   /bin/cat
    023ae000-023cf000 rw-p 00000000 00:00 0         [heap]
    …

Restrict access to /proc/<pid>/ directories:
    Use the new hidepid= and gid= mount options to restrict access to these directories.
    The origin of the patch is the -ow kernel patches [8] and grsecurity [7].
    If hidepid == 0: no restrictions, classic mode.
    If hidepid == 1: users can access only their own pid directories.
    If hidepid == 2: access to all /proc/<pid>/ directories is restricted.
    Commit 97412950b10e64f347
    Commit 0499680a42141d8641
Hint: use 'kill -0 $pid' to discover valid pids.

Yama LSM (Linux Security Module)
    Ptrace scope restriction: controls which process may ptrace another (a debugging process and its inferior).
    Origin of the patch: -ow [8] and grsecurity [7].
    If ptrace_scope == 0: classic ptrace permissions.
    If ptrace_scope == 1: allow PTRACE_ATTACH only on descendants by default. The inferior can change this relationship and choose its debugger with prctl(PR_SET_PTRACER, ...).
    Commit 2d514487faf188938a

    Yama ptrace scope sysctl:
        # sysctl -w kernel.yama.ptrace_scope=1

Demo and Questions?

Recent exploits and mitigation techniques

Null pointer dereferences:
    Userspace and kernelspace share the virtual address space.
    mmap() at 0x00 + a null pointer dereference bug in the kernel => potential null pointer vulnerability [9] [10] [11].
    Check the git logs (if the information is available):
        git log -p --grep="null.*pointer.*reference"

mmap_min_addr protection (old):
    $ cat /proc/sys/vm/mmap_min_addr
    65536

Linux Local Privilege Escalation via SUID /proc/pid/mem Write [12]:
    /proc/<pid>/mem is used by debuggers.
    /proc/<pid>/mem is also a source of vulnerabilities.
    CVE-2012-0056
    Fixed by commits:
        e268337dfe26dfc7ef
        6d08f2c7139790c26
Exploit bonus.

Uninitialized stack [13]:
    Uninitialized stack memory still contains data from earlier use.
    Is the old data still available?
    CVE-2010-2963
    Fixed by commit 3e645d6b485446c54c
    Protect with PaX [7].

Linux kernel modules:
    Modules are also used by rootkits.
    Module autoloading abuses: CAP_NET_ADMIN can load modules, and not only net modules [14]. Load other modules:
        # ifconfig ntfs
        # lsmod | grep ntfs
    Disable module autoloading:
        # echo "/bin/false" > /proc/sys/kernel/modprobe
        # sysctl -w kernel.modprobe="/bin/false"
    Disable module loading permanently (paranoid):
        # echo 1 > /proc/sys/kernel/modules_disabled
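Added example, not from the slides: one audit script covering the knobs from the dmesg_restrict, kptr_restrict, hidepid, Yama ptrace_scope, mmap_min_addr and module loading slides, comparing each with the value recommended there and reporting OK/WARN/MISSING. The ROOT argument (so a constructed copy of /proc can be checked offline), the function names and the output format are our own choices.

```shell
#!/bin/bash
# Audit the hardening knobs from this talk. ROOT (default: empty, i.e. the live
# system) is prefixed to every /proc path so a constructed tree can be checked
# offline. Expected values are the ones recommended on the slides.

read_knob() {                  # read_knob ROOT kernel/foo -> content of /proc/sys/kernel/foo or "missing"
    local f="$1/proc/sys/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

check_knob() {                 # check_knob ROOT knob expected -> OK (0) / WARN (1) / MISSING (2)
    local root="$1" knob="$2" want="$3" have
    have=$(read_knob "$root" "$knob")
    case "$have" in
        missing) echo "MISSING $knob (not built into this kernel?)"; return 2 ;;
        "$want") echo "OK      $knob=$have"; return 0 ;;
        *)       echo "WARN    $knob=$have (expected $want)"; return 1 ;;
    esac
}

check_min() {                  # check_min ROOT knob minimum -> like check_knob, numeric lower bound
    local root="$1" knob="$2" min="$3" have
    have=$(read_knob "$root" "$knob")
    if [ "$have" = missing ]; then echo "MISSING $knob"; return 2; fi
    if [ "$have" -ge "$min" ] 2>/dev/null; then echo "OK      $knob=$have"; return 0; fi
    echo "WARN    $knob=$have (expected >= $min)"; return 1
}

hidepid_value() {              # hidepid_value ROOT -> hidepid= option of the /proc mount, 0 if absent
    awk '$2 == "/proc" && $3 == "proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[i]); print opt[i]; exit }
             print 0; exit
         }' "$1/proc/mounts" 2>/dev/null
}

kallsyms_leaks() {             # kallsyms_leaks ROOT -> number of symbols whose address is not all zeros
    [ -r "$1/proc/kallsyms" ] || { echo 0; return; }
    awk '$1 !~ /^0+$/ { n++ } END { print n + 0 }' "$1/proc/kallsyms"
}

audit_hardening() {            # audit_hardening [ROOT] -> prints findings, returns their count
    local root="${1:-}" bad=0 hp
    check_knob "$root" kernel/dmesg_restrict 1     || bad=$((bad + 1))
    check_knob "$root" kernel/kptr_restrict 2      || bad=$((bad + 1))
    check_knob "$root" kernel/yama/ptrace_scope 1  || bad=$((bad + 1))
    check_knob "$root" kernel/modprobe /bin/false  || bad=$((bad + 1))
    check_knob "$root" kernel/modules_disabled 1   || bad=$((bad + 1))   # the "paranoid" setting
    check_min  "$root" vm/mmap_min_addr 65536      || bad=$((bad + 1))
    hp=$(hidepid_value "$root")
    case "$hp" in
        1|2) echo "OK      proc mounted with hidepid=$hp" ;;
        *)   echo "WARN    proc mounted without hidepid=1|2"; bad=$((bad + 1)) ;;
    esac
    # Only meaningful when run unprivileged: with CAP_SYSLOG the addresses are shown anyway.
    if [ "$(kallsyms_leaks "$root")" -gt 0 ]; then
        echo "WARN    /proc/kallsyms shows real addresses (kptr_restrict not effective for this user)"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Usage: ./audit.sh --audit [ROOT]; the exit status is the number of findings.
if [ "${1:-}" = "--audit" ]; then
    audit_hardening "${2:-}"
fi
```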

Demo and Questions?

Conclusion

    More proactive security features in the mainline kernel.
    The origin of some of the security protections presented here is:
        Openwall [8]
        grsecurity/PaX [7]
    Openwall kernel hardening page [15].

Other protections:
    LSM: SELinux, AppArmor, TOMOYO, … [16].
    GCC plugins and code instrumentation as security protections:
        grsecurity/PaX gcc plugins [7]: constify pointers, stackleak, …
    grsecurity's RBAC [7].
    Seccomp (SECure COMPuting) with filters: filter system calls by syscall number and arguments with BPF (Berkeley Packet Filter) [17].

Thank you!

Questions?

Download this from: http://opendz.org/

References:
[1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.
[2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/
[3] http://www.acm.uiuc.edu/projects/RingCycle/
[4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/
[5] http://www.makelinux.net/kernel_map/
[6] http://linux.die.net/man/7/capabilities
[7] http://grsecurity.net/
[8] http://openwall.net/
[9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
[10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
[11] http://seclists.org/fulldisclosure/2009/Aug/190
[12] http://blog.zx2c4.com/749
[13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf
[14] https://lkml.org/lkml/2011/2/24/203
[15] http://openwall.info/wiki/Owl/kernel-hardening
[16] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security
[17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt

BSides Algiers - Certification Electronique - Lilia Ounini
 
BSides algiers - Malware History - Sofiane Talmat
BSides algiers -  Malware History - Sofiane TalmatBSides algiers -  Malware History - Sofiane Talmat
BSides algiers - Malware History - Sofiane Talmat
 

Recently uploaded

Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligencePrecisely
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 

Recently uploaded (20)

Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 

BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni

  • 1. Linux kernel and recent security protections
     Djalal Harouni, tixxdz@opendz.org, @tixxdz
     BSides Algiers, 05-05-12
  • 2. Why this lecture?
     Talk about the Linux kernel and open source.
     Talk about security.
  • 3. What it is not about
     A listing of security protections.
     A comparison between different Linux security protections.
     A comparison against *BSD, Windows, ...
  • 4. What it is about
     An introduction to the Linux kernel source code.
     Some recent, practical security protections (not all of them) that were merged upstream.
     Examples of some recent kernel exploits and their mitigations.
     The talk is kept simple, with a special focus on questions.
  • 5. Plan
     Linux kernel source code, then demo and questions
     Recent security protections, then demo and questions
     Recent exploits and mitigation techniques, then demo and questions
     Conclusion
     Questions
  • 6. Section: Linux kernel source code
  • 7. Linux kernel source code
     Official mirror: http://www.kernel.org and http://git.kernel.org/
     Mailing lists: http://vger.kernel.org/vger-lists.html
     Main development mailing list: http://vger.kernel.org/vger-lists.html#linux-kernel, archived at http://lkml.org
     Download and untar, or git clone, then:
       cd linux-3.3.4
  • 8. Linux kernel source code: source tree demo
  • 9. Linux kernel source code: configuration and build
     Configuration and other Makefile targets:
       make help
       make menuconfig
       make defconfig
       make mandocs
       make cscope
     Compilation (the whole tree, a single object file, or a single module):
       make -j $n
       make path/single_file.o
       make path/module.ko
     More in Linux Kernel in a Nutshell [1].
  • 10. Linux kernel source code: Linux memory space
     Figure 1: Virtual to physical address translation [2]
     Figure 2: Virtual address space layout [3]
  • 11. Linux kernel source code: Linux file system and syscalls
     Figure 3: Linux file system [4]
  • 12. Linux kernel source code: interactive map of the Linux kernel [5]
  • 13. Linux kernel source code: demo and questions?
  • 14. Plan (agenda slide repeated; next section: recent security protections)
  • 15. Recent security protections: introduction to Linux capabilities
     On traditional UNIX a privileged process is one with euid 0 (root): all or nothing.
     Since Linux 2.2 the superuser's privileges are divided into distinct units called capabilities (an old feature, not a new one), so a process or a file can hold only the subset it needs.
     Examples:
       CAP_NET_ADMIN: network-related operations.
       CAP_SETUID: arbitrary UID manipulations.
       CAP_SYS_ADMIN: a catch-all for many system administration operations (syslog, mount/umount, ...).
       CAP_SYS_MODULE: load/unload kernel modules.
       ...
     More in the capabilities(7) man page [6].
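As an added example (not part of the talk), the following C program decodes the capability sets of the running process from /proc/self/status. The bit numbers in the table are the values from the kernel's linux/capability.h; the status text in the comments and test is constructed, and the program assumes a Linux system with procfs mounted.

```c
/* Added example: decode the CapInh/CapPrm/CapEff/CapBnd masks that the
 * kernel reports in /proc/<pid>/status.  Linux only. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit numbers from linux/capability.h (hard-coded so the example builds
 * without kernel headers); only the capabilities the talk mentions. */
static const struct { int bit; const char *name; } cap_names[] = {
    {  7, "CAP_SETUID"     },
    { 12, "CAP_NET_ADMIN"  },
    { 16, "CAP_SYS_MODULE" },
    { 17, "CAP_SYS_RAWIO"  },
    { 19, "CAP_SYS_PTRACE" },
    { 21, "CAP_SYS_ADMIN"  },
    { 34, "CAP_SYSLOG"     },   /* added in 2.6.38 */
};

/* Extract the 64-bit mask of one "CapXxx:" field from the text of a
 * /proc/<pid>/status file.  Returns UINT64_MAX when the field is absent. */
uint64_t cap_mask_from_status(const char *status_text, const char *field)
{
    size_t flen = strlen(field);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            uint64_t mask;
            if (sscanf(p + flen + 1, " %" SCNx64, &mask) == 1)
                return mask;
            return UINT64_MAX;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return UINT64_MAX;
}

int cap_mask_has(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Read one capability set of the running process. */
uint64_t self_cap_mask(const char *field)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return UINT64_MAX;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_mask_from_status(buf, field);
}

/* Print the named capabilities present in a mask; returns how many were set. */
int print_caps(uint64_t mask)
{
    int count = 0;
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (cap_mask_has(mask, cap_names[i].bit)) {
            printf("  %s\n", cap_names[i].name);
            count++;
        }
    return count;
}

int main(void)
{
    /* For a root shell CapEff is typically 0000003fffffffff (every bit set);
     * for an unprivileged process it is 0. A daemon that was granted only
     * CAP_NET_ADMIN shows 0000000000001000: that is the point of splitting
     * root into units. */
    uint64_t eff = self_cap_mask("CapEff");
    printf("CapEff = %016" PRIx64 "\n", eff);
    if (print_caps(eff) == 0)
        printf("  (none of the listed capabilities)\n");
    return 0;
}
```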
  • 16. Recent security protections: dmesg_restrict sysctl
     Restricts reading the kernel log (dmesg, syslog(2)) to privileged users: CAP_SYS_ADMIN when the sysctl was merged in 2.6.37, and since 2.6.38 the dedicated CAP_SYSLOG capability.
     Why: kernel messages leak addresses, driver and hardware details and oops dumps that make exploitation easier.
     Based on GRKERNSEC_DMESG from grsecurity [7].
     Commit eaf06b241b09135
       # sysctl -w kernel.dmesg_restrict=1
     or
       # echo 1 > /proc/sys/kernel/dmesg_restrict
  • 17. Recent security protections: kptr_restrict sysctl
     Hide kernel addresses from unprivileged users.
     If kptr_restrict == 0: no restrictions.
     If kptr_restrict == 1: kernel pointers printed with the %pK format (for example in /proc/kallsyms) are shown only to users with CAP_SYSLOG; everybody else sees zeros.
     If kptr_restrict == 2: all kernel pointers printed with %pK are replaced with zeros, whoever asks.
     Commit 455cd5ab305c90ffc4
       # sysctl -w kernel.kptr_restrict=2
     Extra: make vmlinuz and System.map readable by root only, since System.map contains the same addresses.
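The two sysctls above are easy to set and easy to forget, so as an added example (not from the talk) here is a small C checker that reads them and then verifies, from /proc/kallsyms, whether kernel addresses are actually masked for the process running it. The kallsyms lines in the test are constructed; the program assumes Linux with procfs.

```c
/* Added example: report kernel.dmesg_restrict / kernel.kptr_restrict and
 * check whether /proc/kallsyms addresses are really masked for us. */
#include <stdio.h>
#include <string.h>

/* Read an integer sysctl via /proc/sys; -1 if it does not exist. */
int read_sysctl_int(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Count symbol lines in kallsyms-formatted text ("<addr> <type> <name>")
 * whose address is masked (all zeros, what %pK prints when restricted).
 * Returns the masked count; the total line count goes to *total if given. */
size_t kallsyms_masked_lines(const char *text, size_t *total)
{
    size_t masked = 0, n = 0;
    const char *line = text;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        size_t i = 0;
        int all_zero = 1;
        while (i < len && line[i] != ' ') {      /* first token = address */
            if (line[i] != '0') all_zero = 0;
            i++;
        }
        if (i > 0) { n++; if (all_zero) masked++; }
        line = end ? end + 1 : NULL;
    }
    if (total) *total = n;
    return masked;
}

/* Inspect the first `limit` lines of the live /proc/kallsyms.
 * 1 = every address masked, 0 = at least one real address visible,
 * -1 = file unreadable or empty. */
int live_kallsyms_masked(size_t limit)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f) return -1;
    char line[512];
    size_t total = 0, masked = 0, seen = 0;
    while (seen < limit && fgets(line, sizeof line, f)) {
        size_t t = 0;
        masked += kallsyms_masked_lines(line, &t);
        total += t;
        seen++;
    }
    fclose(f);
    if (total == 0) return -1;
    return masked == total;
}

int main(void)
{
    printf("kernel.dmesg_restrict = %d\n", read_sysctl_int("/proc/sys/kernel/dmesg_restrict"));
    printf("kernel.kptr_restrict  = %d\n", read_sysctl_int("/proc/sys/kernel/kptr_restrict"));
    int m = live_kallsyms_masked(64);
    printf("/proc/kallsyms for this process: %s\n",
           m < 0 ? "unreadable" : m ? "addresses masked" : "addresses visible");
    /* "addresses visible" with kptr_restrict=1 means the process holds
     * CAP_SYSLOG (e.g. it runs as root); with kptr_restrict=2 it should
     * never happen. */
    return 0;
}
```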
  • 18. Recent security protections: restrict access to /proc/<pid>/ directories
     Procfs is a virtual file system: an interface to kernel data structures.
       $ cat /proc/cpuinfo
       processor : 0
       vendor_id : GenuineIntel
       cpu family : 6
     /proc/<pid>/* contains information about a running process, for example its memory layout:
       $ cat /proc/self/maps
       00400000-0040b000 r-xp 00000000 08:0f 4456467 /bin/cat
       0060a000-0060b000 r--p 0000a000 08:0f 4456467 /bin/cat
       0060b000-0060c000 rw-p 0000b000 08:0f 4456467 /bin/cat
       023ae000-023cf000 rw-p 00000000 00:00 0 [heap]
       ...
  • 19. Recent security protections: restrict access to /proc/<pid>/ directories
     Use the new hidepid= and gid= mount options of procfs to restrict access to these directories.
     Origin of the patch: the -ow kernel patches [8] and grsecurity [7].
     hidepid=0: no restrictions, classic behaviour.
     hidepid=1: a user can only enter their own /proc/<pid>/ directories; other users' directories are still listed but their contents (cmdline, maps, status, ...) are not accessible.
     hidepid=2: as hidepid=1, and other users' /proc/<pid>/ directories are hidden from listings entirely.
     gid=<group>: members of this group (for example a monitoring daemon's) are exempt from the restriction.
     Commit 97412950b10e64f347
     Commit 0499680a42141d8641
     Caveat: only /proc is hidden. 'kill -0 $pid' still tells whether a pid exists (EPERM instead of ESRCH), so pids can be enumerated anyway.
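The two slides above give the /proc/<pid>/maps format and the kill -0 caveat; as an added example (not from the talk) the C program below parses maps lines the way an auditing tool would, flags the mappings an attacker wants (writable and executable at the same time), and implements the kill(pid, 0) probe that hidepid does not stop. The maps lines in the test are constructed; Linux only.

```c
/* Added example: parse /proc/<pid>/maps lines, flag W+X mappings, and
 * probe pid existence with kill(pid, 0) regardless of hidepid. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct mapping {
    unsigned long start, end, offset;
    char perms[5];            /* e.g. "r-xp" */
    char path[256];           /* "" for anonymous mappings */
};

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 on a malformed line. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long ino;
    char dev[16];
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &m->start, &m->end, m->perms, &m->offset, dev, &ino, m->path);
    return n >= 6;
}

int mapping_is_wx(const struct mapping *m)
{
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* 1 if the line describes a writable+executable region, 0 if not,
 * -1 if the line could not be parsed. */
int maps_line_is_wx(const char *line)
{
    struct mapping m;
    if (!parse_maps_line(line, &m)) return -1;
    return mapping_is_wx(&m);
}

/* Walk a maps file and count W+X regions (a W^X violation each);
 * -1 if the file cannot be opened, e.g. because hidepid hides it. */
int count_wx_mappings(const char *maps_path)
{
    FILE *f = fopen(maps_path, "r");
    if (!f) return -1;
    char line[512];
    int wx = 0;
    while (fgets(line, sizeof line, f))
        if (maps_line_is_wx(line) == 1)
            wx++;
    fclose(f);
    return wx;
}

/* The caveat from the slide: kill(pid, 0) delivers no signal but answers
 * "exists, not yours" (EPERM) versus "no such process" (ESRCH), whether or
 * not /proc/<pid> is visible. */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

int main(void)
{
    printf("W+X mappings in this process: %d\n", count_wx_mappings("/proc/self/maps"));
    /* Enumerate the low pid range the way a scanner would. With hidepid=2
     * most of these do not show up in `ls /proc`, but they answer here. */
    int found = 0;
    for (pid_t p = 1; p <= 4096; p++)
        found += pid_exists(p);
    printf("pids 1..4096 that exist according to kill(pid, 0): %d\n", found);
    return 0;
}
```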
  • 20. Recent security protections: Yama LSM (Linux Security Module)
     Ptrace scope restriction: limits which process may become the debugger of another (its "inferior").
     Origin of the patch: -ow [8] and grsecurity [7].
     If ptrace_scope == 0: classic ptrace permissions (same uid and a dumpable target are enough).
     If ptrace_scope == 1: PTRACE_ATTACH is allowed only on a descendant by default. An inferior can change that relationship and choose its own debugger with prctl(PR_SET_PTRACER, pid, ...); a process with CAP_SYS_PTRACE is not restricted. Later kernels added scope 2 (admin only) and 3 (no attach at all).
     Commit 2d514487faf188938a
     Yama ptrace scope sysctl:
       # sysctl -w kernel.yama.ptrace_scope=1
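To see the Yama rule in action, the following added example (not from the talk, and its three-process arrangement is this example's own) has a tracer that is a sibling, not an ancestor, of the target try PTRACE_ATTACH twice: once after the target declared it with PR_SET_PTRACER, once without. With ptrace_scope=1 only the declared attempt succeeds; with 0 both do; with 2 or 3 neither. Linux only.

```c
/* Added example: a non-ancestor process attaching under Yama, with and
 * without the target's prctl(PR_SET_PTRACER) declaration. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61        /* "Yama", for old headers */
#endif
#ifndef __WALL
#define __WALL 0x40000000
#endif

/* kernel.yama.ptrace_scope, or -1 if Yama is not built in or not enabled. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Returns 1 if a sibling process managed to PTRACE_ATTACH to the target,
 * 0 otherwise.  With declare != 0 the target first names the tracer via
 * PR_SET_PTRACER. */
int try_attach_sibling(int declare)
{
    int to_tracer[2], ready[2];
    if (pipe(to_tracer) < 0 || pipe(ready) < 0) return 0;

    pid_t tracer = fork();
    if (tracer < 0) return 0;
    if (tracer == 0) {                 /* tracer: waits to learn the target pid */
        pid_t target;
        if (read(to_tracer[0], &target, sizeof target) != (ssize_t)sizeof target)
            _exit(2);
        int ok = ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0;
        if (ok) {
            waitpid(target, NULL, __WALL);       /* target is now stopped */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
        }
        _exit(ok ? 0 : 1);
    }

    pid_t target = fork();
    if (target < 0) { kill(tracer, SIGKILL); waitpid(tracer, NULL, 0); return 0; }
    if (target == 0) {                 /* target: optionally pick its debugger */
        if (declare)
            prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0);
        char c = 1;
        if (write(ready[1], &c, 1) != 1) _exit(1);
        for (;;) pause();
    }

    char c;
    if (read(ready[0], &c, 1) == 1)    /* target is ready: release the tracer */
        (void)!write(to_tracer[1], &target, sizeof target);
    else
        close(to_tracer[1]);           /* tracer reads EOF and fails */

    int status = 1;
    waitpid(tracer, &status, 0);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    close(to_tracer[0]); close(to_tracer[1]); close(ready[0]); close(ready[1]);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("kernel.yama.ptrace_scope = %d\n", read_ptrace_scope());
    printf("sibling attach, target undeclared:              %s\n",
           try_attach_sibling(0) ? "allowed" : "refused");
    printf("sibling attach, target used PR_SET_PTRACER:     %s\n",
           try_attach_sibling(1) ? "allowed" : "refused");
    return 0;
}
```

Declaring a ptracer can only widen what is allowed, never narrow it, which is the invariant the test checks independently of the scope in force on the machine.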
  • 21. Recent security protections: demo and questions?
  • 22. Plan (agenda slide repeated; next section: recent exploits and mitigation techniques)
  • 23. Recent exploits and mitigation techniques: NULL pointer dereferences
     Userspace and kernelspace share the virtual address space, so a kernel NULL pointer dereference reads, writes or calls through page 0 of the current process.
     mmap() a page at 0x00 filled with attacker code + a NULL pointer dereference bug in the kernel => ring 0 code execution [9] [10] [11].
     Check the git logs (when the commit message gives it away):
       git log -p --grep="null.*pointer.*reference"
     mmap_min_addr protection (not new): an unprivileged process cannot map anything below this address; CAP_SYS_RAWIO is required to bypass it. [9] and [10] show how early versions of the check were bypassed.
       $ cat /proc/sys/vm/mmap_min_addr
       65536
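As an added example (not from the talk), the C program below performs the first step of the classic NULL-dereference exploit, mapping the zero page, and shows that mmap_min_addr refuses it for an unprivileged process while a hint at or above the limit is honoured. Linux only.

```c
/* Added example: what vm.mmap_min_addr blocks, seen from userspace. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

unsigned long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    unsigned long v = 0;
    if (f) { if (fscanf(f, "%lu", &v) != 1) v = 0; fclose(f); }
    return v;
}

/* Try to place one anonymous, writable page exactly at `addr` (this is what
 * an exploit does with addr == 0 before triggering the kernel bug).
 * Returns 0 on success (the page is unmapped again) or the errno. */
int try_map_fixed(unsigned long addr)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, (size_t)page);
    return 0;
}

/* Ask for a page near `hint` without MAP_FIXED and report where the kernel
 * actually put it (never below mmap_min_addr for an unprivileged caller). */
unsigned long map_near(unsigned long hint)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)hint, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    unsigned long where = (unsigned long)p;
    munmap(p, (size_t)page);
    return where;
}

int main(void)
{
    unsigned long min = read_mmap_min_addr();
    int r0 = try_map_fixed(0);
    printf("vm.mmap_min_addr = %lu\n", min);
    printf("mmap(0, MAP_FIXED): %s\n",
           r0 ? strerror(r0) : "succeeded: the NULL page is mappable (root with CAP_SYS_RAWIO, or the sysctl is 0)");
    printf("mmap hint %#lx landed at %#lx\n", min, map_near(min));
    return 0;
}
```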
  • 24. Recent exploits and mitigation techniques: Linux local privilege escalation via SUID /proc/pid/mem write [12]
     /proc/<pid>/mem is used by debuggers: it reads and writes a process's memory at a given virtual address, even through read-only pages.
     /proc/<pid>/mem is also a source of vulnerabilities.
     CVE-2012-0056 ("mempodipper" [12]): a setuid program could be tricked into writing attacker-chosen data into its own memory through an inherited /proc/<pid>/mem file descriptor; the fix moved the permission check and the mm reference to open time.
     Fixed by commits:
       e268337dfe26dfc7ef
       6d08f2c7139790c26
     Exploit bonus.
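What makes /proc/<pid>/mem so powerful is shown by this added example (not from the talk): the process reads its own ELF header through the file at the address taken from /proc/self/maps, and then writes through it into a constant that lives in a read-only page, which the kernel allows by copying the page (this is exactly the capability that CVE-2012-0056 turned against setuid targets). The process operates on itself only; Linux only.

```c
/* Added example: read and write a process's memory via /proc/self/mem. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* A constant in .rodata: normally unwritable. */
static const uint32_t rodata_marker = 0x11223344u;

/* pread from the process's own memory; returns bytes read or -errno. */
ssize_t proc_mem_read(uintptr_t addr, void *buf, size_t len)
{
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return -errno;
    ssize_t n = pread(fd, buf, len, (off_t)addr);
    int err = errno;
    close(fd);
    return n < 0 ? -err : n;
}

/* pwrite into the process's own memory; returns bytes written or -errno. */
ssize_t proc_mem_write(uintptr_t addr, const void *buf, size_t len)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) return -errno;
    ssize_t n = pwrite(fd, buf, len, (off_t)addr);
    int err = errno;
    close(fd);
    return n < 0 ? -err : n;
}

/* Read 4 bytes at the start of the lowest mapping (the executable's first
 * segment, which begins with the ELF header).  1 = "\x7fELF" found,
 * 0 = readable but no magic, -1 = maps or mem not readable. */
int elf_magic_via_proc_mem(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    unsigned long start = 0;
    int ok = fscanf(f, "%lx-", &start) == 1;
    fclose(f);
    unsigned char magic[4] = {0};
    if (!ok || proc_mem_read(start, magic, 4) != 4) return -1;
    return memcmp(magic, "\x7f" "ELF", 4) == 0;
}

/* Overwrite the read-only constant through /proc/self/mem.
 * 1 = written and the value changed, 0 = the kernel refused the write,
 * 2 = the write was reported successful but the value did not change. */
int patch_rodata_via_proc_mem(void)
{
    uint32_t new_value = 0xdeadbeefu;
    uintptr_t addr = (uintptr_t)&rodata_marker;
    if (proc_mem_write(addr, &new_value, sizeof new_value) != (ssize_t)sizeof new_value)
        return 0;
    /* volatile read: the compiler must not fold the constant */
    return *(volatile const uint32_t *)&rodata_marker == new_value ? 1 : 2;
}

int main(void)
{
    printf("ELF magic readable via /proc/self/mem: %d\n", elf_magic_via_proc_mem());
    int r = patch_rodata_via_proc_mem();
    printf("write into .rodata via /proc/self/mem: %s\n",
           r == 1 ? "succeeded (the page was copied-on-write)"
                  : r == 0 ? "refused" : "inconsistent");
    return 0;
}
```

A debugger needs this write-through-read-only behaviour to plant breakpoints; the 2012 bug was that the check deciding who may open the file for writing was not tied to the process that ended up doing the write.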
  • 25. Recent exploits and mitigation techniques: uninitialized stack [13]
     An uninitialized kernel stack variable still contains whatever an earlier code path left at that depth.
     Is the old data still available, and can an attacker control it?
     CVE-2010-2963
     Fixed by commit 3e645d6b485446c54c
     Mitigation: PaX's STACKLEAK gcc plugin clears the kernel stack on the way back to userspace [7].
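The bug class is easiest to see in userspace, so as an added example (not from the talk) here is the pattern in miniature: one call leaves a recognisable byte pattern in its stack frame, a later call at the same depth declares a buffer without initialising it and finds the old bytes, and the fixed variant zeros the buffer first. The uninitialised count is not asserted because reading uninitialised memory is undefined behaviour in C; only the zeroed variant has a guaranteed result.

```c
/* Added example: stale data in an uninitialised stack buffer, and the fix. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF 512
#define MARK 0xA5

/* Step 1: a call that fills its stack frame with a recognisable pattern
 * (in the kernel: any earlier syscall that used that stack depth). */
__attribute__((noinline)) void leave_stack_residue(void)
{
    volatile unsigned char scratch[BUF];
    for (size_t i = 0; i < BUF; i++) scratch[i] = MARK;
    __asm__ __volatile__("" : : "r"(scratch) : "memory");
}

/* Step 2, vulnerable pattern: same frame depth, no initialisation.  The
 * empty asm tells the compiler the buffer may have been written, so the
 * reads below are real loads and not optimised away. */
__attribute__((noinline)) size_t residue_in_uninitialised_buffer(void)
{
    unsigned char buf[BUF];                   /* deliberately not initialised */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
    size_t n = 0;
    for (size_t i = 0; i < BUF; i++) n += (buf[i] == MARK);
    return n;
}

/* Step 2, fixed pattern: clear the object before anything reads it. */
__attribute__((noinline)) size_t residue_in_zeroed_buffer(void)
{
    unsigned char buf[BUF];
    memset(buf, 0, sizeof buf);
    __asm__ __volatile__("" : : "r"(buf) : "memory");
    size_t n = 0;
    for (size_t i = 0; i < BUF; i++) n += (buf[i] == MARK);
    return n;
}

int main(void)
{
    leave_stack_residue();
    printf("stale bytes seen by the uninitialised buffer: %zu of %d\n",
           residue_in_uninitialised_buffer(), BUF);
    leave_stack_residue();
    printf("stale bytes seen by the zeroed buffer:        %zu of %d\n",
           residue_in_zeroed_buffer(), BUF);
    return 0;
}
```

In the kernel the stale bytes may be a pointer or a length that a later ioctl trusts; STACKLEAK removes the residue systematically instead of relying on every driver to memset its locals.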
  • 26. Recent exploits and mitigation techniques: Linux kernel modules
     Modules are also used by rootkits.
     Module autoloading abuse: request_module() can be reached by a process holding only CAP_NET_ADMIN, and it is not limited to network modules [14]. Load an unrelated module through the network ioctl path:
       # ifconfig ntfs
       # lsmod | grep ntfs
     (upstream later changed dev_load() to request the "netdev-<name>" alias first and to fall back to the raw name only when the caller also has CAP_SYS_MODULE)
     Disable module autoloading (explicit insmod/modprobe by root still works):
       # echo "/bin/false" > /proc/sys/kernel/modprobe
       # sysctl -w kernel.modprobe="/bin/false"
     Disable module loading completely (paranoid; cannot be undone until reboot):
       # echo 1 > /proc/sys/kernel/modules_disabled
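The `ifconfig ntfs` trick is a SIOCGIFFLAGS ioctl on a non-existent interface name; as an added example (not from the talk) the C program below issues that ioctl directly, reports the three knobs that decide whether the kernel will run modprobe for it, and checks /proc/modules before and after. The /proc/modules text in the test is constructed; Linux only.

```c
/* Added example: trigger the network-ioctl module autoload path and read
 * the sysctls that control it. */
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Does /proc/modules-formatted text ("name size refcount deps state addr")
 * list a module called `name`? */
int proc_modules_has(const char *text, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ' ') return 1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* 1 if the module is loaded, 0 if not, -1 if /proc/modules is unreadable. */
int module_loaded(const char *name)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/modules", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return proc_modules_has(buf, name);
}

/* Ask the kernel for the flags of interface `name`.  For an unknown name
 * the answer is ENODEV, but on the way there dev_load() may call
 * request_module(): on the kernels the slide targets any module of that
 * name is loaded if the caller has CAP_NET_ADMIN; newer kernels ask for
 * "netdev-<name>" first and use the raw name only with CAP_SYS_MODULE.
 * Returns the errno of the ioctl, 0 if the interface exists. */
int probe_interface(const char *name)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return errno;
    int r = ioctl(s, SIOCGIFFLAGS, &ifr) == 0 ? 0 : errno;
    close(s);
    return r;
}

/* kernel.modules_disabled, or -1 if the sysctl does not exist. */
int read_modules_disabled(void)
{
    FILE *f = fopen("/proc/sys/kernel/modules_disabled", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

int main(void)
{
    char helper[256] = "?\n";
    FILE *f = fopen("/proc/sys/kernel/modprobe", "r");
    if (f) { if (!fgets(helper, sizeof helper, f)) strcpy(helper, "?\n"); fclose(f); }
    printf("kernel.modprobe = %s", helper);
    printf("kernel.modules_disabled = %d\n", read_modules_disabled());
    printf("ntfs loaded before: %d\n", module_loaded("ntfs"));
    printf("SIOCGIFFLAGS(\"ntfs\") -> %s\n", strerror(probe_interface("ntfs")));
    printf("ntfs loaded after:  %d\n", module_loaded("ntfs"));
    return 0;
}
```

Run it as an unprivileged user and nothing is loaded; run it with CAP_NET_ADMIN on an affected kernel and the "after" line flips to 1, unless kernel.modprobe points at /bin/false or modules_disabled is set.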
  • 27. Recent exploits and mitigation techniques: demo and questions?
  • 28. Plan (agenda slide repeated; next: conclusion)
  • 29. Conclusion
     More proactive security features are landing in the mainline kernel.
     The origin of several of the protections presented here is out-of-tree work: Openwall [8] and grsecurity/PaX [7].
     See also the Openwall kernel hardening page [15].
  • 30. Conclusion: other protections
     LSMs: SELinux, AppArmor, TOMOYO, ... [16].
     GCC plugins and code instrumentation as security protections, e.g. the grsecurity/PaX gcc plugins [7]: constify (make function-pointer tables read-only), stackleak, ...
     grsecurity's RBAC [7].
     Seccomp (SECure COMPuting) with filters, "seccomp-bpf": filter system calls by syscall number and arguments with a BPF (Berkeley Packet Filter) program [17]; merged in Linux 3.5 and carried in Ubuntu's precise kernel at the time of this talk.
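As an added example (not from the talk) of the seccomp filter mentioned last, the C program below installs a BPF program that decides on both the syscall number and an argument: socket(2) is refused with EPERM when the domain is AF_INET, everything else is allowed. The filter checks the architecture first so that a compat ABI cannot be used to smuggle different syscall numbers past it. Needs Linux 3.5 or later with CONFIG_SECCOMP_FILTER; x86_64 and aarch64 are covered.

```c
/* Added example: a seccomp-bpf filter on syscall number and argument. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR 0                        /* not handled by this example */
#endif
#ifndef SYS_socket
#define SYS_socket -1                    /* socketcall ABI: ARCH_NR is 0 anyway */
#endif

/* Install the filter in the calling process.  0 on success, -1 if seccomp
 * filtering is unavailable here.  Jump targets are relative instruction
 * counts: (true, false). */
int install_no_inet_filter(void)
{
    struct sock_filter filter[] = {
        /* 1. Only accept our own ABI; kill anything else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 2. Load the syscall number; anything but socket(2) is allowed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 3),
        /* 3. socket(): low 32 bits of the first argument, the domain. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    if (ARCH_NR == 0) return -1;
    /* A filtered process must not gain privilege through setuid binaries
     * that never expected to run under a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Apply the filter in a child and exercise it.  0 = behaved as expected
 * (AF_INET refused with EPERM, AF_UNIX allowed), -1 = filter could not be
 * installed, 1 = unexpected result. */
int seccomp_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) {
        if (install_no_inet_filter() != 0) _exit(100);
        int inet = socket(AF_INET, SOCK_DGRAM, 0);
        int inet_err = errno;
        int unix_fd = socket(AF_UNIX, SOCK_DGRAM, 0);
        _exit(inet == -1 && inet_err == EPERM && unix_fd >= 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;
    int code = WEXITSTATUS(status);
    return code == 100 ? -1 : code == 0 ? 0 : 1;
}

int main(void)
{
    int r = seccomp_demo();
    printf("seccomp filter: %s\n",
           r == 0 ? "AF_INET socket refused with EPERM, AF_UNIX allowed"
                  : r < 0 ? "not available on this kernel" : "unexpected behaviour");
    return r == 0 ? 0 : 1;
}
```

Real filters are usually allow-lists (default SECCOMP_RET_KILL, explicit allows), but the shape is the same: load a field of seccomp_data, compare, jump, return a verdict.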
  • 31. Thank you! Questions?
     Download these slides from: http://opendz.org/
  • 32-33. References
     [1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.
     [2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/
     [3] http://www.acm.uiuc.edu/projects/RingCycle/
     [4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/
     [5] http://www.makelinux.net/kernel_map/
     [6] http://linux.die.net/man/7/capabilities
     [7] http://grsecurity.net/
     [8] http://openwall.net/
     [9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
     [10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
     [11] http://seclists.org/fulldisclosure/2009/Aug/190
     [12] http://blog.zx2c4.com/749
     [13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf
     [14] https://lkml.org/lkml/2011/2/24/203
     [15] http://openwall.info/wiki/Owl/kernel-hardening
     [16] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security
     [17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt