SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler
•
0 likes•140 views
Abstract ********* SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …). What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain? About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler
Similar to SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler (20)
More from SBA Research
More from SBA Research (20)
Recently uploaded
Recently uploaded (20)
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler
- 1. Classification: Confidential 2 Willkommen zur SBA Live Academy #bleibdaheim #remotelearning After the Exploit – Linux Self-defense by Reinhard Kugler This talk will be recorded as soon as the presentation starts! Please be sure to turn off your video in your control panel.
- 2. Classification: Confidential 4SBA Research gGmbH, 2020 https://www.martialtribes.com/defend-against-multiple-attackers/ CVE-2018-1260 CVE-2014-6271 CVE-2018-11776CVE-2019-11043 CVE-2020-?
- 3. Classification: Confidential 5 Remote Code Exection Attacks SBA Research gGmbH, 2020 apache /bin/sh php
- 4. Classification: Confidential 7SBA Research gGmbH, 2020 SelfdefenseTip0: Don‘t breakyourownstuff.
- 5. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip1: Reducetheattacksurface
- 6. Classification: Confidential 9 Example: Apache HTTP Server SBA Research gGmbH, 2020 apache (root) Underlying operating system apache (www-data) tcp/80 tcp/443 Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
- 7. Classification: Confidential 10 Capabilities • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_RAW • CAP_SYS_ADMIN • CAP_SYS_BOOT • CAP_SYS_CHROOT • … expressed as bitmask in /proc/$$/status SBA Research gGmbH, 2018 https://www.andreasch.com/2018/01/13/capabilities/ [Service] ... AmbientCapabilities=CAP_NET_BIND_SERVICE CapabilityBoundingSet=CAP_NET_BIND_SERVICE ... http://man7.org/linux/man-pages/man5/systemd.exec.5.html # setcap cap_net_bind_service+ep /usr/sbin/apache Systemd configuration Extended attribute
- 8. Classification: Confidential 11 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system tcp/80 tcp/443 Rogue process apache (www-data) apache (www-data) Things we do not like ✓ Don‘t run as root ✓ Don‘t permit access to files of the operating system ✓ Don‘t run arbitrary programs
- 9. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip2: ContaintheAttack https://commons.wikimedia.org/wiki/File:Strikeforce_cage_2011-01-07.jpg
- 10. Classification: Confidential 13 Example: Apache HTTP Server SBA Research gGmbH, 2020 Underlying operating system Rogue process container (limited) container filesystem tcp/80 tcp/443 apache (www-data) apache (www-data)
- 11. Classification: Confidential 15SBA Research gGmbH, 2020
- 12. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip3: EnsureMandatoryAccess https://en.wikipedia.org/wiki/File:Goshin_jujitsu_head_arm_lock_med.JPG
- 13. Classification: Confidential 18 Mandatory Access Control SBA Research gGmbH, 2020 AppArmor SELinux process /etc/passwd /bin/sh 1.1.1.1:80
- 14. Classification: Confidential 19 Quick Fix with AppArmor • /etc/apparmor.d/usr.sbin.apache2 SBA Research gGmbH, 2018 /usr/sbin/apache2 { ... deny /bin/dash x, ... } read (r), write (w), append (a) link (l) lock (k) mmap (m) execute (ix) child profile (Cx) profile (Px) unconfined (Ux) /** recursive # apparmor_parser -r -W /etc/apparmor.d/usr.sbin.apache2 # aa-complain apache2 # docker run --rm -it --security-opt "apparmor=apache2" -p 8000:80 apache2 # aa-enforce apache2
- 15. Classification: Confidential 22 Remote Code Exection Attacks SBA Research gGmbH, 2020 tcp/80 tcp/443 apache (www-data)
- 16. Classification: Confidential 23 Syscall Interface SBA Research gGmbH, 2020 Kernel syscall apache2 files memory process fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0 fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0 mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000 read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431 write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431 read(3, "", 131072) = 0 close(3) = 0 # /bin/cat /etc/passwd
- 17. Classification: ConfidentialSBA Research gGmbH, 2020 SelfdefenseTip4: ReducetheKernelSurface
- 18. Classification: Confidential 25SBA Research gGmbH, 2020 http://man7.org/linux/man-pages/man2/syscalls.2.html
- 19. Classification: Confidential 26 Seccomp BPF (filter syscalls) • Create a BPF script via macros • Load it via a syscall into the Kernel SBA Research gGmbH, 2020 /* Allow system calls other than open() and openat() */ struct sock_filter filter[] = { ... BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS) } struct sock_fprog prog = { .filter=filter, .len=... }; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
- 20. Classification: Confidential 29 Example: BPF to kill proceses using syscalls SBA Research gGmbH, 2020 [Service] ... SystemCallFilter =~ bind SystemCallFilter =~ chroot ... # docker run -it --security-opt seccomp=profile.json ... { "defaultAction":"SCMP_ACT_ALLOW", "syscalls":[ { "names":[ "bind", "connect", "mkdir" ], "action":"SCMP_ACT_KILL", Systemd configurationDocker
- 21. Classification: ConfidentialSBA Research gGmbH, 2020 “Ifyoutakeabus,youshouldknow whentogetoff!“ ― MasterIainArmstrong
- 22. Classification: Confidential 32 Final Remarks SBA Research gGmbH, 2020 0)Don‘tbreakyourownstuff 1)Reduce theattacksurface 2)Contain theAttack 3)Ensure Mandatory Access 4) Reducethe Kernel Surface https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
- 23. Classification: Confidential 33 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowhow Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org Reinhard Kugler rkugler@sba-research.org
- 24. Classification: Confidential 34 #bleibdaheim #remotelearning Coming up @ SBA Live Academy 13.05.2020, 13.00 Uhr, live: „Die COVID-19 Krise und Simulationsmodelle. Was kann man sagen? Und was nicht? “ by „Niki Popper (CSO und Mitgründer der dwh GmbH)“ Treten Sie unserer MeetUp Gruppe bei! https://www.meetup.com/Security-Meetup-by-SBA- Research/
- 25. Classification: Confidential 35 Reinhard Kugler SBA Research gGmbH Floragasse 7, 1040 Wien rkugler@sba-research.org SBA Research gGmbH, 2020