bsides algiers - linux kernel and recent security protections - djallal harouni

Linux kernel and recent security protections

Djalal Harouni

tixxdz@opendz.org

@tixxdz

BsidesAlgiers 05-05-12

Why this lecture ?

Talk about Linux kernel and Open-source.

Talk about security.

What's not about ?

A listing of security protections.

Comparison between different Linux security protections.

Comparison against *BSD, Windows ...

What's about ?

Introduction to Linux kernel source code. Some recent practical security protections (not

all of them) that were merged upstream. Examples of some recent kernel exploits and

mitigations. Talk will be simple with a special focus on

questions.

Plan: Linux kernel source code

Demo and Questions ? Recent security protections

Demo and Questions ? Recent exploits and mitigation techniques

Demo and Questions ? Conclusion Questions

Linux kernel source code

Officiel mirror: http://www.kernel.org http://git.kernel.org/

Mailing lists: http://vger.kernel.org/vger-lists.html

Main development mailing list:

http://vger.kernel.org/vger-lists.html#linux-kernel

Archived at: http://lkml.org

Download and untar or git clone:

cd linux-3.3.4

Linux source code demo

Configuration and other Makefile options:

make help

make menuconfig

make defconfig

make mandocs

make cscope Compilation:

make -j $n

make path/single_file.o

make path/module.ko

More from Linux Kernel in a Nutshell [1].

Linux memory space:

Figure 1: Virtual to Physical [2]

Figure 2: Virtual address space [3]

Linux file system and syscalls:

Figure 3: Linux File system [4]

Interactive map of Linux kernel [5]

Demo and Questions ?

Recent security protections

Introduction to Linux capabilities:

On UNIX a privileged process => euid 0 (root) From Linux 2.2 superuser privileges were divided into

distinct units called capabilities (old not new). Capabilities:

CAP_NET_ADMIN : network-related operations.

CAP_SETUID: arbitrary UIDs manipulations.

CAP_SYS_ADMIN: a lot of system administration operations (syslog, mount/unmount,...)

CAP_SYS_MODULE: load/unload kernel modules.

More from Linux capabilities man page [6].

Dmesg restrict sysctl:

Restrict kernel syslog to users with CAP_SYS_ADMIN

Based on GRKERNSEC_DMESG grsecurity [7]

Commit eaf06b241b09135

# sysctl -w kernel.dmesg_restrict=1

# echo "1" > /proc/sys/kernel/dmesg_restrict

Kptr restrict sysctl:

Hide kernel addresses from unprivileged users. If kptr_restrict == 0 no restrictions. If kptr_restrict == 1 and kernel pointers are printed using

the %pK format then only users with CAP_SYSLOG can view them.

If kptr_restrict == 2 all kernel pointers printed using the %pK format will be replaced with 0's.

Commit 455cd5ab305c90ffc4

# sysctl -w kernel.kptr_restrict=2

Extra: make vmlinuz and System.map root read-only files.

Restrict access to /proc/<pid>/ directories:

Procfs is a virtual file system. Procfs is an interface to kernel data structures.

$ cat /proc/cpuinfo

processor : 0

vendor_id : GenuineIntel

cpu family : 6

/proc/<pid>/* contains information about a running process.$ cat /proc/self/maps

00400000-0040b000 r-xp 00000000 08:0f 4456467 /bin/cat

0060a000-0060b000 r--p 0000a000 08:0f 4456467 /bin/cat

0060b000-0060c000 rw-p 0000b000 08:0f 4456467 /bin/cat

023ae000-023cf000 rw-p 00000000 00:00 0 [heap]

Restrict access to /proc/<pid>/ directories:

Use the new hidepid= and gid= mount options to restrict access to these directories.

Origin of the patch is from -ow kernel patches [8] and grsecurity [7].

If hidepid==0 no restrictions, classic mode.

If hidepid==1 users will access only their own pid directories.

If hidepid==2 restrict access to all /proc/<pid>/ directories.

Commit 97412950b10e64f347 Commit 0499680a42141d8641

Hint: use 'kill -0 $pid' to discover valid pids.

Yama LSM (Linux Security Module)

Ptrace scope restriction: a debugging process and its inferior Origin of the patch -ow [8] and grsecurity [7] If ptrace_scope == 0 classic ptrace permissions. If ptrace_scope == 1 allow PTRACE_ATTACH only on its

descendants by default. Inferior can change its relationship and choose its debugger with prctl(PR_SET_PTRACER,...)

Commit 2d514487faf188938a

Yama ptrace scope sysclt:

# sysctl -w kernel.yama.ptrace_scope=1

Recent exploits and mitigation techniques

Null pointer dereferences:

Userspace and kernelspace share the virtual address space.

mmap() at 0x00 + Null pointer dereference bug in the kernel => potential null pointer vulnerability [9] [10] [11].

Check git logs (if the information is available): git log -p –grep=”null.*pointer.*reference”

mmap_min_addr protection (old):

$ cat /proc/sys/vm/mmap_min_addr

Linux Local Privilege Escalation via SUID /proc/pid/mem Write [12]

/proc/<pid>/mem is used by debuggers. /proc/<pid>/mem is also a source of vulnerabilities. CVE-2012-0056

Fixed by commits:

e268337dfe26dfc7ef

6d08f2c7139790c26

Exploit bonus.

Uninitialized stack [13]:

Uninitialized contains data from before. Is still the old data available ?

CVE-2010-2963 Fixed by commit 3e645d6b485446c54c

Protect with PaX [7]

Linux kernel modules:

Modules are also used by rootkits.

Modules autoloading abuses: CAP_NET_ADMIN can load modules, and not only Net modules [14]. Load other modules:

# ifconfig ntfs

# lsmod | grep ntfs

Disable module autoloading:

# echo ”/bin/false” > /proc/sys/kernel/modprobe

# sysctl -w kernel.modprobe=”/bin/false” Disable module loading permanently (paranoid):

# echo 1 > /proc/sys/kernel/modules_disabled

Conclusion

More proactive security features in the mainline kernel.

The origin of some security protections presented here is from:

Openwall [8]

grsecurity/PaX [7]

Openwall kernel hardening page [15].

Conclusion

Other protections:

LSM: SELinux, AppArmor, TOMOYO, … [16].

GCC plugins and code instrumentation as security protections: grsecurity/PaX gcc plugins [7]: constify pointers, stackleak, …

grsecurity's RBAC [7].

Seccomp (SECure COMPuting) with filters: filter system calls by syscall numbers and arguments with BPF (Berkeley Packet Filter) [17].

Thank you!

Questions ?

Download this from: http://opendz.org/

References:

[1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.

[2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/

[3] http://www.acm.uiuc.edu/projects/RingCycle/

[4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/

[5] http://www.makelinux.net/kernel_map/

[6] http://linux.die.net/man/7/capabilities

[7] http://grsecurity.net/

[8] http://openwall.net/

[9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

[10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

[11] http://seclists.org/fulldisclosure/2009/Aug/190

References:

[12] http://blog.zx2c4.com/749

[13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf

[14] https://lkml.org/lkml/2011/2/24/203

[15] http://openwall.info/wiki/Owl/kernel-hardening

[16] http://http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security

[17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt

bsides algiers - linux kernel and recent security protections - djallal harouni

Technology

hacking food - bsides augusta 2017

bsides chicago 2013 honeypots

bsides algiers - certification electronique - lilia ounini

malware analysis par mohamed ali fathi - bsides algiers 2k15

faraday bsides latam 2016

bsides angler-evolution talk

digital booklet - algiers

bsides magazine_ march 2007

corbusier algiers project

splunk bsides

lta algiers

bsides algiers - reversing win32 applications - yacine...

bsides algiers - nmap scripting engine - hani benhabiles

bsides 2016 presentation

bsides algiers - metasploit framework - oussama elhamer

dox yourself bsides orlando

bsides nashville 2015

bsides set

bsides vienna 2015

bsides threat hunting