Workshop in Information Security

Building a Firewall within the Linux Kernel

Firewalls, vulnerabilities and

Linux Kernel Modules.

Lecturer: Eran Tromer

Teaching assistant: Coby Schmidt

Advisor: Assaf Harel, Ariel Haviv

2 .

Firewalls, vulnerabilities and Linux Kernel Modules.

1 Firewall Functionality

Vulnerabilities 2

Intro to Linux Kernel Modules 3

A few words on the next assignment 4

3 .

Firewalls, vulnerabilities and Linux Kernel Modules.

1 Firewall Functionality

Vulnerabilities 2

Intro to Linux Kernel Modules 3

A few words on the next assignment 4

4 .

Firewall goals (reminder)

A piece of soft/hardware intended to keep a certain

network secure:

– Enforce protocol correctness.

– Enforce policy of the network administrator.

– Minimize chance of intrusion & attacks.

Can operate in different levels of the OSI.

– First firewalls looked up to the TCP/IP level.

– Today’s firewalls inspect all the way up to the application

level.

5 .

Firewall requirements (reminder)

A firewall needs to look into packets, so it must a have

some communication with the kernel.

Needs to decide fast, we want maximum throughput. Can’t

afford slowing down the traffic.

Needs to be configurable.

Needs to provide some way for the user to see what’s

going on inside.

6 .

Packet filtering (reminder)

Each packet that is inspected waits for a verdict

– Accept

– Drop

Actually, mainly connection filtering.

We make certain connections legal, and the others illegal

(rules).

For example, we allow incoming connections to the host

10.1.1.1 only on port 80.

Another example – disallow all connections from

172.23.31.0/24 network.

7 .

Packet filtering (reminder cont.)

We look into the IP header of the packet to identify the

source and destination IP, and into the UDP/TCP header

to identify the source and destination ports.

When a new connection is established we check the

connection against a set of rules.

After a connection is accepted each packet is checked if it

is a part of an existing connection.

8 .

Firewall Functionality

A Firewall filter connections

against a policy or a rulebase,

rule by rule.

Generally speaking as we go

down there are more general

rules.

And as we go up there are more

specific rules

General

Specific Rule

Number

SourceIP DestIP SourcePort DestPort verdict

1 91.93.133.12

0

192.168.4.1

22

1550 3790 Accept

2 0.0.0.0 –

255.255.255.

255

192.168.4.1

22

Any Any Drop

3 0.0.0.0 –

255.255.255.

255

192.168.0.0

–

192.168.255

.255

Any 22 Accept

4 192.168.3.0

–

192.168.3.25

5

0.0.0.0 –

255.255.255

.255

Any Any Drop

5 192.168.0.0-

192.168.255.

255

0.0.0.0-

255.255.255

.255

Any 80 Accept

6

255.255.255.

255

0.0.0.0 -

255.255.255

.255

Any Any Drop

9 .

Firewall Functionality – lets have a thought experiment.

A possible organization

topology

192.168.1.0/24 intranet

of the organization –TOP

SECRET.

DMZ - Demilitarized

Zone. What the

organization willing to

expose to the public.

10 .

Firewalls, vulnerabilities and Linux Kernel Modules.

1 Firewall Functionality

Vulnerabilities 2

Intro to Linux Kernel Modules 3

A few words on the next assignment 4

11 .

Vulnerabilities – bad input

A common mistake is to think that by writing the code, you

know you will never get bad input from the other side of the

conversation.

Someone can send you a hand-crafted packet with bad

input – and BOOM.

If you don’t check the input, and it’s bad input:

– You might crash due to segmentation fault. That’s the better

scenario.

– In a worse scenario, you don’t crash:

– You mess up data in another part of your program.

– Someone can execute code on your machine.

– You unknowingly expose sensitive data.

12 .

Protocol Violation

Spoofing – forging source IP address.

An attacker can forge the IP address of a target inside a

protected network, and behave as if he/she is part of the

targeted network.

Can be protected simply by seeing an IP source address

coming from the wrong interface.

“Smurf attack”

13 .

Protocol Violation (cont)

“Ping of Death” sending a packet with size larger than

65536 bytes had crashed many OS

When a OS reassemble the packet it overruns memory

located next to the packet buffer and damages the system.

Not just ping but any protocol over IPv4.

A way to avoid is to patch the OS.

Let a Firewall make sure that the maximum packet size is no

larger than 65536 bytes.

14 .

SYN floods

SYN packets are the most expansive in term of CPU and

memory resources

An easy way to attack networks, gateway, servers and

more is to flood them with SYN packets (mostly with forged

source IP)

Sophisticated monitoring over SYN packets can prevent it

Let the firewall be the “man in the middle”, perform 3 way

handshake in front of the conversation initiator.

To prevent slowing down traffic, or even crashing the

firewall we should use it only after unresolved SYN

connections number passes some threshold.

15 .

The future (real near future)?

It becomes increasingly agreeable that attacks cannot be

completely blocked.

But what ever comes in, needs to come out.

By cultivating malwares, security analyst can construct a

list of bad reputations IP to block out going traffic to them.

16 .

Firewalls, vulnerabilities and Linux Kernel Modules.

1 Firewall Functionality

Software Vulnerabilities 2

Intro to Linux Kernel Modules 3

A few words on the next assignment 4

17 .

What is a Kernel Module

What is a kernel module? (wiki definition)

– An object file that contains code to extend the running kernel,

or so-called base kernel, of an operating system.

What is a kernel module? (my definition)

– A modular piece of code and data structures, that can be

plugged in and out of kernel space.

Modules register new facilities (functions and data

structures) to the kernel

18 .

How kernel modules different from user-space programs

C library/header files are not available, so many familiar

functions will not be available

– Can’t include <stdio.h>, or any other glibc header.

– But <kernel.h> offers some nice utilities

– e.g. min_t(type, x, y), swap(a, b)

– And there are many more: kfifo.h, slab.h, kthread.h, wait.h

Kernel Modules are event driven

– It provides facilities that can be used by the kernel during

interrupts, system calls etc.

– The kernel can even start using registered facilities before all

of them had been registered.

19 .

Building the Module

The purpose – eliminate the need to re-compile the kernel

every time you need to add/remove a specific feature.

A Makefile that adapts itself to current kernel.

– Look it up!

insmod and rmmod the module in and out the kernel.

Initialization function that is called when the module enters

the kernel.

Cleanup function that is called when the module is

removed from the kernel.

20 .

Our Kernel Module – The Firewall!

What will we do with our kernel module? (spoilers ahead)

– Register a char device, to communicate with the user space

(AKA: the real world).

– Make sysfs virtual files to get and set module values.

– Use the mmap API to expose large chunks of data from kernel

space.

– Register our own functions (AKA: hooks) with the netfilter

API, to issue verdicts on packets going in/out/through our

linux box.

– Maybe juggle some kernel threads, that will help us complete

deferred or a-synchronic tasks.

When our module is removed, it will clean up all this mess,

as if it was never there.

21 .

References

Further reference:

– Linux Device Drivers, Third Edition

– An excellent free e-book, contains all you need and don’t need

to know about kernel modules.

– Written for kernel 2.6, but not a lot changed since.

– Kernel Headers and Documentation

– On your machine

– e.g. /usr/src/linux-headers-`uname -r`/include/linux/ip.h

– On the net

– LXR or any other cross-reference site.

– http://kernel.org/doc/Documentation/

– The hardest to read, but probably the most useful.

– Your favorite search engine.

22 .

Firewalls, vulnerabilities and Linux Kernel Modules.

1 Firewall Functionality

Software Vulnerabilities 2

A few words on the next assignment 4

Intro to Linux Kernel Modules 3

23 .

A few words on the next assignment

To the end of this workshop you will have a working

firewall on the kernel, even if not a commercial one…

The next assignment will be the first step toward that goal,

completely in userspace

You’ll receive a fictitious state protocol of a car

communicating with a satellite

24 .

The fictitious protocol

25 .

A few words on the next assignment

Create all structs, modules and function needed to

implement a firewall based on that protocol

In the next assignment after this Firewall is stable it will

move to the kernel.

26 .

Assignment -demands

Write a modular code where different functions and

features will be independent with each other.

Write a well documented code, make me happy.

Try to make the as compact as possible

Remember, a well written code will be a code that will

easily move to the kernel, minimal and specific changes

will be much easier to handle.

Try the best to enjoy you code writing…