firewalls, vulnerabilities and linux kernel modules. 1

Post on 10-Feb-2017

  • Workshop in Information Security

    Building a Firewall within the Linux Kernel

    Firewalls, vulnerabilities and

    Linux Kernel Modules.

    Lecturer: Eran Tromer

    Teaching assistant: Coby Schmidt

    Advisor: Assaf Harel, Ariel Haviv

  • 2 .

    Firewalls, vulnerabilities and Linux Kernel Modules.

    1. Firewall Functionality
    2. Vulnerabilities
    3. Intro to Linux Kernel Modules
    4. A few words on the next assignment


  • 4 .

    Firewall goals (reminder)

    A piece of software/hardware intended to keep a certain network secure:

    Enforce protocol correctness.

    Enforce the policy of the network administrator.

    Minimize the chance of intrusion & attacks.

    Can operate at different levels of the OSI model.

    The first firewalls only looked up to the TCP/IP level.

    Today's firewalls inspect all the way up to the application level.

  • 5 .

    Firewall requirements (reminder)

    A firewall needs to look into packets, so it must have some communication with the kernel.

    Needs to decide fast; we want maximum throughput and can't afford to slow down the traffic.

    Needs to be configurable.

    Needs to provide some way for the user to see what's going on inside.

  • 6 .

    Packet filtering (reminder)

    Each packet that is inspected waits for a verdict:

    Accept

    Drop

    Actually, it is mainly connection filtering.

    We make certain connections legal and the others illegal (rules).

    For example, we allow incoming connections to the host 10.1.1.1 only on port 80.

    Another example: disallow all connections from the 172.23.31.0/24 network.

  • 7 .

    Packet filtering (reminder, cont.)

    We look into the IP header of the packet to identify the source and destination IP, and into the UDP/TCP header to identify the source and destination ports.

    When a new connection is established we check the connection against a set of rules.

    After a connection is accepted, each subsequent packet is checked to see whether it is part of an existing connection.

  • 8 .

    Firewall Functionality

    A firewall filters connections against a policy or a rulebase, rule by rule, from the top down.

    Generally speaking, as we go down the rulebase the rules become more general, and as we go up they become more specific; the first rule that matches a connection decides its verdict.

    Rule  Source IP                    Dest IP                      Source Port  Dest Port  Verdict
    1     91.93.133.120                192.168.4.122                1550         3790       Accept
    2     0.0.0.0-255.255.255.255      192.168.4.122                Any          Any        Drop
    3     0.0.0.0-255.255.255.255      192.168.0.0-192.168.255.255  Any          22         Accept
    4     192.168.3.0-192.168.3.255    0.0.0.0-255.255.255.255      Any          Any        Drop
    5     192.168.0.0-192.168.255.255  0.0.0.0-255.255.255.255      Any          80         Accept
    6     255.255.255.255              0.0.0.0-255.255.255.255      Any          Any        Drop
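As an added example (not code from the slides), the rulebase above encoded in C with the top-down, first-match evaluation the slide describes; rule 6's source lower bound, lost in extraction, is assumed to be 0.0.0.0, and the probe addresses in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One rule of the slide's rulebase: host-order IPv4 addresses, inclusive
 * ranges, and a port of 0 standing for "Any". */
typedef struct {
    uint32_t src_lo, src_hi, dst_lo, dst_hi;
    uint16_t sport, dport;
    int accept;   /* 1 = Accept, 0 = Drop */
} rule_t;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANY_LO IP4(0, 0, 0, 0)
#define ANY_HI IP4(255, 255, 255, 255)

/* The six rules from the table, in order. Rule 6's source lower bound was lost
 * in extraction; 0.0.0.0 is assumed here, as in rules 2 and 4. */
static const rule_t rulebase[] = {
    { IP4(91,93,133,120), IP4(91,93,133,120), IP4(192,168,4,122), IP4(192,168,4,122), 1550, 3790, 1 },
    { ANY_LO, ANY_HI, IP4(192,168,4,122), IP4(192,168,4,122), 0, 0, 0 },
    { ANY_LO, ANY_HI, IP4(192,168,0,0), IP4(192,168,255,255), 0, 22, 1 },
    { IP4(192,168,3,0), IP4(192,168,3,255), ANY_LO, ANY_HI, 0, 0, 0 },
    { IP4(192,168,0,0), IP4(192,168,255,255), ANY_LO, ANY_HI, 0, 80, 1 },
    { ANY_LO, ANY_HI, ANY_LO, ANY_HI, 0, 0, 0 },
};
/* First-match evaluation, top to bottom. Returns the 1-based number of the
 * deciding rule and stores its verdict in *accept; -1 and Drop if none matched. */
int match_rule(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, int *accept) {
    for (size_t i = 0; i < sizeof rulebase / sizeof rulebase[0]; i++) {
        const rule_t *r = &rulebase[i];
        if (src < r->src_lo || src > r->src_hi) continue;
        if (dst < r->dst_lo || dst > r->dst_hi) continue;
        if (r->sport != 0 && r->sport != sport) continue;
        if (r->dport != 0 && r->dport != dport) continue;
        *accept = r->accept;
        return (int)i + 1;
    }
    *accept = 0;   /* nothing matched: fail closed */
    return -1;
}

int main(void) {
    /* SSH to the protected host 192.168.4.122 hits rule 2 (Drop) before rule 3
     * (Accept SSH to 192.168.0.0/16) is ever consulted: order is the policy. */
    int accept;
    int n = match_rule(IP4(10,0,0,5), IP4(192,168,4,122), 40000, 22, &accept);
    printf("decided by rule %d: %s\n", n, accept ? "Accept" : "Drop");
    return 0;
}
```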

  • 9 .

    Firewall Functionality: let's have a thought experiment.

    A possible organization topology:

    192.168.1.0/24: the intranet of the organization, TOP SECRET.

    DMZ - Demilitarized Zone: what the organization is willing to expose to the public.

  • 10 .

    Firewalls, vulnerabilities and Linux Kernel Modules.

    1. Firewall Functionality
    2. Vulnerabilities
    3. Intro to Linux Kernel Modules
    4. A few words on the next assignment

  • 11 .

    Vulnerabilities: bad input

    A common mistake is to think that because you wrote the code, you know you will never get bad input from the other side of the conversation.

    Someone can send you a hand-crafted packet with bad input, and BOOM.

    If you don't check the input, and it's bad input:

    You might crash due to a segmentation fault. That's the better scenario.

    In a worse scenario, you don't crash:

    You mess up data in another part of your program.

    Someone can execute code on your machine.

    You unknowingly expose sensitive data.

  • 12 .

    Protocol Violation

    Spoofing: forging the source IP address.

    An attacker can forge the IP address of a host inside a protected network and behave as if he/she were part of the targeted network.

    Can be protected against simply by noticing a source IP address arriving on the wrong interface.

    Smurf attack

  • 13 .

    Protocol Violation (cont.)

    Ping of Death: sending a packet with a size larger than 65536 bytes has crashed many OSes.

    When an OS reassembles the packet it overruns memory located next to the packet buffer and damages the system.

    Not just ping, but any protocol over IPv4.

    One way to avoid it is to patch the OS.

    Another is to let a firewall make sure that the maximum packet size is no larger than 65536 bytes.
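An added example, not from the slides: the per-fragment size check a firewall can apply to enforce that limit, written against the IPv4 header layout (the largest IPv4 datagram is 65535 bytes, the maximum of the 16-bit Total Length field). The two sample fragments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MAX_DATAGRAM 65535u   /* Total Length is a 16-bit field */

/* Parses an IPv4 header and returns the byte offset just past this fragment's
 * payload in the reassembled datagram, or 0 for a malformed/truncated header. */
uint32_t fragment_end(const uint8_t *hdr, size_t len) {
    if (len < 20 || (hdr[0] >> 4) != 4) return 0;
    unsigned ihl   = (hdr[0] & 0x0fu) * 4u;                          /* header bytes */
    unsigned total = ((unsigned)hdr[2] << 8) | hdr[3];               /* Total Length */
    unsigned frag  = (((unsigned)hdr[6] << 8) | hdr[7]) & 0x1fffu;   /* 13-bit offset, 8-byte units */
    if (ihl < 20 || total < ihl || total > len) return 0;
    return frag * 8u + (total - ihl);
}

/* Stateless per-fragment verdict: 1 = Accept, 0 = Drop. Any fragment that would
 * extend the datagram past 65535 bytes is dropped before the host reassembles it. */
int oversize_verdict(const uint8_t *hdr, size_t len) {
    uint32_t end = fragment_end(hdr, len);
    if (end == 0) return 0;                  /* malformed: fail closed */
    return end <= IPV4_MAX_DATAGRAM;
}

/* Constructed samples. Both are last fragments at offset 8189 (65512 bytes in);
 * the first carries 100 payload bytes and ends at 65612, the second 20 and ends at 65532. */
static const uint8_t bad_fragment[120] = {
    0x45, 0x00, 0x00, 0x78,   /* v4, IHL 5, Total Length 120 */
    0x12, 0x34, 0x1f, 0xfd,   /* ID, flags 0 (last fragment), offset 0x1ffd = 8189 */
    0x40, 0x01, 0x00, 0x00,   /* TTL 64, protocol 1 (ICMP), checksum not verified here */
    10, 0, 0, 1, 10, 0, 0, 2  /* src 10.0.0.1, dst 10.0.0.2 */
};
static const uint8_t ok_fragment[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x1f, 0xfd,
    0x40, 0x01, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
};

int main(void) {
    printf("oversized fragment ends at %u -> %s\n", (unsigned)fragment_end(bad_fragment, sizeof bad_fragment),
           oversize_verdict(bad_fragment, sizeof bad_fragment) ? "Accept" : "Drop");
    printf("in-bounds fragment ends at %u -> %s\n", (unsigned)fragment_end(ok_fragment, sizeof ok_fragment),
           oversize_verdict(ok_fragment, sizeof ok_fragment) ? "Accept" : "Drop");
    return 0;
}
```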

  • 14 .

    SYN floods

    SYN packets are the most expensive in terms of CPU and memory resources.

    An easy way to attack networks, gateways, servers and more is to flood them with SYN packets (mostly with forged source IPs).

    Sophisticated monitoring of SYN packets can prevent it:

    Let the firewall be the man in the middle and perform the 3-way handshake in front of the conversation initiator.

    To avoid slowing down traffic, or even crashing the firewall, we should use it only after the number of unresolved SYN connections passes some threshold.
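An added example, not from the slides: a half-open connection table that implements the threshold rule above, engaging SYN-proxy mode only once unresolved SYNs exceed a limit and letting stale entries expire. The table size, the 30-second timeout and the threshold of 10 are constructed values for the example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_HALF_OPEN   64   /* constructed small table; real firewalls hash far more */
#define SYN_TIMEOUT     30u  /* seconds an unanswered SYN stays in the table */
#define PROXY_THRESHOLD 10u  /* more unresolved SYNs than this engage the SYN proxy */

typedef struct { uint32_t src, dst, t; uint16_t sport, dport; int used; } half_open_t;
static half_open_t table[MAX_HALF_OPEN];

void reset_table(void) { memset(table, 0, sizeof table); }

static int find_slot(uint32_t src, uint32_t dst, uint16_t sp, uint16_t dp) {
    for (int i = 0; i < MAX_HALF_OPEN; i++)
        if (table[i].used && table[i].src == src && table[i].dst == dst &&
            table[i].sport == sp && table[i].dport == dp) return i;
    return -1;
}

/* Drop entries whose SYN was never completed within SYN_TIMEOUT, then count the rest. */
unsigned expire_and_count(uint32_t now) {
    unsigned n = 0;
    for (int i = 0; i < MAX_HALF_OPEN; i++) {
        if (table[i].used && now - table[i].t > SYN_TIMEOUT) table[i].used = 0;
        n += table[i].used;
    }
    return n;
}

/* A SYN passed through: remember it as unresolved. Returns 0 if the table is full. */
int on_syn(uint32_t src, uint32_t dst, uint16_t sp, uint16_t dp, uint32_t now) {
    if (find_slot(src, dst, sp, dp) >= 0) return 1;       /* retransmit of a known SYN */
    for (int i = 0; i < MAX_HALF_OPEN; i++)
        if (!table[i].used) { table[i] = (half_open_t){src, dst, now, sp, dp, 1}; return 1; }
    return 0;
}

/* The handshake's final ACK from the initiator: the connection is resolved. */
void on_ack(uint32_t src, uint32_t dst, uint16_t sp, uint16_t dp) {
    int i = find_slot(src, dst, sp, dp);
    if (i >= 0) table[i].used = 0;
}

/* The slide's rule: only switch the firewall into SYN-proxy mode (answering SYNs
 * itself and completing the handshake before forwarding) once unresolved SYNs
 * exceed the threshold, so normal traffic is not slowed down. */
int syn_proxy_active(uint32_t now) { return expire_and_count(now) > PROXY_THRESHOLD; }
```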

  • 15 .

    The future (real near future)?

    It is becoming increasingly accepted that attacks cannot be completely blocked.

    But whatever comes in needs to come out.

    By cultivating malware, security analysts can construct a list of bad-reputation IPs and block outgoing traffic to them.

  • 16 .

    Firewalls, vulnerabilities and Linux Kernel Modules.

    1. Firewall Functionality
    2. Software Vulnerabilities
    3. Intro to Linux Kernel Modules
    4. A few words on the next assignment

  • 17 .

    What is a Kernel Module

    What is a kernel module? (wiki definition)

    An object file that contains code to extend the running kernel, or so-called base kernel, of an operating system.

    What is a kernel module? (my definition)

    A modular piece of code and data structures that can be plugged in and out of kernel space.

    Modules register new facilities (functions and data structures) with the kernel.

  • 18 .

    How kernel modules differ from user-space programs

    C library/header files are not available, so many familiar functions will not be available.

    Can't include , or any other glibc header.

    But the kernel offers some nice utilities, e.g. min_t(type, x, y), swap(a, b).

    And there are many more: kfifo.h, slab.h, kthread.h, wait.h.

    Kernel modules are event driven:

    A module provides facilities that can be used by the kernel during interrupts, system calls etc.

    The kernel can even start using registered facilities before all of them have been registered.

  • 19 .

    Building the Module

    The purpose: eliminate the need to re-compile the kernel every time you need to add/remove a specific feature.

    A Makefile that adapts itself to the current kernel. Look it up!

    insmod and rmmod move the module in and out of the kernel.

    An initialization function is called when the module enters the kernel.

    A cleanup function is called when the module is removed from the kernel.

  • 20 .

    Our Kernel Module: The Firewall!

    What will we do with our kernel module? (spoilers ahead)

    Register a char device, to communicate with user space (AKA: the real world).

    Make sysfs virtual files to get and set module values.

    Use the mmap API to expose large chunks of data from kernel space.

    Register our own functions (AKA: hooks) with the netfilter API, to issue verdicts on packets going in/out/through our Linux box.

    Maybe juggle some kernel threads that will help us complete deferred or asynchronous tasks.

    When our module is removed, it will clean up all this mess, as if it was never there.

  • 21 .

    References

    Further reference:

    Linux Device Drivers, Third Edition (http://lwn.net/Kernel/LDD3/)

    An excellent free e-book; contains all you need and don't need to know about kernel modules.

    Written for kernel 2.6, but not a lot has changed since.

    Kernel headers and documentation

    On your machine, e.g. /usr/src/linux-headers-`uname -r`/include/linux/ip.h

    On the net: LXR (http://lxr.linux.no/) or any other cross-reference site.

    http://kernel.org/doc/Documentation/ is the hardest to read, but probably the most useful.

    Your favorite search engine.

  • 22 .

    Firewalls, vulnerabilities and Linux Kernel Modules.

    1. Firewall Functionality
    2. Software Vulnerabilities