Linux Security Overview
TRANSCRIPT
Linux Security
Yehonatan Bitton
Outline
Introduction
Linux security modules (LSM)
Grsecurity
Sandboxing in the kernel
Who am I?
Yehonatan Bitton, married +2
Security researcher at BGU
Introduction
What are we protecting? User apps? Kernel modules? The core kernel functionality?
Linux security modules
Kernel hooks
Pluggable - kernel module style
It is not intended as a general "hook" or "upcall" mechanism
Examples: SELinux, AppArmor, Smack, Yama, …
Least privileges
SELinux
Mandatory access control
Very complicated
Learning mode
Just access control
Auditing
In mainline
GRsecurity
More than an access control module
RBAC
Can be stacked with LSM (not an LSM module)
Policy learning and analysis
PaX (will be covered later)
Improved ASLR
Chroot hardening (using containers)
PaX
Least-privilege protections for memory pages
Executable space protections
  PAGEEXEC
  SEGMEXEC
  ...
ASLR
PaX Executable space protections
Prevent shellcode/code injection attacks
NX-bit (non-executable bit, hardware based or emulated where needed)
Restrict the mprotect syscall
Does not work with the Java just-in-time compiler
There are exceptions
PaX cont'
PaX - PAGEEXEC
Uses or emulates the NX-bit on architectures without hardware support
On IA-32 - uses the supervisor bit
Using the two different TLBs (ITLB, DTLB) we can determine which one will cause the protection fault and inform the kernel; if the fault comes from the ITLB then PaX will kill the process, otherwise everything is fine
The PAGEEXEC patch overrides the fault handler and checks whether the fault results from an instruction fetch
Each fault is checked for the user address and if it has write permissions PaX will terminate the process.
SEGMEXEC
Reduce process VM size to 1.5G
The process memory is mirrored
Mapping in the upper and lower parts is the same
Does not double RAM usage
Each execution is checked against the mirror; if the code is not paged there PaX will terminate the process
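The slides above describe what PaX enforces (no page that is both writable and executable, and an mprotect call that may not turn a writable page into an executable one) but not how an administrator would check a running process for exactly that condition. The following added example, which is not code from the talk or from the PaX project, parses /proc/<pid>/maps and reports W+X mappings, and models the MPROTECT rule as a small policy function. The maps text in SAMPLE_MAPS is constructed, and pax_mprotect_allows is a simplified model of the rule, not PaX's implementation.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps output (not captured from a real
# process); the rwxp anonymous region is the kind of mapping PAGEEXEC and
# MPROTECT exist to prevent.
SAMPLE_MAPS = """\
55d3f2a00000-55d3f2a01000 r--p 00000000 08:01 1234       /usr/bin/demo
55d3f2a01000-55d3f2a02000 r-xp 00001000 08:01 1234       /usr/bin/demo
55d3f2a02000-55d3f2a03000 rw-p 00002000 08:01 1234       /usr/bin/demo
7f1c3c000000-7f1c3c021000 rw-p 00000000 00:00 0
7f1c3c100000-7f1c3c200000 rwxp 00000000 00:00 0          [anon:jit-cache]
7ffd4d2e0000-7ffd4d301000 rw-p 00000000 00:00 0          [stack]
"""

# address range, perms (rwxp/rwxs), offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return mappings


def find_wx_mappings(text: str) -> List[Mapping]:
    """Return the mappings that are writable and executable at the same time."""
    return [m for m in parse_maps(text) if m.writable and m.executable]


def pax_mprotect_allows(current: str, requested: str) -> bool:
    """Simplified model (an assumption, not PaX's code) of the MPROTECT rule:
    a page may never be writable and executable at once, exec may not be added
    to a writable page, and write may not be added to an executable page."""
    if "w" in requested and "x" in requested:
        return False
    if "x" in requested and "w" in current:
        return False
    if "w" in requested and "x" in current:
        return False
    return True


def scan_pid(pid="self") -> List[Mapping]:
    """Live check on a Linux host: the W+X mappings of one process."""
    with open(f"/proc/{pid}/maps") as f:
        return find_wx_mappings(f.read())


if __name__ == "__main__":
    for m in find_wx_mappings(SAMPLE_MAPS):
        print(f"W+X mapping {m.start:x}-{m.end:x} {m.perms} {m.path}")
```

Run against a real process with scan_pid(pid); a JIT such as the Java one mentioned on the slides will typically show up with an rwxp region, which is exactly why PaX needs per-binary exceptions for it.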
Seccomp
Module for sandboxing in the kernel (no virtualization)
Restrict process system calls
All child processes inherit the parent restrictions
Initially used for cloud computing
  A user uploads a program and it cannot abuse the server
Seccomp v2 supports dynamic policies
  Each process defines the syscalls which it can use and then enters seccomp mode
  In seccomp mode a process can add more restrictions
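The "dynamic policy" of seccomp v2 is a classic BPF program that the kernel runs on every syscall of the process; the slides state the idea but not the shape of such a policy. The following added example (not code from the talk) builds an allow-list filter for a set of syscall numbers, interprets it in Python so the decision can be checked before installation, and installs it with prctl(2) through ctypes. The constants are the kernel's values for x86_64; MINIMAL is a constructed syscall list, and a real program needs the full list of syscalls it actually makes (the Python runtime alone needs many more than these four).

```python
import ctypes
import ctypes.util
import struct
import sys
from typing import List, Tuple

# Classic BPF opcodes (values from <linux/bpf_common.h>)
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
# seccomp / prctl constants (values from <linux/seccomp.h>, <linux/prctl.h>)
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_MODE_FILTER = 2
PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS = 22, 38
AUDIT_ARCH_X86_64 = 0xC000003E
# struct seccomp_data: int nr @0, __u32 arch @4, __u64 ip @8, __u64 args[6] @16
OFF_NR, OFF_ARCH, SECCOMP_DATA_SIZE = 0, 4, 64

Insn = Tuple[int, int, int, int]  # (code, jt, jf, k) == struct sock_filter


def stmt(code: int, k: int) -> Insn:
    return (code, 0, 0, k)


def jump(code: int, k: int, jt: int, jf: int) -> Insn:
    return (code, jt, jf, k)


def build_allowlist_filter(allowed_nrs: List[int], arch: int = AUDIT_ARCH_X86_64) -> List[Insn]:
    """Allow only the listed syscall numbers; kill the process on anything else
    and on a foreign architecture, so i386/x32 numbers cannot alias x86_64 ones."""
    prog = [
        stmt(BPF_LD | BPF_W | BPF_ABS, OFF_ARCH),          # A = seccomp_data.arch
        jump(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0),       # arch ok -> skip the kill
        stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD | BPF_W | BPF_ABS, OFF_NR),            # A = seccomp_data.nr
    ]
    for nr in allowed_nrs:
        prog.append(jump(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1))  # match -> allow
        prog.append(stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW))
    prog.append(stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS))  # default deny
    return prog


def evaluate(prog: List[Insn], nr: int, arch: int = AUDIT_ARCH_X86_64) -> int:
    """Interpret the cBPF subset used above against a synthetic seccomp_data."""
    data = struct.pack("=iI", nr, arch).ljust(SECCOMP_DATA_SIZE, b"\0")
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD | BPF_W | BPF_ABS:
            acc = struct.unpack_from("=I", data, k)[0]
            pc += 1
        elif code == BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET | BPF_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


def pack_program(prog: List[Insn]) -> bytes:
    """Serialize to an array of struct sock_filter {u16 code; u8 jt; u8 jf; u32 k}."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in prog)


def install_filter(prog: List[Insn]) -> None:
    """Enter seccomp filter mode (Linux only). This is irreversible for the
    process, inherited by its children, and calling it again stacks a further
    filter, which is how a process adds more restrictions later."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)

    class SockFprog(ctypes.Structure):
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

    buf = ctypes.create_string_buffer(pack_program(prog))
    fprog = SockFprog(len(prog), ctypes.addressof(buf))
    # NO_NEW_PRIVS must be set first so an unprivileged process may install a filter
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(fprog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


# Constructed allow list; x86_64 numbers: read=0, write=1, exit=60, exit_group=231
MINIMAL = [0, 1, 60, 231]

if __name__ == "__main__":
    prog = build_allowlist_filter(MINIMAL)
    for nr in (1, 2, 231):
        verdict = "ALLOW" if evaluate(prog, nr) == SECCOMP_RET_ALLOW else "KILL"
        print(f"syscall {nr}: {verdict}")
```

The arch check at the top is the part most often forgotten: without it a process that switches to the 32-bit syscall ABI would be judged by the wrong numbering. Because evaluate runs the same program the kernel would, a policy can be unit-tested offline before install_filter is ever called.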
Namespaces
Create multiple process trees
A process from a child tree cannot affect the parent tree
  Ptrace
  Kill
Each process has multiple PIDs, one for each nested tree
Namespaces - network mounts
When using clone pass the special network flag - CLONE_NEWNET
Each process has a different set of network interfaces
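The two namespace slides (the nested PID trees with one PID per tree, and the per-process set of network interfaces created with CLONE_NEWNET) can be verified from user space without any privilege: /proc/<pid>/ns/* links identify the namespace a process is in, and the NSpid line of /proc/<pid>/status lists its PID in every nested PID namespace. The following added example (not code from the talk) parses both and compares two processes; SAMPLE_STATUS, HOST_NS and CHILD_NS are constructed values, and new_network_namespace is a hypothetical helper that needs CAP_SYS_ADMIN and Python 3.12+.

```python
import os
import re
from typing import Dict, List, Optional, Set

NS_KINDS = ("pid", "net", "mnt", "uts", "ipc", "user", "cgroup")
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def parse_ns_link(target: str) -> Optional[int]:
    """'net:[4026531992]' (readlink target of /proc/<pid>/ns/net) -> inode number.
    Two processes are in the same namespace iff this number is equal."""
    m = NS_LINK.match(target)
    return int(m.group(2)) if m else None


def parse_nspid(status_text: str) -> List[int]:
    """The NSpid line of /proc/<pid>/status: the PID of the process in each
    nested PID namespace, outermost first (one entry per tree it is visible in)."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    return []


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespace kinds in which both processes are in the same namespace."""
    return {k for k in a if k in b and a[k] == b[k]}


def namespace_ids(pid="self") -> Dict[str, int]:
    """Live lookup on Linux; another pid's links need ptrace-read access."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:
            pass  # kind unsupported by this kernel, or access denied
    return ids


def new_network_namespace() -> None:
    """Hypothetical helper: detach this process into a fresh, empty network
    namespace (the CLONE_NEWNET effect from the slide). Needs CAP_SYS_ADMIN."""
    os.unshare(os.CLONE_NEWNET)  # Python 3.12+, Linux only


# Constructed sample: a process seen as PID 4242 from the root namespace and
# as PID 1 inside its own child PID namespace (not captured from a real host).
SAMPLE_STATUS = "Name:\tsandboxed\nPid:\t4242\nNSpid:\t4242\t1\n"
HOST_NS = {"pid": 4026531836, "net": 4026531992, "mnt": 4026531840}
CHILD_NS = {"pid": 4026532200, "net": 4026532300, "mnt": 4026531840}

if __name__ == "__main__":
    print("PIDs per tree:", parse_nspid(SAMPLE_STATUS))
    print("shared with host:", shared_namespaces(HOST_NS, CHILD_NS))
    print("this process:", namespace_ids())
```

A sandboxed child that still shares the host's net or mnt namespace is a common misconfiguration; comparing namespace_ids(child_pid) with namespace_ids(1) from a privileged monitor makes that visible at a glance.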
Result
Communication
Using ssh daemon
Create a special UDS device from the init process and pass it down to the child trees
Using TCP
CGroups
Create separate groups for similar tasks
Each group has restrictions
  Resource limitation - memory usage
  Prioritization - CPU share
  Control - stop, restart, … a group
Each control group is in a different namespace
In 2007 "container"