The Evolution of Linux Kernel Module Signing (bx/code-signing/talks/shmoocon-2014-2.pdf)

Post on 28-Apr-2019

The Evolution of Linux Kernel Module Signing

Rebecca .bx Shapiro
ShmooCon 2014

.init.whoami

- I'm not a Linux developer
- I'm not a historian
- But I know my way around code repositories and mailing list archives
- And I am an ELF metadata wizard

Image: Tess27 on deviantart.com

Obligatory code signing slide

Images: Stick figures: xkcd. Matrix: Jamie Zawinski

Without code signing / With code signing

hash file, digitally sign hash

Code signing: it's not just an algorithm, it's a lifestyle.

But I'm just focusing on a few tiny aspects of code signing...

A focus on ELF metadata

- How/where is signature stored
- What is signed
- What is not signed
- How signature is interpreted
- How signature may be misinterpreted
  - Parser differentials*
- Highlighting the evolution b/c other implementations probably made similar mistakes

Image photoshopped by Kythera of Anevern

Parser differentials in plain English

The remainder of this talk

- ELF metadata overview
- The evolution of Linux module signing
  - With commentary on implementations
- What different distributions use
- Critique, etc

What is in an ELF

Linux kernel modules are ELFs too!

More than one way to skin an ELF

Image: Suruea, CC BY-SA 3.0

- Static linking view
- Load/runtime view

*Note: Linux module loader (in kernel) loads directly from the section headers

Now on to module signing...

How module signing evolved

- 2004: v0
- 2007: v1
- 2011: v2
- 2012: v3
- 2012: Linux 3.7

Used in Fedora/Redhat variants

Back in 2004 (v0)

- Greg Kroah-Hartman wrote a patch
  - Because other kernels sign their modules
- Linux 2.5
  - Module loading logic moved to kernel
- Edited by David Howells (Redhat)

Module signing v0

- Signature stored in ELF section
- Contents of .text and .data are hashed
- 'Signed Kernel Modules', Linux Journal

    for (i = 1; i < hdr->e_shnum; i++)
        if (strcmp(secstrings+sechdrs[i].sh_name, "module_sig") == 0) {
            sig_index = i;
            break;
        }

    for (i = 1; i < hdr->e_shnum; i++) {
        name = secstrings+sechdrs[i].sh_name;
        // We only care about sections with "text" or "data" in their names
        if ((strstr(name, "text") == NULL) && (strstr(name, "data") == NULL))
            continue;
        // avoid the ".rel.*" sections too.
        if (strstr(name, ".rel.") != NULL)
            continue;

        // (add contents of section to signature)
        ...
    }

2007: v1

- Patch by David Howells
- Appears in Fedora/RedHat

    // verify a module's integrity
    // - check the ELF is viable
    // - check the module's signature if it has one
    int module_verify(const Elf_Ehdr *hdr, size_t size)
    {
        struct module_verify_data mvdata;
        int ret;
        ...
        ret = module_verify_elf(&mvdata);
        if (ret < 0)
            goto error;
        ret = module_verify_signature(&mvdata);

    error:
        return ret;
    }

Module signing v1

- In module_verify_signature {}
- Signature still in ELF section
- More metadata is hashed! (headers and more sections)

    /* load data from each relevant section into the digest */
    for (i = 1; i < mvdata->nsects; i++) {
        ...
        if (i == mvdata->sig_index) // Do not sign signature
            continue;

        /* it would be nice to include relocation sections, but the act of
         * adding a signature to the module seems changes their contents,
         * because the symtab gets changed when sections are added or
         * removed */
        if (sh_type == SHT_REL || sh_type == SHT_RELA) {
            // add relocation header information to hash
            // add individual relocation entries and symbols they use to hash
            ...
            continue;
        }

        // hash allocatable loadable sections
        if (sh_type != SHT_NOBITS && sh_flags & SHF_ALLOC)
            goto include_section;
        continue;

    include_section:
        // add section header and section data to signature
        ...
    }

2011: v2

- 2011, David Howells
- Appears in RHEL 6
- Now with more indirection!
- Signature stored in note section (SHT_NOTE)

[Figure: note section layout, image from docs.oracle.com; labels: module.sig, 100, signature]

2011: v2

- Slightly more metadata is hashed
  - BSS headers (loaded empty sections)

    /* include the headers of BSS sections */
    if (sh_type == SHT_NOBITS && sh_flags & SHF_ALLOC) {
        // add header metadata to hash
        goto digested;
    }
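The section-selection rules in the v0, v1 and v2 excerpts above, modelled side by side as an added example (not code from the slides or from any of the patches). The section table is constructed, and `coverage` and `uncovered` are hypothetical names; the signature section itself is left out of the table.

```c
#include <stdio.h>
#include <string.h>

enum { SHT_PROGBITS = 1, SHT_SYMTAB = 2, SHT_STRTAB = 3, SHT_RELA = 4,
       SHT_NOBITS = 8, SHT_REL = 9, SHF_ALLOC = 2 };  /* ELF spec values */
struct sect { const char *name; unsigned type, flags; };

/* Constructed section table of the kind found in a module (no signature). */
const struct sect sample[] = {
    { ".text", SHT_PROGBITS, SHF_ALLOC },   { ".rodata", SHT_PROGBITS, SHF_ALLOC },
    { ".bss", SHT_NOBITS, SHF_ALLOC },      { ".rela.text", SHT_RELA, 0 },
    { ".modinfo", SHT_PROGBITS, SHF_ALLOC }, { "__ksymtab", SHT_PROGBITS, SHF_ALLOC },
    { ".gnu.linkonce.this_module", SHT_PROGBITS, SHF_ALLOC },
    { ".symtab", SHT_SYMTAB, 0 }, { ".strtab", SHT_STRTAB, 0 }, { ".comment", SHT_PROGBITS, 0 },
};
#define NSECT (sizeof(sample) / sizeof(sample[0]))

/* '-' not hashed, 'c' contents only, 'r' relocation entries (plus the
 * symbols they use), 'h' header only, 'H' header and data. */
char coverage(int ver, const struct sect *s)
{
    if (ver == 0) {                      /* v0: decided by section name */
        if (!strstr(s->name, "text") && !strstr(s->name, "data"))
            return '-';
        return strstr(s->name, ".rel.") ? '-' : 'c';
    }
    if (s->type == SHT_REL || s->type == SHT_RELA)
        return 'r';                      /* v1, v2: decided by type and flags */
    if (!(s->flags & SHF_ALLOC))
        return '-';
    if (s->type != SHT_NOBITS)
        return 'H';
    return ver >= 2 ? 'h' : '-';         /* v2 adds the BSS headers */
}

int uncovered(int ver)   /* sample sections a version leaves out of the digest */
{
    int n = 0;
    for (size_t i = 0; i < NSECT; i++)
        n += coverage(ver, &sample[i]) == '-';
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSECT; i++)
        printf("%-26s v0:%c v1:%c v2:%c\n", sample[i].name,
               coverage(0, &sample[i]), coverage(1, &sample[i]), coverage(2, &sample[i]));
    return 0;
}
```

Note that the v0 name test treats `.rela.text` as a "text" section because the `.rel.` filter does not match it, while v1 and v2 classify it by type.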

2012: Linux 3.7 / v3

- Decided it was best to hash entire module
- Signature should not be in ELF metadata
- 2 suggested implementations
  - Store signature in xattrs
    - Integrity Measurement Architecture did this (generically) since 2010 (Dmitry Kasatkin)
  - Append signature to end of ELF
    - v3 implemented by David Howells
    - Redhat/Fedora had to rework build/distribution process to allow for this
- Linux 3.7 incorporated Howells's v3 implementation

Linux 3.7 module signing

- Check for signature at end of file

    #define MODULE_SIG_STRING "~Module signature appended~\n"

    const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
    const void *mod = info->hdr;

    if (info->len > markerlen &&
        memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
        /* We truncate the module to discard the signature */
        info->len -= markerlen;
        err = mod_verify_sig(mod, &info->len);
    }

Linux 3.7 module signing

- Hash all the things! (but the signature)

    /* Verify the signature on a module. */
    int mod_verify_sig(const void *mod, unsigned long *_modlen)
    {
        // sanity checks
        ...
        // copy bytes at end of file into signature structure
        memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
        // do work to calculate length of module (modlen)
        ...
        sig = mod + modlen;
        // add all module contents (but signature) to signature
        pks = mod_make_digest(ms.hash, mod, modlen);
        if (IS_ERR(pks)) {
            ret = PTR_ERR(pks);
            goto error;
        }
        ...
        ret = verify_signature(key, pks);

    error:
        return ret;
    }
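The "calculate length of module" step elided above, as an added userspace example (not the kernel's code and not from the slides): it walks back from the end-of-file marker to find which bytes are hashed and where the signature starts, without doing any cryptographic check. The trailer field layout is assumed from mainline's `struct module_signature`, which the slides do not show; `signed_payload_len` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKERLEN (sizeof(MODULE_SIG_STRING) - 1)

/* Trailer before the marker; layout assumed from mainline, not on the slides. */
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len[4];                    /* big-endian */
};

/* File: payload | signer | key id | signature | trailer | marker.
 * Returns hashed payload length; -1 no marker; -2 lengths do not fit. */
long signed_payload_len(const uint8_t *mod, size_t len, size_t *sig_off)
{
    struct module_signature ms;
    size_t sig_len, ids;

    if (len <= MARKERLEN ||
        memcmp(mod + len - MARKERLEN, MODULE_SIG_STRING, MARKERLEN) != 0)
        return -1;
    len -= MARKERLEN;
    if (len <= sizeof(ms))
        return -2;
    memcpy(&ms, mod + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);
    sig_len = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
              ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
    ids = (size_t)ms.signer_len + ms.key_id_len;
    if (sig_len >= len || ids >= len - sig_len)
        return -2;
    *sig_off = len - sig_len;              /* signature bytes start here */
    return (long)(len - sig_len - ids);    /* only [0, this) is hashed */
}

/* Constructed sample: payload "\x7fELFdata", signer "ab", key id "k", signature
 * "SSSS", trailer (signer_len 2, key_id_len 1, sig_len 4), marker. */
const uint8_t sample[] = "\x7f" "ELFdata" "abk" "SSSS"
                         "\0\0\0\2\1\0\0\0" "\0\0\0\4" MODULE_SIG_STRING;
#define SAMPLE_LEN (sizeof(sample) - 1)    /* drop the literal's NUL */

int main(void)
{
    size_t off = 0;
    long p = signed_payload_len(sample, SAMPLE_LEN, &off);
    printf("payload=%ld sig_off=%zu\n", p, off);
    return 0;
}
```

Because every length is read relative to the end of the file, the split does not depend on how any ELF parser interprets the section headers.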

Who uses what

- Redhat/Fedora/CentOS/Oracle use v1-2 and mainline implementation
- Gentoo/OpenSUSE use mainline version
- (list is incomplete)

Critiques, etc

- Why aren't all the metadata signed?
  - See: ELF Eccentricities, CONFidence 2013
- When stored in ELF section, how do we know all parsers use same section?
  - Remember Android "Master Key" bug?
- How do we know our shotgun sanity checks will fully protect us?
- ...Appending signature to end seems to help

.fini
