linux kernel security & hardening · i pax/grsecurity i lots of linux security research...
TRANSCRIPT
![Page 1: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/1.jpg)
Linux Kernel Security & Hardening
Thomas Lamprecht
January 17, 2019
![Page 2: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/2.jpg)
Introduction
![Page 3: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/3.jpg)
The Linux Kernel
I WidespreadI Deployed on:
I powerful (high performance compute clusters)I sensitive (bank, gov. systems, ..)I safety critical (Rocket Engine Control System[1], Automotive)
... SystemsI → thus: attractive target
![Page 4: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/4.jpg)
Security Beyond Bugs
I Performance & Reliability 6= SecurityI Hardening seen as overhead in the pastI Critical security bug lifetime is huge (> 10 years possible)I Non-trivial software/hardware → never bug freeI Safety net needed (Kernel Self Protection (KSP) [2])
“Security needs to be more than just access control andattack-surface reduction.”
— Kees Cook, 2015 Kernel Summit
![Page 5: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/5.jpg)
Security For Others Wrongdoing
I Working around hardware vulnerabilitiesI Side channel attacks (Meltdown[3], Spectre [4] )I Firmware/µCode bugsI User space programs
![Page 6: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/6.jpg)
Kernel Self Protection vs. User Land Protection
Attack surface reduction:I SELinux/AppArmorI seccompI namespacing (mount, PID, net, ...)
Problems:I UsabilityI ComplexityI no protection against common Kernel bugs
![Page 7: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/7.jpg)
Out of Tree Security
I Earlier Hardening resentment → out-of-tree approaches [5]I PaX/grsecurityI Lots of Linux Security Research happened until they went
privateI Low effort to upstreamI But, work now taken up by the community
![Page 8: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/8.jpg)
Flaws & Mitigation Technologies
![Page 9: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/9.jpg)
Stack Overflow
Attack:I Overwrite saved instruction pointer → execution control
Mitigations:I Stack canaries [6] [7]I Guard Pages [6]I KASLR [8] [9]I Shadow StacksI Virtually mapped kernel stacks [10]
![Page 10: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/10.jpg)
Integer/Heap overflow
Caused by:I Integer overflow/Wrong Bound checkingI Overwrite adjacent kernel function pointerI refcount overflow → Use after free
Mitigations:I detect multiplication overflows with compiler instrumentationI PAX REFCOUNT [11]I (no access) guard pagesI Hardened usercopy 1
1https://lwn.net/Articles/695991/
![Page 11: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/11.jpg)
Out of Order and Speculative Execution
Caused by:I Hardware bugs design, problematic known since ’95[12]I exploiting race condition between memory access and privilege
checkI speculative execution should be side-effect free → isn’t
Mitigations:I Kernel page-table isolation (derived from KAISER)I Flush states, branch predictor, TLB, ... (slow)I ... and/or use modern CPU features (PCID, IBRS/PB,
STIBP)
![Page 12: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/12.jpg)
Uninitialized variables / Stack
Caused by:I “Stack memory is frequently and unpredictably reused by
other parts of code” [13]I Uninitialized = previous value
Mitigations:I clear/poison kernel stack between syscalls (STACKLEAK
plugin)I initialize all structs (compiler plugin) [13]
![Page 13: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/13.jpg)
Kernel Pointer Leakage
Renders KASLR useless. Caused by:I /procI kernel modulesI /sys
Mitigations:I restrict pointers visibility [14]I hashed pointer [14]
![Page 14: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/14.jpg)
Use After Free
Caused by:I Missing refcountingI Aforementioned Integer overflow (“wrong refcounting”) [15]
Mitigations:I abstract resource access (refcount t) [16]I avoid reference count overflow [11]I clearing memory on free [17]
![Page 15: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/15.jpg)
Race Conditions & Other Logic Flaws
Caused by:I Complex Protocol/Bad DesignI False Assumption about access
Mitigations:I Harder (often no statical analysis possible)I Fuzzing:
I Syszcaller [18]I trinity [19]I American Fuzzy Lop (AFL)
I code instrumentation
![Page 16: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/16.jpg)
Return Oriented Programming[22]
Attack:I arbitrary code injection not directly possible:
I execution disable (NX)I signed code
I chain existing (library) functions togetherI achieve goal
Mitigation:I Control Flow Integrity [20] through compilerI Return Address Protection (RAP) [21]
![Page 17: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/17.jpg)
Overwrite Kernel Image
Attack:I gain arbitrary code executionI replace (parts) of kernel imageI . . .
I profit?Mitigation:
I Kernel image in read only memory ( ro after init) [23]I “rare write” mechanism [24]
![Page 18: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/18.jpg)
Function pointer overwrite
Attack:I builds upon use-after-freeI replace function pointer (destructor) with own functionI own function gets called in kernel context
Mitigation:I read only function pointer tables [23] (compiler plugin)
![Page 19: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/19.jpg)
References
![Page 20: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/20.jpg)
A. Svitak, Dragon’s Radiation-Tolerant Design,https://web.archive.org/web/20131203204735/http://www.aviationweek.com/Blogs.aspx?plckBlogId=Blog%3A04ce340e-4b63-4d23-9695-d49ab661f385&plckPostId=Blog%3A04ce340e-4b63-4d23-9695-d49ab661f385Post%3Aa8b87703-93f9-4cdf-885f-9429605e14df, [Online; accessed 10-January-2019],2013.L. A. Kees Cook, Kernel Self-Protection,https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/security/self-protection.rst?h=v4.20, [Online; accessed10-December-2019], 2016-2019.
![Page 21: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/21.jpg)
M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas,A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, et al.,“Meltdown: Reading kernel memory from user space,” in27th {USENIX} Security Symposium ({USENIX} Security18), 2018, pp. 973–990.P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas,M. Hamburg, M. Lipp, S. Mangard, T. Prescher,M. Schwarz, and Y. Yarom, “Spectre attacks: Exploitingspeculative execution,” in 40th IEEE Symposium onSecurity and Privacy (SP’19), 2019.
![Page 22: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/22.jpg)
J. Ribas, The kernel of the argument, http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/,[Online; accessed 09-June-2017], 2015.C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke,S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton,“Stackguard: Automatic adaptive detection and preventionof buffer-overflow attacks.,” in Usenix Security, vol. 98,1998, pp. 63–78.
![Page 23: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/23.jpg)
K. Cook, Introduce strong stackprotector,https://patchwork.kernel.org/patch/3387921/,[Online; accessed 12-May-2017], 2013.g. PaX, Address Space Layout Randomisation,https://pax.grsecurity.net/docs/aslr.txt, [Online;accessed 10-May-2017], 2003.J. Edge, Kernel Address Space Layout Randomisation,https://lwn.net/Articles/569635/, [Online; accessed10-May-2017], 2013.
![Page 24: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/24.jpg)
J. Corbet, Virtually mapped kernel stacks,https://lwn.net/Articles/692208/, [Online; accessed29-May-2017], 2016.g. PaX, PAX REFCOUNT, https://forums.grsecurity.net/viewtopic.php?f=7&t=4173,[Online; accessed 09-May-2017], 2015.O. Sibert, P. A. Porras, and R. Lindell, “The intel 80/spltimes/86 processor architecture: Pitfalls for secure systems,”in Security and Privacy, 1995. Proceedings., 1995 IEEESymposium on, IEEE, 1995, pp. 211–222.
![Page 25: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/25.jpg)
K. Lu, M.-T. Walter, D. Pfaff, N. Stefan, W. Lee, andM. Backes, “Unleashing use-before-initializationvulnerabilities in the linux kernel using targeted stackspraying,” , NDSS, 2017.D. Rosenberg, kptr restrict for hiding kernel pointers,https://lwn.net/Articles/420403/, [Online; accessed09-June-2017], 2010.L. Song and Q. Xiao-Jun, “Parallelly refill slub objects freedin slow paths: An approach to exploit the use-after-freevulnerabilities in linux kernel,” in 2016 17th InternationalConference on Parallel and Distributed Computing,
![Page 26: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/26.jpg)
Applications and Technologies (PDCAT), Dec. 2016,pp. 387–390. doi: 10.1109/PDCAT.2016.088.D. Windsor, Kernel Protections/HARDENED ATOMIC,https://kernsec.org/wiki/index.php/Kernel_Protections/HARDENED_ATOMIC, [Online; accessed29-May-2017], 2017.J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum,“Shredding your garbage: Reducing data lifetime throughsecure deallocation,” in In USENIX Security, 2005.
![Page 27: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/27.jpg)
D. Drysdale, Coverage-guided kernel fuzzing with syzkaller,https://lwn.net/Articles/677764/, [Online; accessed09-June-2017], 2016.M. Kerrisk, The Trinity fuzz tester,https://lwn.net/Articles/536173/, [Online; accessed09-June-2017], 2013.M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti,“Control-flow integrity,” in Proceedings of the 12th ACMconference on Computer and communications security,ACM, 2005, pp. 340–353.
![Page 28: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/28.jpg)
PaX/grsecurity, RAP: RIP ROP,https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf, [Online; accessed 02-June-2017], 2015.R. Hund, T. Holz, and F. C. Freiling, “Return-orientedrootkits: Bypassing kernel code integrity protectionmechanisms.,” in USENIX Security Symposium, 2009,pp. 383–398.J. Corbet, Post-init read-only memory,https://lwn.net/Articles/666550/, [Online; accessed10-June-2017], 2015.
![Page 29: Linux Kernel Security & Hardening · I PaX/grsecurity I Lots of Linux Security Research happened until they went private I Low effort to upstream I But, work now taken up by the](https://reader033.vdocuments.net/reader033/viewer/2022060222/5f0789d07e708231d41d7adb/html5/thumbnails/29.jpg)
N. H. Kees Cook, Introduce rare write() infrastructure,https://lwn.net/Articles/724319/, [Online; accessed10-June-2017], 2017.