
Page 1: Firewalls, vulnerabilities and Linux Kernel Modules. 1

Workshop in Information Security

Building a Firewall within the Linux Kernel

Firewalls, vulnerabilities and

Linux Kernel Modules.

Lecturer: Eran Tromer

Teaching assistant: Coby Schmidt

Advisor: Assaf Harel, Ariel Haviv

Page 2

Firewalls, vulnerabilities and Linux Kernel Modules.

1. Firewall Functionality
2. Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment


Page 4

Firewall goals (reminder)

A piece of software or hardware intended to keep a certain network secure:

– Enforce protocol correctness.
– Enforce the policy of the network administrator.
– Minimize the chance of intrusion and attacks.

Can operate at different levels of the OSI model.

– The first firewalls looked only at the network and transport (TCP/IP) level.
– Today's firewalls inspect all the way up to the application layer.

Page 5

Firewall requirements (reminder)

A firewall needs to look into packets, so it must have some communication with the kernel.

It needs to decide fast: we want maximum throughput and can't afford to slow down the traffic.

It needs to be configurable.

It needs to provide some way for the user to see what's going on inside.

Page 6

Packet filtering (reminder)

Each packet that is inspected waits for a verdict:

– Accept
– Drop

In practice this is mainly connection filtering: we declare certain connections legal and all the others illegal.

For example, we allow incoming connections to the host only on port 80.

Another example: disallow all connections from a given network.

Page 7

Packet filtering (reminder, cont.)

We look into the IP header of the packet to identify the source and destination IP addresses, and into the TCP/UDP header to identify the source and destination ports.

When a new connection is established, we check the connection against a set of rules.

After a connection is accepted, each subsequent packet is checked to see whether it is part of an existing connection.

Page 8

Firewall Functionality

A firewall filters connections against a policy, or rulebase, rule by rule: the rulebase is scanned from the top, and the first rule that matches the connection decides its verdict.

Generally speaking, as we go down the rulebase the rules become more general, and as we go up they become more specific. The last rule (number 255 in the figure) is the catch-all that drops anything no earlier rule accepted.

Rulebase from the slide's figure (the source and destination IP columns did not survive extraction; only the rule numbers, port columns and verdicts are legible):

Rule  SourceIP  DestIP  SourcePort  DestPort  Verdict
1     ...       ...     1550        3790      Accept
2     ...       ...     Any         Any       Drop
3     ...       ...     Any         22        Accept
5     ...       ...     Any         Any       Drop
...   ...       ...     Any         80        Accept
255   ...       ...     Any         Any       Drop
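The matching procedure described above, as an added example in user-space C (this is not code from the workshop or its assignments). The rulebase it evaluates is constructed for illustration: 10.0.0.0/8 plays the organization's internal network and 10.0.0.80 the web server; the IP columns of the slide's figure are unknown, so these are not the slide's own rules. The point it makes is that order, not specificity, decides: a general "drop everything between these two hosts" rule placed above the SSH rule silently shadows it.

```c
/* Added example, not code from the workshop: a first-match rulebase
 * evaluated in user space, in the spirit of the table above. The rulebase
 * below is constructed for illustration (10.0.0.0/8 is the internal
 * network, 10.0.0.80 the web server); it is not the slide's rulebase. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { DROP = 0, ACCEPT = 1 };

#define ANY_PORT 0          /* port 0 is never used by a real connection here */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Addresses and masks are IPv4 in host byte order; mask 0 means "Any". */
struct rule {
    uint32_t src_ip, src_mask;
    uint32_t dst_ip, dst_mask;
    uint16_t src_port, dst_port;
    enum verdict verdict;
};

struct conn {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

static int ip_matches(uint32_t ip, uint32_t rule_ip, uint32_t mask)
{
    return (ip & mask) == (rule_ip & mask);
}

static int port_matches(uint16_t port, uint16_t rule_port)
{
    return rule_port == ANY_PORT || port == rule_port;
}

/* Scan the rulebase from the top; the first matching rule decides.
 * Returns the index of that rule, or -1 if nothing matched. */
int first_match(const struct rule *rules, size_t n, const struct conn *c)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (ip_matches(c->src_ip, r->src_ip, r->src_mask) &&
            ip_matches(c->dst_ip, r->dst_ip, r->dst_mask) &&
            port_matches(c->src_port, r->src_port) &&
            port_matches(c->dst_port, r->dst_port))
            return (int)i;
    }
    return -1;
}

/* A connection nothing matched is dropped: the policy fails closed even
 * if someone forgets the cleanup rule at the bottom. */
enum verdict lookup(const struct rule *rules, size_t n, const struct conn *c)
{
    int i = first_match(rules, n, c);
    return i < 0 ? DROP : rules[i].verdict;
}

/* Constructed rulebase: specific rules at the top, general ones at the bottom. */
static const struct rule rulebase[] = {
    /* 1: one host pair, one port pair */
    { IP(10,0,0,5), 0xffffffffu, IP(10,0,0,9), 0xffffffffu, 1550, 3790, ACCEPT },
    /* 2: everything else between those two hosts */
    { IP(10,0,0,5), 0xffffffffu, IP(10,0,0,9), 0xffffffffu, ANY_PORT, ANY_PORT, DROP },
    /* 3: SSH anywhere inside the internal network */
    { IP(10,0,0,0), 0xff000000u, IP(10,0,0,0), 0xff000000u, ANY_PORT, 22, ACCEPT },
    /* 4: HTTP to the web server from anywhere */
    { 0, 0, IP(10,0,0,80), 0xffffffffu, ANY_PORT, 80, ACCEPT },
    /* 255: cleanup rule */
    { 0, 0, 0, 0, ANY_PORT, ANY_PORT, DROP },
};
#define NRULES (sizeof rulebase / sizeof rulebase[0])

/* Index of the rule that decided this connection (-1 if none). */
int check_rule(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    struct conn c = { sip, dip, sport, dport };
    return first_match(rulebase, NRULES, &c);
}

/* Verdict for this connection under the constructed rulebase. */
enum verdict check(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    struct conn c = { sip, dip, sport, dport };
    return lookup(rulebase, NRULES, &c);
}

int main(void)
{
    /* SSH from 10.0.0.5 to 10.0.0.9 hits rule 2 (drop) before rule 3
     * (accept): ordering, not specificity, decides. */
    printf("10.0.0.5 -> 10.0.0.9:22 matched rule %d, verdict %s\n",
           check_rule(IP(10,0,0,5), 40000, IP(10,0,0,9), 22) + 1,
           check(IP(10,0,0,5), 40000, IP(10,0,0,9), 22) == ACCEPT ? "accept" : "drop");
    return 0;
}
```

In the kernel version the same walk would run inside a netfilter hook, with the addresses taken from the IP header in network byte order; the matching logic does not change.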

Page 9

Firewall Functionality: let's have a thought experiment.

A possible organization topology (figure): the intranet of the organization, labeled TOP, and a DMZ.

DMZ - Demilitarized Zone: what the organization is willing to expose to the public.

Page 10

Firewalls, vulnerabilities and Linux Kernel Modules.

1. Firewall Functionality
2. Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment

Page 11

Vulnerabilities - bad input

A common mistake is to think that, because you wrote the code, you know you will never get bad input from the other side of the connection.

Someone can send you a hand-crafted packet with bad input, and BOOM.

If you don't check the input, and it's bad input:

– You might crash due to a segmentation fault. That's the better case.
– In a worse scenario, you don't crash:
  – You corrupt data in another part of your program.
  – Someone can execute code on your machine.
  – You unknowingly expose sensitive data.
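What "checking the input" means for a packet parser, as an added example in C (not code from the workshop). It parses a list of type-length-value options of the kind carried in IP and TCP headers: first the way the "I wrote the sender, so the input is fine" mindset does it, then with every read bounds-tested and the cursor forced to move forward. The option encoding and the sample packets are constructed for illustration, not a real protocol's option format.

```c
/* Added example, not code from the workshop: parsing a list of
 * type-length-value options from a packet buffer, unchecked and checked.
 * The option encoding and sample packets are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option: 1 byte type, 1 byte total length (header included), then
 * length - 2 bytes of value. Type OPT_END terminates the list. */
#define OPT_END 0

/* UNCHECKED: trusts the length byte completely. A length larger than
 * what is left in buf walks the cursor past the end of the buffer
 * (out-of-bounds read; a write too, if the caller copies the value into a
 * fixed-size struct). A length of 0 or 1 never advances the cursor, so the
 * loop spins forever. Never call this on input you did not build yourself. */
size_t count_options_unchecked(const uint8_t *buf)
{
    size_t off = 0, n = 0;
    while (buf[off] != OPT_END) {
        off += buf[off + 1];
        n++;
    }
    return n;
}

/* CHECKED: every byte is bounds-tested before it is read, the cursor must
 * always move forward, and the list must end inside the buffer.
 * Returns the number of options, or -1 if the list is malformed. */
int count_options_checked(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    for (;;) {
        if (off >= len)
            return -1;                 /* no OPT_END before the buffer ran out */
        if (buf[off] == OPT_END)
            return n;
        if (off + 1 >= len)
            return -1;                 /* type byte present, length byte missing */
        uint8_t optlen = buf[off + 1];
        if (optlen < 2)
            return -1;                 /* would never advance: infinite loop */
        if (optlen > len - off)
            return -1;                 /* claims more bytes than the packet has */
        off += optlen;
        n++;
    }
}

/* Constructed sample packets. */
static const uint8_t good_pkt[]     = { 0x01, 0x04, 0xaa, 0xbb,   /* type 1, 2 value bytes */
                                        0x02, 0x03, 0xcc,         /* type 2, 1 value byte  */
                                        OPT_END };
static const uint8_t overrun_pkt[]  = { 0x01, 0x40, 0xaa };       /* claims 64 bytes, has 3 */
static const uint8_t zero_len_pkt[] = { 0x01, 0x00, OPT_END };    /* length 0: never advances */
static const uint8_t no_end_pkt[]   = { 0x01, 0x03, 0xaa };       /* valid option, no terminator */
static const uint8_t empty_pkt[]    = { OPT_END };

int main(void)
{
    printf("good:     %d options\n", count_options_checked(good_pkt, sizeof good_pkt));
    printf("overrun:  %d\n", count_options_checked(overrun_pkt, sizeof overrun_pkt));
    printf("zero len: %d\n", count_options_checked(zero_len_pkt, sizeof zero_len_pkt));
    printf("no end:   %d\n", count_options_checked(no_end_pkt, sizeof no_end_pkt));
    /* The unchecked parser agrees only on well-formed input: fed overrun_pkt
     * it reads past the array, fed zero_len_pkt it never returns. */
    printf("unchecked on good: %zu options\n", count_options_unchecked(good_pkt));
    return 0;
}
```

The three rejected packets map onto the three outcomes listed on the slide: the overrun is the out-of-bounds access that may crash or may silently corrupt neighbouring data, the zero-length option is a hang, and the missing terminator is the case where a trusting parser keeps reading whatever happens to follow the packet in memory.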

Page 12

Protocol Violation

Spoofing: forging the source IP address.

An attacker can forge the IP address of a host inside a protected network and behave as if he or she were part of the targeted network.

This can be blocked simply by noticing a source IP address arriving on the wrong interface: a packet with an internal source address should never arrive on the external interface.

"Smurf attack": ICMP echo requests sent to a network's broadcast address with the victim's address forged as the source, so every host that answers floods the victim.

Page 13

Protocol Violation (cont.)

"Ping of Death": sending a packet whose reassembled size is larger than the 65,535-byte IPv4 maximum crashed many operating systems.

When the OS reassembles the fragments, the oversized datagram overruns the memory located next to the packet buffer and damages the system.

It is not just ping: any protocol carried over IPv4 can be used, since the bug is in IP fragment reassembly.

One way to avoid it is to patch the OS.

Another is to let the firewall make sure that a fragment's offset plus its length never exceeds the 65,535-byte maximum, so the oversized datagram is dropped before reassembly.
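The two checks from the last two slides, anti-spoofing and the Ping of Death size test, as an added example in C (not code from the workshop). It works on the fields a firewall reads from the IPv4 header: the source address is compared with the interface the packet arrived on, and a fragment is rejected if its offset plus its payload would land beyond the 65,535-byte maximum, so the oversized datagram never reaches the host's reassembly code. The internal network (10.0.0.0/8), the interface names and the sample headers are constructed for illustration.

```c
/* Added example, not code from the workshop: anti-spoofing and Ping of
 * Death checks on IPv4 header fields. The internal network, interface
 * names and sample headers are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

#define INTERNAL_NET      IP(10, 0, 0, 0)
#define INTERNAL_MASK     0xff000000u
#define IPV4_MAX_DATAGRAM 65535u   /* 16-bit Total Length field */

enum iface { IFACE_EXTERNAL, IFACE_INTERNAL };

/* The header fields we need, already converted to host byte order. */
struct ipv4_fields {
    uint32_t src, dst;
    uint16_t total_length;   /* bytes in this fragment, IP header included */
    uint8_t  header_length;  /* IHL * 4, in bytes */
    uint16_t frag_offset;    /* 13-bit Fragment Offset, in 8-byte units */
};

/* Spoofing: an internal source address arriving from outside, or a
 * non-internal source leaving from inside, is on the wrong interface. */
int is_spoofed(uint32_t src, enum iface arrived_on)
{
    int claims_internal = (src & INTERNAL_MASK) == INTERNAL_NET;
    if (arrived_on == IFACE_EXTERNAL && claims_internal)
        return 1;   /* outsider pretending to be one of our hosts */
    if (arrived_on == IFACE_INTERNAL && !claims_internal)
        return 1;   /* our host forging someone else's address (e.g. a smurf source) */
    return 0;
}

/* Ping of Death: where would this fragment end once reassembled?
 * Offset is in 8-byte units, so the last legal offset (8191 * 8 = 65528)
 * combined with enough payload pushes the end past 65,535. */
int fragment_overflows(const struct ipv4_fields *h)
{
    if (h->total_length < h->header_length)
        return 1;                                  /* malformed: header longer than packet */
    uint32_t payload = (uint32_t)h->total_length - h->header_length;
    uint32_t end     = (uint32_t)h->frag_offset * 8u + payload;
    return end > IPV4_MAX_DATAGRAM;
}

/* Verdict for one packet: 0 = pass, 1 = spoofed source, 2 = oversized fragment. */
int ipv4_sanity(const struct ipv4_fields *h, enum iface arrived_on)
{
    if (is_spoofed(h->src, arrived_on))
        return 1;
    if (fragment_overflows(h))
        return 2;
    return 0;
}

/* Constructed sample headers. */
static const struct ipv4_fields normal_pkt = {
    IP(203,0,113,7), IP(10,0,0,80), 1500, 20, 0 };
static const struct ipv4_fields spoofed_pkt = {
    IP(10,0,0,5), IP(10,0,0,80), 60, 20, 0 };          /* internal source, but seen outside */
static const struct ipv4_fields pod_pkt = {
    IP(203,0,113,7), IP(10,0,0,80), 1500, 20, 8189 };  /* 8189*8 + 1480 = 66992 bytes */
static const struct ipv4_fields last_ok_pkt = {
    IP(203,0,113,7), IP(10,0,0,80), 43, 20, 8189 };    /* 65512 + 23 = exactly 65535 */

int main(void)
{
    printf("normal: %d\n", ipv4_sanity(&normal_pkt, IFACE_EXTERNAL));
    printf("spoofed: %d\n", ipv4_sanity(&spoofed_pkt, IFACE_EXTERNAL));
    printf("ping of death: %d\n", ipv4_sanity(&pod_pkt, IFACE_EXTERNAL));
    printf("largest legal final fragment: %d\n", ipv4_sanity(&last_ok_pkt, IFACE_EXTERNAL));
    return 0;
}
```

Note that the size check is per fragment and needs no reassembly state: the firewall only has to add the offset and the payload length of each fragment as it passes, which keeps the check cheap enough for the throughput requirement on slide 5.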

Page 14

SYN floods

SYN packets are the most expensive in terms of CPU and memory resources: each one makes the receiver allocate state for a half-open connection.

An easy way to attack networks, gateways, servers and more is to flood them with SYN packets (mostly with a forged source IP, so the handshake never completes and the state is never released).

Sophisticated monitoring of SYN packets can prevent it.

Let the firewall be the "man in the middle": it completes the three-way handshake with the initiator itself, and only opens the connection to the server once the handshake succeeds.

To avoid slowing down traffic, or even crashing the firewall, we should switch this on only after the number of unresolved (half-open) SYN connections passes some threshold.
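The bookkeeping behind that threshold rule, as an added example in C (not code from the workshop). The firewall records every SYN it forwards as a half-open connection, releases the entry when the handshake completes (the client's final ACK) or is aborted (RST), expires entries nobody ever completed, and reports that SYN-proxy mode should be active only while the number of half-open connections is at or above the threshold. A retransmitted SYN refreshes its existing entry rather than consuming a second slot, so a slow but honest client is not counted twice. Table size, threshold, timeout and the sample flows are constructed for illustration.

```c
/* Added example, not code from the workshop: half-open connection
 * tracking that gates SYN-proxy mode on a threshold. Table size,
 * threshold, timeout and sample flows are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HALF_OPEN   1024
#define SYN_THRESHOLD   100     /* half-open connections that trigger proxy mode */
#define SYN_TIMEOUT_SEC 5       /* a handshake that takes longer is presumed forged */

struct half_open {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t seen;      /* time of the SYN, in seconds */
    int used;
};

static struct half_open table[MAX_HALF_OPEN];
static size_t half_open_count;

static struct half_open *find_flow(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp)
{
    for (size_t i = 0; i < MAX_HALF_OPEN; i++) {
        struct half_open *e = &table[i];
        if (e->used && e->src == s && e->dst == d && e->sport == sp && e->dport == dp)
            return e;
    }
    return NULL;
}

void reset_half_open(void)
{
    memset(table, 0, sizeof table);
    half_open_count = 0;
}

/* A SYN arrived. A retransmitted SYN for a flow we already track refreshes
 * its timestamp instead of taking a second slot. Returns 0 if tracked,
 * -1 if the table is full (itself a sign of a flood). */
int on_syn(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp, uint32_t now)
{
    struct half_open *e = find_flow(s, d, sp, dp);
    if (e) {
        e->seen = now;
        return 0;
    }
    for (size_t i = 0; i < MAX_HALF_OPEN; i++) {
        if (!table[i].used) {
            table[i] = (struct half_open){ s, d, sp, dp, now, 1 };
            half_open_count++;
            return 0;
        }
    }
    return -1;
}

/* The client's final ACK (or a RST) arrived: the flow is no longer half-open.
 * Returns 1 if an entry was released, 0 if we were not tracking the flow. */
int on_handshake_done(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp)
{
    struct half_open *e = find_flow(s, d, sp, dp);
    if (!e)
        return 0;
    e->used = 0;
    half_open_count--;
    return 1;
}

/* Drop entries whose SYN is older than SYN_TIMEOUT_SEC. Returns how many expired. */
size_t expire_half_open(uint32_t now)
{
    size_t expired = 0;
    for (size_t i = 0; i < MAX_HALF_OPEN; i++) {
        if (table[i].used && now - table[i].seen > SYN_TIMEOUT_SEC) {
            table[i].used = 0;
            half_open_count--;
            expired++;
        }
    }
    return expired;
}

size_t half_open_connections(void) { return half_open_count; }

/* Should the firewall be answering SYNs itself right now? */
int syn_proxy_active(void) { return half_open_count >= SYN_THRESHOLD; }

/* Constructed flood: n SYNs from n distinct forged sources (198.51.100.x)
 * to the web server 10.0.0.80, none of which will ever complete. */
size_t flood(uint32_t n, uint32_t now)
{
    for (uint32_t i = 0; i < n; i++)
        on_syn(0xc6336400u + i, 0x0a000050u, 40000, 80, now);
    return half_open_connections();
}

int main(void)
{
    reset_half_open();
    printf("after 120 forged SYNs: %zu half-open, proxy %s\n", flood(120, 0),
           syn_proxy_active() ? "on" : "off");
    expire_half_open(SYN_TIMEOUT_SEC + 1);
    printf("after timeout: %zu half-open, proxy %s\n", half_open_connections(),
           syn_proxy_active() ? "on" : "off");
    return 0;
}
```

The expiry step is what makes the threshold meaningful: forged SYNs never produce an ACK, so without a timeout the count only ever rises, and the firewall would stay in proxy mode (and keep paying for it) long after the flood has stopped.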

Page 15

The future (the real near future)?

It is becoming increasingly accepted that attacks cannot be completely blocked.

But whatever comes in needs to communicate back out.

By cultivating malware samples, security analysts can construct a list of bad-reputation IP addresses and block outgoing traffic to them.

Page 16

Firewalls, vulnerabilities and Linux Kernel Modules.

1. Firewall Functionality
2. Software Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment

Page 17

What is a Kernel Module

What is a kernel module? (wiki definition)

– An object file that contains code to extend the running kernel, or so-called base kernel, of an operating system.

What is a kernel module? (my definition)

– A modular piece of code and data structures that can be plugged into and out of kernel space.

Modules register new facilities (functions and data structures) with the kernel.

Page 18

How kernel modules differ from user-space programs

The C library and its header files are not available, so many familiar functions will not be available.

– You can't include <stdio.h> or any other glibc header.
– But <linux/kernel.h> offers some nice utilities, e.g. min_t(type, x, y) and swap(a, b).
– And there are many more: <linux/kfifo.h>, <linux/slab.h>, <linux/kthread.h>, <linux/wait.h>.

Kernel modules are event driven.

– A module provides facilities that the kernel uses during interrupts, system calls, etc.
– The kernel can even start using registered facilities before all of them have been registered, so initialize everything a facility depends on before registering it.

Page 19

Building the Module

The purpose: eliminate the need to re-compile the kernel every time you need to add or remove a specific feature.

A Makefile that adapts itself to the current kernel (the kernel's kbuild system).

– Look it up!

insmod and rmmod load the module into and unload it from the kernel.

An initialization function is called when the module enters the kernel.

A cleanup function is called when the module is removed from the kernel.

Page 20

Our Kernel Module - The Firewall!

What will we do with our kernel module? (spoilers ahead)

– Register a char device, to communicate with user space (AKA the real world).
– Create sysfs virtual files to get and set module values.
– Use the mmap API to expose large chunks of data from kernel space to user space.
– Register our own functions (AKA hooks) with the netfilter API, to issue verdicts on packets going in, out or through our Linux box.
– Maybe juggle some kernel threads that will help us complete deferred or asynchronous tasks.

When our module is removed, it will clean up all this mess, as if it was never there.

Page 21

Further reference:

– Linux Device Drivers, Third Edition
  – An excellent free e-book; contains all you need (and don't need) to know about kernel modules.
  – Written for kernel 2.6, but not a lot has changed since.
– Kernel headers and documentation
  – On your machine, e.g. /usr/src/linux-headers-`uname -r`/include/linux/ip.h
  – On the net: LXR or any other cross-reference site.
  – http://kernel.org/doc/Documentation/
    – The hardest to read, but probably the most useful.
– Your favorite search engine.

Page 22

Firewalls, vulnerabilities and Linux Kernel Modules.

1. Firewall Functionality
2. Software Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment

Page 23

A few words on the next assignment

By the end of this workshop you will have a working firewall in the kernel, even if not a commercial one...

The next assignment will be the first step toward that goal, completely in user space.

You'll receive a fictitious stateful protocol of a car communicating with a satellite.

Page 24

The fictitious protocol

Page 25

A few words on the next assignment

Create all the structs, modules and functions needed to implement a firewall based on that protocol.

In the assignment after this one, once the firewall is stable, it will move to the kernel.

Page 26

Assignment demands

Write modular code, where different functions and features are independent of each other.

Write well-documented code; make me happy.

Try to make the code as compact as possible.

Remember, well-written code is code that will move easily to the kernel: minimal and specific changes will be much easier to handle.

Try your best to enjoy writing your code...