
BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni


Page 1: BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni

Linux kernel and recent security protections

Djalal Harouni

[email protected]

@tixxdz

BsidesAlgiers 05-05-12

Page 2

Linux kernel and recent security protections

Why this lecture?

Talk about Linux kernel and Open-source.

Talk about security.

Page 3

Linux kernel and recent security protections

What is this talk not about?

A listing of security protections.

Comparison between different Linux security protections.

Comparison against *BSD, Windows ...

Page 4

Linux kernel and recent security protections

What is this talk about?

Introduction to the Linux kernel source code.

Some recent practical security protections (not all of them) that were merged upstream.

Examples of some recent kernel exploits and mitigations.

The talk will be simple, with a special focus on questions.

Page 5

Linux kernel and recent security protections

Plan:

Linux kernel source code

Demo and Questions?

Recent security protections

Demo and Questions?

Recent exploits and mitigation techniques

Demo and Questions?

Conclusion

Questions

Page 6

Linux kernel and recent security protections

Linux kernel source code

Page 7

Linux kernel and recent security protections

Linux kernel source code

Official mirror: http://www.kernel.org and http://git.kernel.org/

Mailing lists: http://vger.kernel.org/vger-lists.html

Main development mailing list:

http://vger.kernel.org/vger-lists.html#linux-kernel

Archived at: http://lkml.org

Download and untar, or git clone, then enter the source tree:

cd linux-3.3.4

Page 8

Linux kernel and recent security protections

Linux kernel source code

Linux source code demo

Page 9

Linux kernel and recent security protections

Linux kernel source code

Configuration and other Makefile options:

make help

make menuconfig

make defconfig

make mandocs

make cscope

Compilation:

make -j $n

make path/single_file.o

make path/module.ko

More from Linux Kernel in a Nutshell [1].

Page 10

Linux kernel and recent security protections

Linux kernel source code

Linux memory space:

Figure 1: Virtual to Physical [2]

Figure 2: Virtual address space [3]

Page 11

Linux kernel and recent security protections

Linux kernel source code

Linux file system and syscalls:

Figure 3: Linux File system [4]

Page 12

Linux kernel and recent security protections

Linux kernel source code

Interactive map of Linux kernel [5]

Page 13

Linux kernel and recent security protections

Linux kernel source code

Demo and Questions?

Page 14

Linux kernel and recent security protections

Plan:

Linux kernel source code

Demo and Questions?

Recent security protections

Demo and Questions?

Recent exploits and mitigation techniques

Demo and Questions?

Conclusion

Questions

Page 15

Linux kernel and recent security protections

Recent security protections

Introduction to Linux capabilities:

On UNIX a privileged process means euid 0 (root).

Since Linux 2.2, superuser privileges have been divided into distinct units called capabilities (an old feature, not a new one).

Capabilities:

CAP_NET_ADMIN : network-related operations.

CAP_SETUID: arbitrary UIDs manipulations.

CAP_SYS_ADMIN: a lot of system administration operations (syslog, mount/unmount,...)

CAP_SYS_MODULE: load/unload kernel modules.

More from Linux capabilities man page [6].

Page 16

Linux kernel and recent security protections

Recent security protections

Dmesg restrict sysctl:

Restrict the kernel syslog (dmesg) to users with CAP_SYS_ADMIN.

Based on GRKERNSEC_DMESG from grsecurity [7].

Commit eaf06b241b09135

# sysctl -w kernel.dmesg_restrict=1

or

# echo "1" > /proc/sys/kernel/dmesg_restrict

Page 17

Linux kernel and recent security protections

Recent security protections

Kptr restrict sysctl:

Hide kernel addresses from unprivileged users.

If kptr_restrict == 0: no restrictions.

If kptr_restrict == 1 and kernel pointers are printed using the %pK format, then only users with CAP_SYSLOG can view them.

If kptr_restrict == 2: all kernel pointers printed using the %pK format are replaced with 0's.

Commit 455cd5ab305c90ffc4

# sysctl -w kernel.kptr_restrict=2

Extra: make vmlinuz and System.map readable by root only.

Page 18

Linux kernel and recent security protections

Recent security protections

Restrict access to /proc/<pid>/ directories:

Procfs is a virtual file system that serves as an interface to kernel data structures.

$ cat /proc/cpuinfo

processor : 0

vendor_id : GenuineIntel

cpu family : 6

/proc/<pid>/* contains information about a running process.

$ cat /proc/self/maps

00400000-0040b000 r-xp 00000000 08:0f 4456467 /bin/cat

0060a000-0060b000 r--p 0000a000 08:0f 4456467 /bin/cat

0060b000-0060c000 rw-p 0000b000 08:0f 4456467 /bin/cat

023ae000-023cf000 rw-p 00000000 00:00 0 [heap]

Page 19

Linux kernel and recent security protections

Recent security protections

Restrict access to /proc/<pid>/ directories:

Use the new hidepid= and gid= mount options of procfs to restrict access to these directories.

The patch originates from the -ow kernel patches [8] and grsecurity [7].

If hidepid == 0: no restrictions, classic mode.

If hidepid == 1: users can access only their own pid directories.

If hidepid == 2: access to all /proc/<pid>/ directories is restricted (other users' pids are hidden).

Commit 97412950b10e64f347

Commit 0499680a42141d8641

Hint: use 'kill -0 $pid' to discover valid pids.

Page 20

Linux kernel and recent security protections

Recent security protections

Yama LSM (Linux Security Module)

Ptrace scope restriction: restricts the relationship between a debugging process and its inferior.

Origin of the patch: -ow [8] and grsecurity [7].

If ptrace_scope == 0: classic ptrace permissions.

If ptrace_scope == 1: allow PTRACE_ATTACH only on the caller's descendants by default. The inferior can change this relationship and choose its debugger with prctl(PR_SET_PTRACER, ...).

Commit 2d514487faf188938a

Yama ptrace scope sysctl:

# sysctl -w kernel.yama.ptrace_scope=1

Page 21

Linux kernel and recent security protections

Recent security protections

Demo and Questions?

Page 22

Linux kernel and recent security protections

Plan:

Linux kernel source code

Demo and Questions?

Recent security protections

Demo and Questions?

Recent exploits and mitigation techniques

Demo and Questions?

Conclusion

Questions

Page 23

Linux kernel and recent security protections

Recent exploits and mitigation techniques

Null pointer dereferences:

Userspace and kernelspace share the same virtual address space.

mmap() at address 0x00 + a null pointer dereference bug in the kernel => potential null pointer vulnerability [9] [10] [11].

Check the git logs (if the information is available): git log -p --grep="null.*pointer.*reference"

mmap_min_addr protection (old):

$ cat /proc/sys/vm/mmap_min_addr

65536

Page 24

Linux kernel and recent security protections

Recent exploits and mitigation techniques

Linux Local Privilege Escalation via SUID /proc/pid/mem Write [12]

/proc/<pid>/mem is used by debuggers. It is also a source of vulnerabilities: CVE-2012-0056.

Fixed by commits:

e268337dfe26dfc7ef

6d08f2c7139790c26

Exploit bonus.

Page 25

Linux kernel and recent security protections

Recent exploits and mitigation techniques

Uninitialized stack [13]:

Uninitialized stack memory still contains data from before. Is the old data still available?

CVE-2010-2963 Fixed by commit 3e645d6b485446c54c

Protect with PaX [7]

Page 26

Linux kernel and recent security protections

Recent exploits and mitigation techniques

Linux kernel modules:

Modules are also used by rootkits.

Module autoloading abuses: CAP_NET_ADMIN can load modules, and not only network modules [14]. Load other modules:

# ifconfig ntfs

# lsmod | grep ntfs

Disable module autoloading:

# echo "/bin/false" > /proc/sys/kernel/modprobe

# sysctl -w kernel.modprobe="/bin/false"

Disable module loading permanently (paranoid):

# echo 1 > /proc/sys/kernel/modules_disabled
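The sysctl and procfs settings from the previous slides (dmesg_restrict, kptr_restrict, ptrace_scope, mmap_min_addr, kernel.modprobe, hidepid) are easy to audit from a shell. The following POSIX sh script is an added example, not from the slides: it reads each knob, compares it with the value the deck recommends, and parses the /proc mount options for hidepid. The PROC_ROOT variable and the file names under it are assumptions so that the checks can also run against a constructed tree.

```shell
#!/bin/sh
# Added example: audit the hardening knobs discussed in the deck.
# PROC_ROOT points the checks at a constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# read_sysctl key: value of e.g. kernel.yama.ptrace_scope from $PROC_ROOT/sys/kernel/yama/ptrace_scope
read_sysctl() {
    path="$PROC_ROOT/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else printf 'missing'; fi
}

# check_min key minimum: succeed only when the value is numeric and >= minimum
check_min() {
    val=$(read_sysctl "$1")
    case "$val" in ''|*[!0-9]*) return 1 ;; esac
    [ "$val" -ge "$2" ]
}

# hidepid_option mounts-file: print the hidepid= value of the /proc mount ("0" when unset)
hidepid_option() {
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = /proc ] || continue
        o=",$opts"
        case "$o" in
            *,hidepid=*) v=${o##*,hidepid=}; printf '%s\n' "${v%%,*}"; return 0 ;;
        esac
        break
    done < "$1"
    printf '0\n'
}

# audit: print one line per knob, return the number of weak settings
audit() {
    weak=0
    for spec in kernel.dmesg_restrict:1 kernel.kptr_restrict:1 \
                kernel.yama.ptrace_scope:1 vm.mmap_min_addr:65536; do
        key=${spec%%:*}; want=${spec#*:}
        if check_min "$key" "$want"; then printf 'OK   %s = %s\n' "$key" "$(read_sysctl "$key")"
        else printf 'WEAK %s = %s (want >= %s)\n' "$key" "$(read_sysctl "$key")" "$want"; weak=$((weak+1)); fi
    done
    # kernel.modprobe is a path, not a number: autoloading is off when it points to /bin/false
    if [ "$(read_sysctl kernel.modprobe)" = /bin/false ]; then printf 'OK   module autoloading disabled\n'
    else printf 'WEAK kernel.modprobe = %s\n' "$(read_sysctl kernel.modprobe)"; weak=$((weak+1)); fi
    hp=$(hidepid_option "$PROC_ROOT/self/mounts")
    if [ "$hp" = 0 ]; then printf 'WEAK /proc mounted without hidepid\n'; weak=$((weak+1))
    else printf 'OK   /proc hidepid=%s\n' "$hp"; fi
    return "$weak"
}
case "${1:-}" in --run) audit ;; esac
```

Run it with `--run` on a live system; the exit status is the number of weak settings, so it can gate a configuration check.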

Page 27

Linux kernel and recent security protections

Recent exploits and mitigation techniques

Demo and Questions?

Page 28

Linux kernel and recent security protections

Plan:

Linux kernel source code

Demo and Questions?

Recent security protections

Demo and Questions?

Recent exploits and mitigation techniques

Demo and Questions?

Conclusion

Questions

Page 29

Linux kernel and recent security protections

Conclusion

More proactive security features in the mainline kernel.

Some of the security protections presented here originate from:

Openwall [8]

grsecurity/PaX [7]

Openwall kernel hardening page [15].

Page 30

Linux kernel and recent security protections

Conclusion

Other protections:

LSM: SELinux, AppArmor, TOMOYO, … [16].

GCC plugins and code instrumentation as security protections: grsecurity/PaX gcc plugins [7]: constify pointers, stackleak, …

grsecurity's RBAC [7].

Seccomp (SECure COMPuting) with filters: filter system calls by syscall numbers and arguments with BPF (Berkeley Packet Filter) [17].

Page 31

Linux kernel and recent security protections

Thank you!

Questions?

Download this from: http://opendz.org/

Page 32

Linux kernel and recent security protections

References:

[1] Greg KH, Linux Kernel in a Nutshell, O'Reilly.

[2] http://www.ibm.com/developerworks/linux/library/l-kernel-memory-access/

[3] http://www.acm.uiuc.edu/projects/RingCycle/

[4] http://www.ibm.com/developerworks/linux/library/l-linux-filesystem/

[5] http://www.makelinux.net/kernel_map/

[6] http://linux.die.net/man/7/capabilities

[7] http://grsecurity.net/

[8] http://openwall.net/

[9] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

[10] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

[11] http://seclists.org/fulldisclosure/2009/Aug/190

Page 33

Linux kernel and recent security protections

References:

[12] http://blog.zx2c4.com/749

[13] https://media.defcon.org/dc-19/presentations/Cook/DEFCON-19-Cook-Kernel-Exploitation.pdf

[14] https://lkml.org/lkml/2011/2/24/203

[15] http://openwall.info/wiki/Owl/kernel-hardening

[16] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=tree;f=Documentation/security

[17] http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=blob;f=Documentation/prctl/seccomp_filter.txt