CLIP OS: Building a defense-in-depth OS around Linux kernel … · 2020-05-29 ·...
CLIP OS: Building a defense-in-depth OSaround Linux kernel security improvements
Timothée Ravier, Mickaël Salaün
Agence nationale de la sécurité des systèmes d’information (ANSSI)
September 26, 2018
About the ANSSI
- Agence nationale de la sécurité des systèmes d’information
- French authority in the area of cyberdefence, network and information security
- We are not an intelligence agency
ANSSI CLIP OS: Building a defense-in-depth OS 2/27
Overview
CLIP OS?
- Linux distribution developed by the ANSSI
- Initially only available internally
- Now open source, mostly under the LGPL v2.1+
- Code and issue tracker hosted on GitHub:
  - Version 4: available as reference and for upstream patch contribution (https://github.com/CLIPOS-Archive)
  - Version 5: currently developed version, alpha status (https://github.com/CLIPOS)
Hardened OS
- Hardened Linux kernel and userspace
- Confined services
- "Unprivileged" admin, audit and update roles ⇒ the root account is not usable
- Automatic updates using an A/B partition model (similar to Android 7+)
Multilevel security OS
- Provides two isolated user environments: low and high
- Interactions follow the Bell-LaPadula model:
  - Write up: upload documents from low to high
  - Read down: high has read-only access to untrusted USB devices
  - Trusted write down: encrypt documents from high to write them in low
- Level high can only access the network through a VPN
- Per-level user device assignment
Multilevel from the end user point of view
Admin panel: devices assignment per level
Differences with Qubes OS
CLIP OS development began 5 years earlier than Qubes OS.
Goal of CLIP OS
- We target non-expert users
- Bell-LaPadula model with two levels
- We favor a defense-in-depth approach
Technical point of view
- Hypervisor vs. supervisor isolation
- Limited access rights, even for the administrator
Architecture
CLIP OS 4
Hardening mechanisms
Gentoo Hardened
- Hardened toolchain
- Flexible patching
Linux-VServer
- Linux namespaces with additional constraints
- Unique container and network IDs: XIDs and NIDs
grsecurity/PaX
- Kernel self-protection (e.g., memory protection, CFI)
- Multiple userspace hardening features (e.g., chroot, TPE)
CLIP LSM
- Complements the Linux permission model
- Leverages Linux-VServer and grsecurity/PaX
Write ⊕ Execute policy
Avoid arbitrary code execution and persistent attacks, improve multilevel isolation.
- Memory (PaX): deny writable memory from ever becoming executable, throughout the system lifetime
- Devctl: enforce and extend W ⊕ X from devices to mount points
- Mount points: enforce W ⊕ X thanks to mount options: ro ⊕ noexec
- The O_MAYEXEC flag: enforce and extend W ⊕ X from mount points to scripts (via interpreters)
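The ro ⊕ noexec rule on mount points and the O_MAYEXEC check, as an added example that is not CLIP OS code: a simplified Python model run over a constructed /proc/mounts-style table. The helper names, the sample mounts, and the reading of O_MAYEXEC as "apply the hosting mount's noexec option to the script being opened" are this example's own assumptions.

```python
"""Simplified model of CLIP OS's W xor X policy on mount points and of the
O_MAYEXEC check an interpreter relies on before running a script.
Added example, not CLIP OS code: the mount table and helper names are
this example's own."""
import os

# Constructed /proc/mounts-style sample: device, mount point, fstype, options
SAMPLE_MOUNTS = """\
/dev/mapper/root / squashfs ro,relatime 0 0
/dev/sda3 /usr squashfs ro,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat ro,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Return a list of (mount_point, set_of_options) from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts.append((fields[1], set(fields[3].split(","))))
    return mounts


def wx_violations(mounts):
    """Mount points that are both writable and executable.

    The policy requires ro xor noexec for every mount point: a filesystem
    may be written to, or may provide executables, never both."""
    return sorted(mp for mp, opts in mounts
                  if "ro" not in opts and "noexec" not in opts)


def mount_for(path, mounts):
    """Longest-prefix match: the (mount_point, options) hosting `path`."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def may_exec(path, mounts):
    """Outcome of an interpreter opening `path` with O_MAYEXEC (model).

    Simplified reading of the flag: the kernel applies the hosting mount's
    noexec policy to the script, so a script sitting on a noexec mount
    cannot be handed to the interpreter even though it is readable."""
    found = mount_for(path, mounts)
    if found is None:
        return False
    return "noexec" not in found[1]


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    print("W+X violations:", wx_violations(table))
    for script in ("/usr/bin/setup.sh", "/home/user/notes.sh", "/media/usb/run.sh"):
        print(script, "->", "exec allowed" if may_exec(script, table) else "denied")
```

Only /tmp is reported, since it is the one mount that is neither ro nor noexec; the scripts on /home and the USB stick are refused while the one under the read-only /usr is accepted.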
O_MAYEXEC
Partitioning
Hardened containers
- Leverage Linux-VServer admin and watch (audit) concepts
- New capability bounding sets: for root and per container
- Hardened chroot
Container content and interaction
- Tailored filesystem layouts per service
- Container management with vsctl and clip-libvserver (self-jailing)
Veriexec and permissions (CLIP-LSM)
Goal
- Split Linux capabilities (e.g., FUSE, unshare)
- Add new permissions (e.g., network, XFRM)
- Can be tied to an XID
- Does not use xattr (thus independent from the filesystem)
Configuration example: /etc/verictl.d/chromium
    /usr/.../chrome-sandbox 1002 eSETUID | SETGID | SYS_CHROOT SETUID | SETGID | SYS_CHROOT -cUP sha256 45bcbd1...
Veriexec example
CLIP OS 5
General Linux kernel hardening
- Strict whitelist of kernel options, but easily composable sets
- Paranoid command line
  - iommu=force, pti=on, spectre_v2=on, etc.
- Strict sysctl defaults
  - kernel.kptr_restrict, kernel.yama.ptrace_scope, etc.
Enabling Linux kernel hardening
Goals
- Protecting the kernel from itself and from userspace
- Including additional features for userspace
- Being able to test coordinated kernel and userspace changes
Security may come first
- We can handle minor compatibility breakage in our userspace
- We will accept changes that upstream may reject
Interaction with upstream & KSPP
- Include in-progress or ready-for-upstream patches
- Integrate and validate patches in a single tree
- Maintain hardening patches for the latest stable kernel
Patch series: linux-hardened
Features
- Memory hardening improvements, including:
  - better userspace ASLR
  - slab allocator hardening (mostly SLUB)
  - simpler page sanitizing
- Various restrictions: TIOCSTI ioctl, perf subsystem, device timing side channels, etc.
- Miscellaneous additions: more BUG_ONs, more __ro_after_init, etc.
- Development status: In progress
- CLIP OS status: Merged
- Upstream status: Most changes unlikely to be merged upstream
Upstream contribution integration: Lockdown
Features
- Reduce the options for root to run untrusted code in kernel context
- Development status: Feature complete
- CLIP OS status: Merged
- Upstream status: Ready for upstream integration
Upstream contribution integration: STACKLEAK
Features
- Reduce information leaks and block attacks using uninitialized kernel stack variables:
  - Erase the stack before returning from system calls
- Improve runtime detection of kernel stack overflows (e.g. Stack Clash):
  - Instrument calls to alloca()
CLIP OS specific changes
- Kept the alloca()-related changes (dropped for upstream in v15)
- Development status: Feature complete
- CLIP OS status: Merged
- Upstream status: Ready for upstream integration
Upstream contribution: Landlock
Features
- Enables seccomp-bpf-like self-sandboxing for unprivileged processes
- Stackable LSM
- Powered by eBPF
- Dynamic filesystem access control using whitelists & blacklists
- See landlock.io
- Development status: Initial feature set ready
- CLIP OS status: Planned
- Upstream status: Work in progress
Upstream contribution: VServer-like LSM
Features
- Adds a single kernel-enforced identifier for confined environments
- Similar in principle to VServer XID or to "Container IDs"
- Inspired by the VServer patch
- Integrated as a stackable LSM
- Development status: Early development stage
- CLIP OS status: Planned
Conclusion
Take away
- Hardened Linux distro and kernel
- Coordinated userspace and kernelspace
- Support for multilevel security
Ongoing project
- Contributions welcome
- Browse the docs and the sources to find more interesting features: docs.clip-os.org
Thanks!
- Website: clip-os.org
- E-mail: [email protected]
- v4: github.com/CLIPOS-Archive
- v5: github.com/CLIPOS
We’re hiring! (but not directly for CLIP OS)
Linux system security expert: https://www.ssi.gouv.fr/emploi/expert-en-securite-des-systemes-linux/
Boot chain and root partition integrity protection
1. UEFI Secure Boot support:
   - Custom keys (i.e. not signed by Microsoft)
   - Requires enrollment in hardware
2. Minimal bootloader (gummiboot/systemd-boot)
3. EFI bundle:
   - Linux kernel
   - initramfs
   - kernel command line
4. DM-Verity partition:
   - DM-Verity root hash set in the kernel command line
   - Forward error correction (FEC) support
   - Read-only uncompressed SquashFS root filesystem
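How a dm-verity hash tree ties every block of the read-only root partition to the single root hash carried on the signed kernel command line, as an added example that is not CLIP OS or cryptsetup code. It mirrors dm-verity's scheme (salted per-block SHA-256, 4 KiB hash blocks, one root hash) but is not byte-compatible with veritysetup output; the sample image, the salt and the verity.roothash= parameter name are constructed for this example.

```python
"""Simplified model of the dm-verity hash tree protecting a read-only root
partition. Added example, not CLIP OS or cryptsetup code: the layout follows
dm-verity's idea (salted block hashes, padded hash blocks, one root hash)
but is not byte-compatible with veritysetup. Sample data is constructed."""
import hashlib

BLOCK = 4096                  # data and hash block size (dm-verity default)
DIGEST = 32                   # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST   # 128 digests fit in one hash block

# Constructed sample: 130 data blocks, so the tree needs two hash levels
SAMPLE_IMAGE = b"".join(bytes([i % 256]) * BLOCK for i in range(130))
SAMPLE_SALT = bytes(range(16))


def _h(salt, data):
    """Salted block hash; dm-verity (format version 1) prepends the salt."""
    return hashlib.sha256(salt + data).digest()


def build_tree(image, salt):
    """Return (levels, root_hash).

    levels[0] holds the hash blocks covering the data blocks, levels[-1]
    is the single top hash block whose hash is the root hash."""
    if len(image) % BLOCK:
        raise ValueError("image is not a whole number of blocks")
    digests = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = []
    while True:
        blocks = []
        for i in range(0, len(digests), PER_BLOCK):
            chunk = b"".join(digests[i:i + PER_BLOCK])
            blocks.append(chunk.ljust(BLOCK, b"\0"))   # zero padding, as dm-verity
        levels.append(blocks)
        digests = [_h(salt, b) for b in blocks]
        if len(blocks) == 1:
            return levels, digests[0]


def verify_block(image, idx, levels, root_hash, salt):
    """Validate data block `idx` against the tree and the trusted root hash,
    the way the kernel checks each block the first time it is read."""
    expected = _h(salt, image[idx * BLOCK:(idx + 1) * BLOCK])
    pos = idx
    for level in levels:
        block = level[pos // PER_BLOCK]
        off = (pos % PER_BLOCK) * DIGEST
        if block[off:off + DIGEST] != expected:
            return False          # stored hash disagrees with what we read
        expected = _h(salt, block)
        pos //= PER_BLOCK
    return expected == root_hash  # top hash block must match the command line


def cmdline_root_hash(cmdline):
    """Pull the root hash out of a kernel command line.
    The parameter name is this example's own, not CLIP OS's."""
    for tok in cmdline.split():
        if tok.startswith("verity.roothash="):
            return tok.split("=", 1)[1]
    return None


def verify_image(image, levels, cmdline, salt):
    """True only if every data block chains up to the command-line root hash."""
    root_hex = cmdline_root_hash(cmdline)
    if root_hex is None:
        return False
    root = bytes.fromhex(root_hex)
    return all(verify_block(image, i, levels, root, salt)
               for i in range(len(image) // BLOCK))


if __name__ == "__main__":
    levels, root = build_tree(SAMPLE_IMAGE, SAMPLE_SALT)
    cmdline = "root=/dev/mapper/root ro verity.roothash=" + root.hex()
    print("intact image verifies:", verify_image(SAMPLE_IMAGE, levels, cmdline, SAMPLE_SALT))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[129 * BLOCK + 7] ^= 1       # flip one bit in the last block
    print("tampered block 129 verifies:",
          verify_block(bytes(tampered), 129, levels, root, SAMPLE_SALT))
```

A single flipped bit in any block breaks the chain at the leaf, while blocks left untouched keep verifying, which is why only the root hash (not the whole tree) needs to live inside the signed EFI bundle.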