Linux Security Overview

Linux Security YEHONATAN BITTON

Transcript of Linux Security Overview

Page 1: Linux Security Overview

Linux Security - Yehonatan Bitton

Page 2: Linux Security Overview

Outline

- Introduction
- Linux security modules (LSM)
- Grsecurity
- Sandboxing in the kernel

Page 3: Linux Security Overview

Who am I?

Yehonatan Bitton, married +2, Security Researcher at BGU

Page 4: Linux Security Overview

Introduction

What are we protecting? User apps? Kernel modules? The core kernel functionality?

Page 5: Linux Security Overview

Linux security modules

- Kernel hooks
- Pluggable, kernel-module style
- It is not intended as a general "hook" or "upcall" mechanism
- Examples: SELinux, AppArmor, Smack, Yama, ...
- Least privileges

Page 6: Linux Security Overview

SELinux

- Mandatory access control
- Very complicated
- Learning mode
- Just access control
- Auditing
- In mainline

Page 7: Linux Security Overview

Grsecurity

- More than an access control module
- RBAC
- Can be stacked with LSM (it is not an LSM module)
- Policy learning and analysis
- PaX (will be covered later)
- Improved ASLR
- Chroot hardening (using containers)

Page 8: Linux Security Overview

PaX

- Least-privilege protections for memory pages
- Executable space protections
  - PAGEEXEC
  - SEGMEXEC
  - ...
- ASLR

Page 9: Linux Security Overview

PaX Executable space protections

- Prevent shellcode/code injection attacks
- NX bit (no-execute bit, hardware based or emulated where needed)
- Restrict the mprotect syscall
- Does not work with the Java just-in-time compiler
- There are exceptions

Page 10: Linux Security Overview

PaX cont'

Page 11: Linux Security Overview

PaX - PAGEEXEC

- Uses or emulates the NX bit on architectures without hardware support
- On IA-32 it uses the supervisor bit. Using the two different TLBs (ITLB, DTLB) we can determine which one will cause a protection fault and inform the kernel; if the fault comes from the ITLB then PaX will kill the process, otherwise everything is fine.
- The PAGEEXEC patch overrides the fault handler and checks whether the fault results from an instruction fetch.
- Each fault is checked for the user address, and if it has write permissions PaX will terminate the process.

Page 12: Linux Security Overview

SEGMEXEC

- Reduces the process VM size to 1.5G
- The process memory is mirrored
- The mapping in the upper and lower parts is the same
- Does not double RAM usage
- Each execution is checked against the mirror; if the code is not paged there, PaX will terminate the process

Page 13: Linux Security Overview

Seccomp

- Module for sandboxing in the kernel (no virtualization)
- Restricts process system calls
- All child processes inherit the parent's restrictions
- Initially used for cloud computing: a user uploads a program and it cannot abuse the server
- Seccomp v2 supports dynamic policies
- Each process defines the syscalls it can use and then enters seccomp mode
- In seccomp mode a process can add more restrictions
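The seccomp behaviour described on this slide, shown in working code; this is an added example, not from the slides. A child process installs a seccomp-bpf filter (via prctl, the seccomp v2 "filter mode") that denies one syscall number and allows the rest, then forks a grandchild. The grandchild inherits the filter and is killed with SIGSYS the moment it invokes the denied syscall, while an allowed syscall runs normally. It assumes Linux on x86_64 or aarch64; the names deny_syscall, seccomp_demo and DEMO_ARCH are this example's own.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a seccomp-bpf filter on the caller: kill on a foreign arch or on syscall deny_nr, allow all else */
static int deny_syscall(unsigned deny_nr) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, deny_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Child installs the filter, then forks a grandchild that makes syscall call_nr.
 * Returns 1 if the grandchild was killed with SIGSYS (filter inherited and enforced), 0 if it ran, -1 on error. */
int seccomp_demo(unsigned deny_nr, long call_nr) {
    int st;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (deny_syscall(deny_nr) != 0) _exit(2);
        pid_t gc = fork();                       /* grandchild inherits the filter */
        if (gc == 0) { syscall(call_nr); _exit(0); }
        if (gc < 0 || waitpid(gc, &st, 0) < 0) _exit(2);
        _exit(WIFSIGNALED(st) && WTERMSIG(st) == SIGSYS ? 1 : 0);
    }
    if (waitpid(child, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 2) return -1;
    return WEXITSTATUS(st);  /* 1 when call_nr is the denied syscall, else 0 */
}
```

Calling seccomp_demo(SYS_getpid, SYS_getpid) returns 1 and seccomp_demo(SYS_getpid, SYS_getppid) returns 0; the filter is installed in a child so the calling process itself is never restricted.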

Page 14: Linux Security Overview

Namespaces

- Create multiple process trees
- A process in a child tree cannot affect the parent tree
  - ptrace
  - kill
- Each process has multiple PIDs, one for each nested tree

Page 15: Linux Security Overview

Namespaces - network mounts

- When using clone, pass the special network flag CLONE_NEWNET
- Each process has a different set of network interfaces

Page 16: Linux Security Overview
Page 17: Linux Security Overview

Result

Page 18: Linux Security Overview

Communication

- Using an ssh daemon
- Create a special uds (Unix domain socket) from the init process and pass it down to the child trees
- Using TCP

Page 19: Linux Security Overview

CGroups

- Create separate groups for similar tasks
- Each group has restrictions:
  - Resource limitation - memory usage
  - Prioritization - CPU share
  - Control - stop, restart, ... a group
- Each control group is in a different namespace
- In 2007: "container"