Linux Security Overview
-
Upload
kernel-tlv -
Category
Software
-
view
727 -
download
0
Transcript of Linux Security Overview
Linux SecurityYEHONATAN BITTON
outline
introduction Linux security modules = LSM Grsecurity Sandboxing in the kernel
Who am I?
Yehonatan Bitton , Married +2 Security Researcher at BGU
Introduction
What are we protecting? User apps? Kernel modules? The core kernel functionallity?
Linux security modules
Kernel hooks Pluggable - kernel module style It is not intended as a general "hook" or "upcall" mechanism Examples: SElinux , AppArmor, Smack, Yama, … Least privileges
SELinux
Mandatory access control Very complicated Learning mode Just access control Auditing In mainline
GRsecurity
More than access control module RBAC Can be stacked with LSM (not an LSM module) Policy learning and analysis PaX (will be covered later) Improved ASLR Chroot hardening (using containers)
PaX
Least privileges protections for memory pages Executable space protections
PAGEEXEC SEGMEXEC ...
ASLR
PaX Executable space protections
Prevent shellcode/code injection attacks NX-bit (none executable bit, hardware base or emulated where
needed) Restrict mprotect syscall Don't work with java just in time compiler There are exceptions
PaX cont'
PaX - PAGEEXEC
Uses or emulates nx-bit on architectures without hardware support
On IA-32 - uses supervisor bit Using two different TLB's (ITLB, DTLB) we can determine which one
will cause protection fault and inform the kernel, it the fault is from the ITLB than PaX will kill the process otherwise everything will be fine
Pageexec patch overrides the fault handler and checks whether it's results from instruction fetch
Each fault is checked for the user address and if it's with write permissions PaX will terminate the process.
SEGMEXEC
Reduce process VM size to 1.5G The process memory is mirrored Mapping in the upper and lower parts is the same Don't double RAM usage Each execution is checked against the mirror if code is not paged
there PaX will terminate the process
Seccomp
Module for sandboxing in the kernel (no virtualization) Restrict process system calls All child processes inherit the parent restrictions Initially used for cloud computing
A user upload a program and it cannot abuse the server Seccomp v2 supports dynamic policies Each process defines the syscalls which he can use and then
enter seccomp mode On seccomp mode process can add more restrictions
Namespaces
Create multiple processes trees Process from child tree cannot affect parent tree
Ptrace Kill
Each process has multiple PID's one for each nested tree
Namespaces - network mounts
When using clone enter special network flag - CLONE_NEWNET Each process have different set of network interfaces
Result
Communication
Using ssh daemon Create special uds device from the init process and pass it down
to the child trees Using TCP
CGroups
Create separate groups for similar tasks Each group has restrictions
Resource limitation - memory usage Prioritization - cpu share Control - stop, restart,… a group
Each control group is in different namespace In 2007 “container”