Hardened kernels for everyone Yves-Alexis Perez Kernel Recipes 2015 corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 1 / 32 Introduction Who am I? Yves-Alexis Perez I Head of hardware and software security lab, ANSSI I platform security (x86 mainly, also ARM) I focus on operating systems and underlying layers (chipset/SoC, PCI Express bus, devices) I Debian developer I maintainer for Xfce desktop environment and strongSwan IKE daemon I security team member I maintainer of unofficial linux-grsec package corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 2 / 32 Introduction Context This talk is not I a detailed list of grsecurity benefits This talk is about I kernel security I kernel hardening I Debian distribution (and derivatives) And especially integration of all these in something suitable for end-users corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 3 / 32 Kernel security The need for kernel security I kernel knows everything (Michaël Kerrisk) I kernel runs CPU in ring0 (supervisor) mode I kernel handles security for userspace: DAC Discretionary access control MAC Mandatory access control Namespace process separation IPsec network traffic encryption dm-crypt disk encryption … corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 4 / 32 Kernel security Kernel security often limited to fixing security bugs Usually: kernel security bug => local privilege escalation I most of the time (see Android rooting) I not always the case Fixing security bugs I preferably before they’re exploited in the wild I sometimes after This is not enough! but still mandatory, obviously corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 5 / 32 Kernel security kernel hardening Active protection against attackers I new marketing term: kernel self protection I protect the kernel from outside (user processes) I reduce kernel attack surface corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 6 / 32 Kernel security Userland security features: Kernels already supports ”security features” I DAC I LSM I Namespaces They’re mostly targeted at userland: I process isolation I user isolation I resource isolation I policy enforcement corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 7 / 32 Kernel security grsecurity Quick reminder I a (large, 6.2M) patch against Linux kernel I security oriented (obviously) I started more than 14 years ago, pioneered multiple techniques I includes multiple parts: PaX protection against memory corruption bugs sometimes called an HIPS1 RBAC Role-based access control (not implemented as LSM) Other Generic hardening (memory, filesystem, network protections) 1Host Intrusion Prevention System corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 8 / 32 Kernel security PaX Major features NOEXEC segmentation or pagination-based implementation of NX bit (before it was available on CPUs) MPROTECT W⊕X at the page level: forbid memory pages available both for write and execute, and completes NOEXEC KERNEXEC kernel equivalent of NOEXEC+MPROTECT; prevents injection and execution of foreign code to the kernel ASLR predates the Linux version (actually predates all version), and still an improvement UDEREF prevents the kernel dereferencing userland pointers, like SMEP/SMAP or PXN/PAN on steroid CONSTIFY constify structure containing only function pointers, using a gcc plugin corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 9 / 32 Kernel security Debian distribution Not much to say here I guess I well known distribution I maintained by volunteers I community-driven I lot of users I lot of derivatives corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 10 / 32 What’s the point? Why? I external patch → hard for end users I not “secure by default” I but no interest from grsecurity in upstreaming things I independence I global approach corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 11 / 32 Attempts The Wheezy days: src:linux featureset Debian 7 Wheezy I kernel based on 3.2 I Ben Hutchings (Debian kernel maintainer) maintains LTS version on kernel.org I Bradley Spengler (grsecurity upstream) also chose 3.2 kernel for grsecurity stable corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 12 / 32 Attempts The Wheezy days: src:linux featureset How src:linux Debian package I maintained in svn I version 3.2, with on top: I stable kernel.org patches (patch-3.2.68) I bug fixes I security fixes I backports I Debian-specific integration I supports featuresets: openVZ, RT What’s a featureset? I additional set of patches I separate options (.config, dependencies etc.) I additional set of binary packages (-image, -headers etc.) corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 13 / 32 Attempts The Wheezy days: src:linux featureset Grsecurity featureset Why a featureset? I easy to include new patches I easy to set different options I easy to add build-dependencies (gcc plugins) I adds a new binary package, not installed by default How to add a grsecurity featureset I stack of quilt patches against src:linux svn tree I maintained in a git repository [1] corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 14 / 32 Attempts The Wheezy days: src:linux featureset grsec-patches repository content 02_force-hostcc-version force HOSTCC to CC gcc plugins have to be built using the host compiler, so we can build i386 on amd64 03_add-grsec-featureset define the grsecurity featureset 04_grsecurity grsecurity patch itself, ported to Debian kernel put into debian/patches/features/all/grsec/ series the quilt series file README explains how to build the packages corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 15 / 32 Attempts The Wheezy days: src:linux featureset Focus on 03_add-grsec-featureset I defines the featureset I adds the grsecurity specific kernel config I adds the grsecurity patch to the featureset series corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 16 / 32 Attempts The Wheezy days: src:linux featureset Build the kernel Procedure: 1. get the linux source package apt-get source linux 2. apply the patches QUILT_PATCHES=../grsec-patches QUILT_PC=.pc-grsec quilt push -a 3. regenerate control files python debian/bin/gencontrol.py 4. build the kernel dpkg-buildpackage -us -uc More details in the README corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 17 / 32 Attempts The Wheezy days: src:linux featureset Status bug report against src:linux package (#605090 [2]) I patches reviewed by Ben Hutchings and Bastian Blank (Debian kernel maintainers) I basically NACK’ed by Bastian Blank I git repository maintained (a bit sporadically) for Wheezy I amd64 and i386 packages available from my repository [3] corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 18 / 32 Attempts The Jessie days: make deb-pkg Debian 8 Jessie Jessie kernel I based on 3.16 I 3.16 EOL on kernel.org LTS work done by Canonical Kernel Team for Ubuntu I no grsecurity support for 3.16 (stable2 is 3.14) I porting to 3.16 not doable outside of grsecurity team Need for a new plan. corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 19 / 32 Attempts The Jessie days: make deb-pkg Mempo’s SameKernel [4] What is it? I part of Mempo project (main goal: Hardened Privacy) I attempt to build the kernel in a verifiable (deterministic and reproducible) way I also includes grsecurity by default Unfortunately I build system really complex I lot of wrappers I eventually calling the deprecated make-kpkg corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 20 / 32 Attempts The Jessie days: make deb-pkg Use kernel makefile make deb-pkg I simple target of linux Makefile I generates binary Debian packages from the current tree I exists for other distributions as well (rpm-pkg, binrpm-pkg, tar-pkg etc.) How can we use it? 1. get the kernel sources from git 2. patch them with grsecurity 3. add a .config 4. run make deb-pkg Easy enough to do a little shell script for that corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 21 / 32 Attempts The Jessie days: make deb-pkg New repository debian-grsec-config [5] I completely different work than the featureset I only based on upstream/kernel.org work I mostly distribution independent repository content bin/ various scripts configs/ reference configs patches/ additional patches to make my life easier README self-explanatory (read it!) corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 22 / 32 Attempts The Jessie days: make deb-pkg repository details bin/ get-grsec runs from a local linux git clone I gets the latest grsec patch I creates a local branch I applies patch to it kconfig I taken from Debian linux source package I used to merge to KConfig files I useful to keep grsecurity specific config separate corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 23 / 32 Attempts The Jessie days: make deb-pkg repository details configs/ Various config files: I Debian references config-3.14-2-686-pae, config-4.1.0-1-amd64 ... I generic hardening options I grsecurity specific options Merged with kconfig script to produce a config file for the build corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 24 / 32 Attempts The Jessie days: make deb-pkg repository details patches/ Various patches against linux source tree, Debian specific I only touch packaging I scripts/package/builddeb I scripts/package/Makefile I add support for generating a source package I add architecture name to the .changes filename I included in 4.3-rc1 Targeted at enterprise local distributors I easier integration into Debian-like infrastructures I easy upload to local mirrors corsac⊕corsac.net Hardened kernels Kernel Recipes 2015 25 / 32 Attempts The Jessie days: make deb-pkg Results Dead easy procedure 1. get the last patch and apply it get-grsec.sh stable2 2. (regenerate the config file) kconfig.py .config ../config-3.14-2-amd64 ../hardening ../grsec 3. build the kernel make deb-pkg 4.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages37 Page
-
File Size-