https://www.patreon.com/p_lkrg UNDER THE HOOD Adam “pi3” Zabrocki Private contact: http://www.openwall.com/lkrg http://pi3.com.pl Twitter: @Openwall [email protected] Twitter: @Adam_pi3 /USR/BIN/WHOAMI • Adam ‘pi3’ Zabrocki 2 /USR/BIN/WHOAMI • Adam ‘pi3’ Zabrocki • Microsoft (currently) • European Organization for Nuclear Research (CERN) • Hispasec Sistemas • Wroclaw Centre for Networking and Supercomputing • Cigital 3 /USR/BIN/WHOAMI • Adam ‘pi3’ Zabrocki • Microsoft (currently) • European Organization for Nuclear Research (CERN) • Hispasec Sistemas • Wroclaw Centre for Networking and Supercomputing • Cigital • Bughunting (Hyper-V, OpenSSH, gcc SSP/ProPolice, Apache, xpdf, more…) – CVE numbers • Phrack magazine (Scraps of notes on remote stack overflow exploitation) • The ERESI Reverse Engineering Software Interface 4 ACKNOWLEDGMENT Alexander Peslyak (Александр Песляк) a.k.a. Solar Designer 5 ACKNOWLEDGMENT Alexander Peslyak (Александр Песляк) a.k.a. Solar Designer Special thanks to the following people for the constructive criticism and brainstorming in the past stages of the project development: • Rafał “n3rgal” Wojtczuk • Brad “spender” Spengler • PaX Team… I mean “pipacs” 6 TABLE OF CONTENTS What is LKRG? Threat model Exploit Detection (ED) Limitations DEMO Runtime Code Integrity (CI) Communication channel Performance impact LKRG in ring -1 (why not – yet) ? Future Questions / Discussion… 7 WHAT IS LKRG? LKRG – Linux Kernel Runtime Guard (self-explanatory ;p) 8 WHAT IS LKRG? LKRG – Linux Kernel Runtime Guard (self-explanatory ;p) Open Source project under GPLv2 License 9 WHAT IS LKRG? LKRG – Linux Kernel Runtime Guard (self-explanatory ;p) Open Source project under GPLv2 License Ability to hide/limit access to the critical resources LKRG (like process / file / logs) from the unauthorized admin (root) account Experimental Main branch branch Runtime Exploit Detection Protected Features Code Integrity (CI) (ED) (PF) Detects (for now) Prevents kernel 10 unsupported modifications of exploitation process the (not only) Linux kernel THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain 2. Attacking kernel via kernel vulnerabilities 3. Persistence of the attack e.g. kernel backdoors 11 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities 3. Persistence of the attack e.g. kernel backdoors 12 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors 13 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 14 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 4. [*Experimental branch] Attacking user mode client: a. Attacking user mode process in running state b. Attacking user mode file on disk c. Attacking user mode process via raw memory access d. Attacking user mode file via raw disk access e. Intermediate attack for user mode process via attacking dependent code (e.g. shared libraries) 15 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 4. [*Experimental branch] Attacking user mode client: a. Attacking user mode process in running state <- Protected Process b. Attacking user mode file on disk c. Attacking user mode process via raw memory access d. Attacking user mode file via raw disk access e. Intermediate attack for user mode process via attacking dependent code (e.g. shared libraries) 16 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 4. [*Experimental branch] Attacking user mode client: a. Attacking user mode process in running state <- Protected Process b. Attacking user mode file on disk <- Protected File c. Attacking user mode process via raw memory access d. Attacking user mode file via raw disk access e. Intermediate attack for user mode process via attacking dependent code (e.g. shared libraries) 17 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 4. [*Experimental branch] Attacking user mode client: a. Attacking user mode process in running state <- Protected Process b. Attacking user mode file on disk <- Protected File c. Attacking user mode process via raw memory access Virtually extended d. Attacking user mode file via raw disk access CAP_SYS_RAWIO e. Intermediate attack for user mode process via attacking dependent code (e.g. shared libraries) 18 THREAT MODEL The following main attacking scenarios (buckets) can be described: 1. Attacking kernel from the boot chain <- currently out-of-scope 2. Attacking kernel via kernel vulnerabilities <- Exploit Detection 3. Persistence of the attack e.g. kernel backdoors <- Code Integrity 4. [*Experimental branch] Attacking user mode client: a. Attacking user mode process in running state <- Protected Process b. Attacking user mode file on disk <- Protected File c. Attacking user mode process via raw memory access Virtually extended d. Attacking user mode file via raw disk access CAP_SYS_RAWIO e. Intermediate attack for user mode process via attacking dependent code (e.g. shared libraries) <- static binary + Protected File 19 EXPLOIT DETECTION The aim of it is to detect kernel exploitation process by detecting specific data corruption in the kernel. 20 EXPLOIT DETECTION The aim of it is to detect kernel exploitation process by detecting specific data corruption in the kernel. Current version of the feature maintains its own task list in the system and independently tracks critical attributes, including: pointer value of the 'task_struct' itself pid value name of the process pointer value of the 'cred' structure pointer value of the 'real_cred' structure UID / GID / EUID / EGID / SUID / SGID / FSUID / FSGID SECCOMP: TIF_SECCOMP flag SECCOMP_FILTER_FLAG_TSYNC flag mode filters 21 EXPLOIT DETECTION The aim of it is to detect kernel exploitation process by detecting specific data corruption in the kernel. Current version of the feature maintains its own task list in the system and independently tracks critical attributes, including: pointer value of the 'task_struct' itself pid value name of the process pointer value of the 'cred' structure Token/pointer swap attacks pointer value of the 'real_cred' structure (illegal commit_creds()) UID / GID / EUID / EGID / SUID / SGID / FSUID / FSGID SECCOMP: TIF_SECCOMP flag SECCOMP_FILTER_FLAG_TSYNC flag mode filters 22 EXPLOIT DETECTION The aim of it is to detect kernel exploitation process by detecting specific data corruption in the kernel. Current version of the feature maintains its own task list in the system and independently tracks critical attributes, including: pointer value of the 'task_struct' itself pid value name of the process pointer value of the 'cred' structure Token/pointer swap attacks pointer value of the 'real_cred' structure (illegal commit_creds()) UID / GID / EUID / EGID / SUID / SGID / FSUID / FSGID Credential overwrite SECCOMP: TIF_SECCOMP flag SECCOMP_FILTER_FLAG_TSYNC flag mode filters 23 EXPLOIT DETECTION The aim of it is to detect kernel exploitation process by detecting specific data corruption in the kernel. Current version of the feature maintains its own task list in the system and independently tracks critical attributes, including: pointer value of the 'task_struct' itself pid value name of the process pointer value of the 'cred' structure Token/pointer swap attacks pointer value of the 'real_cred' structure (illegal commit_creds()) UID / GID / EUID / EGID / SUID / SGID / FSUID / FSGID Credential overwrite SECCOMP: TIF_SECCOMP flag SECCOMP_FILTER_FLAG_TSYNC flag Seccomp based mode sandbox escape filters 24 EXPLOIT DETECTION Additionally, LKRG is guarding the following SELinux variables: selinux_enabled selinux_enforcing 25 EXPLOIT DETECTION Additionally, LKRG is guarding the following SELinux variables: selinux_enabled selinux_enforcing The following values are also tracked but currently not used (but will be): securebits cap_inheritable cap_permitted cap_effective cap_bset cap_ambient pointer value of the real user ID subscription pointer value of the user namespace 26 EXPLOIT DETECTION Additionally, LKRG is guarding the following SELinux variables: selinux_enabled