Kernel Runtime Security Instrumentation Process Is Executed

Kernel Runtime Security Instrumentation (KRSI)
KP Singh, Linux Plumbers Conference

Motivation

Security today is built from signals and mitigations. Signal sources: Audit, SELinux and AppArmor (LSMs), Perf, seccomp. Signals correlate with maliciousness but do not imply it; a mitigation is the "It's bad, stop it!" response layered on top of them.

Adding a new signal means touching several components. Example: update Audit (user and kernel side) to log environment variables, then update the mitigation logic to catch a malicious actor with a known LD_PRELOAD signature.

Signals
● A process that executes and deletes its own executable.
● A kernel module that loads and "hides" itself.
● "Suspicious" environment variables.

Mitigations
● Prevent mounting of USB drives on servers.
● Dynamic whitelist of known kernel modules.
● Prevent known vulnerable binaries from running.

How does it work? Why LSM?
● Hooks map to security behaviours rather than to the API.
● Behaviour is easy to miss when instrumenting syscalls (e.g. execve, execveat).
● The LSM ecosystem benefits by incorporating feedback from the security community.

Run my code when a process is executed
KRSI exposes each hook as a securityfs file, here /sys/kernel/security/krsi/process_execution, which is backed by the LSM hook bprm_check_security (called when a process is executed). The sequence:
1. open the securityfs file with O_RDWR to obtain securityfs_fd.
2. bpf(BPF_PROG_LOAD) with my_bpf_prog.o to obtain prog_fd.
3. bpf(BPF_PROG_ATTACH) with prog_fd and securityfs_fd as the target.
KRSI's hook sits alongside the other LSM hooks.

Tying it all together
● Kernel space: KRSI security hooks (process_execution, socket_creation, mount, ...); the attached eBPF programs output events to a buffer.
● User space: a daemon/agent loads the eBPF programs and attaches them to the LSM hooks, then reads events from the buffer and processes them further.

Key design principles
● Keep the helpers precise and granular.
● No access to kernel data structures from eBPF, to maintain backward compatibility.
● Use the perf ring buffer for output: it is fast, eBPF can already use it (bpf_perf_event_output), and it is per-CPU, which also fixes the memory usage. Data path: KRSI eBPF program -> bpf_perf_event_output -> perf ring buffer -> userspace.

eBPF helper design choices
● krsi_get_env_vars(): returns all the environment variables. Higher coverage at the expense of significant overhead.
● krsi_get_env_var(const char *): returns the value of a single environment variable. Carefully choose the variables to be audited; less overhead.

Reading the environment can cause the code to sleep (as a result of a page fault), but eBPF programs cannot sleep (yet...). Two options for precomputation in the LSM hook:
● Pin the pages in the LSM hook and make them available to the helper's context.
● Selectively precompute only when an attached program calls the context-dependent helper.
Neither is needed if eBPF programs are allowed to sleep (discussions are on).
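The slides describe the userspace half only as "reads events from the buffer and processes them further". The following C program is an added example, not code from the slides or from KRSI, of that processing step: it takes an exec event carrying the environment block as the kernel holds it at bprm_check_security time (a run of "KEY=VALUE" strings, each NUL-terminated), looks up one variable the way krsi_get_env_var(const char *) does and walks all of them the way krsi_get_env_vars() does, so the cost difference between the two helpers is visible, and combines that with the deleted-executable signal from the signals slide. struct exec_event, the function names, the " (deleted)" suffix check via /proc/PID/exe and the sample event are assumptions of this example. Note also that the securityfs attach path and the krsi_get_env_var helpers on the slides belong to this proposal; the version merged upstream as BPF LSM (Linux 5.7) attaches BPF_PROG_TYPE_LSM programs through bpf_link and does not ship these helpers.

```c
/* Added example (not KRSI's own code): the userspace daemon side of the
 * pipeline on the slides, applying the signal logic to one exec event.
 * struct exec_event, the helper names and the sample data are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What an eBPF program on bprm_check_security could emit through
 * bpf_perf_event_output: the environment as the kernel sees it at exec time,
 * a block of "KEY=VALUE" strings, each terminated by a NUL byte. */
struct exec_event {
    unsigned int pid;
    const char *filename;   /* path passed to execve */
    const char *env;        /* NUL-separated environment block */
    size_t env_len;         /* length of the block including the final NUL */
};

/* Length of the entry starting at p, bounded by what is left of the block. */
static size_t entry_len(const char *p, size_t remaining)
{
    const char *nul = memchr(p, '\0', remaining);
    return nul ? (size_t)(nul - p) : remaining;
}

/* Same contract as krsi_get_env_var(const char *): one pass over the block,
 * stop at the first exact "NAME=" match, return the value or NULL. */
const char *env_lookup(const char *env, size_t env_len, const char *name)
{
    size_t nlen = strlen(name);
    for (size_t off = 0; off < env_len; ) {
        const char *entry = env + off;
        size_t elen = entry_len(entry, env_len - off);
        if (elen > nlen && memcmp(entry, name, nlen) == 0 && entry[nlen] == '=')
            return entry + nlen + 1;
        off += elen + 1;
    }
    return NULL;
}

/* Same coverage as krsi_get_env_vars(): visit every entry. Here we only
 * count them, but the work is proportional to the whole block either way. */
size_t env_count(const char *env, size_t env_len)
{
    size_t n = 0;
    for (size_t off = 0; off < env_len; ) {
        size_t elen = entry_len(env + off, env_len - off);
        if (elen)
            n++;
        off += elen + 1;
    }
    return n;
}

/* Signal from the slides: a process whose executable has been deleted.
 * On Linux, readlink() of /proc/PID/exe then ends in " (deleted)". */
bool exe_is_deleted(const char *exe_link)
{
    static const char suffix[] = " (deleted)";
    size_t l = strlen(exe_link), s = sizeof(suffix) - 1;
    return l >= s && memcmp(exe_link + (l - s), suffix, s) == 0;
}

enum { SIG_NONE = 0, SIG_LD_PRELOAD = 1, SIG_DELETED_EXE = 2 };

/* Combine the signals for one event; the caller decides on the mitigation. */
int classify(const struct exec_event *ev, const char *exe_link)
{
    int sig = SIG_NONE;
    const char *preload = env_lookup(ev->env, ev->env_len, "LD_PRELOAD");
    if (preload && *preload)
        sig |= SIG_LD_PRELOAD;
    if (exe_is_deleted(exe_link))
        sig |= SIG_DELETED_EXE;
    return sig;
}

/* Constructed sample event, standing in for a record read from the buffer. */
const char sample_env[] = "PATH=/usr/bin\0HOME=/root\0LD_PRELOAD=/dev/shm/hook.so\0";
const size_t sample_env_len = sizeof(sample_env) - 1;

int main(void)
{
    struct exec_event ev = { 4242, "/usr/bin/curl", sample_env, sample_env_len };
    int sig = classify(&ev, "/usr/bin/curl (deleted)");
    printf("pid %u %s: %d env vars, signals=%d%s%s\n", ev.pid, ev.filename,
           (int)env_count(ev.env, ev.env_len), sig,
           (sig & SIG_LD_PRELOAD) ? " LD_PRELOAD" : "",
           (sig & SIG_DELETED_EXE) ? " deleted-exe" : "");
    return 0;
}
```

The lookup stops as soon as the requested name matches, while the count has to touch every byte of the block; on a real exec the block can be tens of kilobytes, which is the overhead the slides weigh against the coverage of krsi_get_env_vars(). The name comparison insists on the '=' right after the name so that a prefix such as "HOM" never matches "HOME=".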

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    15 Page