James Morris · james.l.morris@oracle · 2017-12-14
Introduction
Who am I?
● Kernel security subsystem maintainer
– Started kernel development w/ FreeS/WAN in 1999
– which led to Netfilter, SELinux, LSM, Crypto…
– @xjamesmorris
● Linux since 1993
– APANA public networking
– BBS’s prior to that
– Amateur radio (vk2txp)
● Mainline Linux kernel development @ Oracle
Outline
● Overview of Linux kernel security
● Developments in 4.x kernel
● Current and future challenges
Linux Kernel Security Overview
Linux kernel core security model is Discretionary Access Control (DAC)
DAC was inherited from Unix, designed in the late 1960s
“The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes.”
Dennis Ritchie, “On the Security of UNIX”, 1979
DAC is insufficient for modern security threats:
● DAC does not protect against flawed or malicious code
● DAC does not cover all security critical functions
● DAC notion of superuser violates user security policy
“It must be recognized that the mere notion of a super-user is a theoretical, and usually practical, blemish on any protection scheme.”
(also from Ritchie 1979)
Linux Kernel Security Extensions
● Posix ACLs
● Capabilities (privileges)
● Audit
● seccomp
● Namespaces
● Netfilter
– IPTables
● Cryptography API
– Disk encryption
– IPSec
– Key Management (“keys”)
● Linux Security Modules (LSM)
– SELinux
– Smack
– AppArmor
SELinux, Smack, AppArmor provide Mandatory Access Control (MAC)
Platform Security
● TPM, NX, SMEP, SGX, TrustZone etc.
Kernel Self Protection (KSP):
● Harden kernel against attack
● Kill classes of bugs vs. individual bugs
Kernel Self Protection Project:
● Current focus is upstreaming grsec/pax features
● Website: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
Recent Changes
● Linux v4.0 (April 2015) to v4.8 (current)
Capabilities
● Ambient capabilities (v4.3)
– Allows inheritance of capabilities from non-privileged parent processes.
– … instead of assigning fs capabilities to the binary, which will then always run with them.
– Do not need to give all capabilities to script interpreters.
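As an added example (not from the slides), the ambient-set mechanism in C: a process that already holds a capability in its permitted set makes it inheritable, raises it into the ambient set, and then executes an ordinary interpreter, which keeps the capability without any file capability on its binary. It assumes a Linux v4.3 or later kernel and headers; CAP_NET_BIND_SERVICE is chosen only for illustration.

```c
/* Added example (not from the slides): raise a capability into the ambient
 * set (Linux v4.3+) so an unprivileged child, e.g. a script interpreter with
 * no file capabilities, keeps it across execve(). Rule shown: the capability
 * must already be in both the permitted and inheritable sets, else EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#ifndef PR_CAP_AMBIENT          /* fallback values from the kernel's prctl.h */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* 1 if cap is in the ambient set, 0 if not, -1 on error (bad cap, old kernel). */
int cap_ambient_is_set(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL);
}

/* Add cap to the inheritable set (allowed when cap is in our permitted set),
 * then raise it into the ambient set. Returns 0 or an errno value. */
int raise_ambient(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };

    if (cap < 0 || cap > CAP_LAST_CAP)
        return EINVAL;
    if (syscall(SYS_capget, &hdr, data) < 0)
        return errno;
    if (!(data[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)))
        return EPERM;   /* not in permitted: the kernel would refuse the raise */
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return errno;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL) < 0)
        return errno;
    return 0;
}

int main(void)
{
    int rc = raise_ambient(CAP_NET_BIND_SERVICE);
    if (rc != 0) {
        fprintf(stderr, "raise to ambient failed: %s\n", strerror(rc));
        return 1;
    }
    /* /bin/sh has no file caps; its CapAmb/CapEff show bit 10 (NET_BIND_SERVICE). */
    execl("/bin/sh", "sh", "-c", "grep ^Cap /proc/self/status", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it once as a user who does not hold CAP_NET_BIND_SERVICE and once from a shell that does (e.g. via a file-capability wrapper); only the second succeeds, because the ambient set can never add privilege the parent did not already hold.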
LSM API
● Generalized security module stacking (v4.2)– Simple manual stacking previously allowed
– Now: any number of smaller LSMs can be stacked on top of a major (“monolithic”) LSM
– e.g. SELinux + YAMA + Capabilities, but not SELinux + TOMOYO + AppArmor.
● New LoadPin module, ensures kernel modules & firmware are loaded from a trusted device (dm-verity) (v4.7)
Networking
● CALIPSO IPv6 Labeling (v4.8)
– RFC 5570
– Security labels in IP option
– IPv6 version of CIPSO
– Usable by label MAC (SELinux, Smack)
– Verified interop with Solaris TX
AppArmor
● Kernel work focused on AA 3.0 cycle
● Upcoming (v4.10-v4.11)
– Policy namespaces
– Policy stacking
– Integration with containers
SELinux
● Android Binder IPC support (v4.0)
● Full Netlink coverage (v4.1)
● Performance improvements (v4.1)
● Fine grained ioctl coverage (v4.3)
● Export validatetrans decisions to userspace (v4.6)
● Restrict kernel module loading (v4.7)
● CALIPSO support (v4.8)
● Upcoming: Overlayfs support (v4.9)
Smack
● Netfilter secmark support (v4.0)
● Allow unconfined label in bringup mode (v4.1)
● Obtain security context of keys (v4.1)
● Multiple label MAC bypass via onlycap (v4.2)
● IPv6 host labeling (v4.3)
● Limited dynamic process labels (v4.4)
● Process-based permission checking for sockets (v4.5)
Integrity Subsystem
● Integration of TPM 2.0 authorization policies with kernel keys, allow hash algorithm selection (v4.5)
● EVM support for x.509 kernel certificates (v4.5)
● Measurement & appraisal of IMA policy (v4.6)
● Support for kexec image & initramfs (v4.6)
● Support for mknodat syscall (v4.7)
● Per-rule specification of PCRs (v4.8)
● Upcoming: extend measurement to command line, BPF etc., fine grained signatures, directory measurement, namespacing.
Platform Security
● TPM 2.0 chip support (v4.0)
● Intel Memory Protection Keys (v4.6)
● Upcoming:
– Sparc: SSM (Silicon Secured Memory)
– AMD: SME, SEV (memory encryption)
– Intel: CET (Control-flow Enforcement Technology)
Audit
● Add support for auditing by executable file, rather than just PID (v4.3)
● Add ioctl device and command info to LSM audit data (v4.3)
● Add tty field to Login event (v4.7)
Seccomp
● ptrace options for suspend/resume (v4.3)
● powerpc and tile support (v4.3)
● Dump seccomp filters via ptrace (v4.4)
● um and parisc support (v4.5)
● Remove 2-phase API (v4.8)
● ptrace before seccomp (v4.8)
● Maybe upcoming: deep argument inspection
Keys
● Support for kernel module signing (v4.3)
– Explicit file for x.509 trusted keys
– Sign modules with external key
● Support for TPM 2.0 (v4.5)
● Userspace access to DH computation using stored keys (v4.7)
● Encrypt big keys saved to shm (v4.7)
● Key blacklisting and rejection (v4.7)
● Runtime addition of secondary system key (v4.7)
● Upcoming: key revocation
Crypto API Users
● ext4 filesystem encryption (v4.1)
● Kernel module signing (v4.3)
● MACsec/IEEE 802.1AE (v4.6)
● Migrate ext4 to vfs crypto API (v4.8)
● Upcoming: btrfs encryption
Kernel Self Protection
● Kernel Address Sanitizer (KASan) (v4.0)
– SLAB support (v4.6)
● Always enable RODATA checking (v4.6)
● KASLR for ARM64 (v4.6), MIPS (v4.7)
● Page zero-poisoning (v4.6)
● X86 execute-only memory (v4.6)
● SLAB freelist randomization (v4.7)
● BPF JIT constant blinding (v4.7)
KSP (cont.)
● Freelist randomization for SLUB (v4.8)
● KASLR:
– Full physical memory on x86_64 (v4.8)
– Kernel memory base on x86_64 (v4.8)
● gcc plugin infrastructure (v4.8)
● Hardened usercopy (v4.8)
KSP (cont.)
● Predictions for v4.9 from Kees Cook
– latent_entropy gcc plugin
– vmalloc stack on x86
– List hardening
– PAN emulation for arm64
● For more detail:
– https://outflux.net/blog/ (Kees’ blog)
Future Challenges
● IoT
● KSP arms race
– Need more original research in mainline!
● Evolving threat models
● Security architecture vs. features
Resources
● Linux Security Module mailing list
– http://vger.kernel.org/vger-lists.html#linux-security-module
● Linux Security Summit (Aug 2016, Toronto)
– http://events.linuxfoundation.org/events/linux-security-summit/program/slides
● Kernel Self Protection Project
– http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
● LWN Security
– http://lwn.net/Security