System Integrity Sartakov A. Vasily Summer Systems School’12


The lecture by Sartakov A. Vasily for Summer Systems School'12. Brief introduction to System Integrity. SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security. 1. http://ksyslabs.org/


Page 1: System Integrity

System Integrity

Sartakov A. Vasily, Summer Systems School'12

Page 2: System Integrity

Software Hardening Methods

Compile-time:
* Canaries

Run time:
* Process virtualization (Dalvik, Java VM)
* System virtualization (KVM, Xen, L4)
* OS (Linux kernel enhancements)
* HW support (MMU, TrustZone)

Page 3: System Integrity

1. Compile-time software hardening
   1.1 Memory corruption mitigation methods
2. Linux operating system extensions
   2.1 Container-based OS virtualization
   2.2 Linux security modules
   2.3 Grsecurity
3. Process virtualization and sandboxing
   3.1 Byte-code translation
   3.2 Sandboxing untrusted native code
4. System virtualization
   4.1 Hardware recruitment
   4.2 VMs and VMMs
   4.3 Use cases

Page 4: System Integrity

1. Compile-time Software Hardening

Memory Corruption Mitigation Methods:

* Code injection
* Arc injection
* Pointer subterfuge
* Format string attacks and arithmetic overflows

Page 5: System Integrity

#include <stdlib.h>
#include <string.h>

void f1a(void *arg, size_t len)
{
    char buff[100];                 /* fixed-size stack buffer */
    memcpy(buff, arg, len);         /* buffer overrun if len > 100 */
    /* ... */
    return;
}

void f1b(void *arg, size_t len)
{
    char *ptr = malloc(100);        /* fixed-size heap buffer */
    if (ptr == NULL)
        return;
    memcpy(ptr, arg, len);          /* buffer overrun if len > 100 */
    /* ... */
    return;
}

Code Injection

Page 6: System Integrity

StackGuard, ProPolice (compiler-inserted stack canaries)
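An added example for slides 5 and 6 (written for this page, not the lecturer's code): a guard word placed right after a fixed-size buffer stands in for the canary that StackGuard/ProPolice insert between local buffers and the saved return address, so the unchecked copy from f1a() can be seen to clobber it, while the bounded copy refuses oversize input. The CANARY_VALUE constant and the struct layout are constructed for the demo; the overrun is confined to one struct so the program stays well-defined C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 100
#define CANARY_VALUE 0x5A3C0FF1u  /* constructed; a real canary is random per process */

/* Buffer with a guard word right after it, the way StackGuard/ProPolice put a
 * canary between local buffers and the saved return address. */
struct guarded {
    char buf[BUF_SIZE];
    uint32_t canary;
};

/* Mirrors f1a() from the slide: no bounds check. The copy is addressed to the
 * whole struct (same address as buf) so the overrun stays inside one object
 * and the demo is well-defined C; only the canary can be clobbered here. */
static void unchecked_copy(struct guarded *g, const void *arg, size_t len)
{
    memcpy((unsigned char *)g, arg, len);   /* overruns buf when len > BUF_SIZE */
}

/* The bounds check the slide's comment asks for: refuse instead of overrun. */
static int checked_copy(struct guarded *g, const void *arg, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(g->buf, arg, len);
    return 0;
}

/* Copy 'len' constructed bytes and report whether the guard word survived,
 * which is exactly what the canary check in a function epilogue decides. */
static bool guard_survives(size_t len, bool use_checked)
{
    unsigned char input[sizeof(struct guarded)];
    struct guarded g;
    if (len > sizeof input)
        return false;                       /* keep the demo inside the object */
    memset(input, 'A', sizeof input);
    g.canary = CANARY_VALUE;                /* "prologue": arm the guard */
    if (use_checked)
        checked_copy(&g, input, len);       /* oversize request is refused */
    else
        unchecked_copy(&g, input, len);
    return g.canary == CANARY_VALUE;        /* "epilogue": verify the guard */
}
```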

Page 7: System Integrity

Pointer Subterfuge

#include <string.h>

void SomeFunc(void)
{
    // do something
}

typedef void (*FUNC_PTR)(void);

int DangerousFunc(char *szString)
{
    char buf[32];
    strcpy(buf, szString);              // unbounded copy: overruns buf if szString is 32 chars or longer
    FUNC_PTR fp = (FUNC_PTR)(&SomeFunc);
    // Other code
    // Other code
    (*fp)();                            // indirect call through a pointer stored next to the overrun buffer
    return 0;
}


Windows pointer-encoding APIs:
* EncodePointer
* DecodePointer
* EncodeSystemPointer
* DecodeSystemPointer
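An added example for this slide (not the lecturer's code and not the Windows implementation): a hand-written, PointGuard-style encoding of the function pointer that DangerousFunc stores next to its buffer, the same idea behind EncodePointer/DecodePointer. The g_ptr_key secret is a constructed constant here; the encode/decode round trip is checked by calling SomeFunc, and a value written over the stored slot is shown to decode to something other than what was written.

```c
#include <stdbool.h>
#include <stdint.h>

typedef void (*FUNC_PTR)(void);
/* Constructed secret for the demo. A real implementation draws it per process
 * at start-up (PointGuard: a random key; Windows: the cookie behind
 * EncodePointer) and keeps it away from attacker-writable memory. */
static const uintptr_t g_ptr_key = (uintptr_t)0x9E3779B97F4A7C15ull;

#define PTR_BITS ((unsigned)(sizeof(uintptr_t) * 8))
#define ROT      ((unsigned)(g_ptr_key & 0x3f) % PTR_BITS)   /* key-derived rotate amount */

static uintptr_t rotl(uintptr_t v, unsigned n)
{
    n %= PTR_BITS;
    return n ? (v << n) | (v >> (PTR_BITS - n)) : v;
}

/* Store the pointer XORed with the key and rotated, so the value sitting in
 * memory reveals nothing about the real target. */
static uintptr_t encode_ptr(FUNC_PTR fp)
{
    return rotl((uintptr_t)fp ^ g_ptr_key, ROT);
}

/* Inverse of encode_ptr (rotate right == rotate left by the complement). */
static FUNC_PTR decode_ptr(uintptr_t enc)
{
    return (FUNC_PTR)(rotl(enc, PTR_BITS - ROT) ^ g_ptr_key);
}

static int g_calls;                         /* shows the decoded pointer still works */
static void SomeFunc(void) { g_calls++; }

/* Legitimate path: encode on store, decode on use, which is what the slide's
 * DangerousFunc would do with fp. True when the call reaches SomeFunc. */
static bool roundtrip_works(void)
{
    uintptr_t stored = encode_ptr(SomeFunc);
    int before = g_calls;
    decode_ptr(stored)();
    return g_calls == before + 1;
}

/* Effect on a corrupted slot: a value written over the stored pointer without
 * the key decodes to something else. Integers only; nothing is called. */
static bool overwrite_is_scrambled(uintptr_t written)
{
    return (uintptr_t)decode_ptr(written) != written;
}
```

Converting between uintptr_t and a function pointer is implementation-defined in ISO C but behaves as expected on the usual Linux and Windows toolchains.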

Page 8: System Integrity

Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. PointGuard(TM): protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium, Volume 12, pages 7–7, Berkeley, CA, USA, 2003. USENIX Association.

Jonathan Pincus and Brandon Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2:20–27, July 2004.

Hovav Shacham, Erik Buchanan, Ryan Roemer, and Stefan Savage. "Return-Oriented Programming: Exploits Without Code Injection". Retrieved 2009-08-12.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323c

Format String Attacks and Arithmetic Overflows

Page 9: System Integrity

2. Linux operating system extensions

2.1 Container-based OS virtualisation: Linux-VServer, Virtuozzo and OpenVZ, Linux Containers

2.2 Linux security modules: SELinux, AppArmor, Smack, TOMOYO Linux

2.3 Grsecurity: PaX, role-based access control

Page 10: System Integrity

Linux-VServer, Virtuozzo, OpenVZ, LXC (Linux Container Tools)

The core concept of container-based operating system virtualization is to run completely isolated virtual servers sharing the same kernel. Compared to system virtualization, this reduces the required memory for additional kernels on the one hand but at the same time it might increase the vulnerability of the system. If an attacker gains full access to the kernel all virtual servers are compromised. System Virtualization would offer an additional level of isolation and therefore more security in this case.

2.1 Container-based OS virtualisation

Page 11: System Integrity

Linux-VServer

The system provides a Shared OS Image consisting of a root file system and a set of system libraries and executables. This Shared OS Image together with a privileged host VM builds the Hosting Platform.

Mechanisms:
* Security contexts
* Segmented routing
* Chroot
* Extended quotas
* Further standard tools

Use cases:
* High-performance computing (HPC) clusters
* The Grid
* Distributed hosting organizations like PlanetLab and Amazon EC2

The Host kernel should be patched

Start/Stop/Resume

Page 12: System Integrity

Virtuozzo and OpenVZ

OpenVZ is operating system virtualization based on the Linux kernel. It is very similar to Linux-VServer. Like Linux-VServer it requires a patched Linux kernel; here likewise Debian ships prebuilt kernel images. Unfortunately, the patches are not provided for each Linux kernel release. OpenVZ is the basis for Parallels Virtuozzo Containers, which is a commercial product by Parallels. Usage scenarios and evaluation are basically the same as for the Linux-VServer project.

Page 13: System Integrity

Linux Containers (LXC)

* Namespace isolation
  * PID namespace
  * Network namespace
  * UTS namespace (hostname)
  * Mount namespace
  * IPC namespace
* Linux kernel control groups (cgroups)
  * Control (restart, freeze, etc.)
  * Resource limiting (memory)
  * Prioritization (CPU, I/O)
  * Accounting

The best solution for lightweight isolation of Linux processes without much inter-process communication.

Page 14: System Integrity

Terminology 1. Access control models

* Discretionary access control

* Mandatory access control

* Role-based access control

Subject -- Object

Page 15: System Integrity

2.2 Linux security modules

The Linux Security Modules (LSM) framework is part of the Linux Kernel. It provides lightweight, general support for access control by allowing modules to define security hooks:

* Task hooks
* Program loading hooks
* IPC hooks
* Filesystem hooks
* Network hooks
* Module hooks (e.g. module initialization)
* System hooks (e.g. hostname setting)

Modules built on LSM:
* AppArmor
* SELinux
* Smack
* TOMOYO Linux

Page 16: System Integrity

Security-Enhanced Linux

MAC (mandatory access control); part of the Linux kernel

Page 17: System Integrity

Smack

Smack is the abbreviation for Simplified Mandatory Access Control Kernel for Linux. It is part of the MeeGo Security Architecture, but not exclusively dedicated to it. As the name already suggests, Smack provides Mandatory Access Control in a simpler way than e.g. SELinux. The author states that simplicity is the primary design goal of Smack. Like AppArmor, Smack requires extended file attributes. There it stores labels for files, which must match the labels associated with processes to grant access. Additionally, special rules can be added for file labels and process labels that do not match.

TOMOYO Linux

TOMOYO Linux is another pathname-based access control system for Linux. It also implements Mandatory Access Control, but additionally it is stated to be useful as a pure system analysis tool. Like e.g. AppArmor, TOMOYO Linux also provides tools for automatic policy generation, and it is designed to be easy to use with a simple syntax for policies.

AppArmor

AppArmor is an alternative to SELinux. It is a pathname-based access control system and requires a file system with extended attributes support. The original goal was to provide a SELinux-like Mandatory Access Control mechanism which is simpler to manage for the typical user. Therefore, AppArmor implements a learning mode to create profiles of a typical program's behavior. While AppArmor is a simple and powerful solution for end-users, it seems that SELinux is more powerful for implementing advanced security concepts on top of it.

Page 18: System Integrity

2.3 Grsecurity

Grsecurity is a set of security-related patches for the Linux kernel. Some major security enhancements are:
* Stack and heap modification protection (PaX)
* Role-based Access Control (RBAC)
* Chroot restrictions
* Auditing

PaX is a major component of Grsecurity. Amongst other things, the patch adds three memory protection mechanisms:
* Data memory is flagged as non-executable (NX bit)
* Program memory is flagged as non-writable
* Program memory is randomly arranged, known as address space layout randomization (ASLR)
Recent mainline kernel versions added some similar protection mechanisms for suitable memory regions on x86 systems.

While PaX implements the principle of least privilege for memory management, another component of Grsecurity (RBAC) implements it for users and processes. This means that users and processes get only the privileges which are required to work correctly. It should be noted that, besides this implementation aspect, the RBAC concept can be applied in very different fields of application.

PaX, RBAC

Page 19: System Integrity

3. Process virtualization and sandboxing

Skip

Page 20: System Integrity

4. System Virtualization

4.1 Hardware recruitment

4.2 VMs and VMMs: Linux KVM hypervisor, Xen hypervisor, L4 microkernel based

4.3 Use cases

Page 21: System Integrity

4.1 Hardware recruitment

* HW support (reference: Johannes Winter. Trusted computing building blocks for embedded Linux-based ARM TrustZone platforms. In Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing, STC'08, pages 21–30, New York, NY, USA, 2008. ACM.)
* Intel VT-x
* AMD-V
* ARM TrustZone
* ARM Cortex-A15, including full hardware virtualization
* DMA and IOMMU

Page 22: System Integrity

Terminology 2. Virtualization, Virtual machines

* System virtualization or hardware virtualization allows running multiple operating systems on one physical machine.
* Guest and host OS
* VMM / hypervisor
* Type 1 / native: bare metal
* Type 2 / hosted: on top of an OS
* Paravirtualization: the VMM does not provide an interface that is identical to the real hardware

Page 23: System Integrity

Linux KVM Hypervisor

* Part of the Linux kernel
* QEMU
* VT-x / AMD-V extensions
* Big trusted computing base (TCB)
* Low overhead

Page 24: System Integrity

Xen hypervisor

Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the nineteenth ACM Symposium on Operating Systems Principles, SOSP '03, pages 164–177, New York, NY, USA, 2003. ACM.

Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis, Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie Wahlig. Utilizing IOMMUs for virtualization in Linux and Xen. In Proceedings of the 2006 Ottawa Linux Symposium (OLS 2006), 2006.

Jonathan M. McCune, Trent Jaeger, Stefan Berger, Ramon Caceres, and Reiner Sailer. Shamon: A system for distributed mandatory access control. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 23–32, Washington, DC, USA, 2006. IEEE Computer Society.

Page 25: System Integrity

L4 microkernel

* User-level components
* Address spaces (tasks)
* Threads
* Scheduling
* Inter-process communication
* Reuse
* TCB

Diagram (bottom to top): Fiasco.OC; Moe, Mag, Ned, IO; L4Linux, L4Linux, app

Page 26: System Integrity

4.3 Use Case

Diagram (bottom to top): Fiasco.OC; Moe, Mag, Ned, IO; L4Linux (eth0), Crypto, L4Linux (eth1); app