chrome os hardening
play

Chrome OS Hardening - PowerPoint PPT Presentation

Sep 14, 2022 •470 likes •974 views

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case") Overview Overview Identifying the threat model not the

  1. Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case")

  2. Overview

  3. Overview ● Identifying the threat model ○ not the authenticated physically local user ● Doing what others do ○ common hardening strategies ● Doing what others will be doing ○ filling the gaps in common strategies ● Doing what others haven't done ○ Chrome OS is unique and so are our opportunities ● Testing ourselves ○ make sure this stuff actually works ● Seeing the future ○ what's next

  4. Identifying the threat model

  5. Identifying the threat model ● Malware ○ do not allow persistent control ● Theft ○ encrypt user and enterprise data ● Evil coffee shop patron ○ impose minimum physically local attack time ● Not the authenticated physically local user ○ developer mode

  6. Doing what others do

  7. Doing what others do ● Linux ○ TPM, GPT partitions, software auto-update ● Encryption ○ eCryptfs, dm-crypt ● Compiler hardening ○ stack-protector, FORTIFY_SOURCE, relro, bind- now, PIE ● Userspace hardening ○ RO/NX, ASLR, glibc runtime checks, namespaces, ptrace restrictions, link restrictions ● Kernel hardening ○ stack-protector, memory restriction, RO/NX, kptr_restrict

  8. Linux: TPM ● Key storage ● Entropy source ● Data "sealing" localhost ~ # tpm_version TPM 1.2 Version Info: Chip Version: 1.2.3.18 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: IFX Vendor Specific data: 03120009 00 TPM Version: 01010000 Manufacturer Info: 49465800 localhost ~ # initctl stop tcsd tcsd stop/waiting localhost ~ # tpmc pcrread 0 865aedd337518e56f648440b81b4cbd9359fdff3

  9. Linux: GPT partitions STATE KERN-A KERN-B ROOT-A ROOT-B

  10. Linux: software auto-update ● Signed by Google ● Block-delta or full update STATE KERN-A KERN-B ROOT-A ROOT-B

  11. Encryption: eCryptfs ● Per-user, TPM-tied ● Mounted/unmounted at login/logout ● Overlay filesystem ● Need to share space between users localhost ~ # cryptohome-path user keescook@chromium.org /home/user/E1B39A9A13AA747E1F0D3EBD9708E21484616B1B localhost ~ # mount | grep -i E1B39A9A /home/.shadow/e1b.../vault on /home/.shadow/e1b.../mount type ecryptfs (rw,nosuid,nodev,noexec,relatime,ecryptfs_sig=be..., ecryptfs_fnek_sig=783...,ecryptfs_cipher=aes,ecryptfs_key_bytes=16, ecryptfs_unlink_sigs) /home/.shadow/e1b.../vault on /home/chronos/user ... /home/.shadow/e1b.../vault on /home/user/E1B... ... /home/.shadow/e1b.../vault on /home/root/E1B... ... localhost ~ # ls -l /home/.shadow/e1b.../vault/user/ -rw-r--r-- 1 chronos chronos 45056 Nov 7 14:35 ECRYPTFS_FNEK_ENCRYPTED.FXZtC.K15HueW-Sm351moE8t9.k00. MnaSXZ43fRjGZnz6WGBMm4AX-QyyWWIeq19OYaiISZGRooJqg- ...

  12. Encryption: dm-crypt ● Per-system, TPM-tied ● Mounted/unmounted at boot/shutdown ● Must share space: sparse backing file ○ discard (TRIM), hole-punching localhost ~ # mount | grep enc /dev/mapper/encstateful on /mnt/stateful_partition/encrypted type ext4 (rw, nosuid,nodev,noexec,relatime, discard ,commit=600,data=ordered) /dev/mapper/encstateful on /var type ext4 (rw,nosuid,nodev,noexec,... /dev/mapper/encstateful on /home/chronos type ext4 (rw,nosuid,nodev,... localhost ~ # dmsetup table --showkeys /dev/mapper/encstateful 0 6748024 crypt aes-cbc-essiv:sha256 e9aef... 0 7:0 0 1 allow_discards localhost ~ # dmsetup deps /dev/mapper/encstateful 1 dependencies : ( 7, 0 ) localhost ~ # ls -la /dev/loop0 brw-rw---- 1 root disk 7, 0 Nov 7 14:33 /dev/loop0 localhost ~ # losetup -a /dev/loop0: [2049]:12 (/mnt/stateful_partition/encrypted.block)

  13. Compiler: -fstack-protector ● Add canary BEFORE AFTER function arguments function arguments ● Reorder variables ... ... saved program counter saved program counter saved frame pointer saved frame pointer $ objdump -d -M intel exe... local variables random canary prologue char foo[...]; local variables int sensitive; mov rax,QWORD PTR fs:0x28 char foo[...]; char bar[...]; mov QWORD PTR [rbp-0x8],rax char bar[...]; ... ... int sensitive; ... epilogue mov rdx,QWORD PTR [rbp-0x8] xor rdx,QWORD PTR fs:0x28 je 400629 <func+0x5d> call 4004a0 <__stack_chk_fail@plt> ...

  14. Compiler: -D_FORTIFY_SOURCE=2 ● Compile-time checking ○ return value usage (system(), write(), etc) ○ specification of optional arguments (open() modes) ○ when size of target buffers known: swap in bounded functions (sprintf -> snprintf) ○ when size of target buffers unknown: swap in runtime checking (strcpy -> __strcpy_chk) ● Runtime checking ○ block "%n" in format strings ○ block format string parameter skipping localhost ~ # readelf -s /opt/google/chrome/chrome | grep _chk 17: ... FUNC GLOBAL DEFAULT UND __printf_chk@GLIBC_2.3.4 (3) 20: ... FUNC GLOBAL DEFAULT UND __vsnprintf_chk@GLIBC_2.3.4 (3) 22: ... FUNC GLOBAL DEFAULT UND __strcat_chk@GLIBC_2.3.4 (3) ...

  15. Userspace: RO/NX localhost ~ # cat boom.c #include <stdlib.h> unsigned int ret_insns = 0xc3c3c3c3; void main(int argc, char *argv[]) { void(*func)(void) = (void*)strtoul(argv[1], NULL, 16); func(); } localhost ~ # cc boom.c -o boom localhost ~ # readelf -l boom | egrep -A1 'LOAD|VirtAddr' Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align -- LOAD 0x0000000000000000 0x0000000000 400000 0x0000000000400000 0x00000000000006d4 0x00000000000006d4 R E 200000 LOAD 0x0000000000000e10 0x0000000000 600e10 0x0000000000600e10 0x000000000000022c 0x0000000000000230 RW 200000 localhost ~ # objdump -d boom | grep retq | head -n1 4003d5 : c3 retq localhost ~ # ./boom 0x 4003d5 localhost ~ # readelf -s boom | grep ret_insns 47: 00000000 601038 4 OBJECT GLOBAL DEFAULT 24 ret_insns localhost ~ # ./boom 0x 601038 Segmentation fault (core dumped)

  16. Compiler: -Wl,-z,relro void main(int argc, char * argv[]) { unsigned char *ptr = (void*)strtoul(argv[1], NULL, 16); char cmd[80]; sprintf(cmd, "cat /proc/%d/maps", getpid()); system(cmd); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); } localhost ~ # gcc -Wl,-z,norelro plt.c -o lazy localhost ~ # objdump lazy | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200662(%rip) # 600b88 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./lazy 600b88 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/lazy 00600000-00601000 rw-p 00000000 fc:00 159545 /tmp/lazy ... 0x26 0x05 0x40 0x00 0x00 0x40 0xb8 0x95 0x26 0x50 localhost ~ # gcc -Wl,-z,relro plt.c -o lazy localhost ~ # objdump lazy | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200aca(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./lazy 601030 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/lazy 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/lazy 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/lazy ... 0x66 0x05 0x40 0x00 0x00 0x40 0xa8 0x9e 0xa0 0xee

  17. Compiler: -Wl,-z,now void main(int argc, char * argv[]) { unsigned char *ptr = (void*)strtoul(argv[1], NULL, 16); char cmd[80]; sprintf(cmd, "cat /proc/%d/maps", getpid()); system(cmd); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); printf ("0x%02x 0x%02x 0x%02x 0x%02x 0x%02x\n", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4]); } localhost ~ # gcc -Wl,-z,relro plt.c -o now localhost ~ # objdump now | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200aca(%rip) # 601030 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./now 601030 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/now 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/now 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/now ... 0x66 0x05 0x40 0x00 0x00 0x40 0xa8 0x9e 0xa0 0xee localhost ~ # gcc -Wl,-z,relro -Wl,-z,now plt.c -o now localhost ~ # objdump now | grep '< printf @plt>:' -A1 0000000000400520 <printf@plt>: 400520: ... jmpq *0x200a72(%rip) # 600fd8 <_GLOBAL_OFFSET_TABLE_+0x30> localhost ~ # ./now 600fd8 00400000-00401000 r-xp 00000000 fc:00 159545 /tmp/now 00600000-00601000 r--p 00000000 fc:00 159545 /tmp/now 00601000-00602000 rw-p 00001000 fc:00 159545 /tmp/now ... 0x40 0x28 0x6c 0xd0 0x8e 0x40 0x28 0x6c 0xd0 0x8e

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Chrome Extension Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome Extension Extension Small software programs that can modify and enhance the functionality of the Chrome browser. Written

576 views • 18 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

532 views • 32 slides
Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett

Chrome OS Internals Josh Triplett josh@joshtriplett.org LinuxCon Europe 2014 Josh Triplett Chrome OS Internals LinuxCon Europe 2014 1 / 43 Overview Intro to Chrome OS Architecture of Chrome OS Verified boot and developer mode Security

1.39k views • 110 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila &amp; Boris Kpf IMDEA Software Institute About me Im Pepe @cgvwzq http://vwzq.net/ Some notes about Chrome Chrome was a blackbox for me. Its code base is immense.

622 views • 38 slides
a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

Oh the things you could do if you had a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer www.manichord.com So what are Chromebooks, ChromeOS And Chrome (Packaged) Apps? Chromebooks (and

612 views • 28 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2. Scroll down to Privacy and security and click on Clear browsing data 3. Select the time frame, then Clear data Google Meet Grid View Issues If you are

297 views • 10 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at)

Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at)

Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at) google.com GOTO Aarhus 2013 Outline Chromium Background Numbers Clang Background Error Messages Warnings Tools Conclusion Introducing

429 views • 27 slides
Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior Researcher Matasano Security

Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior Researcher Matasano Security

Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior Researcher Matasano Security stephen@sa7ori.org @s7ephen (Twitter) http://www.dontstuffbeansupyournose.com Monday, October 4, 2010 Who I am. Stephen A. Ridley Senior Security

896 views • 85 slides
Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019

Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019

Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019 Navid Zolghadr (nzolghadr@chromium.org) Chromium Input Dev Chromium input dev Goals Smooth user interaction and scrolling across the

295 views • 18 slides
QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020,

QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020,

Proprietary + Confidential QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020, Presented by Ian Swett Proprietary + Confidential What are QUIC and HTTP/3? Proprietary + Confidential QUIC is a transporu

923 views • 34 slides
Hacking WebKit &amp; Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer

Hacking WebKit &amp; Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer

Hacking WebKit &amp; Its JavaScript Engines Jarred Nicholls Work @ Sencha WebKit Committer Doing webkitty things... Our Mission if we choose to accept it Define: What is WebKit? Some Simple Ways to Leverage WebKit Little investment, Large

1k views • 82 slides
Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego

Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego

Dongseok Jang Zachary Tatlock Sorin Lerner UC San Diego University of UC San Diego Washington Vulnerable Control Flow Hijacking Lead Program to

706 views • 34 slides
Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu

Accurate, Low Cost and Instrumentation-Free Security Audit Logging for Windows Shiqing Ma , Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu Advanced Cyber Attacks (e.g. APTs): What can we do? Defense! Firewall

257 views • 21 slides
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan Sleevi, Rijad Muminovic, Devon OBrien, Eran Messeri, Adrienne Porter Felt, Brendan McMillion, Parisa Tabriz estark@chromium.org How

484 views • 31 slides

More recommend