the state of kernel self protection
play

The State of Kernel Self Protection Linux Security Summit NA August - PowerPoint PPT Presentation

Apr 25, 2023 •274 likes •431 views

The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf Kernel Self Protection Project

  1. The State of Kernel Self Protection Linux Security Summit NA August 27, 2018 Vancouver, Canada Kees (“Case”) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss/kspp.pdf

  2. Kernel Self Protection Project https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project ● KSPP focuses on the kernel protecting the kernel from attack (e.g. ● refcount overflow) rather than the kernel protecting userspace from attack (e.g. brute force detection) but any area of related development is welcome Currently ~12 organizations and ~10 individuals working on about ● ~20 technologies Slow and steady ●

  3. Upstream Bug Lifetime ● In 2010 Jon Corbet researched security flaws, and found that the average time between introduction and fix was about 5 years. ● My analysis of Ubuntu CVE tracker for the kernel from 2011 through 2018 has now creeped up to 6 years: – Critical: 3 @ 5.3 years – High: 71 @ 5.9 years – Medium: 662 @ 5.9 years – Low: 313 @ 5.9 years

  4. critical & high CVE lifetimes

  5. A year's worth of kernel releases ...

  6. v4.14 ● 3 r conversions (bikeshedding stall) e f c o u n t _ t ● randstruct plugin (automatic mode) ● SLUB freelist pointer obfuscation ● structleak plugin (by-reference mode) ● V , arm64 M A P _ S T A C K ● s removal progress e t _ f s ( ) ● s balance detection, x86, arm64, arm e t _ f s ( )

  7. v4.15 ● 35 r conversions (32 remaining...) e f c o u n t _ t ● PTI, x86 ● retpoline ● s . field removal t r u c t t i m e r _ l i s t d a t a ● fast refcount overflow protection, x86 (also in v4.14 -stable) ● % hashing p

  8. v4.16 ● 12 r conversions (20 more?) e f c o u n t _ t ● PTI, arm64 ● hardened usercopy whitelisting ● C O N F I G _ C C _ S T A C K P R O T E C T O R _ A U T O

  9. v4.17 ● 51 VLAs removed (80 remaining...) ● Clear stack on fork ● More fixes to stack RLIMIT on exec ● M A P _ F I X E D _ N O R E P L A C E ● Unused register clearing on syscall entry, x86 ● Speculative Store Bypass Disable, x86

  10. v4.18 ● 38 VLAs removed (42 remaining...) ● Arithmetic overflow detection helpers ● Allocation overflow detection refactoring ● Speculative Store Bypass Disable, arm64

  11. Expected for v4.19 ● 33 VLAs removed (9 remaining: all in crypto API) ● Shift overflow helpers ● L1TF defenses ● Restrict O for existing files and pipes in / _ C R E A T t m p ● Unused register clearing on syscall entry, arm64 ● Speculative Store Bypass Disable, arm64

  12. Hopefully in v4.20 ● VLAs removed completely, - added W v l a ● stackleak gcc plugin (x86 and arm64)

  13. Various soon and not-so-soon features ● Link-Time Optimization ● Control Flow Integrity ● eXclusive Page Frame Owner ● integer overflow detection ● switch fallthrough marking ● per-task stack canary, non-x86 ● SMAP emulation, x86 ● per-CPU page tables ● brute force detection ● read-only page tables ● write-rarely memory ● {str,mem}cpy alloc size checks ● memory tagging ● hardened slab allocator ● KASLR, arm ● hypervisor magic :)

  14. Challenges Cultural : Conservatism, Responsibility, Sacrifice, Patience Technical : Complexity, Innovation, Collaboration Resources : Dedicated Developers, Reviewers, Testers, Backporters

  15. Thoughts? Kees (“Case”) Cook keescook@chromium.org keescook@google.com kees@outflux.net https://outflux.net/slides/2018/lss/kspp.pdf http://www.openwall.com/lists/kernel-hardening/ http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

1 CPU Events: Interrupts and Exceptions CPU Events: Interrupts and Exceptions Protecting Entry

Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data execution Processes, Protection and the Kernel: Processes, Protection and the Kernel: virtual contexts to address

540 views • 9 slides
The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook

The State of Kernel Self Protection Linux Conf AU, Sydney Jan 26, 2018 Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lca/kspp.pdf Agenda Background Why we need to change what were doing

695 views • 57 slides
Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and

Processes, Protection and the Kernel: Processes, Protection and the Kernel: Mode, Space, and Context Mode, Space, and Context Processes and the Kernel Processes and the Kernel The kernel sets processes up process in private data data

614 views • 50 slides
Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org

Kernel Self Protection Kernel Summit 2016, Santa Fe Kees (Case) Cook keescook@chromium.org @kees_cook http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project http://www.openwall.com/lists/kernel-hardening/

494 views • 21 slides
Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection

Linux Kernel Networking Raoul Rivas Kernel vs Application Programming No memory protection Memory Protection We share memory with Segmentation Fault devices, scheduler Preemption Sometimes no preemption Scheduling

377 views • 25 slides
Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case)

Linux Kernel Self Protection Project Kernel Recipes, Paris September 28, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/kr/kspp.pdf Agenda Background Security in the context of this presentation

800 views • 59 slides
Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode,

Security While protection has been discussed throughout the class kernel vs. user mode, protected memory, file permissions these mechanisms have generally been focused on protection from accidental misuse (software bugs, novice

463 views • 13 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel

The Kernel (and Process) Abstraction Chapter 2-3 OSPP Part I Announcements Today: kernel Asynchrony Processes Protection Kernel The software component that controls the hardware directly and implements the core privileged OS

934 views • 62 slides
Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from

Protection Issues I/O protection Protection and System Calls Prevent users from performing illegal I/Os Memory protection Otto J. Anshus Prevent users from modifying kernel code and data (including slides from Kai Li,

350 views • 6 slides
Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged

Midterm Review OS Structure User mode/ kernel mode Memory protection, privileged instructions System call Definition, examples, how it works? Other concepts to know Monolithic kernel vs. Micro kernel 2 API - System Call -

830 views • 28 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
Kernel Methods Lei Tang Arizona State University Jul. 26th, 2007 Lei Tang Kernel Methods

Kernel Methods Lei Tang Arizona State University Jul. 26th, 2007 Lei Tang Kernel Methods

Kernel Methods Lei Tang Arizona State University Jul. 26th, 2007 Lei Tang Kernel Methods Introduction Linear parametric models for regression and classification. Memory-based methods: Parzen probability density estimation, k-nearest

1.01k views • 63 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee,

FUSE: Finding File Upload Bugs via Penetration Testing Taekjin Lee, Seongil Wi , Suyoung Lee, Sooel Son KAIST Upload Functionality Sharing user-provided content has become a de facto standard feature of modern web applications 2 File

995 views • 61 slides
OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna

OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna

OpenSMART: Single-cycle Multi-hop NoC Generator in BSV and Chisel Hyoukjun Kwon and Tushar Krishna Georgia Institute of Technology Synergy Lab (http://synergy.ece.gatech.edu) hyoukjun@gatech.edu April 25, 2017 Hardware Development Cost

494 views • 38 slides
Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions

Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions

Maternity Bundled Payment Workgroup January 8 th , 2019 Agenda Welcome and Introductions Bree Collaborative Overview Background Past Work Open Public Meetings Act Review Washington State Pregnancy and Perinatal Work

478 views • 22 slides
Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3

Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3

Wednesday, January 9, 2019 NOVEMBER 2018-2019 REVENUE VARIANCE $0.7 $1.2 -$0.1 $0.1 -$1.3 $2.0 $0.1 $2.7 % CHANGE 0.6% 3.5% -1.4% 3.2% -12.9% 250% 1.3% 1.6% $200.0 $174.9 $172.2 $150.0 $125.2 $124.5 FY 2018 $100.0 FY 2019

1.19k views • 93 slides
AHA 2016 David P Taggart MD(Hons),PhD,FRCS,FESC Professor of Cardiovascular Surgery University

AHA 2016 David P Taggart MD(Hons),PhD,FRCS,FESC Professor of Cardiovascular Surgery University

Arterial Revascularization Trial (ART) Randomiz ized comparis ison of f sin single le versus bila ilateral l in internal l mammary ry art rtery ry graft ftin ing in in 3102 patie ients: Effects on majo jor cardio iovascula lar

331 views • 18 slides
The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous

The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous

The SYNTAX E xtended S urvival Study Ten-Year Survival in Patients Randomized to Percutaneous Coronary Intervention versus Coronary Artery Bypass Grafting Daniel J.F.M. Thuijs , A. Pieter Kappetein, Patrick W. Serruys, Friedrich-Wilhelm Mohr,

610 views • 20 slides
CABG v. PCI: History and Trends CABG PCI Initial use 1967 1977 Use in MVD and LMD 50 years

CABG v. PCI: History and Trends CABG PCI Initial use 1967 1977 Use in MVD and LMD 50 years

12/8/19 The Role of PCI vs. CABG Surgery in the Management of Left Main and Multi-vessel CAD December 8, 2019 John S. MacGregor, M.D., Ph.D. Professor of Medicine University of California San Francisco 1 CABG v. PCI: History and Trends

360 views • 19 slides
SYNTAX E xtended S urvival study SYNTAXES Daniel J.F.M. Thuijs , Friedrich W. Mohr, Patrick

SYNTAX E xtended S urvival study SYNTAXES Daniel J.F.M. Thuijs , Friedrich W. Mohr, Patrick

10-Year Survival after Bypass Surgery versus Drug-Eluting Stents: Preliminary Results of the Randomized SYNTAX E xtended S urvival study SYNTAXES Daniel J.F.M. Thuijs , Friedrich W. Mohr, Patrick W. Serruys, Michael J. Mack, David R.

395 views • 16 slides

More recommend