using seccomp to limit the kernel attack surface
play

Using seccomp to limit the kernel attack surface Michael Kerrisk, - PowerPoint PPT Presentation

Mar 04, 2024 •257 likes •815 views

LPC 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 19 August 2015 Seattle, Washington, USA Outline 1 Introductions 2 Introduction and

  1. LPC 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c � 2015 man7.org Training and Consulting http://man7.org/training/ 19 August 2015 Seattle, Washington, USA

  2. Outline 1 Introductions 2 Introduction and history 3 Seccomp filtering and BPF 4 Constructing seccomp filters 5 BPF programs 6 Further details on seccomp filters 7 Applications, tools, and further information

  3. Outline 1 Introductions 2 Introduction and history 3 Seccomp filtering and BPF 4 Constructing seccomp filters 5 BPF programs 6 Further details on seccomp filters 7 Applications, tools, and further information

  4. Who am I? Maintainer of Linux man-pages (since 2004) Documents kernel-user-space + C library APIs ˜1000 manual pages http://www.kernel.org/doc/man-pages/ API review, testing, and documentation API design and design review Lots of testing, lots of bug reports, a few kernel patches “Day job”: programmer, trainer, writer LPC 2015 (C) 2015 Michael Kerrisk Introductions 4 / 54

  5. Outline 1 Introductions 2 Introduction and history 3 Seccomp filtering and BPF 4 Constructing seccomp filters 5 BPF programs 6 Further details on seccomp filters 7 Applications, tools, and further information

  6. Goals History of seccomp Basics of seccomp operation Creating and installing BPF filters (AKA “seccomp2”) Mostly: look at hand-coded BPF filter programs, to gain fundamental understanding of how seccomp works Briefly note some productivity aids for coding BPF programs LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 6 / 54

  7. Introduction and history Mechanism to restrict system calls that a process may make Reduces attack surface of kernel A key component for building application sandboxes First version in Linux 2.6.12 (2005) Filtering enabled via /proc/PID/seccomp Writing “1” to file places process (irreversibly) in “strict” seccomp mode Need CONFIG_SECCOMP LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 7 / 54

  8. Introduction and history Initially, just one filtering mode (“strict”) Only permitted system calls are read() , write() , _exit() , and sigreturn() Note: open() not included (must open files before entering strict mode) sigreturn() allows for signal handlers Other system calls ⇒ SIGKILL Designed to sandbox compute-bound programs that deal with untrusted byte code Code perhaps exchanged via pre-created pipe or socket LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 8 / 54

  9. Introduction and history Linux 2.6.23 (2007): /proc/PID/seccomp interface replaced by prctl() operations prctl(PR_SET_SECCOMP, arg) modifies caller’s seccomp mode SECCOMP_MODE_STRICT : limit syscalls as before prctl(PR_GET_SECCOMP) returns seccomp mode: 0 ⇒ process is not in seccomp mode Otherwise? SIGKILL (!) prctl() is not a permitted system call in “strict” mode Who says kernel developers don’t have a sense of humor? LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 9 / 54

  10. Introduction and history Linux 3.5 (2012) adds “filter” mode (AKA “seccomp2”) prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) Can control which system calls are permitted, Control based on system call number and argument values Choice is controlled by user-defined filter–a BPF “program” Berkeley Packet Filter (later) Requires CONFIG_SECCOMP_FILTER By now used in a range of tools E.g., Chrome browser, OpenSSH, vsftpd , Firefox OS, Docker LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 10 / 54

  11. Introduction and history Linux 3.8 (2013): The joke is getting old... New /proc/PID/status Seccomp field exposes process seccomp mode (as a number) 0 // SECCOMP_MODE_DISABLED 1 // SECCOMP_MODE_STRICT 2 // SECCOMP_MODE_FILTER Process can, without fear, read from this file to discover its own seccomp mode But, must have previously obtained a file descriptor... LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 11 / 54

  12. Introduction and history Linux 3.17 (2014): seccomp() system call added (Rather than further multiplexing of prctl() ) Provides superset of prctl(2) functionality Can synchronize all threads to same filter tree Useful, e.g., if some threads created by start-up code before application has a chance to install filter(s) LPC 2015 (C) 2015 Michael Kerrisk Introduction and history 12 / 54

  13. Outline 1 Introductions 2 Introduction and history 3 Seccomp filtering and BPF 4 Constructing seccomp filters 5 BPF programs 6 Further details on seccomp filters 7 Applications, tools, and further information

  14. Seccomp filtering and BPF Seccomp filtering available since Linux 3.5 Allows filtering based on system call number and argument (register) values Pointers are not dereferenced Filters expressed using BPF (Berkeley Packet Filter) syntax Filters installed using seccomp() or prctl() Construct and install BPF filter 1 exec() new program or invoke function inside dynamically 2 loaded shared library (plug-in) Once installed, every syscall triggers execution of filter Installed filters can’t be removed Filter == declaration that we don’t trust subsequently executed code LPC 2015 (C) 2015 Michael Kerrisk Seccomp filtering and BPF 14 / 54

  15. BPF origins BPF originally devised (in 1992) for tcpdump Monitoring tool to display packets passing over network http://www.tcpdump.org/papers/bpf-usenix93.pdf Volume of network traffic is enormous ⇒ must filter for packets of interest BPF allows in-kernel selection of packets Filtering based on fields in packet header Filtering in kernel more efficient than filtering in user space Unwanted packet are discarded early ⇒ Avoids passing every packet over kernel-user-space boundary LPC 2015 (C) 2015 Michael Kerrisk Seccomp filtering and BPF 15 / 54

  16. BPF virtual machine BPF defines a virtual machine (VM) that can be implemented inside kernel VM characteristics: Simple instruction set Small set of instructions All instructions are same size Implementation is simple and fast Only branch-forward instructions Programs are directed acyclic graphs (DAGs) Easy to verify validity/safety of programs Program completion is guaranteed (DAGs) Simple instruction set ⇒ can verify opcodes and arguments Can detect dead code Can verify that program completes via a “return” instruction BPF filter programs are limited to 4096 instructions LPC 2015 (C) 2015 Michael Kerrisk Seccomp filtering and BPF 16 / 54

  17. Generalizing BPF BPF originally designed to work with network packet headers Seccomp 2 developers realized BPF could be generalized to solve different problem: filtering of system calls Same basic task: test-and-branch processing based on content of a small set of memory locations Further generalization (“extended BPF”) is ongoing Linux 3.18: adding filters to kernel tracepoints Linux 3.19: adding filters to raw sockets In progress (July 2015): filtering of perf events LPC 2015 (C) 2015 Michael Kerrisk Seccomp filtering and BPF 17 / 54

  18. Outline 1 Introductions 2 Introduction and history 3 Seccomp filtering and BPF 4 Constructing seccomp filters 5 BPF programs 6 Further details on seccomp filters 7 Applications, tools, and further information

  19. Basic features of BPF virtual machine Accumulator register Data area (data to be operated on) In seccomp context: data area describes system call Implicit program counter (Recall: all instructions are same size) Instructions contained in structure of this form: struct sock_filter { /* Filter block */ __u16 code; /* Filter code (opcode)*/ __u8 jt; /* Jump true */ __u8 jf; /* Jump false */ __u32 k; /* Generic multiuse field */ }; See <linux/filter.h> and <linux/bpf_common.h> LPC 2015 (C) 2015 Michael Kerrisk Constructing seccomp filters 19 / 54

  20. BPF instruction set Instruction set includes: Load instructions Store instructions Jump instructions Arithmetic/logic instructions ADD, SUB, MUL, DIV, MOD, NEG OR, AND, XOR, LSH, RSH Return instructions Terminate filter processing Report a status telling kernel what to do with syscall LPC 2015 (C) 2015 Michael Kerrisk Constructing seccomp filters 20 / 54

  21. BPF jump instructions Conditional and unconditional jump instructions provided Conditional jump instructions consist of Opcode specifying condition to be tested Value to test against Two jump targets jt : target if condition is true jf : target if condition is false Conditional jump instructions: JEQ : jump if equal JGT : jump if greater JGE : jump if greater or equal JSET : bit-wise AND + jump if nonzero result jf target ⇒ no need for JNE , JLT , JLE , and JCLEAR LPC 2015 (C) 2015 Michael Kerrisk Constructing seccomp filters 21 / 54

  22. BPF jump instructions Targets are expressed as relative offsets in instruction list 0 == no jump (execute next instruction) jt and jf are 8 bits ⇒ 255 maximum offset for conditional jumps Unconditional JA (“jump always”) uses k as offset, allowing much larger jumps LPC 2015 (C) 2015 Michael Kerrisk Constructing seccomp filters 22 / 54

  23. Seccomp BPF data area Seccomp provides data describing syscall to filter program Buffer is read-only Format (expressed as C struct ): seccomp_data { struct nr; /* System call number */ int __u32 arch; /* AUDIT_ARCH_* value */ __u64 instruction_pointer ; /* CPU IP */ __u64 args [6]; /* System call arguments */ }; LPC 2015 (C) 2015 Michael Kerrisk Constructing seccomp filters 23 / 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org

LinuxCon.eu 2015 Using seccomp to limit the kernel attack surface Michael Kerrisk, man7.org c 2015 man7.org Training and Consulting http://man7.org/training/ 6 October 2015 Dublin, Ireland Outline 1 Introductions 2 Introduction and

1.1k views • 55 slides
Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training

Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training

ContainerCon Europe 2016 Using seccomp to limit the kernel attack surface c 2016 Michael Kerrisk man7.org Training and Consulting http://man7.org/training/ @mkerrisk mtk@man7.org 5 October 2016 Berlin, Germany Outline 1 Introduction

671 views • 53 slides
SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO

SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO

SECCOMP YOUR NEXT LAYER OF DEFENSE PHILIPP KRENN @XERAA UNTIL SOMETHING HAPPENS NO SILVER BULLET PRINCIPLE OF LEAST PRIVILEGE SECCOMP PREVENT EXECUTION OF CERTAIN SYSTEM CALLS BY AN APPLICATION SECCOMP INSTRUMENT KERNEL TO ABORT

954 views • 72 slides
A Stepping Stone into your Kernel Moritz

A Stepping Stone into your Kernel Moritz

2009 A Stepping Stone into your Kernel Moritz Jodeit, Martin Johns Agenda USB intro Motivation Attack surface Vulnerability identification Hardware-aided approach

615 views • 32 slides
The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice Director Global experts in cyber security &amp; risk mitigation Agenda Space attack surface overview Attacks against terrestrial assets

310 views • 30 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26,

Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26,

Overview and Recent Developments: seccomp and small LSMs Linux Security Summit EU October 26, 2018 Edinburgh, Scotland Kees (Case) Cook keescook@chromium.org @kees_cook https://outflux.net/slides/2018/lss-eu/seccomp.pdf Agenda

220 views • 21 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kiasondi Sponsored by http://iot.foi.hr Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness

725 views • 55 slides
Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy?

Web Application Security Assessment Policy John Hally John.hally@comcast.net Why This Policy? Limit attack surface of our web applications Web application flaws/vulnerabilities are a major attack vector Protect Company

195 views • 6 slides
~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface

~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface

~~~1}1 )A Animal Risk of Produced Water Barium Sulfate TDS (mg/L) (mg/L) (mg/L) Surface Discharges in Wyoming None Current 3,000 5,000 Limit: Penny Hunter Geomega 0.2 500 2,000 Proposed Limit: January 17, 2007 Note: Suffate Is

197 views • 5 slides
Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS&gt; whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of

On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of

On Nuttalls partition of a three-sheeted Riemann surface and limit zero distribution of HermitePad polynomials Sergey P. Suetin S M I R

851 views • 28 slides
Number Systems III MA1S1 Tristan McLoughlin December 4, 2013

Number Systems III MA1S1 Tristan McLoughlin December 4, 2013

Number Systems III MA1S1 Tristan McLoughlin December 4, 2013 http://en.wikipedia.org/wiki/Binary numeral system http://accu.org/index.php/articles/1558 http://www.binaryconvert.com http://en.wikipedia.org/wiki/ASCII Converting fractions to

672 views • 45 slides
String indexing in the Word RAM model, part 2 Pawe Gawrychowski University of Wrocaw &amp;

String indexing in the Word RAM model, part 2 Pawe Gawrychowski University of Wrocaw &amp;

String indexing in the Word RAM model, part 2 Pawe Gawrychowski University of Wrocaw &amp; Max-Planck-Institut fr Informatik Pawe Gawrychowski String indexing in the Word RAM model II 1 / 29 Even though we showed yesterday that storing

1.27k views • 84 slides
Warning CS 61A/CS 98-52 FYI: This lecture might get a little... intense... and math-y Mehrdad

Warning CS 61A/CS 98-52 FYI: This lecture might get a little... intense... and math-y Mehrdad

0.8 1.0 0.6 0.4 0.2 0.0 1.0 0.8 0.6 0.4 0.2 0.0 Warning CS 61A/CS 98-52 FYI: This lecture might get a little... intense... and math-y Mehrdad Niknami If its hard, dont panic! Its okpy! They wont all be like this! Just try

382 views • 4 slides
T r i e s , r a d i x t r e e s , s u ffjx t r e e s T r i e s A t

T r i e s , r a d i x t r e e s , s u ffjx t r e e s T r i e s A t

T r i e s , r a d i x t r e e s , s u ffjx t r e e s T r i e s A t r i e ( p r o n o u n c e d t r y ) i s a d a t a s t r u c t u r e f o r r e p r e s e n t i n g a

595 views • 27 slides
MA/CSSE 474 Theory of Computation Languages, prefixes, sets, cardinality, functions Your

MA/CSSE 474 Theory of Computation Languages, prefixes, sets, cardinality, functions Your

3/12/2020 MA/CSSE 474 Theory of Computation Languages, prefixes, sets, cardinality, functions Your Questions? Syllabus Tuesday's discussion Reading Assignments Must not HW1 or HW2 be a FSM Anything else 1 3/12/2020

253 views • 10 slides
Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to

Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to

Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to chop down a tree and I will spend the first four sharpening the axe. Abraham Lincoln, 1809-1865 3/5/19 Heiko Paulheim 2 Recap: The Data Mining

675 views • 54 slides
a case study By Chris Laidler Optimization cycle Assess Parallelise Test Optimise Profile

a case study By Chris Laidler Optimization cycle Assess Parallelise Test Optimise Profile

Accelerating the acceleration search a case study By Chris Laidler Optimization cycle Assess Parallelise Test Optimise Profile le Identify the function or functions in which the application is spending most of its execution time.

391 views • 37 slides
Semaphores Semaphores 1 Semaphores Semaphores A semaphore is an object that consists of a

Semaphores Semaphores 1 Semaphores Semaphores A semaphore is an object that consists of a

Semaphores Semaphores 1 Semaphores Semaphores A semaphore is an object that consists of a counter a waiting list of processes and two counter, a waiting list of processes, and two methods ( e.g ., functions): signal and wait . semaphore

611 views • 30 slides

More recommend