Defcon 10 Presentation: lids_defconx
%include "default.mgp"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%fore "red", size 8, back "darkblue", font "dixon", vgap 0, ccolor "gray"
%bgrad 0 0 128 0 1 "black" "black" "blue" "black" "black" "black" "black" "black"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%bgrad 0 0 128 0 1 "black" "black" "blue" "black" "black" "black" "black" "black"
#%pcache 1 1 1 100
%center
%xsystem "xclock -geometry %27x3+0+0 -digital -update 1 -bg black -fg cyan -padding 0" -1
%size 6, font "dixon"
Secure Linux Kernel with LIDS
%image "logo4_t.gif"
%size 5, fore "yellow", font "Tonite"
Huagang XIE
%size 4, font "dixon"
IntruVert Networks
%size 5, fore "red"
%fore "green", font "Diodos"
DEFCON X
%size 4, font "dixon"
08/02-08/05 Las Vegas
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
Outline
%fore "yellow", font "dixon"
Background
Architecture
Implementation
Attack and Defense
Secure the linux kernel
Summary
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
2. Background
%fore "yellow", font "dixon"
%center
%IMAGE "logo1a_t.gif"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
2.0 Problems and Current Solutions
%fore "yellow", font "dixon"
Problems
Host hacked/defaced
Information leaked/stolen
Virus/worm spread
Vulnerabilities found
Solutions
Upgrade the software ASAP
Use secure software : SSH, SSL, etc
Firewall/IDS
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
2.1 Reasons
%fore "yellow", font "dixon"
Application software is not trustworthy
more and more complicated implementations
Kernel is not trustworthy
system calls can be intercepted
Access Control is not perfect
Root(superuser) can do anything
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
2.2 LIDS: Trusted Kernel & MAC
%fore "yellow", font "dixon"
Trusted Kernel
Protect the kernel itself
Mandatory Access Control (MAC)
No one can change the MAC rules
Least privilege
Admin tools
Configure the MAC ACLs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
2.3 LIDS: History
%fore "yellow", font "dixon"
1999.10.15 release 0.1 to freshmeat.net
1999.12 core developer Philippe Biondi, FAQ maintainer Steve Bremer and Sander Klein
2000.1 Added capability rules, lightweight MAC
2002.3 LSM based version and new stable version
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
3. Architecture
%fore "yellow", font "dixon"
%center
%image "lids-mj.jpg"
%IMAGE "logo5.gif"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
3.1 Architecture
%fore "yellow", font "dixon"
%center
%IMAGE "lids_arch1.gif"
%left
Access Control Models
Process & resource (subject & object)
ACL database
Hooks (Decision Center)
Log Box
Administration Interface
Interact with the ACL database
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
3.2 Features
%fore "yellow", font "dixon"
Kernel Patch
A Trusted Kernel
Capability configuration
Seal the kernel
Lightweight MAC in the kernel
File protection
process protection
module protection
Admin tools
lidsadm & lidsconf
ipchains-like rules
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
3.3 Example
%font "typewriter", size 3
%fore "yellow"
[root@lids /root]# cat /etc/shadow
cat: /etc/shadow: Operation not permitted
-- log --
LIDS: cat (dev 3:2 inode 80939) pid 4711 ppid 4683 uid/gid (0/0) on (pts) : Attempt to read (dev 3:2, ino 50891)
[root@lids /bin]# touch abc
touch: abc: Operation not permitted
-- log --
LIDS: touch (dev 3:2 inode 80891) pid 4734 ppid 4636 uid/gid (0/0) on (pts) : Attempt to fchmod abc to mode 127440
[root@lids /root]# rmmod lids
lids: Operation not permitted
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
4. Implementation
%fore "yellow", font "dixon"
%center
%IMAGE "logo_t1.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
4.1 ACL database
%font "typewriter", size 3
%fore "yellow"
struct secure_ino {
unsigned long int ino; /* the inode number */
kdev_t dev; /* the dev number */
int type; /* the file type */
time_t from_time;
time_t to_time;
};
/* save all the system defined acl here */
struct lids_sys_acl {
unsigned long int ino; /* the subject node number */
unsigned long flags; /* capability flags */
struct lids_cap cap[32]; /* inheritable array*/
int forked; /* fork tags */
int port[LIDS_PORT_ITEM][2];
struct lids_acl *lids_acl; /* object acl */
struct lids_acl *lids_domain;
kdev_t dev; /* the subject dev number */
};
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
4.2 Data Structure : Process Label
%font "typewriter", size 3
%fore "yellow"
struct task_struct {
/*
* offsets of these are hardcoded elsewhere - touch with care
*/
volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
unsigned long flags; /* per process flags, defined below */
int sigpending;
....
#ifdef CONFIG_LIDS
/* LIDS reference box */
%fore "red"
struct lids_sys_acl *lids_sys_acl;
....
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "black" "black" "black" "black" "black" "black" "blue"
4.3 ACL attaching 1: fork()
%font "typewriter", size 3
%fore "yellow"
int do_fork(unsigned long clone_flags, unsigned long stack_start,
struct pt_regs *regs, unsigned long stack_size)
{
int retval;
.....
if (copy_mm(clone_flags, p))
goto bad_fork_cleanup_sighand;
#ifdef CONFIG_LIDS
%fore "red"
if(copy_lids_sys_acl(p))
goto bad_fork_cleanup_lids;
#endif
.....
%fore "yellow"
static inline int copy_lids_sys_acl(struct task_struct * tsk)
{
.........
if(parent->lids_sys_acl) {
struct lids_acl *p_acl,*this_acl;
........
/* 1 . copy lids_acl */
for(p_acl=parent->lids_sys_acl->lids_acl;p_acl;) {
this_acl = kmalloc(sizeof(struct lids_acl),GFP_KERNEL);
if(!this_acl) return -1;
%fore "red"
memcpy(this_acl,p_acl,sizeof(struct lids_acl));
%fore "yellow"
this_acl->next = tsk->lids_sys_acl->lids_acl;
tsk->lids_sys_acl->lids_acl = this_acl;
p_acl = p_acl->next;
}
/* 2. copy lids_domain */
for(p_acl=parent->lids_sys_acl->lids_domain;p_acl;) {
.....
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "black" "black" "black" "black" "black" "black" "blue"
4.4 ACL attaching 2: execve()
%font "typewriter", size 3
%fore "yellow"
#ifdef CONFIG_LIDS
int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs)
{
.....
if(dentry) if (dentry->d_inode) {
struct lids_sys_acl *this_sys_acl;
this_sys_acl = lids_search_acl(dentry->d_inode->i_ino,dentry->d_inode->i_dev,lids_current);
/* set the ACLs */
if( (retval=lids_set_acls(this_sys_acl)) < 0 )
goto out;
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
4.5 Checkpoint: checking the ACL
%font "typewriter", size 3
%fore "yellow"
asmlinkage long sys_chmod(const char * filename, mode_t mode)
{
....
#ifdef CONFIG_LIDS
if( lids_load && (nd.dentry != NULL) && lids_local_load) {
%fore "red"
if (lids_check_base(nd.dentry,LIDS_WRITE)) {
%fore "yellow"
lids_security_alert("Attempt to chmod %.1024s to mode %o", filename,mode);
error=-EPERM;
goto dput_and_out;
}
.....
#endif
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
4.6 Reference Box: Decision Center
%font "typewriter", size 3
%fore "yellow"
/* kernel/lids.c */
int lids_check_base(struct dentry *base, int flag)
{
......
/* check if the dentry is in the domain */
while(dentry) {
.......
}
/* check the ACL */
while (dentry) {
if((ino=dentry->d_inode)!=NULL)
%fore "white"
if((retval=lids_search_inode(ino->i_ino,ino->i_dev,
&lids_data[lids_curr&1])) >= 0) {
return (retval & flag) ? 0:
lids_check_acl(base,flag,lids_curr,0);
}
%fore "yellow"
if (dentry==dentry->d_parent)
return 0;
dentry=dentry->d_parent;
}
return 0;
}
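The decision path of sections 4.1 to 4.6 (object rules keyed by inode, a subject ACL attached at execve() and copied at fork(), and a check that walks from the target up to "/" looking for the nearest protected ancestor), as an added user-space model. This is example code, not LIDS source: the flag bit values, the directory tree and every inode number except those of cat, touch and shadow (taken from the slide's log lines) are made up, and the rule table stands in for what the lidsconf rules of section 6.3 would load.

```c
/* Added example, not LIDS source: a user-space model of the LIDS decision
 * path. Objects and subjects are keyed by inode number like struct secure_ino
 * and struct lids_sys_acl; flag values, tree and most inode numbers are assumed. */
#include <stdio.h>
#include <string.h>

#define LIDS_READ   0x1   /* assumed bit values: the slides do not show them */
#define LIDS_WRITE  0x2
#define LIDS_APPEND 0x4
#define LIDS_DENY   0x0   /* no bit set: the object is closed to everyone */
#define MAX_OBJ 8

/* Constructed directory tree standing in for the dentry chain (ino, parent, name). */
struct inode_entry { unsigned long ino, parent; const char *name; };
static const struct inode_entry fs[] = {
    { 2, 2, "/" }, { 10, 2, "etc" }, { 50891, 10, "shadow" },
    { 20, 2, "var" }, { 21, 20, "log" }, { 22, 21, "messages" },
    { 30, 2, "bin" }, { 80939, 30, "cat" }, { 80891, 30, "touch" },
    { 31, 30, "login" }, { 40, 2, "root" }, { 41, 40, "notes" },
};

static unsigned long parent_of(unsigned long ino)
{
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (fs[i].ino == ino) return fs[i].parent;
    return ino;                          /* unknown inode: treat as a root */
}

/* System-wide object rules: struct secure_ino plus the mode it grants. */
struct object_rule { unsigned long ino; unsigned allowed; };
static const struct object_rule sys_acl[] = {
    { 50891, LIDS_DENY },                /* /etc/shadow : DENY     */
    {    21, LIDS_READ | LIDS_APPEND },  /* /var/log    : APPEND   */
    {    30, LIDS_READ },                /* /bin        : READONLY */
};

static int lids_search_inode(unsigned long ino)   /* allowed bits, or -1 */
{
    for (size_t i = 0; i < sizeof sys_acl / sizeof sys_acl[0]; i++)
        if (sys_acl[i].ino == ino) return (int)sys_acl[i].allowed;
    return -1;
}

/* Per-program exceptions (struct lids_sys_acl), keyed by the executable's inode. */
struct subject_acl { unsigned long exe_ino; struct object_rule obj[MAX_OBJ]; int nobj; };
static const struct subject_acl subj_acls[] = {
    { 31, { { 50891, LIDS_READ } }, 1 },    /* /bin/login may read /etc/shadow */
};

struct task { struct subject_acl acl; int has_acl; };   /* the task_struct label */

/* do_execve(): the new image's inode selects the ACL; no match means no ACL. */
static void lids_execve(struct task *t, unsigned long exe_ino)
{
    t->has_acl = 0;
    for (size_t i = 0; i < sizeof subj_acls / sizeof subj_acls[0]; i++)
        if (subj_acls[i].exe_ino == exe_ino) { t->acl = subj_acls[i]; t->has_acl = 1; }
}

/* do_fork(): the child starts with a copy of the parent's label. */
static void lids_fork(struct task *child, const struct task *parent) { *child = *parent; }

/* Subject ACL lookup: the target itself or any ancestor may carry the grant. */
static int lids_check_acl(const struct task *t, unsigned long ino, unsigned flag)
{
    if (!t->has_acl) return 1;
    for (;;) {
        for (int i = 0; i < t->acl.nobj; i++)
            if (t->acl.obj[i].ino == ino) return (t->acl.obj[i].allowed & flag) ? 0 : 1;
        if (ino == parent_of(ino)) return 1;
        ino = parent_of(ino);
    }
}

/* lids_check_base(): walk from the target to "/"; the nearest protected ancestor
 * decides. Returns 0 = permit, 1 = deny (the checkpoint turns 1 into -EPERM). */
int lids_check_base(const struct task *t, unsigned long ino, unsigned flag)
{
    for (unsigned long d = ino;; d = parent_of(d)) {
        int allowed = lids_search_inode(d);
        if (allowed >= 0)
            return (allowed & flag) ? 0 : lids_check_acl(t, ino, flag);
        if (d == parent_of(d)) return 0;         /* reached root: unprotected */
    }
}

/* One check as a freshly exec'd program, like "cat /etc/shadow" on the slide. */
int check_as(unsigned long exe_ino, unsigned long obj_ino, unsigned flag)
{
    struct task t; memset(&t, 0, sizeof t);
    lids_execve(&t, exe_ino);
    int denied = lids_check_base(&t, obj_ino, flag);
    if (denied) fprintf(stderr, "LIDS: exe ino %lu : Attempt to %s ino %lu\n", exe_ino,
                        flag & LIDS_WRITE ? "write" : flag & LIDS_APPEND ? "append to" : "read", obj_ino);
    return denied;
}

/* Fork from parent_exe, optionally exec child_exe in the child, then check. */
int check_child(unsigned long parent_exe, unsigned long child_exe, unsigned long obj_ino, unsigned flag)
{
    struct task parent, child; memset(&parent, 0, sizeof parent);
    lids_execve(&parent, parent_exe);
    lids_fork(&child, &parent);
    if (child_exe) lids_execve(&child, child_exe);
    return lids_check_base(&child, obj_ino, flag);
}

int main(void)
{
    printf("cat reads /etc/shadow:          %s\n", check_as(80939, 50891, LIDS_READ) ? "denied" : "ok");
    printf("login reads /etc/shadow:        %s\n", check_as(31, 50891, LIDS_READ) ? "denied" : "ok");
    printf("touch creates a file in /bin:   %s\n", check_as(80891, 30, LIDS_WRITE) ? "denied" : "ok");
    printf("login's child after exec cat:   %s\n", check_child(31, 80939, 50891, LIDS_READ) ? "denied" : "ok");
    return 0;
}
```

Two properties of the real design show up in the model. Rules follow the inode, not the name: a hard link to /etc/shadow is covered, but a file deleted and recreated under the same name is a new inode with no rule until the ACL database is reloaded. And because the walk stops at the nearest protected ancestor, a grant on a directory (/var/log APPEND) applies to every file below it unless a more specific rule exists. The kernel version copies the ACL list with kmalloc in copy_lids_sys_acl(); struct assignment does the same job here.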
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5. Attacks and Defenses
%fore "yellow", font "dixon"
%center
%IMAGE "Rambux.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5.1 LIDS admin password
%fore "yellow", font "dixon"
Attack
LIDS admin: a super-superuser above root
the same privilege as the old, unrestricted root
Password (hash) stored in the kernel
Defense
160-bit RIPEMD-160 password hash
Restricted login TTY
local console / serial port / remote
CAP_SYS_RAWIO
/dev/kmem, /proc/kcore unwritable
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5.2 Trojan, RootKit and Sensitive Information
%fore "yellow", font "dixon"
Attack
Trojan: /bin/login
Log cleaning: /var/log/
Password: /etc/shadow
Modules: insmod/rmmod
Kernel Root Kit
Defense
File system protection:
Implementation in VFS layer
MODE: Read Only, Append, Deny Access
Module operation
CAP_SYS_MODULE
Disable by default
Log:
%font "typewriter", size 3
%fore "yellow"
LIDS: insmod (dev 3:2 inode 84860) pid 21420 ppid 21414 uid/gid (0/0) on (ttyp) : violated CAP_SYS_MODULE
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5.3 ACL/Capability and LD_PRELOAD
%fore "yellow", font "dixon"
Attack
Reported by the TESO team (advisory, 2002)
LD_PRELOAD can insert malicious code into a program that inherits ACLs
Defense
check for "LD_" in the envp at execve()
clear the inherited ACLs when an LD_* variable is found
check processes that run with inherited ACLs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5.4 Shellcode Detection
%fore "yellow", font "dixon"
Attack
Buffer Overflow with shellcode
Send shellcode to program parameters and envp
Defense
Check argv and envp for shellcode at execve()
Refuse to exec when shellcode is found in the parameters/env
Log:
%font "typewriter", size 3
%fore "yellow"
LIDS: bash (dev 3:2 inode 80747) pid 21323 ppid 21318 uid/gid (500/500) on (ttyp) : Found overlong parameters when exec /usr/X11R6/bin/xlock: length = 4095
LIDS: bash (dev 3:2 inode 80747) pid 21323 ppid 21318 uid/gid (500/500) on (ttyp) : Shellcode detected when exec /usr/X11R6/bin/xlock, program terminated!
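The two execve()-time checks of sections 5.3 and 5.4 (an LD_* variable in the environment drops the inherited ACLs; an overlong or shellcode-like argument or environment string aborts the exec), as an added user-space model. This is example code, not LIDS source: the 4095 limit is read off the log line above, the "LD_" prefix test is what the slide describes, and the shellcode heuristic (a NOP sled or a string that is mostly non-printable bytes) is an assumption standing in for whatever pattern set LIDS used. The sample argv/envp vectors are constructed.

```c
/* Added example, not LIDS source: execve()-time argv/envp checks modelled on
 * sections 5.3 and 5.4. Limit, prefix test and heuristic are assumptions. */
#include <stdio.h>
#include <string.h>

#define LIDS_MAX_ARG_LEN 4095            /* assumption: from "length = 4095" in the log */
enum exec_verdict { EXEC_OK = 0, EXEC_DROP_INHERIT = 1, EXEC_KILL = 2 };

/* 5.3: any LD_* variable (LD_PRELOAD, LD_LIBRARY_PATH, ...) lets the dynamic
 * loader run attacker code inside an image that would inherit the caller's ACLs. */
int lids_env_has_ld(char *const envp[])
{
    for (size_t i = 0; envp[i]; i++)
        if (strncmp(envp[i], "LD_", 3) == 0) return 1;
    return 0;
}

/* 5.4: heuristic. A run of 16+ x86 NOPs (0x90), or a string of 64+ bytes of
 * which more than a quarter fall outside printable ASCII, counts as shellcode. */
int lids_looks_like_shellcode(const char *s, size_t len)
{
    size_t nops = 0, binary = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        nops = (c == 0x90) ? nops + 1 : 0;
        if (nops >= 16) return 1;
        if (c < 0x20 || c > 0x7e) binary++;
    }
    return len >= 64 && binary * 4 > len;
}

/* The do_execve() hook. EXEC_KILL refuses the exec (overlong or shellcode);
 * EXEC_DROP_INHERIT lets it run but without the parent's inherited ACLs. */
int lids_check_exec(const char *path, char *const argv[], char *const envp[],
                    char *reason, size_t rlen)
{
    char *const *vec[2] = { argv, envp };
    for (int v = 0; v < 2; v++)
        for (size_t i = 0; vec[v][i]; i++) {
            size_t len = strlen(vec[v][i]);
            if (len >= LIDS_MAX_ARG_LEN) {
                snprintf(reason, rlen, "Found overlong parameters when exec %s: length = %zu", path, len);
                return EXEC_KILL;
            }
            if (lids_looks_like_shellcode(vec[v][i], len)) {
                snprintf(reason, rlen, "Shellcode detected when exec %s, program terminated!", path);
                return EXEC_KILL;
            }
        }
    if (lids_env_has_ld(envp)) {
        snprintf(reason, rlen, "LD_* in environment when exec %s: inherited ACLs cleared", path);
        return EXEC_DROP_INHERIT;
    }
    snprintf(reason, rlen, "exec %s: ok", path);
    return EXEC_OK;
}

/* Four constructed scenarios against the xlock path from the slide's log:
 * 0 benign, 1 LD_PRELOAD in envp, 2 NOP sled in argv, 3 overlong argv. */
int demo_verdict(int scenario)
{
    static char sled[48], big[LIDS_MAX_ARG_LEN + 1], reason[256];
    memset(sled, 0x90, 40);                                /* 40 x NOP ... */
    memcpy(sled + 40, "\x31\xc0\xcd\x80", 4); sled[44] = 0; /* ... then a marker stub */
    memset(big, 'A', LIDS_MAX_ARG_LEN); big[LIDS_MAX_ARG_LEN] = 0;
    char *benign_env[] = { "HOME=/root", "PATH=/bin:/usr/bin", NULL };
    char *ld_env[]     = { "HOME=/root", "LD_PRELOAD=/tmp/evil.so", NULL };
    char *argv_ok[]    = { "xlock", "-mode", "random", NULL };
    char *argv_sled[]  = { "xlock", sled, NULL };
    char *argv_big[]   = { "xlock", big, NULL };
    const char *path = "/usr/X11R6/bin/xlock";
    int v;
    switch (scenario) {
    case 0:  v = lids_check_exec(path, argv_ok,   benign_env, reason, sizeof reason); break;
    case 1:  v = lids_check_exec(path, argv_ok,   ld_env,     reason, sizeof reason); break;
    case 2:  v = lids_check_exec(path, argv_sled, benign_env, reason, sizeof reason); break;
    default: v = lids_check_exec(path, argv_big,  benign_env, reason, sizeof reason); break;
    }
    printf("LIDS: verdict %d : %s\n", v, reason);
    return v;
}

int main(void)
{
    for (int s = 0; s < 4; s++) demo_verdict(s);
    return 0;
}
```

The caveat a practitioner wants: this is detection, not a fix for the overflow. A byte-pattern heuristic misses alphanumeric or encoded shellcode and will false-positive on long UTF-8 arguments on a non-ASCII locale, so the log line is a signal to investigate the program that received the argument, and the real protection is still the ACL and capability set that limits what the overflowed process can do.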
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
5.5 Dynamic runtime kernel modification
%fore "yellow", font "dixon"
Attack
Phrack magazine, issue 58
Modify kernel code through /proc/kcore, /dev/kmem
Defense
CAP_SYS_RAWIO capability disabled by default
LOG
%font "typewriter", size 3
%fore "yellow"
LIDS: bash (dev 3:2 inode 80747) pid 4830 ppid 4826 uid/gid (0/0) on (ttyp) : violated CAP_SYS_RAWIO
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
6. Build a secure Linux with LIDS
%fore "yellow", font "dixon"
%center
%IMAGE "Complete_control.jpg"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
6.1 Install and Build the kernel
%fore "yellow", font "dixon"
vanilla kernel from www.kernel.org and its mirrors
kernel patch and tools from www.lids.org and its mirror
LSM from lsm.immunix.org
Patching the kernel
$ cd kernel_source_dir
$ patch -p1 < lids-1.1.0r2-2.4.18.patch
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
6.2 Install the kernel and lidstools
%fore "yellow", font "dixon"
Reconfigure the kernel
$ make menuconfig/xconfig/config
Rebuild the kernel
$ make bzImage
Install the kernel
compile and install the lidstools
- lidsadm, lidsconf
- default ACLs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
6.3 ACL and lidsconf
%fore "yellow", font "dixon"
/etc/lids
lids.conf lids.net lids.pw lids.cap
lidsconf
lidsconf -A -s program -o file/dir -j DENY/READONLY/APPEND/WRITE
lidsconf -A -s program -o cap -i inherit_level -j GRANT
lidsadm
lidsadm -S -- -LIDS / +LIDS --> disable / enable LIDS
lidsadm -I --> seal the kernel
FAQ
http://www.lids.org/faq/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
6.4 testing
%font "typewriter", size 3
%fore "yellow"
Reboot & Seal the kernel
# modprobe lids
# lidsadm -I
-- log --
Linux Intrusion Detection System 2.0.1pre1 started
LIDS: Statistics: 10 objects, 21 source ACLS, 25 object ACLs,capability = 75d0cd1f
File protection
[root@lids /root]# cat /etc/shadow
cat: /etc/shadow: Operation not permitted
-- log --
LIDS: cat (dev 3:2 inode 80939) pid 4711 ppid 4683 uid/gid (0/0) on (pts) : Attempt to read (dev 3:2, ino 50891)
[root@lids /bin]# touch abc
touch: abc: Operation not permitted
-- log --
LIDS: touch (dev 3:2 inode 80891) pid 4734 ppid 4636 uid/gid (0/0) on (pts) : Attempt to fchmod abc to mode 127440
Modules protection
[root@lids /root]# rmmod lids
lids: Operation not permitted
-- log --
LIDS: insmod (dev 3:2 inode 84860) pid 4735 ppid 4636 uid/gid (0/0) on (pts) : violated CAP_SYS_MODULE
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
#%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
7. Summary
%fore "yellow", font "dixon"
Free software effort
LIDS implements a security model (trusted kernel + MAC) in the kernel
LIDS can enhance Linux kernel security
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
8. Acknowledgements
%fore "yellow", font "dixon"
%center
LIDS users and developers
The wonderful world of free software
IntruVert Networks
DEFCON
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%font "dixon"
%bgrad 25 25 128 45 1 "blue" "blue2" "black" "black" "black" "black" "blue"
%center
Any Questions?
%IMAGE "Rambux.jpg"
%fore "orange", size 5
%center
Thanks
:-)
%fore "red",size 5
http://www.lids.org
xie@www.lids.org