linux 4.6 and memory protections
Posted on 15-Apr-2017
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Linux 4.6 and memory protections
Kernel-level security enhancements at runtime
Linux is not that secure…
• today’s KASLR implementation is trivial
• backporting of patches is necessary
• people are scared of kernel updates…
• …servers are running old kernels
• it’s worse on mobile (Android?)
• remember: not updated = dead product / service
• so? we MUST design systems that update their kernels!
So what?
• read security bulletins of software you use
• install latest updates
• update your kernel, no fears!
• Linux 4.6 has some nice features
• you should have a look…
Security enhancements in Linux 4.6
• EFI firmware context isolated from kernel
• kernel memory protections
• some features being cherry picked from grsecurity
• live kernel patches (since Linux 4.0)
• now shifting to live kernel updates
About kernel memory protections
• most from GrSecurity and PaX
• default on ARMv7 and ARMv8, mandatory on x86
• RANDSTRUCT plugin
• write protection to all data structures (kernel only)
• __ro_after_init markings for write-once data
• __read_only from grsec and PaX
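The write-once idea behind __ro_after_init, as an added user-space illustration that is not from the slides and not the kernel's own implementation: data stays writable while it is being initialised, then the page holding it is sealed read-only, so any later write faults instead of silently corrupting the data. The struct, its field names and the `tunables_*` functions are hypothetical; the example assumes Linux/POSIX (mprotect, sigaction, sigsetjmp).

```c
/* Added example (not from the slides or the kernel): user-space model of the
 * __ro_after_init pattern. Write during init, seal, then any write faults.
 * Assumes Linux/POSIX: mprotect(), sigaction(), sigsetjmp()/siglongjmp(). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical "boot-time tunables": set once at init, never written again. */
struct tunables {
    int max_conn;
    char banner[32];
};

static struct tunables *tun;      /* placed on its own page so it can be sealed */
static sigjmp_buf probe_env;

static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Phase 1 (the __init-time part): allocate a page-aligned object and fill it. */
int tunables_init(int max_conn, const char *banner) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign((void **)&tun, pg, pg) != 0) return -1;
    memset(tun, 0, pg);
    tun->max_conn = max_conn;
    snprintf(tun->banner, sizeof tun->banner, "%s", banner);
    return 0;
}

/* Phase 2: drop write permission. This is the user-space equivalent of the
 * kernel marking the __ro_after_init section read-only once boot completes. */
int tunables_seal(void) {
    return mprotect(tun, (size_t)sysconf(_SC_PAGESIZE), PROT_READ);
}

/* Probe: returns 1 if a write to the tunables faults (sealed), 0 if it lands.
 * A temporary SIGSEGV handler turns the fault into a siglongjmp. */
int tunables_write_faults(void) {
    struct sigaction sa, old;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile int *p = &tun->max_conn;
        *p = *p;                 /* attempted write; faults once sealed */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int tunables_max_conn(void) { return tun->max_conn; }

int main(void) {
    if (tunables_init(128, "hardened") != 0) return 1;
    printf("before seal: write faults = %d\n", tunables_write_faults());
    if (tunables_seal() != 0) { perror("mprotect"); return 1; }
    printf("after seal:  write faults = %d, max_conn = %d\n",
           tunables_write_faults(), tunables_max_conn());
    return 0;
}
```

The point the slide makes is visible in the two probe results: before sealing the write succeeds, after sealing it faults while the data remains readable. In the kernel the seal happens once for the whole section at the end of boot, which is why only data that is genuinely write-once should carry the marking.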
Future
• Linux 4.7+
• LoadPin LSM for trusted loading of kernel modules
• KASLR on MIPS
• improved text base address randomization on x86
• Core Infrastructure Initiative (https://www.coreinfrastructure.org/)
Sources
https://forums.grsecurity.net/viewtopic.php?f=7&t=4476
https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features
https://forums.freebsd.org/threads/56298/
http://www.wilderssecurity.com/threads/linux-kernel-4-6-new-self-protection-features.385840/
https://plus.google.com/u/0/+KeesCook/posts/adtf8msMKNL
https://www.youtube.com/watch?v=GGBlBIFAKmA
https://news.ycombinator.com/item?id=11698381
http://www.theregister.co.uk/2016/04/27/linux_security_bug_report_row/
http://www.linuxjournal.com/content/no-reboot-kernel-patching-and-why-you-should-care
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.7-LoadPin-Restriction
http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=31b0b385f69d8d5491a4bca288e25e63f1d945d0
Questions?
Thank you!