TRANSCRIPT
Workshop in Information Security
Building a Firewall within the Linux Kernel
Firewalls, vulnerabilities and Linux Kernel Modules.
Lecturer: Eran Tromer
Teaching assistant: Coby Schmidt
Advisors: Assaf Harel, Ariel Haviv
Agenda
1. Firewall Functionality
2. Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment
Part 1: Firewall Functionality
Firewall goals (reminder)
A piece of software or hardware intended to keep a certain network secure:
– Enforce protocol correctness.
– Enforce the policy of the network administrator.
– Minimize the chance of intrusion and attacks.
It can operate at different levels of the OSI model:
– The first firewalls looked only up to the TCP/IP level (network and transport headers).
– Today's firewalls inspect all the way up to the application level.
Firewall requirements (reminder)
A firewall needs to look into packets, so it must have some communication with the kernel.
It needs to decide fast: we want maximum throughput and can't afford slowing down the traffic.
It needs to be configurable.
It needs to provide some way for the user to see what's going on inside.
Packet filtering (reminder)
Each packet that is inspected waits for a verdict:
– Accept
– Drop
In practice this is mainly connection filtering: we make certain connections legal and all the others illegal (the rules).
For example, we allow incoming connections to the host 10.1.1.1 only on port 80.
Another example: disallow all connections from the 172.23.31.0/24 network.
Packet filtering (reminder cont.)
We look into the IP header of the packet to identify the source and destination IP addresses, and into the UDP/TCP header to identify the source and destination ports.
When a new connection is established we check the connection against a set of rules.
After a connection is accepted, each subsequent packet is checked to see whether it is part of an existing (already accepted) connection.
Firewall Functionality
A firewall filters connections against a policy or a rulebase, rule by rule, from top to bottom: the first rule that matches a connection decides its verdict.
Generally speaking, as we go down the rulebase the rules get more general, and as we go up they get more specific.

Rule  Source IP                      Destination IP                 Src port  Dst port  Verdict
1     91.93.133.120                  192.168.4.122                  1550      3790      Accept
2     0.0.0.0 - 255.255.255.255      192.168.4.122                  Any       Any       Drop
3     0.0.0.0 - 255.255.255.255      192.168.0.0 - 192.168.255.255  Any       22        Accept
4     192.168.3.0 - 192.168.3.255    0.0.0.0 - 255.255.255.255      Any       Any       Drop
5     192.168.0.0 - 192.168.255.255  0.0.0.0 - 255.255.255.255      Any       80        Accept
6     0.0.0.0 - 255.255.255.255      0.0.0.0 - 255.255.255.255      Any       Any       Drop

Rule 6 is the clean-up rule: anything the more specific rules above did not decide is dropped.
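As an added example (not code from the workshop), here is the rulebase above as a C table with first-match evaluation. The struct layout, function names, dotted-quad parser and the sample connections are ours; this is only the "new connection" check against the rulebase, not the per-packet lookup of already accepted connections.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (ours, not the workshop's code): first-match evaluation of
 * the rulebase in the table above. Each rule carries inclusive ranges for
 * both addresses and both ports; "Any" is the full range. Addresses are
 * host-order integers. */

typedef enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 } verdict_t;

struct rule {
    uint32_t src_lo, src_hi;      /* source address range */
    uint32_t dst_lo, dst_hi;      /* destination address range */
    uint16_t sport_lo, sport_hi;  /* source port range */
    uint16_t dport_lo, dport_hi;  /* destination port range */
    verdict_t verdict;
};

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define HOST(a, b, c, d) IP(a, b, c, d), IP(a, b, c, d)   /* a single-address range */
#define ANY_IP   0u, 0xffffffffu
#define ANY_PORT 0, 65535
#define PORT(p)  (p), (p)

/* The table from the slide, in the same order. Order matters: rule 2 would
 * be shadowed by rule 3 if the two were swapped. */
static const struct rule rulebase[] = {
    { HOST(91, 93, 133, 120), HOST(192, 168, 4, 122), PORT(1550), PORT(3790), VERDICT_ACCEPT },
    { ANY_IP, HOST(192, 168, 4, 122), ANY_PORT, ANY_PORT, VERDICT_DROP },
    { ANY_IP, IP(192, 168, 0, 0), IP(192, 168, 255, 255), ANY_PORT, PORT(22), VERDICT_ACCEPT },
    { IP(192, 168, 3, 0), IP(192, 168, 3, 255), ANY_IP, ANY_PORT, ANY_PORT, VERDICT_DROP },
    { IP(192, 168, 0, 0), IP(192, 168, 255, 255), ANY_IP, ANY_PORT, PORT(80), VERDICT_ACCEPT },
    { ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, VERDICT_DROP },   /* clean-up rule */
};
#define NRULES (sizeof rulebase / sizeof rulebase[0])

struct conn { uint32_t src, dst; uint16_t sport, dport; };

static int between(uint32_t v, uint32_t lo, uint32_t hi) { return v >= lo && v <= hi; }

/* Walk the rulebase top to bottom; return the 1-based number of the first
 * matching rule, or 0 if nothing matched. */
int first_match(const struct conn *c)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &rulebase[i];
        if (between(c->src, r->src_lo, r->src_hi) && between(c->dst, r->dst_lo, r->dst_hi) &&
            between(c->sport, r->sport_lo, r->sport_hi) && between(c->dport, r->dport_lo, r->dport_hi))
            return (int)i + 1;
    }
    return 0;
}

/* Verdict for a new connection. No match means drop: the safe default if
 * the administrator forgot the clean-up rule. */
verdict_t evaluate(const struct conn *c)
{
    int n = first_match(c);
    return n ? rulebase[n - 1].verdict : VERDICT_DROP;
}

/* Dotted-quad parser for the demo: exactly four octets, each 0..255, and
 * nothing after them. Malformed input is rejected rather than guessed at. */
int parse_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = IP(a, b, c, d);
    return 1;
}

/* Rule number for "src:sport -> dst:dport" given as strings; -1 on bad input. */
int match_str(const char *src, unsigned sport, const char *dst, unsigned dport)
{
    struct conn c;
    if (!parse_ip(src, &c.src) || !parse_ip(dst, &c.dst) || sport > 65535 || dport > 65535) return -1;
    c.sport = (uint16_t)sport; c.dport = (uint16_t)dport;
    return first_match(&c);
}

int main(void)
{
    /* Constructed connections: the same source port mismatch drops rule 1 through to rule 2 */
    printf("rule %d\n", match_str("91.93.133.120", 1550, "192.168.4.122", 3790));  /* rule 1 */
    printf("rule %d\n", match_str("91.93.133.120", 1551, "192.168.4.122", 3790));  /* rule 2 */
    printf("rule %d\n", match_str("192.168.5.10", 5000, "8.8.8.8", 443));           /* rule 6 */
    return 0;
}
```

Swapping rules 2 and 3 in the table would silently let SSH into 192.168.4.122, which is why the specific rule sits above the general one and why a change to the rulebase should be tested with connections that exercise every rule.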
Firewall Functionality – let's have a thought experiment.
A possible organization topology:
– 192.168.1.0/24: the intranet of the organization. TOP SECRET.
– DMZ (Demilitarized Zone): what the organization is willing to expose to the public.
Part 2: Vulnerabilities
Vulnerabilities – bad input
A common mistake is to assume that because you wrote the code, you will never get bad input from the other side of the conversation.
Someone can send you a hand-crafted packet with bad input, and BOOM.
If you don't check the input and it is bad:
– You might crash due to a segmentation fault. That's the better scenario.
– In the worse scenario you don't crash:
– You mess up data in another part of your program.
– Someone can execute code on your machine.
– You unknowingly expose sensitive data.
Protocol Violation
Spoofing: forging the source IP address.
An attacker can forge the IP address of a host inside a protected network and behave as if he/she were part of the targeted network.
This can be caught simply by noticing an IP source address arriving on the wrong interface: a packet claiming an internal source address has no business arriving on the external interface.
Example: the "Smurf attack" (ICMP echo requests sent to a network's broadcast address with the victim's address forged as the source, so every host on that segment replies to the victim).
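The interface check described above, as an added example that is not the workshop's code. The interface names and the prefixes bound to them are constructed for the demo; a real module would take them from its configuration.

```c
#include <stdint.h>
#include <string.h>

/* Added example (ours, not the workshop's code): ingress anti-spoofing.
 * Each interface is bound to the prefix that legitimately lives behind it
 * (addresses in host byte order). */
struct iface_prefix { const char *name; uint32_t net; uint8_t plen; };

static const struct iface_prefix bindings[] = {   /* constructed topology */
    { "int", 0xC0A80100u, 24 },   /* 192.168.1.0/24: the intranet */
    { "dmz", 0xC0A80200u, 24 },   /* 192.168.2.0/24: the DMZ */
    { "ext", 0x00000000u, 0  },   /* 0.0.0.0/0: everything else, i.e. the Internet */
};
#define NBIND (sizeof bindings / sizeof bindings[0])

static uint32_t prefix_mask(uint8_t plen) { return plen ? 0xffffffffu << (32 - plen) : 0; }

static int in_prefix(uint32_t ip, const struct iface_prefix *b)
{
    return (ip & prefix_mask(b->plen)) == (b->net & prefix_mask(b->plen));
}

/* 1 if `src` may legitimately appear on `iface`. An address from an internal
 * prefix is plausible only on that prefix's own interface, and an internal
 * interface may carry only its own prefix. Unknown interfaces are rejected. */
int source_plausible(const char *iface, uint32_t src)
{
    int known = 0;
    for (size_t i = 0; i < NBIND; i++) {
        int on_iface = strcmp(iface, bindings[i].name) == 0;
        known |= on_iface;
        if (bindings[i].plen == 0) continue;            /* the catch-all owns no addresses */
        if (in_prefix(src, &bindings[i]) != on_iface) return 0;
    }
    return known;
}

/* Smurf: an echo request to a segment's directed broadcast address, with the
 * victim forged as the source, makes every host on the segment reply to the
 * victim. Traffic to an internal broadcast address that did not originate on
 * that segment's own interface is refused. */
int is_foreign_directed_broadcast(const char *iface, uint32_t dst)
{
    for (size_t i = 0; i < NBIND; i++) {
        if (bindings[i].plen == 0) continue;
        uint32_t bcast = bindings[i].net | ~prefix_mask(bindings[i].plen);
        if (dst == bcast && strcmp(iface, bindings[i].name) != 0) return 1;
    }
    return 0;
}

/* Combined ingress decision: 1 = let the packet continue, 0 = drop. */
int ingress_allowed(const char *iface, uint32_t src, uint32_t dst)
{
    return source_plausible(iface, src) && !is_foreign_directed_broadcast(iface, dst);
}
```

The check is cheap (a handful of mask-and-compare operations per packet), so unlike the rulebase walk it can run on every packet rather than only on new connections.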
Protocol Violation (cont.)
"Ping of Death": sending a packet whose reassembled size is larger than 65535 bytes (the maximum an IPv4 total-length field can express) crashed many operating systems.
When the OS reassembles the fragments it overruns the memory located next to the packet buffer and damages the system.
Not just ping: any protocol over IPv4 can carry it, because the overflow happens in IP fragment reassembly.
One way to avoid it is to patch the OS.
Another is to let a firewall make sure that no fragment's offset plus length would push the reassembled packet beyond 65535 bytes, so an unpatched host behind it never has to reassemble one.
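An added example (ours, not the workshop's code) for the two slides above: the same IPv4 header parsed once while trusting the header's own length fields, which is the "bad input" mistake, and once with every length and offset checked against the buffer and against the 65535-byte IPv4 maximum, which is the per-fragment check that stops Ping of Death packets without reassembling anything. The struct, function names and the sample packets are ours and constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (ours): unchecked vs checked parsing of an IPv4 header that
 * arrived from the network. Sample packets are constructed inline. */

enum { IPV4_MAX_LEN = 65535, IPV4_MIN_HDR = 20 };
enum ip_check { IP_OK = 0, IP_TRUNCATED, IP_BAD_VERSION, IP_BAD_IHL, IP_BAD_TOTLEN, IP_FRAG_OVERFLOW };

struct ipv4_view {
    unsigned ihl, tot_len, frag_off;   /* header length, total length, fragment offset: bytes */
    int more_frags;
    uint8_t proto;
    const uint8_t *payload;
    size_t payload_len;
};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* The naive parser: it never sees buflen, so payload_len can exceed what we
 * actually hold, and the next memcpy() or loop over the payload runs off the
 * end of the buffer. Kept only to show the defect. */
void ipv4_parse_unchecked(const uint8_t *buf, struct ipv4_view *v)
{
    v->ihl = (buf[0] & 0x0f) * 4;
    v->tot_len = be16(buf + 2);
    v->frag_off = (be16(buf + 6) & 0x1fff) * 8;
    v->more_frags = (be16(buf + 6) & 0x2000) != 0;
    v->proto = buf[9];
    v->payload = buf + v->ihl;
    v->payload_len = v->tot_len - v->ihl;   /* wraps to a huge value if tot_len < ihl */
}

/* The checked parser: nothing from the header is used as a length or offset
 * before it has been validated against what is really in the buffer. */
enum ip_check ipv4_parse_checked(const uint8_t *buf, size_t buflen, struct ipv4_view *v)
{
    if (buflen < IPV4_MIN_HDR) return IP_TRUNCATED;               /* not even a full header */
    if ((buf[0] >> 4) != 4) return IP_BAD_VERSION;
    unsigned ihl = (buf[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || ihl > buflen) return IP_BAD_IHL;   /* options would run past the buffer */
    unsigned tot = be16(buf + 2);
    if (tot < ihl || tot > buflen) return IP_BAD_TOTLEN;          /* header lies about the datagram size */
    unsigned fr = be16(buf + 6);
    unsigned frag_off = (fr & 0x1fff) * 8;
    unsigned payload = tot - ihl;
    /* Ping of Death: header + offset + this fragment's payload must fit in
     * 65535 bytes. Checked per fragment, so the firewall never reassembles. */
    if (ihl + frag_off + payload > IPV4_MAX_LEN) return IP_FRAG_OVERFLOW;
    v->ihl = ihl; v->tot_len = tot; v->frag_off = frag_off;
    v->more_frags = (fr & 0x2000) != 0;
    v->proto = buf[9];
    v->payload = buf + ihl;
    v->payload_len = payload;
    return IP_OK;
}

/* Constructed input: a 20-byte header (no options) followed by `payload` zero
 * bytes. tot_len and the fragment field are written exactly as given,
 * truthful or not. Returns the number of bytes actually placed in the buffer. */
static size_t make_packet(uint8_t *buf, size_t cap, unsigned tot_len, unsigned frag_field, size_t payload)
{
    size_t len = IPV4_MIN_HDR + payload;
    if (len > cap) return 0;
    memset(buf, 0, len);
    buf[0] = 0x45;                                       /* version 4, IHL 5 words */
    buf[2] = tot_len >> 8;    buf[3] = tot_len & 0xff;
    buf[6] = frag_field >> 8; buf[7] = frag_field & 0xff;
    buf[9] = 1;                                          /* ICMP */
    return len;
}

/* Demo 1: 60 bytes arrive, but the header claims a 1500-byte datagram. */
size_t demo_lying_length_unchecked(void)
{
    uint8_t buf[64]; struct ipv4_view v;
    make_packet(buf, sizeof buf, 1500, 0, 40);
    ipv4_parse_unchecked(buf, &v);
    return v.payload_len;                    /* 1480: 1420 bytes past the end of buf */
}
enum ip_check demo_lying_length_checked(void)
{
    uint8_t buf[64]; struct ipv4_view v;
    size_t n = make_packet(buf, sizeof buf, 1500, 0, 40);
    return ipv4_parse_checked(buf, n, &v);   /* IP_BAD_TOTLEN */
}

/* Demo 2: the last fragment of a Ping of Death. Offset field 8189 is byte
 * 65512; with a 20-byte header and 40 payload bytes the reassembled datagram
 * would be 65572 bytes, 37 more than IPv4 allows. */
enum ip_check demo_ping_of_death_fragment(void)
{
    uint8_t buf[64]; struct ipv4_view v;
    size_t n = make_packet(buf, sizeof buf, 60, 8189, 40);
    return ipv4_parse_checked(buf, n, &v);   /* IP_FRAG_OVERFLOW */
}

/* Demo 3: same offset, 3 payload bytes: 20 + 65512 + 3 = 65535, exactly the limit. */
enum ip_check demo_last_legal_fragment(void)
{
    uint8_t buf[64]; struct ipv4_view v;
    size_t n = make_packet(buf, sizeof buf, 23, 8189, 3);
    return ipv4_parse_checked(buf, n, &v);   /* IP_OK */
}
```

In a kernel hook the same discipline applies to the skb: the header lengths are still attacker-controlled bytes, and the buffer length the kernel hands you is the only number you can trust.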
SYN floods
SYN packets are the most expensive in terms of CPU and memory resources: every one of them makes the receiver allocate state for a half-open connection.
An easy way to attack networks, gateways, servers and more is to flood them with SYN packets (mostly with forged source IPs, so the SYN-ACKs go nowhere and the state is never released).
Careful monitoring of SYN packets can prevent it.
Let the firewall be the "man in the middle": it performs the 3-way handshake with the connection initiator itself, and only opens the connection towards the server once that handshake completes.
To avoid slowing down traffic, or even crashing the firewall, we should switch to this mode only after the number of unresolved (half-open) SYN connections passes some threshold.
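An added example (ours, not the workshop's code) of the threshold-triggered "man in the middle" described above. Below the threshold the firewall forwards SYNs and remembers each half-open connection; above it, the firewall answers SYNs itself with a SYN-ACK whose sequence number is a cookie derived from the 4-tuple, a secret and a coarse clock, keeps no state at all, and only opens the server-side connection when an ACK comes back carrying that cookie. The hash is a toy stand-in for a real keyed hash; the threshold, secret, action names and flows are ours and constructed for the demo.

```c
#include <stdint.h>

/* Added example (ours): a model of a threshold-triggered SYN proxy with SYN
 * cookies. Toy hash; constructed threshold, secret and flows. */

enum action { ACT_FORWARD_SYN, ACT_SEND_SYNACK_COOKIE, ACT_FORWARD_ACK, ACT_OPEN_TO_SERVER, ACT_DROP };

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

#define MAX_HALF_OPEN 4        /* the threshold; deliberately tiny so the demo crosses it */

struct synguard {
    struct flow tracked[MAX_HALF_OPEN];  /* SYNs forwarded to the server, handshake not yet complete */
    int n_tracked;
    uint32_t secret;                     /* picked at boot, never leaves the kernel */
    uint32_t clock_slot;                 /* coarse time, e.g. minutes since boot */
};

static uint32_t mix(uint32_t h, uint32_t v)
{
    h ^= v; h *= 0x9E3779B1u; h ^= h >> 15; h *= 0x85EBCA77u; h ^= h >> 13;
    return h;
}

/* cookie = toy MAC(secret, 4-tuple, time slot); a real one would use SipHash. */
static uint32_t cookie(const struct synguard *g, const struct flow *f, uint32_t slot)
{
    uint32_t h = mix(0x811C9DC5u, g->secret);
    h = mix(h, f->saddr);
    h = mix(h, f->daddr);
    h = mix(h, ((uint32_t)f->sport << 16) | f->dport);
    return mix(h, slot);
}

static int same_flow(const struct flow *a, const struct flow *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport;
}

static int find_tracked(const struct synguard *g, const struct flow *f)
{
    for (int i = 0; i < g->n_tracked; i++)
        if (same_flow(&g->tracked[i], f)) return i;
    return -1;
}

static void forget(struct synguard *g, int i) { g->tracked[i] = g->tracked[--g->n_tracked]; }

/* A SYN arrived from a client. *isn receives the cookie when we answer ourselves. */
enum action on_syn(struct synguard *g, const struct flow *f, uint32_t *isn)
{
    if (find_tracked(g, f) >= 0) return ACT_FORWARD_SYN;      /* retransmit of a SYN we already track */
    if (g->n_tracked < MAX_HALF_OPEN) {
        g->tracked[g->n_tracked++] = *f;                      /* normal mode: pass it on, remember it */
        return ACT_FORWARD_SYN;
    }
    *isn = cookie(g, f, g->clock_slot);                       /* proxy mode: answer, remember nothing */
    return ACT_SEND_SYNACK_COOKIE;
}

/* The third packet of a handshake (ACK, no SYN) arrived from a client. ACKs of
 * connections that are already established belong to the connection table,
 * which this model leaves out. */
enum action on_ack(struct synguard *g, const struct flow *f, uint32_t ack_seq)
{
    int i = find_tracked(g, f);
    if (i >= 0) {                                             /* a tracked handshake completed */
        forget(g, i);
        return ACT_FORWARD_ACK;
    }
    uint32_t isn = ack_seq - 1;                               /* the ACK acknowledges our ISN + 1 */
    if (isn == cookie(g, f, g->clock_slot) || isn == cookie(g, f, g->clock_slot - 1))
        return ACT_OPEN_TO_SERVER;   /* the initiator really received our SYN-ACK at that address */
    return ACT_DROP;                 /* forged source, stale cookie, or never saw a SYN-ACK */
}

/* Housekeeping: a tracked SYN whose handshake never completed is expired. */
void on_timeout(struct synguard *g, const struct flow *f) { int i = find_tracked(g, f); if (i >= 0) forget(g, i); }

/* Walk through a flood: four spoofed SYNs fill the table, the fifth gets a
 * cookie, and only an ACK that returns the cookie opens a server connection.
 * Returns the first step that did not behave as expected, 0 if all did. */
int demo_flood(void)
{
    struct synguard g = { .secret = 0xDEADBEEFu, .clock_slot = 7 };   /* constructed */
    struct flow f = { 0x0A000001u, 0xC0A80102u, 40000, 80 };
    uint32_t isn = 0;
    for (int k = 0; k < MAX_HALF_OPEN; k++, f.sport++)
        if (on_syn(&g, &f, &isn) != ACT_FORWARD_SYN) return 1;
    if (on_syn(&g, &f, &isn) != ACT_SEND_SYNACK_COOKIE) return 2;   /* table full: proxy mode */
    if (on_ack(&g, &f, isn + 2) != ACT_DROP) return 3;               /* wrong cookie */
    if (on_ack(&g, &f, isn + 1) != ACT_OPEN_TO_SERVER) return 4;     /* right cookie */
    f.sport = 40000;
    if (on_ack(&g, &f, 12345) != ACT_FORWARD_ACK) return 5;          /* a tracked handshake completes */
    if (on_syn(&g, &f, &isn) != ACT_FORWARD_SYN) return 6;           /* room again: back to normal mode */
    return 0;
}
```

The point of the threshold is visible in demo_flood(): while the table has room, the firewall adds no latency and no extra packets; only under pressure does it start answering handshakes itself, and in that mode a forged source that never sees the SYN-ACK can never produce a valid cookie, so it costs the firewall nothing but a hash.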
The future (the real near future)?
It is increasingly accepted that attacks cannot be completely blocked.
But whatever comes in needs to talk back out.
By cultivating malware samples, security analysts can construct a list of bad-reputation IP addresses and block outgoing traffic to them.
Part 3: Intro to Linux Kernel Modules
What is a Kernel Module
What is a kernel module? (wiki definition)
– An object file that contains code to extend the running kernel, the so-called base kernel, of an operating system.
What is a kernel module? (my definition)
– A modular piece of code and data structures that can be plugged into and out of kernel space.
Modules register new facilities (functions and data structures) with the kernel.
How kernel modules differ from user-space programs
The C library and its header files are not available, so many familiar functions will not be available:
– You can't include <stdio.h>, or any other glibc header.
– But <linux/kernel.h> offers some nice utilities, e.g. min_t(type, x, y) and swap(a, b).
– And there are many more: kfifo.h, slab.h, kthread.h, wait.h.
Kernel modules are event driven:
– A module provides facilities that the kernel calls during interrupts, system calls etc.
– The kernel can even start using registered facilities before all of them have been registered, so each facility must be ready to be called the moment its registration returns.
Building the Module
The purpose: eliminate the need to re-compile the kernel every time you need to add or remove a specific feature.
A Makefile that adapts itself to the currently running kernel. Look it up!
insmod and rmmod load the module into and remove it from the kernel.
An initialization function is called when the module enters the kernel.
A cleanup function is called when the module is removed from the kernel.
Our Kernel Module – The Firewall!
What will we do with our kernel module? (spoilers ahead)
– Register a char device, to communicate with user space (AKA: the real world).
– Make sysfs virtual files to get and set module values.
– Use the mmap API to expose large chunks of data from kernel space.
– Register our own functions (AKA: hooks) with the netfilter API, to issue verdicts on packets going in, out of and through our Linux box.
– Maybe juggle some kernel threads that will help us complete deferred or asynchronous tasks.
When our module is removed, it will clean up all this mess, as if it was never there.
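An added example (ours, not the workshop's solution) of the smallest useful version of that module: an initialization function that registers one netfilter hook, a cleanup function that unregisters it, and a verdict function that takes only plain integers, so the same file also compiles in user space (without __KERNEL__) for testing the policy. That split is the "easy move to the kernel" the assignment asks for. The policy, the 192.168.1.0/24 prefix, and the module name are constructed for the demo; the kernel API used is the nf_register_net_hook() form of kernel 4.13 and later.

```c
/* fw_skel.c: added example (ours). One netfilter hook on incoming IPv4
 * traffic, a kernel-independent policy, and a user-space harness for it. */
#ifdef __KERNEL__
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/in.h>
#include <net/ip.h>
#include <net/net_namespace.h>
#else
#include <stdint.h>
#include <stdio.h>
typedef uint8_t u8; typedef uint16_t u16; typedef uint32_t u32;
#define NF_DROP     0      /* the verdict values netfilter uses */
#define NF_ACCEPT   1
#define IPPROTO_TCP 6
#endif

/* ---------- portable part: the policy (host byte order) ---------- */
#define INTRANET_NET  0xC0A80100u   /* 192.168.1.0/24: the TOP SECRET intranet (constructed) */
#define INTRANET_MASK 0xFFFFFF00u

/* Drop new TCP connections into the intranet from outside unless they go to
 * port 80; let everything else through. new_conn is 1 for a SYN without ACK.
 * (The per-packet "part of an existing connection" check is not shown.) */
unsigned int fw_verdict(u8 proto, u32 saddr, u32 daddr, u16 dport, int new_conn)
{
    int to_intranet   = (daddr & INTRANET_MASK) == INTRANET_NET;
    int from_intranet = (saddr & INTRANET_MASK) == INTRANET_NET;
    if (proto == IPPROTO_TCP && new_conn && to_intranet && !from_intranet && dport != 80)
        return NF_DROP;
    return NF_ACCEPT;
}

#ifdef __KERNEL__
/* ---------- kernel glue: netfilter calls this for every incoming IPv4 packet ---------- */
static unsigned int fw_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)
{
    struct iphdr *iph;
    struct tcphdr *tcph;

    if (!skb) return NF_ACCEPT;
    iph = ip_hdr(skb);
    if (iph->protocol != IPPROTO_TCP) return NF_ACCEPT;
    if (ntohs(iph->frag_off) & IP_OFFSET) return NF_ACCEPT;   /* not the first fragment: no TCP header here */
    /* Bad input again: make sure the TCP header is really in the buffer before reading it. */
    if (!pskb_may_pull(skb, iph->ihl * 4 + sizeof(struct tcphdr))) return NF_DROP;
    iph = ip_hdr(skb);                                  /* pskb_may_pull may have moved the data */
    tcph = (struct tcphdr *)((unsigned char *)iph + iph->ihl * 4);
    return fw_verdict(iph->protocol, ntohl(iph->saddr), ntohl(iph->daddr),
                      ntohs(tcph->dest), tcph->syn && !tcph->ack);
}

static struct nf_hook_ops fw_ops = {
    .hook     = fw_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_PRE_ROUTING,   /* before routing: sees traffic going in and through */
    .priority = NF_IP_PRI_FIRST,
};

/* Runs on insmod: register the hook (older kernels use nf_register_hook() instead). */
static int __init fw_init(void)
{
    int err = nf_register_net_hook(&init_net, &fw_ops);
    if (err) { pr_err("fw_skel: cannot register hook (%d)\n", err); return err; }
    pr_info("fw_skel: loaded\n");
    return 0;
}

/* Runs on rmmod: undo the registration so no packet ever reaches freed code. */
static void __exit fw_exit(void)
{
    nf_unregister_net_hook(&init_net, &fw_ops);
    pr_info("fw_skel: unloaded\n");
}

module_init(fw_init);
module_exit(fw_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Workshop skeleton: one netfilter hook with a portable policy");
#else
/* ---------- user-space harness: the same policy fed constructed packets ---------- */
int main(void)
{
    printf("ssh into intranet from outside:  %s\n",
           fw_verdict(IPPROTO_TCP, 0x0A000001u, 0xC0A80105u, 22, 1) == NF_DROP ? "drop" : "accept");
    printf("http into intranet from outside: %s\n",
           fw_verdict(IPPROTO_TCP, 0x0A000001u, 0xC0A80105u, 80, 1) == NF_DROP ? "drop" : "accept");
    return 0;
}
#endif
```

To build it as a module, a two-line Kbuild Makefile is enough: `obj-m += fw_skel.o` and a target that runs `make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules`; then `insmod fw_skel.ko`, watch `dmesg` for the pr_info lines, and `rmmod fw_skel`. In user space it is just `cc -Wall fw_skel.c`. Note that the hook runs in softirq context for every packet, so anything slow or sleeping has to be deferred to a kernel thread, as the slide anticipates.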
References
Further reference:
– Linux Device Drivers, Third Edition: an excellent free e-book that contains all you need (and don't need) to know about kernel modules. Written for kernel 2.6, but not a lot has changed since.
– Kernel headers and documentation:
– On your machine, e.g. /usr/src/linux-headers-`uname -r`/include/linux/ip.h
– On the net: LXR or any other cross-reference site, and http://kernel.org/doc/Documentation/ (the hardest to read, but probably the most useful).
– Your favorite search engine.
Part 4: A few words on the next assignment
A few words on the next assignment
By the end of this workshop you will have a working firewall in the kernel, even if not a commercial one…
The next assignment will be the first step toward that goal, completely in user space.
You'll receive a fictitious stateful protocol of a car communicating with a satellite.
The fictitious protocol (diagram; not included in the transcript)
A few words on the next assignment
Create all the structs, modules and functions needed to implement a firewall based on that protocol.
In the assignment after this one, once this firewall is stable, it will move to the kernel.
Assignment demands
Write modular code in which different functions and features are independent of each other.
Write well-documented code; make me happy.
Try to make the code as compact as possible.
Remember, well-written code is code that will easily move to the kernel: minimal and specific changes will be much easier to handle.
Try your best to enjoy your code writing…