Upload File

linux 4.6 and memory protections

8
Hardening Two June 13, 2016 Francesco Pira (fpira.com) Linux 4.6 and memory protections Kernel-level security enhancements at runtime

Upload: francesco-pira

Post on 15-Apr-2017

194 views

Category:

Software


0 download

Report

TRANSCRIPT

Page 1: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Linux 4.6 and memory protectionsKernel-level security enhancements at runtime

Page 2: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Linux is not that secure…

• today’s KASLR implementation is trivial

• backporting of patches is necessary

• people are scared of kernel updates…

• …servers are running old kernels

• it’s worst on mobile (Android?)

• remember: not updated = dead product / service

• so? we MUST design systems that update their kernels!

Page 3: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

So what?

• read security bulletins of software you use

• install latest updates

• update your kernel, no fears!

• Linux 4.6 has some nice features

• you should have a look…

Page 4: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Security enhancements in Linux 4.6

• EFI firmware context isolated from kernel

• kernel memory protections

• some features being cherry picked from grsecurity

• live kernel patches (since Linux 4.0)

• now shifting to live kernel updates

Page 5: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

About kernel memory protections

• most from GrSecurity and PaX

• default on ARMv7 and ARMv8, mandatory on x86

• RANDSTRUCT plugin

• write protection to all data structures (kernel only)

• __ro_after_init markings for write-once data

• __read_only from grsec and PaX

Page 6: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Future

• Linux 4.7+

• LoadPin LSM for trusted loading of kernel modules

• KASLR on MIPS

• improved text base address randomization on x86

• Core Infrastructure Initiative (https://www.coreinfrastructure.org/)

Page 7: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Sources

https://forums.grsecurity.net/viewtopic.php?f=7&t=4476

https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features

https://forums.freebsd.org/threads/56298/

http://www.wilderssecurity.com/threads/linux-kernel-4-6-new-self-protection-features.385840/

https://plus.google.com/u/0/+KeesCook/posts/adtf8msMKNL

https://www.youtube.com/watch?v=GGBlBIFAKmA

https://news.ycombinator.com/item?id=11698381

http://www.theregister.co.uk/2016/04/27/linux_security_bug_report_row/

http://www.linuxjournal.com/content/no-reboot-kernel-patching-and-why-you-should-care

https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.7-LoadPin-Restriction

http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=31b0b385f69d8d5491a4bca288e25e63f1d945d0

Page 8: Linux 4.6 and memory protections

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Questions?

Thank you!


The protections of God

Supra Surface Protections

Land Use Protections

Transformer Protections

Parallels Virtuozzo Containers 4.7 for Linux · run Parallels Virtuozzo Containers 4.0 or 4.6 and one of the following Linux distributions (both x86 and x64 versions): • Red Hat

PROTECTIONS COLLECTIVES - altradequipement.com · PROTECTIONS COLLECTIVES POUR CHARPENTE METALLIQUE pinces IPE rapides, platines à visser ou à cheviller, garde-corps PROTECTIONS

Surge Protections SOFREL

Flex 4.6 et Flash Builder 4.6

OpenNebula 4.6 Design and Installation Guidedocs.opennebula.org/pdf/4.6/...4.6_design_and_installation_guide.pdf · OpenNebula 4.6 Design and Installation Guide, Release 4.6 • Multiple

Protections antivirus windows

Catalogue Protections

SCR protections

Electrical safety and protections

Station Protections

BPF Observabilityvger.kernel.org/netconf2018_files/BrendanGregg_netconf...Linux Events & BPF Support Linux 4.3 Linux 4.7 Linux 4.9 Linux 4.9 Linux 4.1 BPF stacks Linux 4.6 BPF output

Transmission Line Protections 1

Verbatim 4.6 file · Web viewVerbatim 4.6

Micom Protections

Hands and arms protections

Legal Protections Jingle

IGO Protections - ICANN

protections tld 2013

OpenNebula 4.6 Release Notesdocs.opennebula.io/pdf/4.6/opennebula_4.6_release_notes.pdfOpenNebula 4.6 Release Notes, Release 4.6 Sunstone: Usability Enhancements • Updated UI Library

ALK13 PROTECTIONS - Catalogo

Generator Protections Basics

Metasploit InstallationGuide Linux 4.6

Sovereign Immunity Protections

BSides Algiers - Linux Kernel and Recent Security Protections - Djallal Harouni

Introduction Preparation Protections - Utility Technologyutilitytechnology.org › conference › 2017_Presentations... · Introduction Preparation Protections Detection and Analysis

Oracle Products€¦ · Oracle Enterprise Linux 4.6, 5.0 This section describes the requirements for Oracle Service Bus on Oracle Enterprise Linux 4.6, 5.0. zRequirements for Oracle

bellasartes.edu.co · EVELYN CATALINA PARRA LOAIZA - 20520131018 SEBASTIAN CHACON APONTE - 1067094 GRADO 1-3 1-3 1-4 1-4 PROMEDIO 4.9 4.5 4.7 4.6 4.5 4.6 4.6 4.6 4.5 4.6 0M DI 4.6

Compulsory Pooling & Landowner Protections

SWP- Fall Protections

Lender Protections in Purchase Agreements: Negotiating ...media.straffordpub.com/products/lender-protections-in-purchase... · Lender Protections in Purchase Agreements: Negotiating

WHISTLEBLOWER PROTECTIONS