Brad Spengler / Grsecurity
Raise aim: TCO
Create:
o ASLR
o Infoleak removal
o No RWX in memory or on disk
Often, post-exploitation, an attacker wants permanence
o Develop more complex exploit that plays along with published SELinux policies?
o Attack that new perf_counter system call completely unmonitored by SELinux?
o Aout loader
o Brk
o Mremap
o Pipe
o ELF loader
o Etc
Lots of attention paid to hardening userland. Nearly no mainline attention to the kernel. What will attackers target?
Enlightenment LSMs
o Grants full root, full capabilities, works in Xen
o Upcoming LXC/OpenVZ support, since:
"If you are inside a user_namespace your capabilities will only be good for manipulating other objects [] that you have created after you entered the user namespace"
Only public exploits produce a change in public perception of security. Kernel security wasn't suddenly horrible in 2009, I simply showed how horrible it's always been. Unlike with Tavis v. Microsoft, I received no threats from Linux vendors
o Although
In the end, stronger SELinux protections, stronger mmap_min_addr, much higher user awareness
Remove infoleaks
o Symbol information
o Slabinfo
o PAX_USERCOPY
Remove
o IDT/GDT/syscall table/etc
o Vsyscall shadow table (see sgrakkyu's remote SELinux-disabling exploit)
Protect against invalid userland memory accesses in general
Make refcount overflows unexploitable
o Currently equivalent to use-after-free
Make allocation-size overflows unexploitable, e.g.:
kmalloc(sizeof(somestruct) * attacker_len)
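The `kmalloc(sizeof(somestruct) * attacker_len)` pattern on the slide is an integer-overflow bug class: when the product wraps, the kernel hands back a buffer far smaller than the later indexing assumes. The block below is an added userland illustration, not code from the slides or from grsecurity/PaX, and it stands in for the kernel's `check_mul_overflow()`/`array_size()` helpers with a hypothetical `checked_array_size()` built on GCC/Clang's `__builtin_mul_overflow`. The struct name and the sample lengths are constructed for the demonstration; refcount overflows (the slide's other item) are a separate class and are not covered here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the slide's "somestruct": 32 bytes. */
struct somestruct { uint64_t a, b, c, d; };

/* Saturating multiply: returns SIZE_MAX on overflow so that any
 * allocator call with the result fails instead of silently shrinking.
 * Hypothetical userland analogue of the kernel's array_size(). */
size_t checked_array_size(size_t elem_size, size_t count)
{
    size_t bytes;
    if (__builtin_mul_overflow(elem_size, count, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* The unsafe pattern from the slide, isolated so the wrap is visible:
 * for a large attacker_len the product wraps modulo SIZE_MAX + 1. */
size_t unsafe_alloc_size(size_t attacker_len)
{
    return sizeof(struct somestruct) * attacker_len;
}

/* Hardened version: refuses the allocation when the size would wrap.
 * Caller owns the returned buffer. */
void *alloc_array_checked(size_t attacker_len)
{
    size_t bytes = checked_array_size(sizeof(struct somestruct), attacker_len);
    if (bytes == SIZE_MAX)
        return NULL;          /* overflow detected: fail closed */
    return malloc(bytes);
}

int main(void)
{
    /* Smallest count whose product with sizeof(struct somestruct) wraps. */
    size_t wrap_len = SIZE_MAX / sizeof(struct somestruct) + 1;

    printf("unsafe size for %zu elements: %zu bytes (wrapped)\n",
           wrap_len, unsafe_alloc_size(wrap_len));
    printf("checked size for %zu elements: %s\n", wrap_len,
           checked_array_size(sizeof(struct somestruct), wrap_len) == SIZE_MAX
               ? "SIZE_MAX (rejected)" : "ok");

    void *p = alloc_array_checked(4);
    printf("checked alloc of 4 elements: %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

The saturating return value is the important design choice: a helper that merely returns 0 on overflow can itself be mis-handled (a zero-length allocation is "successful"), whereas SIZE_MAX can never be satisfied by an allocator, so the failure is forced to the caller.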
Basically, secure the kernel! Your super fine-grained security systems will thank you
PAX_UDEREF
o Found likely oldest Linux bug ever (>= v0.01)
o vgaarb direct userland dereference
o NVIDIA direct userland dereference
PAX_KERNEXEC
o Enlightenment won't run (nor (all?) other memory-
PAX_USERCOPY
o Found heap-based ~64kb infoleak
PAX_MEMORY_SANITIZE
o Found use-after-free in CONFIG_NO_BOOTMEM
ASLR
Into