The lecture by Sartakov A. Vasily for Summer Systems School'12. Brief introduction to System Integrity. SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security. 1. http://ksyslabs.org/

1. System Integrity
Sartakov A. Vasily
Summer Systems School’12

2. Software Hardening Methods
Compile-time Run time
Process
Canaries Virtualization
(Dalvik, Java VM)
System
Virtualization
(KVM, Xen, L4)
OS (Linux Kernel
Ench.)
HW support (MMU,
Trust Zone)

3. 1. Compiler time sw hardening 2. Linux operating system extension
1.1 Memory corruption 2.1 Container based os
mitigation methods virtualization
2.2 Linux security modules
2.3 Gr security
3. Process virtualization and sandboxing 4. System virtualization
3.1 Byte-code 4.1 Hardware
translation recruitment
3.2 Sandboxing 4.2 VM and VMMs
untrusted native code 4.3 Use cases

4. 1. Compile-time Software Hardening
Memory Corruption Mitigation Methods:
Code injection
Arc injection
Pointer Subterfuge
Format String Attacks and Arithmetic Overflows

5. Code Injection
void f1a(void *arg, size_t len) {
char buff[100];
memcpy(buff, arg, len); /* buffer overrun if
len > 100 */
/* ... */
return;
}
void f1b(void *arg, size_t len) {
char *ptr = malloc(100);
if (ptr == NULL) return;
memcpy(ptr, arg, len); /* buffer overrun if
len >100 */
/* ... */
return;
}

6. Stackguard ProPolice

7. Pointer Subterfuge
void SomeFunc() { void SomeFunc() {
// do something
EncodePointer // do something
} }
DecodePointer
typedef void (*FUNC_PTR )(void); EncodeSystemPointer typedef void (*FUNC_PTR )(void);
DecodeSystemPointer
int DangerousFunc(char *szString) { int DangerousFunc(char *szString) {
char buf[32]; char buf[32];
strcpy(buf,szString); strcpy(buf,szString);
FUNC_PTR fp = (FUNC_PTR)(&SomeFunc); FUNC_PTR fp = (FUNC_PTR)(&SomeFunc);
// Other code // Other code
// Other code // Other code
(*fp)(); (*fp)();
return 0; return 0;
} }

8. Format String Attacks and Arithmetic Overflows
Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle.
Pointguardtm: protecting pointers from buffer overflow
vulnerabilities. In Proceedings of the 12th conference on USENIX
Security Symposium - Volume 12, pages 7–7, Berkeley, CA,
USA, 2003. USENIX Association.
Jonathan Pincus and Brandon Baker. Beyond stack smashing:
Recent advances in exploiting buffer overruns. IEEE Security and
Privacy, 2:20–27, July 2004.
Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan.
"Return-Oriented Programming: Exploits Without Code Injection".
Retrieved 2009-08-12.
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323c

9. 2. Linux operating system
extension
2.1 Container based os virtualisation
Linux-vserver
Virtuozzo and openvz
Linux containers
2.2 Linux security modules
SElinux
Apparmor
Smack
Tomoyo Linux
2.3 Grsecurity
Pax
Role based access control

10. 2.1 Container based os virtualisation
Linux-Vserver
Virtuozzo
OpenVZ
LXC (Linux Container Tools)
The core concept of container-based operating system virtualization is to run
completely isolated virtual servers sharing the same kernel. Compared to
system virtualization, this reduces the required memory for additional
kernels on the one hand but at the same time it might increase the
vulnerability of the system. If an attacker gains full access to the kernel all
virtual servers are compromised. System Virtualization would offer an
additional level of isolation and therefore more security in this case.

11. Linux-VServer
• Security contexts
• Segmented routing
• Chroot
• Extended quotas
• Further standard tools
• High-performance
computing (HPC) clusters
• The Grid
• Distributed hosting
organizations like PlanetLab
and Amazon EC2
The Host kernel should be patched
The system provides a Shared OS Image
consisting of a root file system and a set of
system libraries and executables. This Start/Stop/Resume
Shared OS Image together with a
privileged host VM builds the Hosting
Platform.

12. Virtuozzo and OpenVZ
OpenVZ is operating system virtualization based on the
Linux kernel. It is very similar to Linux-VServer. Like Linux-
VServer it requires a patched Linux kernel. Here likewise
Debian ships prebuilt kernel images. Unfortunately, the
patches are not provided for each Linux kernel release.
OpenVZ is the basis for Parallels Virtuozzo Containers, which
is a commercial product by Parallels.
Usage scenarios and evaluation are basically the same as
for the Linux-VServer project.

13. Linux Containers (LXC)
• Namespace isolation
• Linux kernel control groups (cgroups)
• PID namespace
• Network namespace
• UTS namespace (hostname)
• Mount namespace
• IPC namespace
• Control (Restart, Freeze, etc.)
• Resource limiting (Memory)
• Priorization (CPU, I/O)
• Accounting
The best solution for lightweight isolation of Linux processes without much inter-process
communication.

14. Terminology 1. Access control models
* Discretionary access control
* Mandatory access control
* Role-based access control
Subject -- Object

15. 2.2 Linux security modules
The Linux Security Modules (LSM)
framework is part of the Linux
Kernel. It provides lightweight,
general support for access
control by allowing modules to
define security hooks:
• Task Hooks
• Program Loading Hooks
• IPC Hooks
• Filesystem Hooks
• Network Hooks
• Module hooks (e.g. module
initialization)
• System hooks (e.g. hostname
setting)
• AppArmor
• SELinux
• Smack
• TOMOYO Linux

16. Security-Enhanced Linux
MAC
Part of Linux

17. Smack TOMOYO Linux
TOMOYO Linux is another pathname-based
Smack is the abbreviation for access control system for Linux. It also
Simplified Mandatory Access implements Mandatory Access Control, but
Control Kernel for Linux. It is part of additionally it is stated to be useful as a pure
the MeeGo Security Architecture, system analysis tool. Like e.g. AppArmor,
but not exclusively dedicated to it. TOMOYO Linux also provides tools for
automatic policy generation and it is designed
As the name already suggest,
to be easy to use with a simple syntax for
Smack provides Mandatory Access policies.
Control in a simpler way than e.g.
SELinux. The author states that
simplicity is the primary design goal AppArmor
of Smack.
AppArmor is an alternative to SELinux. It is a
Like AppArmor, Smack requires
pathname-based access control system and
extended file attributes. There it requires a file system with extended attributes
stores labels for files which must support. The originally goal was to provide a
match labels associated with SELinux like Mandatory Access Control
processes to grant access. mechanism, which is simpler to manage for
Additionally, special rules can be the typical user. Therefore, AppArmor
added for file labels and process implements a learning mode to create profiles
of the typical programs behavior.
labels that do not match.
While AppArmor is a simple and powerful
solution for end-users, it seems that SELinux is
more powerful to implement advanced
security concepts on top of it.

18. 2.3 Grsecurity
GrSecurity is a set of security related patches for
the Linux kernel. Some major security
enhancements are:
• Stack and Heap modification protection (PaX)
• Role-based Access Control (RBAC)
• Chroot restrictions
• Auditing
Pax
RBAC
PaX is a major component of GrSecurity.
Amongst other things, the patch adds three While PaX implements the principle
memory protection mechanisms: of least privileges for memory
• Data memory is flagged as non-executable (NX management, another component of
bit) GrSecurity (RBAC) implements it for
• Program memory is flagged as non-writable users and processes. This means
• Program memory is randomly arranged, known that users and processes get only
as address space layout randomization (ASLR) the privileges which are required to
Recent mainline kernel versions added some work correctly. It should be noted,
similar protection mechanisms for suitable that besides this implementation
memory regions on x86 systems. aspect, the RBAC concept can be
applied in very different fields of
applications.

19. 3. Process virtualization and
sandboxing
Skip

20. 4. System Virtualization
4.1 Hardware recruitment
4.2 VM and VMMs
Linux KVM Hypervisor
Xen Hypervisor
L4 Microkernel based
4.3 Use cases

21. 4.1 Hardware recruitment
* HW support:
Johannes Winter. Trusted computing building blocks for embedded
linux-based arm trustzone platforms. In Proceedings of the 3rd ACM
workshop on Scalable trusted computing, STC’08, pages 21–30, New
York, NY, USA, 2008. ACM.
* Intel VT-x
* AMD-V
* ARM TrustZone
* ARM Cortex-A15 including full hardware virtualization
* DMA and IOMMU

22. Terminology 2. Virtualization, Virtual machines
* System virtualization or hardware virtualization
allows to run multiple operating systems on one
physical machine.
* Guest and Host OS
* VMM / hypervisor
* Type 1 / Native – Bare Metal
* Type 2 / Hosted – on top of OS
* Paravirtualization – VMM doesn't provide an
interface that is identical to real hardware

23. Linux KVM Hypervisor
* Part of Linux kernel
* QEMU
* VT-x AMD-V extension
* Big trusted computing base (TCB)
* Low overhead

24. Xen hypervisor
Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim
Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew
Warfield. Xen and the art of virtualization. In Proceedings of the
nineteenth ACM symposium on Operating systems principles,
SOSP ’03, pages 164–177, New York, NY, USA, 2003. ACM.
Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis,
Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie
Wahlig. Utilizing iommus for virtualization in linux and xen. In
Proceedings of the 2006 Ottawa Linux Symposium (OLS 2006),
2006.
Jonathan M. McCune, Trent Jaeger, Stefan Berger, Ramon
Caceres, and Reiner Sailer. Shamon: A system for distributed
mandatory access control. In Proceedings of the 22nd Annual
Computer Security Applications Conference, pages 23–32,
Washington, DC, USA, 2006. IEEE Computer Society.

25. L4 microkenel
* User-level components
* Address spaces (tasks)
* Threads
* Scheduling
* Inter-process communication
* Reusing
* TCB
L4Linux L4Linux
app
Moe Mag Ned IO
Fiasco.OC

26. 4.3 Use Case
Crypto
L4Linux L4Linux
(eth0) (eth1)
app
Moe Mag Ned IO
Fiasco.OC