Classification: Confidential 2
Welcome to the SBA Live Academy
#bleibdaheim #remotelearning
After the Exploit – Linux Self-defense
by Reinhard Kugler
This talk will be recorded as soon as the presentation starts!
Please be sure to turn off your video in your control panel.
SBA Research gGmbH, 2020
https://www.martialtribes.com/defend-against-multiple-attackers/
CVE-2018-1260
CVE-2014-6271
CVE-2018-11776
CVE-2019-11043
CVE-2020-?
Remote Code Execution Attacks
Diagram: apache, /bin/sh, php
Self-defense Tip 0:
Don't break your own stuff.
Self-defense Tip 1:
Reduce the attack surface
Example: Apache HTTP Server
Diagram: apache (root) and apache (www-data) processes listening on tcp/80 and tcp/443, on top of the underlying operating system
Things we do not like
✓ Don't run as root
✓ Don't permit access to files of the operating system
✓ Don't run arbitrary programs
Capabilities
• CAP_CHOWN
• CAP_DAC_OVERRIDE
• CAP_NET_ADMIN
• CAP_NET_BIND_SERVICE
• CAP_NET_RAW
• CAP_SYS_ADMIN
• CAP_SYS_BOOT
• CAP_SYS_CHROOT
• …
expressed as a bitmask in /proc/$$/status
https://www.andreasch.com/2018/01/13/capabilities/
Systemd configuration:
[Service]
...
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
...
http://man7.org/linux/man-pages/man5/systemd.exec.5.html
Extended attribute:
# setcap cap_net_bind_service+ep /usr/sbin/apache
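An added example, not from the slides: decoding the capability bitmask lines of /proc/$$/status and checking that a service given only CAP_NET_BIND_SERVICE, as the unit above intends, really holds nothing else. The status excerpt is constructed, and cap_field(), only_cap() and print_caps() are names chosen here.

```c
/* Added example (not from the slides): decode the capability bitmask that
 * /proc/$$/status reports and verify that a hardened service keeps only
 * CAP_NET_BIND_SERVICE. The status text below is constructed, not a real dump. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/capability.h>

/* Names for the capabilities the slide lists; other set bits are printed as
 * numbers (capabilities(7) has the full table). */
static const struct { int bit; const char *name; } cap_names[] = {
    { CAP_CHOWN, "CAP_CHOWN" },         { CAP_DAC_OVERRIDE, "CAP_DAC_OVERRIDE" },
    { CAP_NET_ADMIN, "CAP_NET_ADMIN" }, { CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE" },
    { CAP_NET_RAW, "CAP_NET_RAW" },     { CAP_SYS_ADMIN, "CAP_SYS_ADMIN" },
    { CAP_SYS_BOOT, "CAP_SYS_BOOT" },   { CAP_SYS_CHROOT, "CAP_SYS_CHROOT" },
};

/* Constructed /proc/PID/status excerpt for a worker running as uid 33 (www-data)
 * that was granted only bit 10 = CAP_NET_BIND_SERVICE (mask 0x400). */
static const char sample_status[] =
    "Name:\tapache2\n"
    "Uid:\t33\t33\t33\t33\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000000000000400\n"
    "CapAmb:\t0000000000000400\n";

/* Return the hex mask of the "<field>:" line in a status buffer, 0 if absent. */
uint64_t cap_field(const char *status, const char *field)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':')
            return strtoull(p + flen + 1, NULL, 16);   /* strtoull skips the tab */
        p = strchr(p, '\n');
        if (p) p++;                                     /* next line */
    }
    return 0;
}

/* True when the mask contains exactly the one capability given. */
int only_cap(uint64_t mask, int cap)
{
    return mask == (UINT64_C(1) << cap);
}

/* Print every capability set in a mask, by name where known. */
void print_caps(const char *label, uint64_t mask)
{
    printf("%s (0x%016llx):", label, (unsigned long long)mask);
    for (int bit = 0; bit < 64; bit++) {
        if (!(mask & (UINT64_C(1) << bit))) continue;
        const char *name = NULL;
        for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
            if (cap_names[i].bit == bit) name = cap_names[i].name;
        if (name) printf(" %s", name); else printf(" cap_%d", bit);
    }
    printf("\n");
}

int main(void)
{
    uint64_t eff = cap_field(sample_status, "CapEff");
    uint64_t bnd = cap_field(sample_status, "CapBnd");
    print_caps("CapEff", eff);
    print_caps("CapBnd", bnd);
    /* Both the effective set and the bounding set must be the single bit;
     * a wider bounding set would let the process regain capabilities later. */
    printf("hardened as intended: %s\n",
           only_cap(eff, CAP_NET_BIND_SERVICE) && only_cap(bnd, CAP_NET_BIND_SERVICE)
               ? "yes" : "no");
    return 0;
}
```

To check a live process, feed the contents of /proc/<pid>/status to cap_field() instead of the constructed text.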
Example: Apache HTTP Server
Diagram: apache (www-data) processes listening on tcp/80 and tcp/443, on top of the underlying operating system; one of them has become a rogue process
Things we do not like
✓ Don't run as root
✓ Don't permit access to files of the operating system
✓ Don't run arbitrary programs
Self-defense Tip 2:
Contain the Attack
https://commons.wikimedia.org/wiki/File:Strikeforce_cage_2011-01-07.jpg
Example: Apache HTTP Server
Diagram: apache (www-data) processes, including the rogue process, inside a container with a (limited) container filesystem, listening on tcp/80 and tcp/443 on top of the underlying operating system
Self-defense Tip 3:
Ensure Mandatory Access
https://en.wikipedia.org/wiki/File:Goshin_jujitsu_head_arm_lock_med.JPG
Mandatory Access Control
AppArmor, SELinux
Diagram: a process and the objects the MAC policy mediates its access to: /etc/passwd, /bin/sh, 1.1.1.1:80
Quick Fix with AppArmor
• /etc/apparmor.d/usr.sbin.apache2
/usr/sbin/apache2 {
    ...
    deny /bin/dash x,
    ...
}
Permission letters in AppArmor rules:
read (r), write (w), append (a)
link (l)
lock (k)
mmap (m)
execute (ix)
child profile (Cx)
profile (Px)
unconfined (Ux)
/** recursive
# apparmor_parser -r -W /etc/apparmor.d/usr.sbin.apache2
# aa-complain apache2
# docker run --rm -it --security-opt "apparmor=apache2" -p 8000:80 apache2
# aa-enforce apache2
Remote Code Execution Attacks
Diagram: apache (www-data) listening on tcp/80 and tcp/443
Syscall Interface
Diagram: apache2 reaches files, memory and processes only through syscalls into the Kernel
Syscalls made by # /bin/cat /etc/passwd (as traced with strace):
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 131072) = 2431
write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2431) = 2431
read(3, "", 131072) = 0
close(3) = 0
Self-defense Tip 4:
Reduce the Kernel Surface
http://man7.org/linux/man-pages/man2/syscalls.2.html
Seccomp BPF (filter syscalls)
• Create a BPF script via macros
• Load it via a syscall into the Kernel
/* Allow system calls other than open() and openat() */
struct sock_filter filter[] = {
    ...
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),   /* open():   skip 2 -> KILL */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), /* openat(): skip 1 -> KILL */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)
};
struct sock_fprog prog = { .filter = filter, .len = ... };
syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
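As an added example (not the slide's code), the same open()/openat() deny filter completed so it compiles and runs on x86_64: the elided instructions check the architecture and load the syscall number, and a small user-space evaluator runs the filter against a constructed seccomp_data so the verdicts can be checked before anything is installed. SECCOMP_AUDIT_ARCH, evaluate() and install_filter() are names chosen here; the x86_64 assumption is enforced at compile time.

```c
/* Added example (not the slide's code): the slide's deny filter completed with
 * an architecture check and the syscall-number load, plus a user-space evaluator
 * for testing the policy. install_filter() is what a daemon would call once. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if !defined(__x86_64__)
#error "example assumes x86_64; set SECCOMP_AUDIT_ARCH to this CPU's AUDIT_ARCH_*"
#endif
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U    /* older headers only have RET_KILL */
#endif

/* Deny list in the slide's style: kill on open()/openat(), allow everything else.
 * jt/jf count the instructions to skip when the comparison is true/false. */
struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* foreign ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),   /* open   -> KILL */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), /* openat -> KILL */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define FILTER_LEN (sizeof(filter) / sizeof(filter[0]))

/* Run the filter in user space on a constructed seccomp_data and return the
 * SECCOMP_RET_* verdict. Supports only the three opcodes this filter uses. */
uint32_t evaluate(const struct sock_filter *f, size_t len, uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* acc = 32-bit word at offset k of d */
            if (ins->k + sizeof acc > sizeof d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)&d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;    /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;            /* fell off the end: fail closed */
}

/* Install the filter in the calling process. NO_NEW_PRIVS lets an unprivileged
 * process load it; from then on any open()/openat() kills the process. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    printf("filter active in pid %d; an open() from now on kills the process\n", (int)getpid());
    return 0;
}
```

Only install_filter() touches the kernel; evaluate() lets a unit test pin down the policy for each syscall number and for a foreign architecture before the filter is shipped.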
Example: BPF to kill processes using syscalls
Systemd configuration:
[Service]
...
SystemCallFilter=~bind
SystemCallFilter=~chroot
...
Docker:
# docker run -it --security-opt seccomp=profile.json ...
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": [
        "bind",
        "connect",
        "mkdir"
      ],
      "action": "SCMP_ACT_KILL"
    }
  ]
}
"If you take a bus, you should know when to get off!"
― Master Iain Armstrong
Final Remarks
0) Don't break your own stuff
1) Reduce the attack surface
2) Contain the Attack
3) Ensure Mandatory Access
4) Reduce the Kernel Surface
https://github.com/netblue30/firejail
https://github.com/flatpak/flatpak
https://github.com/containers/bubblewrap
https://source.android.com/security/app-sandbox
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Research & consulting under one roof
Applied Research
Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
SBA Research
Knowhow Transfer
SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
Reinhard Kugler
rkugler@sba-research.org
#bleibdaheim #remotelearning
Coming up @ SBA Live Academy
13.05.2020, 13:00, live:
„Die COVID-19 Krise und Simulationsmodelle. Was kann man sagen? Und was nicht?“ (The COVID-19 crisis and simulation models: what can be said, and what cannot?)
by Niki Popper (CSO and co-founder of dwh GmbH)
Join our MeetUp group!
https://www.meetup.com/Security-Meetup-by-SBA-Research/
Reinhard Kugler
SBA Research gGmbH
Floragasse 7, 1040 Wien
rkugler@sba-research.org

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel) by Reinhard Kugler
