Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAEQi4beJgmNfZ0NsWSHCok9-5H_qLze_sFJ_G=1j8CBz9qi2rQ@mail.gmail.com>
Date: Sun, 10 May 2020 10:16:25 +0800
From: wzt wzt <wzt.wzt@...il.com>
To: kernel-hardening@...ts.openwall.com
Subject: Open source a new kernel harden project

hi:
    This is a new kernel harden project called hksp(huawei kernel self
protection),  hope some of the mitigation ideas may help you, thanks.
    patch: https://github.com/cloudsec/hksp

=============================
Huawei kernel self protection
=============================

Cred guard
----------
- random cred's magic.
  most kernel exploit try to find some offsets in struct cred,
  but it depends on CONFIG_DEBUG_CREDENTIALS, then need to compute
  the right offset by that kernel config, so mostly the exploit code
  is something like that:
  if (tmp0 == 0x43736564 || tmp0 == 0x44656144)
        i += 4;
- detect shellcode like:
  commit_creds(prepare_kernel_cred(0));
  the common kernel code is never write like that.

Namespace Guard
---------------
This feature detects pid namespace escape via kernel exploits.
The current public method to bypass namespace is hijack init_nsproxy
to current process:
  switch_task_namespaces_p(current, init_nsproxy_p);
  commit_creds(prepare_kernel_cred(0));

Rop stack pivot
--------------
- user process stack can't be is mmap area.
- check kernel stack range at each system call ret.
  the rsp pointer can point below __PAGE_OFFSET.

Slub harden
-----------
- redzone/poison randomization.
- double free enhance.
  old slub can only detect continuous double free bugs.
  kfree(obj1)
  kfree(obj1)

  hksp can detect no continuous double/multi free bugs.
  kfree(obj1)
  kfree(obj2)
  kfree(obj1)

  or

  kfree(obj1)
  kfree(obj2)
  kfree(obj3)
  kfree(obj1)
- clear the next object address information when using kmalloc function.

Proc info leak
--------------
Protect important file with no read access for non root user.
set /proc/{modules,keys,key-users},
/proc/sys/kernel/{panic,panic_on_oops,dmesg_restrict,kptr_restrict,keys},
/proc/sys/vm/{mmap_min_addr} as 0640.

Aslr hardended
--------------
User stack aslr enhanced.
Old user process's stack is between 0-1G on 64bit.
the actually random range is 0-2^24.
we introduce STACK_RND_BITS to control the range dynamically.

echo "24" > /proc/sys/vm/stack_rnd_bits

we also randomize the space between elf_info and environ.
And randomize the space between stack and elf_info.

Ptrace hardened
---------------
Disallow attach to non child process.
This can prevent process memory inject via ptrace.

Sm*p hardened
-------------
Check smap&smep when return from kernel space via a syscall,
this can detect some kernel exploit code to bypass smap & smep
feature via rop attack technology.

Raw socket enhance
------------------
Enhance raw socket for ipv4 protocol.
- TCP data cannot be sent over raw sockets.
  echo 1 > /proc/sys/net/ipv4/raw_tcp_disabled
- UDP datagrams with an invalid source address cannot be sent
  over raw sockets. The IP source address for any outgoing UDP
  datagram must exist on a network interface or the datagram is
  dropped. This change was made to limit the ability of malicious
  code to create distributed denial-of-service attacks and limits
  the ability to send spoofed packets (TCP/IP packets with a forged
  source IP address).
  echo 1 > /proc/sys/net/ipv4/raw_udp_verify
- A call to the bind function with a raw socket for the IPPROTO_TCP
  protocol is not allowed.
  echo 1 > /proc/sys/net/ipv4/raw_bind_disabled

Kernel self guard
-----------------
Ksguard is an anti rootkit tool on kernel level.
Currently it can detect 4 types of kernel rootkits,
These are the most popluar rootkits type on unix world.

- keyboard notifer rootkits.
- netfilter hooks rootkits.
- tty sniffer rootkits and other DKOM(direct kernel object modify) rootkits.
- system call table hijack rootkits.

Install:
/sbin/insmod /lib/modules/5.6.7/kernel/security/ksguard/ksguard.ko

Feature:
Detect keyboard notifer rootkits:
echo "1" > /proc/ksguard/state

Detect netfilter hooks rootkits:
echo "2" > /proc/ksguard/state

Detect tty sniffer rootkits:
echo "3" > /proc/ksguard/state

Detect syscall table pointer:
echo "4" > /proc/ksguard/state

Arbitrary code guard
--------------------
we extended the libc personality() to support:
- mmap can't memory with PROT_WRITE|PROT_EXEC.
- mprtect can't change PROT_WRITE to PROT_EXEC.

Code integrity guard
--------------------
To support certificate for user process execve.
it can prevent some internet explorer to load
third party so librarys.

Hide symbol
-----------
Hide symbols from /proc/kallsyms.

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.