|
Message-ID: <20240304181941.GA14527@openwall.com> Date: Mon, 4 Mar 2024 19:19:42 +0100 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com Subject: "Linux kernel remote logging: approaches, challenges, implementation" BSidesZagreb 2024 talk slides Hi, I gave a talk entitled "Linux kernel remote logging: approaches, challenges, implementation" on March 1st at BSidesZagreb in Zagreb, Croatia. Here are the slides: https://www.openwall.com/presentations/BSidesZagreb2024-Linux-remote-logging/ The talk was recorded, but I think the video isn't online yet. I'll probably add a link from the above web page once the video is online. This talk is based on research conducted for our Linux Kernel Runtime Guard (LKRG) project, which is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel. Delivery, storage, and processing of LKRG security events to/on a remote system is a natural extension of LKRG's functionality. Remote logging is also valuable on its own, including for troubleshooting and post-mortem analyses of (non-)security incidents, where the system's local logs might be unavailable, incomplete, or tampered with. In this talk, I start by briefly examining pre-existing remote logging solutions and their suitability. Then I proceed to our own considerations and choices for transport and security protocols and software design, including many of the challenges and trade-offs encountered. Finally, I introduce and demonstrate the initial implementation in LKRG, released just in time for the talk, as well as its integration in Rocky Linux via the Security SIG package. For the live demo (not seen on the slides), I used Valentina Palmiotti's (@chompie1337) exploit of an old vulnerability in the eBPF subsystem: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490 running current LKRG on a deliberately out-of-date Ubuntu VPS in New York, delivering logs to a VPS in Amsterdam running AlmaLinux 8.9 with Rocky Linux 8.9's SIG/Security package of lkrg-logger installed. The attack was detected and blocked (process killed before it could spawn a root shell), and LKRG messages promptly delivered to and logged on the other continent. And yes, we encourage and provide instructions for reuse of Rocky SIG/Security packages on other Enterprise Linux distros: https://sig-security.rocky.page This research and initial implementation have been sponsored by Binarly software supply chain security platform, whereas the public release, Rocky Linux integration, and this talk are due to my work at CIQ, the primary corporate sponsor of Rocky Linux. I'd like to thank the organizers and sponsors of BSidesZagreb for making sure the event went smoothly and for caring about the speakers greatly. I'd also like to thank other speakers for their talks, which I enjoyed. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.