1. No category

Kurmus et al., Attack Surface Metrics and

Anil Kurmus
February 25th, 2013 – NDSS'13
Attack Surface Metrics
and
Automated Compile-Time Kernel Tailoring
Anil Kurmus, Reinhard Tartler, Daniela Dorneanu, Bernhard Heinloth, Valentin Rothberg,
Andreas Ruprecht, Wolfgang Schröder-Preikschat, Daniel Lohmann and Rüdiger Kapitza
1
© 2013 IBM Corporation
Why (still) care about kernel security?
drivers
fs
security
...
Linux Kernel
2
© 2013 IBM Corporation
Why (still) care about kernel security?
SELinux, LXC,
...
drivers
fs
security
...
Linux Kernel
3
© 2013 IBM Corporation
Why (still) care about kernel security?
SELinux, LXC,
...
POSIX ACLs
drivers
fs
security
...
Linux Kernel
4
© 2013 IBM Corporation
Why (still) care about kernel security?
PTRACE_SETREGS
exploit (CVE-2013-0871)
SELinux, LXC,
...
POSIX ACLs
drivers
fs
security
...
Linux Kernel
5
© 2013 IBM Corporation
Why (still) care about kernel security?
PTRACE_SETREGS
exploit (CVE-2013-0871)
SELinux, LXC,
...
100+ CVEs in 2012
POSIX ACLs
drivers
fs
security
...
Linux Kernel
6
© 2013 IBM Corporation
Why (still) care about kernel security?
PTRACE_SETREGS
exploit (CVE-2013-0871)
SELinux, LXC,
...
100+ CVEs in 2012
POSIX ACLs
Linux 3.2: 14M LOC
drivers
fs
security
...
Linux Kernel
7
© 2013 IBM Corporation
Making the kernel smaller
~ 5000 features
(ubuntu 12.04)
8
© 2013 IBM Corporation
Making the kernel smaller
RDS
CVE-2010-3904
~ 5000 features
(ubuntu 12.04)
9
© 2013 IBM Corporation
Making the kernel smaller
~ 5000 features
(ubuntu 12.04)
10
~ 500 features
(realistic use case)
© 2013 IBM Corporation
Making the kernel smaller
~ 5000 features
(ubuntu 12.04)
~ 500 features
(realistic use case)
Remove unnecessary features from the kernel
by leveraging built-in configurability
11
© 2013 IBM Corporation
Make (menuconfig) your way to a smaller kernel
Now with
~5K features
to choose from!
(on x86)
12
© 2013 IBM Corporation
Don't take my word for it
13
© 2013 IBM Corporation
Don't take my word for it
“many of the support infrastructure questions are very
opaque, and I have no idea which of them any
particular distribution actually depends on.”
14
© 2013 IBM Corporation
Automatic Kernel-Configuration Tailoring
15
© 2013 IBM Corporation
Automatic Kernel-Configuration Tailoring
Distribution kernel
and use case
16
© 2013 IBM Corporation
Automatic Kernel-Configuration Tailoring
Distribution kernel
and use case
17
Tailored kernel
© 2013 IBM Corporation
Automatic Kernel-Configuration Tailoring
Distribution kernel
and use case
18
Tailored kernel
© 2013 IBM Corporation
Automatic Kernel-Configuration Tailoring
Distribution kernel
and use case
19
Tailored kernel
© 2013 IBM Corporation
Resulting kernel
20
© 2013 IBM Corporation
Resulting kernel
 Is there a performance difference?
 Is tracing sufficient?
 How much attack surface reduction?
21
© 2013 IBM Corporation
Resulting kernel
 Is there a performance difference?
 Is tracing sufficient?
 How much attack surface reduction?
22
© 2013 IBM Corporation
Obtaining the attack surface: an example
23
© 2013 IBM Corporation
Obtaining the attack surface: an example
Functions
24
© 2013 IBM Corporation
Obtaining the attack surface: an example
Functions
Calls
25
© 2013 IBM Corporation
Obtaining the attack surface: an example
26
© 2013 IBM Corporation
Obtaining the attack surface: an example
Entry
Functions
functions
27
© 2013 IBM Corporation
Obtaining the attack surface: an example
Entry
Functions
functions
Entry
Barrier
points
functions
28
© 2013 IBM Corporation
Obtaining the attack surface: an example
29
© 2013 IBM Corporation
Obtaining the attack surface: an example
30
© 2013 IBM Corporation
Code-quality metrics
10
20
50
20
200
31
20
50
© 2013 IBM Corporation
Attack surface metrics
 Example:
 Code-quality metrics used:
– source lines of code (SLOC),
– cyclomatic complexity,
– CVE-based metric
 See paper for formal definitions and an alternative attack surface metric (AS2)
32
© 2013 IBM Corporation
Attack surface metrics
 Example:
Attack surface
metric
 Code-quality metrics used:
– source lines of code (SLOC),
– cyclomatic complexity,
– CVE-based metric
 See paper for formal definitions and an alternative attack surface metric (AS2)
33
© 2013 IBM Corporation
Attack surface metrics
 Example:
Attack surface
metric
Code quality
metric
 Code-quality metrics used:
– source lines of code (SLOC),
– cyclomatic complexity,
– CVE-based metric
 See paper for formal definitions and an alternative attack surface metric (AS2)
34
© 2013 IBM Corporation
Attack surface metrics
 Example:
Attack surface
metric
Attack surface
Code quality
metric
 Code-quality metrics used:
– source lines of code (SLOC),
– cyclomatic complexity,
– CVE-based metric
 See paper for formal definitions and an alternative attack surface metric (AS2)
35
© 2013 IBM Corporation
Attack surface metrics
 Example:
Attack surface
metric
Attack surface
Code quality
metric
e.g., SLOC
of a function
 Code-quality metrics used:
– source lines of code (SLOC),
– cyclomatic complexity,
– CVE-based metric
 See paper for formal definitions and an alternative attack surface metric (AS2)
36
© 2013 IBM Corporation
Attack surface measurement: AS1
10
20
50
20
200
20
50
Σ = 370 SLOC
37
© 2013 IBM Corporation
Attack surface measurements: summary
Entry and barrier
functions
Attack surface
Attack surface
measurement
Program source
and configuration
38
Call graph:
functions and calls
Attack surface
metric
Σ = 370 SLOC
© 2013 IBM Corporation
Attack surface measurements: summary
Security
model
Entry and barrier
functions
Attack surface
Attack surface
measurement
Program source
and configuration
Call graph:
functions and calls
Attack surface
metric
Σ = 370 SLOC
What security model?
39
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
Hardware
partial a.s.
running kernel
40
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
Hardware
partial a.s.
running kernel
41
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
 Entry functions:
– system calls
 Barrier functions:
– Functions calling capable()
attacker entry
Hardware
partial a.s.
running kernel
42
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
Drivers and
non-ODL LKMs
are not considered
 Entry functions:
– system calls
 Barrier functions:
– Functions calling capable() attacker entry
Hardware
partial a.s.
running kernel
43
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
Hardware
Drivers and
non-ODL LKMs
are not considered
 Entry functions:
– system calls
 Barrier functions:
– Functions calling capable() – Drivers and “other” LKMs
partial a.s.
running kernel
44
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
Hardware
Drivers and
non-ODL LKMs
are not considered
 Entry functions:
– system calls
 Barrier functions:
– Functions calling capable() – Drivers and “other” LKMs
– (procfs, sysfs, debugfs)
partial a.s.
running kernel
45
© 2013 IBM Corporation
IsolSec Linux Kernel Security Model
Application
(privileged)
Attacker controls
unprivileged process
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
Hardware
partial a.s.
running kernel
46
Drivers and
non-ODL LKMs
are not considered
 Entry functions:
– system calls
 Barrier functions:
– Functions calling capable() – Drivers and “other” LKMs
– (procfs, sysfs, debugfs)
 Purpose: estimating the attack
surface from an untrusted,
unprivileged process
© 2013 IBM Corporation
GenSec Linux Kernel Security Model
Application
(privileged)
Application
(unprivileged)
System call interface
Core Kernel
LKM
Hardware interface
Hardware
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
attack surface
running kernel
47
© 2013 IBM Corporation
GenSec Linux Kernel Security Model
Application
(privileged)
Application
(unprivileged)
 Entry functions:
– all
 Barrier functions:
– none
System call interface
Core Kernel
LKM
Hardware interface
Hardware
LKM
(on-demand
loadable)
LKM
(driver)
LKM
(other)
attacker entry
attack surface
running kernel
48
© 2013 IBM Corporation
GenSec Linux Kernel Security Model
Application
(privileged)
Application
(unprivileged)
 Entry functions:
– all
 Barrier functions:
– none
System call interface
Core Kernel
LKM
Hardware interface
Hardware
LKM
(on-demand
loadable)
LKM
(driver)
 Overestimates attack surface
– attacker is privileged?
– not all LKMs can be loaded
 Purpose:
– upper bound
– TCB point of view
LKM
(other)
attacker entry
attack surface
running kernel
49
© 2013 IBM Corporation
Evaluation
 Questions to answer experimentally:
– Is there a performance difference?
– Is tracing sufficient?
– How much attack surface reduction?
 Popular and recent Linux distribution
 Typical server use case: LAMP
 There is also an NFS server use case in the paper.
50
© 2013 IBM Corporation
Results: performance
No significant performance difference
51
© 2013 IBM Corporation
Results: tracing
No new
features
 Httperf benchmark triggers new features
– Stabilizes at 495 features
 Skipfish: high coverage of the web application
– Goes beyond real-world workload
Tracing at feature-granularity stabilizes quickly
52
© 2013 IBM Corporation
Results: attack surface reduction
53
© 2013 IBM Corporation
Results: attack surface reduction
54
© 2013 IBM Corporation
Results: attack surface reduction
85%
55
© 2013 IBM Corporation
Results: attack surface reduction
85%
56
© 2013 IBM Corporation
Results: attack surface reduction
85%
57
© 2013 IBM Corporation
Results: attack surface reduction
85%
58
82%
© 2013 IBM Corporation
Results: attack surface reduction
85%
59
82%
© 2013 IBM Corporation
Conclusion
 We presented a framework for measuring attack surfaces
– Takes into account the security model, kernel configuration (e.g., unlike sloccount)
– Designed for the Linux kernel, but may be adapted to other programs
– Coherent results under different use cases, code-quality metrics, security models
 Kernel tailoring is a proactive approach reducing kernel attack surface
– Effective: 80-85% attack surface reduction (SLOC), 50-65% in terms of CVEs
– Assumes well-defined use cases (e.g., servers, embedded systems)
– Automated, no performance overhead
 Source code available at:
http://vamos.informatik.uni-erlangen.de/trac/undertaker/wiki/UndertakerTailor
 Future work:
– Android and KVM use cases.
– Implications in run-time attack surface reduction.
60
© 2013 IBM Corporation
Questions?
61
© 2013 IBM Corporation
Backup
62
© 2013 IBM Corporation
Comparison to kernel extension fault isolation
63
© 2013 IBM Corporation

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz