2016-11-20

Hardening Linux Kernel + Android Framework

Abstract: These notes describe hardening as it applies to Android devices. In reading them, distinguish (i) knowing what a mechanism is from (ii) understanding how it works and (iii) being able to design/build it. The scope of this course is limited to (i).

1 Hardening

  1. Exploit Mitigation: Keep the software footprint minimal
  2. Keep the kernel trimmed, and make it robust
  3. Replace Framework components with better ones

2 LKM (Linux Kernel Modules)

  1. Object code file, .ko extension, installed under /lib/modules/<kernel-release>/
    1. /lib/modules/
    2. /lib/modules/.../iptable_security.ko
  2. LKMs modularize the kernel: a feature can be built in at compile/static time or loaded at run time
  3. Operations: insmod/modprobe load a module into the kernel address space; rmmod unloads it; lsmod lists what is loaded
  4. Can add system calls; can modify the system call table (on modern kernels the table symbol is not exported and its page is write-protected, so a module must first locate it and lift the protection; see Section 4)
  5. Windows (kernel-mode drivers) and OS X (kernel extensions) have analogous mechanisms.
  6. On my desktop Linux:
    1. # cat /etc/issue: Ubuntu 16.10 \n \l
    2. # uname -a: Linux Sutherland 4.8.0-27-generic Oct 20 21:03:13 UTC 2016 x86_64 GNU/Linux
    3. # ls /lib/modules/4.8.0-27-generic/ -R | wc -l: 7789
    4. Advice: Reduce the number and usage of LKMs

3 LSM (Linux Security Modules)

  1. hooks := upcalls to a module's methods at security-critical points within the kernel
  2. LSM hooks are placed so that the Linux DAC checks are performed first, and only if they succeed, is LSM code invoked.
  3. https://en.wikipedia.org/wiki/Linux_Security_Modules
    1. AppArmor [Ubuntu default],
    2. SELinux [Red Hat/Fedora and Android default],
    3. Smack LSM was designed in response to the complexity of SELinux. Smack is now part of Tizen.
    4. Misc: TOMOYO, Yama (Capsicum, often listed alongside these, is a FreeBSD capability framework and not a Linux LSM)

3.1 Access Control with LSM Module

Figure 1: Access Control with LSM Module

3.2 LSM #2

  1. https://www.kernel.org/doc/htmldocs/lsm/ General Security Hooks for Linux
  2. Although LSM is developed as a security API, its hooks sit at exactly the points a rootkit wants to intercept, so a malicious module can misuse them; see grsecurity's critique at http://grsecurity.net/lsm.php

3.3 LSM #3

To implement LSM, the (original, 2001) Linux kernel was modified as follows:

  1. Opaque security fields were added to kernel objects (tasks, inodes, files, sockets, …) so a module can attach its own labels/state
  2. Security function hooks were inserted at key access points
  3. A security system call was added for module-specific user/kernel communication
  4. A registration interface for security modules
  5. Capabilities were reworked as a module, routing capable() checks through the hook layer

3.4 LSM #4

Additional hooks were provided for

  1. working with tasks (nice, kill, setuid)
  2. program loading and controlling inheritance of state across program executions (such as file descriptors)
  3. IPC
  4. file ops (read, write, sockets)
  5. network ops (devices, socket syscalls, sk_buffs)
  6. module operations (create, register, delete)
  7. system operations (hostname, accessing I/O ports, process accounting)
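
The following is a userspace model, added to these notes as an illustration (it is not kernel code), of the two points made above: an opaque security field on the object, a registered module hook, and the DAC-first ordering of Section 3 item 2. The function names mirror the kernel's inode_permission() / security_inode_permission() call chain, but the structures, the uids and the "secret"/"trusted" labels are constructed for the example.

```c
/*
 * Userspace model of how an LSM hook composes with DAC. Written for these
 * notes as an illustration, not kernel code. Names mirror the kernel's
 * inode_permission() / security_inode_permission() call chain; the data
 * structures, the labels and the uids below are constructed.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

struct cred  { uid_t uid; const char *label; };            /* subject */
struct inode { uid_t uid; mode_t mode; void *security; };  /* object; security = opaque LSM field */

typedef int (*inode_permission_hook)(const struct cred *, const struct inode *, int mask);

#define MAX_HOOKS 4
static inode_permission_hook hooks[MAX_HOOKS];
static int nr_hooks;
static int lsm_calls;   /* counts hook invocations, to show DAC-first ordering */

/* "Registering security modules": a module hands the framework its hook. */
int security_register_hook(inode_permission_hook h)
{
    if (nr_hooks >= MAX_HOOKS)
        return -ENOSPC;
    hooks[nr_hooks++] = h;
    return 0;
}

void security_reset(void) { nr_hooks = 0; lsm_calls = 0; }
int  lsm_hook_calls(void)  { return lsm_calls; }

/* Classic DAC: owner bits if the uid matches, otherwise the "other" bits.
 * Group bits and CAP_DAC_OVERRIDE are deliberately left out of the model. */
static int dac_permission(const struct cred *c, const struct inode *i, int mask)
{
    int bits = (c->uid == i->uid) ? (int)((i->mode >> 6) & 7) : (int)(i->mode & 7);
    return ((bits & mask) == mask) ? 0 : -EACCES;
}

/* The LSM layer: every registered module is consulted; any denial is final. */
static int security_inode_permission(const struct cred *c, const struct inode *i, int mask)
{
    for (int k = 0; k < nr_hooks; k++) {
        int rc;
        lsm_calls++;
        rc = hooks[k](c, i, mask);
        if (rc)
            return rc;
    }
    return 0;
}

/* Kernel ordering: DAC first; only if it succeeds is the LSM hook invoked.
 * An LSM can therefore only restrict further, never grant what DAC refused. */
int inode_permission(const struct cred *c, const struct inode *i, int mask)
{
    int rc = dac_permission(c, i, mask);
    if (rc)
        return rc;
    return security_inode_permission(c, i, mask);
}

/* A minimal label-based module: objects labelled "secret" may be read only
 * by subjects labelled "trusted". The object label lives in the opaque field. */
int label_inode_permission(const struct cred *c, const struct inode *i, int mask)
{
    const char *obj = i->security ? (const char *)i->security : "unlabelled";
    if ((mask & MAY_READ) && strcmp(obj, "secret") == 0 && strcmp(c->label, "trusted") != 0)
        return -EACCES;
    return 0;
}

/* Convenience wrapper: build a constructed subject/object pair and run the check. */
int check_access(uid_t suid, const char *slabel, uid_t ouid, mode_t mode,
                 const char *olabel, int mask)
{
    struct cred  c = { suid, slabel };
    struct inode i = { ouid, mode, (void *)olabel };
    return inode_permission(&c, &i, mask);
}

int main(void)
{
    security_reset();
    security_register_hook(label_inode_permission);
    printf("other user reads secret:      %d (LSM calls so far %d)\n",
           check_access(1001, "trusted", 1000, 0640, "secret", MAY_READ), lsm_hook_calls());
    printf("untrusted owner reads secret: %d (LSM calls so far %d)\n",
           check_access(1000, "untrusted", 1000, 0640, "secret", MAY_READ), lsm_hook_calls());
    printf("trusted owner reads secret:   %d (LSM calls so far %d)\n",
           check_access(1000, "trusted", 1000, 0640, "secret", MAY_READ), lsm_hook_calls());
    return 0;
}
```

The hook-call counter is the point of the exercise: when DAC refuses (a non-owner reading a 0640 file) the module is never consulted, which is why an LSM cannot be used to widen access, only to narrow it.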

4 Dynamic Freezing of SysCalls

  1. Linux has a few hundred system calls (370+ on 32-bit x86; the exact count depends on the architecture). Do we need them all?
  2. Adding a new system call is complicated
    1. Not intellectually
    2. In terms of Makefiles, what should be added where, …
    3. Details change with kernel versions

4.1 Example: mount/umount

  1. mount: do we need it throughout the life of the OS?
    1. Only during certain "run-levels", e.g., "boot"
  2. umount: needed during "shutdown"

4.2 system-call-table[]

  1. an array of pointers to the handler functions, indexed by system call number
  2. Initialized when the kernel is built/starts up
  3. From then on it lives in a read-only page
  4. Unused slots point at a system-call-unimplemented() handler (sys_ni_syscall in the kernel sources), which returns -ENOSYS
  5. All syscalls return a result/error code (negative errno values inside the kernel; libc turns them into -1 plus errno)
  6. http://man7.org/linux/man-pages/man2/syscall.2.html

4.3 Freezing How To

  1. Using an LKM (the table symbol is not exported, so the module first has to locate it, e.g., via kallsyms)
  2. Change the page holding system-call-table[] to read-and-write (on x86 either clear the WP bit in CR0 or use set_memory_rw())
  3. system-call-table[x] = system-call-unimplemented;
  4. Change the page back to read-only
  5. Unload the LKM (safe, because the slot now points at a function inside the kernel image, not at module code)

4.4 Issues

  1. Can this be used in an attack? Yes: a rootkit module can overwrite the same table to redirect, not merely disable, system calls. That is why the table is kept read-only and why module signing (CONFIG_MODULE_SIG) and disabling further module loading after boot (kernel.modules_disabled=1) matter.
  2. Are LKMs dangerous? A loaded module runs with full kernel privilege; the module-loading interface is the real trust boundary.

5 Kernel Hardening with ASLR + ROP Prevention

6 Hardening the Android Framework

6.1 Zygote / ASLR / ROP

  1. https://copperhead.co/
    1. https://copperhead.co/2015/05/11/aslr-android-zygote
    2. https://copperhead.co/2015/06/11/android-pax
  2. Zygote to Morula to Zygote3
    1. Morula (see ref)
    2. Enhanced Morula ( Zygote3; see ref).

6.2 Binder

  1. Binder IPC improvements
    1. Man-in-the-Binder attack

6.3 Fine grained Permissions

  1. Finer grained than in Android Nougat
  2. Xposed Framework and XPrivacy; HowToGeek

7 Hardening the Linux within Android: SELinux

  1. Lecture Notes on SELinux/ SEAndroid by NSA open source
  2. Defcon 21 - Defeating SEAndroid 35 slides, 2013. Recommended Reading.

8 References

  1. Prabhaker Mateti, Proper Config, Fortification, Hardening, Lecture Notes 2014 Recommended Reading.
  2. Morula; From Zygote to Morula: Fortifying Weakened ASLR on Android 2014. "Morula is a secure replacement of Zygote to fortify weakened ASLR on Android" android-4.2.1. We renamed Morula to Zygote-2. Recommended Reading.
  3. Zygote-3; Priyanka Shetti, "Secure and Enhanced Replacement for Zygote of the Android", MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2015. Advisor: Prabhaker Mateti. Recommended Reading.
  4. Yadu Kaladharan, "Mitigation of Attacks on Android Binder Through Encryption", MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2015. Advisor: Prabhaker Mateti. Recommended Reading.
  5. Asish K Sahadevan, "Security Improvements to the Android Kernel", MTech Thesis, Amrita Vishwa Vidyapeetham, Ettimadai, Tamil Nadu 641112, India; July 2015. Advisor: Prabhaker Mateti.
  6. Sunil Gadi, Security Hardened Kernels for Linux Servers, Wright State University, MS Thesis, Advisor: Prabhaker Mateti. 2004. Slides | Thesis Recommended Reading.
  7. Defcon 21 - Defeating SEAndroid 35 slides, 2013. Recommended Reading.

9 End

Copyright © 2016 www.wright.edu/~pmateti 2016-11-20