diff options
author | Hammad Ahmed <hammad.ahmed@irdeto.com> | 2016-12-06 16:23:29 -0500 |
---|---|---|
committer | Hammad Ahmed <hammad.ahmed@irdeto.com> | 2016-12-07 08:32:05 -0500 |
commit | cd313a5ccbdbd6aedf3209358fe84281fc7349ae (patch) | |
tree | 6e2f22ae33658acca171490e78c38d96ea56467f /sec-blueprint | |
parent | aa0ff0db391915afdaf484d0fa852409778e8b92 (diff) |
Adding kernel hardening for AGL
Diffstat (limited to 'sec-blueprint')
-rw-r--r-- | sec-blueprint/07-Hardening | 4 | ||||
-rw-r--r-- | sec-blueprint/07-Hardening.md | 597 |
2 files changed, 597 insertions, 4 deletions
diff --git a/sec-blueprint/07-Hardening b/sec-blueprint/07-Hardening deleted file mode 100644 index 84c45fb..0000000 --- a/sec-blueprint/07-Hardening +++ /dev/null @@ -1,4 +0,0 @@ -Boot -Kernel -System -Application diff --git a/sec-blueprint/07-Hardening.md b/sec-blueprint/07-Hardening.md new file mode 100644 index 0000000..7a6077b --- /dev/null +++ b/sec-blueprint/07-Hardening.md @@ -0,0 +1,597 @@ +Overview +======== + +Scope +----- + +The information contained in this document is applicable to systems based +on Automotive Grade Linux. + +Limitations +----------- + +- This document is based on knowledge and research gained from looking + at security desktop and server versions of Linux as well as Android + exploits and hardening. + +- Some kernel configuration options can have an impact on performance. + This will be noted where applicable. + +Document Structure +------------------ + +This document has been divided into three sections; REQUIREMENTS, +RECOMMENDATIONS, and VALIDATION. The REQUIREMENTS section details +explicit requirements that must be adhered to for the embedded +device**.** The RECOMMENDATIONS section details best practices, and some +recommended security settings for the embedded device. The third +section, VALIDATION, provides reference scripts and test procedures that +can be used to verify adherence with the REQUIREMENTS detailed in the +first section of this guide. + +Hardening +--------- + +The term *Hardening* refers to the tools, techniques and processes +required in order to reduce the attack surface on an embedded system, +such as an embedded control unit (ECU) or other managed device. The +target for all hardening activities is to prevent the execution of +invalid binaries on the device, and to prevent copying of security +related data from the device. There are three main areas of focus for +hardening an embedded device: + + +Requirements +============ + + For the purposes of reference and explanation, we are providing guidance + on how to configure an embedded device that runs with a linux 3. 10.17 + Linux kernel. These requirements must still be met by manufacturers that + opt to build using an alternative version of the Linux kernel. + +Kernel Hardening +---------------- + + The following sub-sections contain information on various kernel + configuration options to enhance the security measures in the kernel + and also for applications compiled to take advantage of these security + features. Additionally, there are also configuration options that + close known vulnerable configuration options. Here’s a high level + summary of various kernel configurations that shall be required for + deployment. + +### Disable the serial console + + The serial console should be disabled to prevent an attacker from + accessing this powerful interface. + +``` + CONFIG_SERIAL_8250=n + CONFIG_SERIAL_8250_CONSOLE=n + CONFIG_SERIAL_CORE=n + CONFIG_SERIAL_CORE_CONSOLE=n +``` + +### Restrict access to kernel memory through device file + + The /dev/kmem file in Linux systems is directly mapped to kernel + virtual memory. This can be disastrous if an attacker gains root + access, as the attacker would have direct access to kernel virtual + memory. + + To disable the /dev/kmem file, which is very infrequently used by + applications, the following kernel option should be set in the + compile-time kernel configuration: + +``` + CONFIG_DEVKMEM=n +``` + + In case applications in userspace need /dev/kmem support, it should be + available only for authenticated applications. + +### Bake-in the kernel command-line + + The kernel command-line is used to control many aspects of the booting + kernel, and is prone to tampering as they are passed in RAM with + little to no reverse validation on these parameters. To prevent this + type of attack, the kernel shall be configured to ignore command line + arguments, and use pre-configured (compile time) options instead. + + Set the kernel command line in the CONFIG\_CMDLINE KConfig item and + then pass no arguments from the bootloader. + +``` + CONFIG_CMDLINE_BOOL=y + CONFIG_CMDLINE=”<*insert kernel command line here*>” + CONFIG_CMDLINE_OVERRIDE=y +``` + + It is recommended that any per-device settings (eg. MAC addresses, + serial numbers, etc.) be stored and accessed from read-only memory (or + files), and that any such parameters be verified (signature checking) + prior to their use. + +### Disable kernel debug symbols + + Debug symbols should always be removed from production kernels as they + provide a lot of information to attackers. + +``` + CONFIG_DEBUG_INFO=n +``` + + These kernel debug symbols are enabled by other config items in the + kernel. Care should be taken to disable those also. If + CONFIG\_DEBUG\_INFO cannot be disabled then enabling + CONFIG\_DEBUG\_INFO\_REDUCED is second best. + +### Disable access to a kernel core dump + + This kernel configuration disables access to a kernel core dump from + user space -- if enabled it gives attackers a useful view into kernel + memory. + +``` + CONFIG_PROC_KCORE=n +``` + +### Disable KGDB + + The Linux kernel supports KGDB over USB and console ports. These + mechanisms are controlled by the kgdbdbgp and kgdboc kernel + command-line parameters. It is important to ensure that no shipping + product contains a kernel with KGDB compiled-in. + +``` + CONFIG_KGDB=n +``` + +### Disable Kprobes + + Kprobes enables you to dynamically break into any kernel routine and + collect debugging and performance information non-disruptively. You + can trap at almost any kernel code address, specifying a handler + routine to be invoked when the breakpoint is hit. + +``` + CONFIG_KPROBES=n +``` + +### Disable Tracing + + FTrace enables the kernel to trace every kernel function. Providing kernel + trace functionality would assist an attacker in discovering attack vectors. + +``` + CONFIG_FTRACE=n +``` + +### Disable Profiling + + Profiling and OProfile enables profiling the whole system, include the kernel, + kernel modules, libraries, and applications.Providing profiling functionality + would assist an attacker in discovering attack vectors. + +``` + CONFIG_OPROFILE=n + CONFIG_PROFILING=n +``` + +### Disable magic sysrq support + + On a few architectures, you can access a powerful debugger interface + from the keyboard. The same powerful interface can be present on the + serial console – responding to serial break – of Linux on other + architectures. Disable to avoid potentially exposing this powerful + backdoor. + +``` + CONFIG_MAGIC_SYSRQ=n +``` + +### Disable OOPS print on BUG() + + The output from OOPS print can be helpful in Return Oriented + Programming (ROP) when trying to determine the effectives of an + exploit. + +``` + CONFIG_DEBUG_BUGVERBOSE=n +``` + +### Disable kexec + + This prevents someone who gets root from supplanting the kernel. This + can be used as a way to bypass signed kernels. + +``` + CONFIG_KEXEC=n +``` + +### Disable kernel IP autoconfiguration + + It is preferable to have IP configuration performed using a user-space + tool as these tend to have more validation. We do not want the network + interface coming up until the system has come up properly. + +``` + CONFIG_IP_PNP=n +``` + +### Disable /proc/config.gz + + It is extremely important to not expose the kernel configuration used + on a production device to a potential attacker. With access to the + kernel config, it could be possible for an attacker to build a custom + kernel for the device that may disable critical security features. + +``` + CONFIG_IKCONFIG=n +``` + +### Disable swap + + If not disabled, attackers can enable swap at runtime, add pressure to + the memory subsystem and then scour the pages written to swap for + useful information. + +``` + CONFIG_SWAP=n +``` + +### Disable namespace support + + Do not allow namespace support to prevent duplicates of dev nodes, + pids and mount points. This may be used in virtualization and + container solutions like LXC, so in some cases it cannot be disabled. + +``` + CONFIG_NAMESPACES=n +``` + +### Disable NFS file system + + While often enabled in development, when left enabled in production + builds this can be a very useful way for an attacker to get files onto + and off of an STB. + +``` + CONFIG_NFSD=n + CONFIG_NFS_FS=n +``` + +### Disable support for binary formats other than ELF + + This will make possible to plug wrapper-driven binary formats into + the kernel. It enables support for binary formats other than ELF. Providing + the ability to use alternate interpreters would assist an attacker in + discovering attack vectors + +``` + CONFIG_BINFMT_MISC=n +``` + +### Disable “Load All Symbols” + + There is a /proc/kallsyms file which exposes the kernel memory space + address of many kernel symbols (functions, variables, etc.). This + information is useful to attackers in identifying kernel + versions/configurations and in preparing payloads for exploits of + kernel space. + + Both KALLSYMS\_ALL and KALLSYMS shall be disabled; + +``` + CONFIG_KALLSYMS=n + CONFIG_KALLSYMS_ALL=n +``` + +### Disable Kernel Debugging + + There are development-only branches of code in the kernel enabled by + the DEBUG\_KERNEL conf. This should be disabled to compile-out these + branches. + +``` + CONFIG_DEBUG_KERNEL=n +``` + + In some kernel versions, disabling this requires also disabling + CONFIG\_EMBEDDED, and CONFIG\_EXPERT Disabling CONFIG\_EXPERT makes it + impossible to disable \_COREDUMP, DEBUG\_BUGVERBOSE, \_NAMESPACES, + \_KALLSYMS and \_BUG. In which case it is better to leave this enabled + than enable the others. + +### Disable the kernel debug filesystem + + The kernel debug filesystem presents a lot of useful information and + means of manipulation of the kernel to an attacker. + +``` + CONFIG_DEBUG_FS=n +``` + +### Disable BUG() support + + The kernel will display backtrace and register information for BUGs + and WARNs in kernel space, making it easier for attackers to develop + exploits. + +``` + CONFIG_BUG=n +``` + +### Disable Sysctl syscall support + + Enabling this will result in code being included that is hard to + maintain and not well tested. + +``` + CONFIG_SYSCTL_SYSCALL=n +``` + +### Kernel Modules + +### Disable module unloading + + This stops an attacker unloading security focused kernel modules. It + will also prevent the attacker from removing evidence of any attempted + kernel tampering that may have been initiated by loading of a kernel + module. + +``` + CONFIG_MODULE_UNLOAD=n +``` + +### Disable Forced Module Loading + + If enabled, then modules without version information or with + mismatched version information may be forcibly loaded into the kernel. + Disabling this configuration forces the attackers to build modules + with matched kernel sources and configuration in order to load them. + +``` + CONFIG_MODULE_FORCE_LOAD=n +``` + +Recommendations +=============== + +The following sections detail best practices that should be applied in +order to secure a device. Although they are not currently listed as hard +requirements, they may be upgraded to requirements status in the future. + + + +Kernel Hardening +---------------- + + The following sub-sections contain information on various kernel + configuration options that will require updating to a newer kernel + version in order to enhance the security measures in the kernel and + also for applications compiled to take advantage of these security + features. + + Additionally, there are also configuration options that close known + vulnerable configuration options. Here’s a high level summary of the + various kernel configurations and which kernel version they pertain: + +| Kernel Configuration | Kernel Version | +|---------------------------------------|----------------| +| CONFIG\_CHECKPOINT\_RESTORE=n |3.3+ | +| CONFIG\_UNIX\_DIAG=n |3.3+ | +| CROSS\_MEMORY\_ATTACH=n |3.5+ | +| CONFIG\_PANIC\_ON\_OOPS=y |3.5+ | +| CONFIG\_COREDUMP=n |3.7+ | +| CONFIG\_MODULE\_SIG\_FORCE=y |3.7+ | +| CONFIG\_PACKET\_DIAG=n |3.7+ | +| CONFIG\_FW\_LOADER\_USER\_HELPER=n |3.9+ | +| CONFIG\_CC\_STACKPROTECTOR=y |3.11+ (MIPS) | +| CONFIG\_USELIB=n |3.15+ | +| BPF\_JIT=n |3.16+ (MIPS) | +| CONFIG\_DEVMEM=n |4.0+ | + +### Build with Stack Protection + + Similar to the stack protector used for ELF programs in user-space, + the kernel can protect its internal stacks as well. This configuration + for the MIPS architecture is supported in Linux 3.11 and greater and + thus should only be enabled for such versions. This configuration also + requires building the kernel with the gcc compiler 4.2 or greater. + +``` + CONFIG_CC_STACKPROTECTOR=y +``` + +### Disable access to /dev/mem + + The /dev/mem file in Linux systems is directly mapped to physical + memory. This can be disastrous if an attacker gains root access, as + the attacker would have direct access to physical memory through this + convenient device file. It may not always be possible to disable such + file, as some applications might need such support. In that case then + this device file should be available only for authenticated + applications. This configuration is supported in Linux 4.0 and greater + and thus should only be disabled for such versions. + +``` + CONFIG_DEVMEM=n +``` + +### Disable cross-memory attach + + Disable the process\_vm\_\*v syscalls which allow one process to + peek/poke the virtual memory of another. This configuration is + supported in Linux 3.5 and greater and thus should only be disabled + for such versions. +``` + CROSS_MEMORY_ATTACH=n +``` + +### Disable core dumps + + Core dumps provide lot of debug information for hackers. So disabling + core dumps is recommended in production builds. This configuration is + supported in Linux 3.7 and greater and thus should only be disabled + for such versions. + +``` + CONFIG_COREDUMP=n +``` + +### Disable Legacy Linux Support + + There are some Kernel Configs which are present only to support legacy + binaries. See also section 2.2.2.18 for disabling support for legacy + binary formats. The uselib system call, in particular, has no valid + use in any libc6 or uclibc system in recent times. This configuration + is supported in Linux 3.15 and greater and thus should only be + disabled for such versions. + +``` + CONFIG_USELIB=n +``` + +### Disable firmware auto-loading user mode helper + + The firmware auto loading helper, which is a utility executed by the + kernel on hotplug events requiring firmware, needs to be set setuid. + As a result of this, the helper utility is an attractive target for + attackers with control of physical ports on the device. Disabling this + configuration is supported in Linux 3.9 and greater. + +``` + CONFIG_FW_LOADER_USER_HELPER=n +``` + +### Enable Kernel Panic on OOPS + + When fuzzing the kernel or attempting kernel exploits attackers are + likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC + can impede their progress. This configuration is supported in Linux + 3.5 and greater and thus should only be enabled for such versions. + +``` + CONFIG_PANIC_ON_OOPS=y +``` + +### Disable socket monitoring interface + + These monitors can be used to inspect shared file descriptors on Unix + Domain sockets or traffic on ‘localhost’ which is otherwise assumed to + be confidential. The **CONFIG\_PACKET\_DIAG** configuration is + supported in Linux 3.7 and greater and thus should only be disabled + for such versions. The **CONFIG\_UNIX\_DIAG** configuration is + supported in Linux 3.3 and greater and thus should only be disabled + for such versions. + +``` + CONFIG_PACKET_DIAG=n + CONFIG_UNIX_DIAG=n +``` + +### Disable BPF JIT + + The BPF JIT can be used to create kernel-payloads from firewall table + rules. This configuration for the MIPS architecture is supported in + Linux 3.16 and greater and thus should only be disabled for such + versions. +``` + BPF_JIT=n +``` + +### Disable checkpoint/restore + + The checkpoint/restore service can take a process, freeze it and + migrate it. This results in providing more info than a core dump. This + configuration is supported in Linux 3.3 and greater and thus should + only be disabled for such versions. + +``` + CONFIG_CHECKPOINT_RESTORE=n +``` + +### Enable Enforced Module Signing + + This configuration is supported in Linux 3.7 and greater and thus + should only be enabled for such versions. + +``` + CONFIG_MODULE_SIG_FORCE=y +``` + +### Disable all USB, PCMCIA (and other hotplug bus) drivers that aren’t needed + + To reduce the attack surface, the driver enumeration, probe, and + operation happen in the kernel. The driver data is parsed by the + kernel, so any logic bugs in these drivers can become kernel exploits. + +### Disable all file systems not needed + + To reduce the attack surface; file system data is parsed by the kernel + so any logic bugs in file system drivers can become kernel exploits. + +### Kernel Address Display Restriction + + When attackers try to develop "run anywhere" exploits for kernel + vulnerabilities, they frequently need to know the location of internal + kernel structures. By treating kernel addresses as sensitive + information, those locations are not visible to regular local users. + + /proc/sys/kernel/kptr\_restrict is set to "1" to block the reporting + of known kernel address leaks. + + Additionally, various files and directories should be readable only by + the root user: /boot/vmlinuz\*, /boot/System.map\*, + /sys/kernel/debug/, /proc/slabinfo + +### DMESG Restrictions + + When attackers try to develop "run anywhere" exploits for + vulnerabilties, they frequently will use dmesg output. By treating + dmesg output as sensitive information, this output is not available to + the attacker. + + /proc/sys/kernel/dmesg\_restrict can be set to "1" to treat dmesg + output as sensitive. + +### SELinux + + If SELinux is in use on the embedded system, the following kernel + options should be enabled to prevent SELlinux from being disabled at + either runtime or boot time. + +``` + CONFIG_SECURITY_SELINUX_DEVELOP=n + CONFIG_SECURITY_SELINUX_DISABLE=n + CONFIG_SECURITY_SELINUX_BOOTPARAM=n +``` + + +Validation +========== + +Image Security Analysis Framework (ISAFW) +----------------------------------------- +**meta-security-isafw** is an OE layer that allows enabling the Image +Security Analysis Framework (isafw) for your image builds. + +The primary purpose of isafw is to provide an extensible +framework for analysing different security aspects of images +during the build process. + +The isafw project itself can be found at + https://github.com/01org/isafw + +This layer can be added to your builds to produce an analysis report, +including a kernel config analysis. + +### Usage + +In order to enable the isafw during the image build, please add +the following line to your build/conf/local.conf file: + +```python +INHERIT += "isafw" +``` |