summaryrefslogtreecommitdiffstats
path: root/docs/security-blueprint/part-4/2-Memory.md
blob: d7af4466b71a00a9caab938d92b08751e718d55b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Memory

## Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to kernel virtual memory.

To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration:

<!-- section-config -->

Domain                         | `Config` name    | `Value`
------------------------------ | ---------------- | -------
Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n`

<!-- end-section-config -->

In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications.

--------------------------------------------------------------------------------

## Disable access to a kernel core dump

This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory.

<!-- section-config -->

Domain                   | `Config` name       | `Value`
------------------------ | ------------------- | -------
Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable swap

If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information.

<!-- section-config -->

Domain               | `Config` name | `Value`
-------------------- | ------------- | -------
Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`

<!-- end-section-config -->

<!-- section-note -->

- Enabling swap at runtime require `CAP_SYS_ADMIN`.
- Swap block device is usually under root:disk.
- Linux never swaps kernel pages.
- If swap disabling is not possible, swap encryption should be enabled.

<!-- end-section-note -->

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Disable "Load All Symbols"

There is a /proc/kallsyms file which exposes the kernel memory space address of many kernel symbols (functions, variables, etc...). This information is useful to attackers in identifying kernel versions/configurations and in preparing payloads for the exploits of kernel space.

Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled;

<!-- section-config -->

Domain                         | `Config` name         | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS`     | `n`
Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Stack protection

To prevent stack-smashing, similar to the stack protector used for ELF programs in user-space, the kernel can protect its internal stacks as well.

This configuration is supported in **Linux 3.11 and greater** and thus should only be enabled for such versions.

This configuration also requires building the kernel with the **gcc compiler 4.2 or greater**.

<!-- section-config -->

Domain                | `Config` name              | `Value`
--------------------- | -------------------------- | -------
Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`

<!-- end-section-config -->

Other defenses include things like shadow stacks.

--------------------------------------------------------------------------------

## Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This can be disastrous if an attacker gains root access, as the attacker would have direct access to physical memory through this convenient device file. It may not always be possible to disable such file, as some applications might need such support. In that case, then this device file should be available only for authenticated applications.

This configuration is supported in **Linux 4.0 and greater** and thus should only be disabled for such versions.

<!-- section-config -->

Domain                 | `Config` name   | `Value`
---------------------- | --------------- | -------
Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Disable cross-memory attach

Disable the process_vm_*v syscalls which allow one process to peek/poke the virtual memory of another.

This configuration is supported in **Linux 3.5 and greater** and thus should only be disabled for such versions.

<!-- section-config -->

Domain                         | `Config` name         | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Stack Smashing Attacks

<!-- section-config -->

Domain                        | `compiler` and `linker` options | _State_
----------------------------- | ------------------------------- | --------
Kernel-Memory-StackSmashing-1 | `-fstack-protector-all`         | _Enable_

<!-- end-section-config -->

Emit extra code to check for buffer overflows, such as stack smashing attacks.

--------------------------------------------------------------------------------

## Detect Buffer Overflows

<!-- section-config -->

Domain                          | `compiler` options and `config` name | `Value`
------------------------------- | ------------------------------------ | -------
Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE`                  | `2`
Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE`              | `y`

<!-- end-section-config -->

Helps detect some buffer overflow errors.