Linux Security Mitigations

A look at three security features

Hanno Böck
https://hboeck.de/

Disclaimer: This touches areas with poor documentation that I only vaguely understand. Things may be wrong.

Stack Clash

  • The heap grows upwards from low addresses, the stack grows downwards from high addresses
  • If the stack grows too large, the two regions overlap
  • Mitigation: guard pages
  • gcc -fstack-check
  • Enabled in Gentoo Hardened
  • Some concerns about the current implementation:
    http://www.openwall.com/lists/oss-security/2017/06/19/9

vsyscall

  • Legacy feature that maps commonly used kernel functions into application memory at fixed addresses
  • A fixed address beats ASLR
  • Replaced by the vDSO, which is dynamically (and randomly) allocated
  • Most systems use vsyscall in a safer, emulated mode
  • It's deprecated, let's just disable it:
    CONFIG_LEGACY_VSYSCALL_NONE=y
  • Check with: cat /proc/self/maps
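Both the stack-clash guard gap and the legacy vsyscall page are visible in /proc/<pid>/maps. The script below is an added example, not from the slides or from Hanno's own material: a POSIX shell script that reads a maps listing, reports whether the fixed-address [vsyscall] page is mapped, and measures the unmapped gap directly below the [stack] mapping. The two sample listings are constructed, the function names are mine, and the 1 MiB reference value is an assumption taken from the default stack_guard_gap (256 pages) that Linux enforces since 4.12; the slides only say "guard pages".

```shell
#!/bin/sh
# Added example (not part of the slides): inspect a /proc/<pid>/maps listing
# for (1) a legacy [vsyscall] page and (2) the unmapped gap directly below the
# [stack] mapping. POSIX sh and awk only, no GNU extensions.

# Assumption (not stated on the slides): since Linux 4.12 the kernel keeps a
# stack_guard_gap of 256 pages (1 MiB with 4 KiB pages) below the stack.
GUARD_GAP_KIB=1024

# Constructed sample listings (synthetic, not captured from a real machine).
# "Legacy": vsyscall page present, an anonymous mapping only 960 KiB below the stack.
SAMPLE_MAPS_LEGACY='5581a0200000-5581a0201000 r-xp 00000000 08:01 1234 /usr/bin/demo
5581a1000000-5581a1021000 rw-p 00000000 00:00 0 [heap]
7ffd11f00000-7ffd11f10000 rw-p 00000000 00:00 0
7ffd12000000-7ffd12021000 rw-p 00000000 00:00 0 [stack]
7ffd12050000-7ffd12052000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]'
# "Hardened": no vsyscall page, a full 1 MiB gap below the stack.
SAMPLE_MAPS_HARDENED='5581a0200000-5581a0201000 r-xp 00000000 08:01 1234 /usr/bin/demo
5581a1000000-5581a1021000 rw-p 00000000 00:00 0 [heap]
7ffd11e00000-7ffd11f00000 rw-p 00000000 00:00 0
7ffd12000000-7ffd12021000 rw-p 00000000 00:00 0 [stack]
7ffd12050000-7ffd12052000 r-xp 00000000 00:00 0 [vdso]'

# $1: maps text. Prints "yes" if a [vsyscall] mapping is present, else "no".
# The page is listed in native and emulate mode; only vsyscall=none removes it.
maps_has_vsyscall() {
    if printf '%s\n' "$1" | grep -q '\[vsyscall\]'; then echo yes; else echo no; fi
}

# $1: maps text. Prints the distance in KiB from the end of the highest mapping
# below [stack] to the start of [stack]; -1 if there is no [stack] line.
stack_gap_kib() {
    printf '%s\n' "$1" | awk '
        # maps prints lowercase hex; awk doubles are exact up to 2^53, which
        # covers every user-space address (the vsyscall page is above the
        # stack and is never selected, so its imprecision does not matter).
        function hex(s,   i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        NF == 0 { next }
        { split($1, a, "-"); lo[NR] = hex(a[1]); hi[NR] = hex(a[2]) }
        $NF == "[stack]" { stack = lo[NR]; found = 1 }
        END {
            if (!found) { print -1; exit }
            best = 0
            for (n in hi) if (hi[n] <= stack && hi[n] > best) best = hi[n]
            printf "%d\n", (stack - best) / 1024
        }'
}

# $1: maps text. Prints one assessment line per check.
maps_report() {
    if [ "$(maps_has_vsyscall "$1")" = yes ]; then
        echo "vsyscall: legacy page mapped at a fixed address (CONFIG_LEGACY_VSYSCALL_NONE=y or vsyscall=none removes it)"
    else
        echo "vsyscall: not mapped"
    fi
    gap=$(stack_gap_kib "$1")
    if [ "$gap" -lt 0 ]; then
        echo "stack: no [stack] mapping found"
    elif [ "$gap" -lt "$GUARD_GAP_KIB" ]; then
        echo "stack: only ${gap} KiB between the stack and the next mapping below it (less than the ${GUARD_GAP_KIB} KiB guard gap)"
    else
        echo "stack: ${gap} KiB gap below the stack"
    fi
}

echo "== constructed sample: legacy kernel =="
maps_report "$SAMPLE_MAPS_LEGACY"
echo "== constructed sample: hardened kernel =="
maps_report "$SAMPLE_MAPS_HARDENED"
if [ -r "/proc/$$/maps" ]; then
    echo "== this shell (/proc/$$/maps) =="
    maps_report "$(cat "/proc/$$/maps")"
fi
```

On a live system the gap below the stack is normally far larger than 1 MiB, because the mmap area starts well below it; only a gap under 1 MiB is worth a second look, and it points at a pre-4.12 kernel or a lowered stack_guard_gap= boot parameter rather than at the process itself.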

IOMMU

  • Malicious devices attached via PCI, PCMCIA or FireWire
  • get full access to system memory via DMA
  • Recent attacks on Wi-Fi firmware (Project Zero, Broadpwn)
  • An IOMMU gives each device its own separate address space
  • CONFIG_INTEL_IOMMU=y
    CONFIG_INTEL_IOMMU_DEFAULT_ON=y
  • Some reports of problems with Intel GPUs (workaround: intel_iommu=igfx_off)
  • "works for me"
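The knobs on the vsyscall and IOMMU slides are kernel build options plus boot parameters, and whether a given machine actually has them is a question of reading its config and command line. The script below is an added example, not from the slides or from Hanno's material, that does that audit: it resolves the effective vsyscall mode from CONFIG_LEGACY_VSYSCALL_* and the vsyscall= parameter, and the Intel IOMMU state from CONFIG_INTEL_IOMMU, CONFIG_INTEL_IOMMU_DEFAULT_ON and the intel_iommu= option list (including the igfx_off workaround from the slide). The sample config fragments and command lines are constructed, the function names are mine, and the script also knows CONFIG_LEGACY_VSYSCALL_XONLY and the intel_iommu=on/off and vsyscall= parameters, which the slides do not mention.

```shell
#!/bin/sh
# Added example (not part of the slides): audit a kernel config and boot
# command line for the vsyscall mode and the Intel IOMMU state.
# POSIX sh and awk only.

# Constructed sample inputs (synthetic, not taken from a real machine).
SAMPLE_CONFIG_LAX='CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
# CONFIG_LEGACY_VSYSCALL_NONE is not set
CONFIG_LEGACY_VSYSCALL_EMULATE=y'
SAMPLE_CMDLINE_LAX='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet'
SAMPLE_CONFIG_HARDENED='CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_LEGACY_VSYSCALL_EMULATE is not set'
# The GPU workaround from the slides, combined with an explicit enable.
SAMPLE_CMDLINE_HARDENED='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro intel_iommu=on,igfx_off'

# $1: config text, $2: option name. Prints the value after "=", "n" for
# "# OPT is not set", and nothing if the option does not appear at all.
config_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $0 == "# " opt " is not set" { print "n"; exit }
        index($0, opt "=") == 1 { print substr($0, length(opt) + 2); exit }'
}

# $1: config text, $2: command line. Prints the effective vsyscall mode:
# none | xonly | emulate | native | unknown. As in the kernel, a vsyscall=
# boot parameter overrides the compiled-in default.
vsyscall_mode() {
    mode=unknown
    for m in NONE XONLY EMULATE NATIVE; do
        if [ "$(config_value "$1" "CONFIG_LEGACY_VSYSCALL_$m")" = y ]; then
            mode=$(printf '%s' "$m" | tr '[:upper:]' '[:lower:]')
        fi
    done
    for word in $2; do
        case "$word" in vsyscall=*) mode=${word#vsyscall=} ;; esac
    done
    echo "$mode"
}

# $1: config text, $2: command line. Prints the Intel IOMMU state:
# not-built | off | on | on-igfx-off. intel_iommu= takes a comma-separated
# option list (on, off, igfx_off, ...); later words override earlier ones.
iommu_status() {
    if [ "$(config_value "$1" CONFIG_INTEL_IOMMU)" != y ]; then
        echo not-built
        return
    fi
    enabled=no
    igfx=no
    if [ "$(config_value "$1" CONFIG_INTEL_IOMMU_DEFAULT_ON)" = y ]; then enabled=yes; fi
    for word in $2; do
        case "$word" in
            intel_iommu=*)
                old_ifs=$IFS
                IFS=,
                for opt in ${word#intel_iommu=}; do
                    case "$opt" in
                        on) enabled=yes ;;
                        off) enabled=no ;;
                        igfx_off) igfx=yes ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
    done
    if [ "$enabled" = no ]; then echo off
    elif [ "$igfx" = yes ]; then echo on-igfx-off
    else echo on
    fi
}

# Running kernel's config from /proc/config.gz or /boot; empty if unavailable.
load_kernel_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    fi
}

# $1: config text, $2: command line. Prints one line per check.
audit_report() {
    echo "vsyscall mode: $(vsyscall_mode "$1" "$2")  (target from the slides: none)"
    echo "Intel IOMMU:   $(iommu_status "$1" "$2")  (target from the slides: on)"
}

echo "== constructed sample: lax =="
audit_report "$SAMPLE_CONFIG_LAX" "$SAMPLE_CMDLINE_LAX"
echo "== constructed sample: hardened =="
audit_report "$SAMPLE_CONFIG_HARDENED" "$SAMPLE_CMDLINE_HARDENED"
live_cfg=$(load_kernel_config 2>/dev/null || true)
if [ -n "$live_cfg" ] && [ -r /proc/cmdline ]; then
    echo "== running kernel =="
    audit_report "$live_cfg" "$(cat /proc/cmdline)"
    # Runtime confirmation: active IOMMU units appear here as dmar0, dmar1, ...
    if [ -d /sys/class/iommu ]; then
        echo "IOMMU units: $(ls /sys/class/iommu 2>/dev/null | tr '\n' ' ')"
    fi
fi
```

Two caveats for reading the output: CONFIG_INTEL_IOMMU_DEFAULT_ON=y only means the kernel wants the IOMMU, and the firmware still has to expose VT-d (a DMAR table), so an empty /sys/class/iommu on hardware that should have one is the thing to chase; and on-igfx-off means the integrated GPU is excluded from translation, so that one device keeps untranslated DMA access, which is the trade-off the slide's "works for me" is about.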

Please help

  • Test these features
  • Ask your distributions why they aren't enabled by default

Thanks for listening!

https://hboeck.de/