Page 1
Workshop in Information Security
Building a Firewall within the Linux Kernel
Firewalls, vulnerabilities and
Linux Kernel Modules.
Lecturer: Eran Tromer
Teaching assistant: Coby Schmidt
Advisors: Assaf Harel, Ariel Haviv
Page 2
Firewalls, vulnerabilities and Linux Kernel Modules.
1. Firewall Functionality
2. Vulnerabilities
3. Intro to Linux Kernel Modules
4. A few words on the next assignment
Page 4
Firewall goals (reminder)
A piece of software or hardware intended to keep a certain network secure:
– Enforce protocol correctness.
– Enforce the policy of the network administrator.
– Minimize the chance of intrusion and attacks.
Can operate at different levels of the OSI model.
– The first firewalls looked only at the network and transport layers (the IP and TCP/UDP headers).
– Today's firewalls inspect all the way up to the application level.
Page 5
Firewall requirements (reminder)
A firewall needs to look into packets, so it must have some way to communicate with the kernel.
It needs to decide fast: we want maximum throughput and can't afford to slow down the traffic.
It needs to be configurable.
It needs to provide some way for the user to see what's going on inside.
Page 6
Packet filtering (reminder)
Each packet that is inspected waits for a verdict:
– Accept
– Drop
In practice this is mainly connection filtering: rules make certain connections legal and all others illegal.
For example, allow incoming connections to the host 10.1.1.1 only on port 80.
Another example: disallow all connections from the 172.23.31.0/24 network.
Page 7
Packet filtering (reminder, cont.)
We look into the IP header of the packet to identify the source and destination IP addresses, and into the TCP/UDP header to identify the source and destination ports.
When a new connection is established we check the connection against a set of rules.
After a connection is accepted, each subsequent packet is checked only for whether it is part of an existing, already accepted connection.
Page 8
Firewall Functionality
A firewall filters connections against a policy (a rulebase), rule by rule, from the top down: the first rule that matches decides the verdict.
Generally speaking, the rules near the top are the more specific ones and the rules near the bottom are the more general ones; the last rule is usually a catch-all.

Rule  Source IP                      Destination IP                 Source port  Dest port  Verdict
1     91.93.133.120                  192.168.4.122                  1550         3790       Accept
2     0.0.0.0 - 255.255.255.255      192.168.4.122                  Any          Any        Drop
3     0.0.0.0 - 255.255.255.255      192.168.0.0 - 192.168.255.255  Any          22         Accept
4     192.168.3.0 - 192.168.3.255    0.0.0.0 - 255.255.255.255      Any          Any        Drop
5     192.168.0.0 - 192.168.255.255  0.0.0.0 - 255.255.255.255      Any          80         Accept
6     0.0.0.0 - 255.255.255.255      0.0.0.0 - 255.255.255.255      Any          Any        Drop
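The rulebase above, evaluated top-down, as an added example that is not code from the slides: addresses are inclusive ranges in host byte order, port 0 stands for Any, and the first matching rule wins. The packets fed to it, and the helper names, are constructed for the example.

```c
/* Added example: first-match evaluation of the six-rule rulebase on
 * this slide. Not part of the course material. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-byte-order IPv4 address from dotted-quad components. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANY_PORT 0   /* "Any" in the table */

enum verdict { DROP = 0, ACCEPT = 1 };

struct rule {
    uint32_t src_lo, src_hi;   /* inclusive source address range */
    uint32_t dst_lo, dst_hi;   /* inclusive destination address range */
    uint16_t sport, dport;     /* ANY_PORT matches every port */
    enum verdict verdict;
};

struct packet {
    uint32_t src, dst;
    uint16_t sport, dport;
};

/* The six rules from the slide, in slide order. Order is the policy:
 * rule 1 is an exception to rule 2 and only works because it is above it. */
static const struct rule rulebase[] = {
    { IP(91,93,133,120), IP(91,93,133,120), IP(192,168,4,122), IP(192,168,4,122),   1550,     3790,     ACCEPT },
    { IP(0,0,0,0),       IP(255,255,255,255), IP(192,168,4,122), IP(192,168,4,122), ANY_PORT, ANY_PORT, DROP   },
    { IP(0,0,0,0),       IP(255,255,255,255), IP(192,168,0,0), IP(192,168,255,255), ANY_PORT, 22,       ACCEPT },
    { IP(192,168,3,0),   IP(192,168,3,255),   IP(0,0,0,0),     IP(255,255,255,255), ANY_PORT, ANY_PORT, DROP   },
    { IP(192,168,0,0),   IP(192,168,255,255), IP(0,0,0,0),     IP(255,255,255,255), ANY_PORT, 80,       ACCEPT },
    { IP(0,0,0,0),       IP(255,255,255,255), IP(0,0,0,0),     IP(255,255,255,255), ANY_PORT, ANY_PORT, DROP   },
};
#define NRULES (sizeof rulebase / sizeof rulebase[0])

static int port_matches(uint16_t want, uint16_t have)
{
    return want == ANY_PORT || want == have;
}

static int rule_matches(const struct rule *r, const struct packet *p)
{
    return p->src >= r->src_lo && p->src <= r->src_hi &&
           p->dst >= r->dst_lo && p->dst <= r->dst_hi &&
           port_matches(r->sport, p->sport) &&
           port_matches(r->dport, p->dport);
}

/* Returns the 1-based number of the first matching rule and stores its
 * verdict in *v. Returns 0 and DROP if nothing matched: the table above
 * cannot reach that case because rule 6 is a catch-all, but a rulebase
 * without one must still fail closed. */
int first_match(const struct packet *p, enum verdict *v)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (rule_matches(&rulebase[i], p)) {
            *v = rulebase[i].verdict;
            return (int)i + 1;
        }
    }
    *v = DROP;
    return 0;
}

/* Verdict for a 4-tuple; the matching rule number is optionally
 * returned through rule_no. */
int verdict_for(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, int *rule_no)
{
    struct packet p = { src, dst, sport, dport };
    enum verdict v;
    int n = first_match(&p, &v);
    if (rule_no)
        *rule_no = n;
    return v;
}

/* Number of the rule that decided a 4-tuple (0 if none). */
int matched_rule(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    int n;
    verdict_for(src, dst, sport, dport, &n);
    return n;
}

int main(void)
{
    int n, v;
    /* Constructed packets: the exception, the host it is an exception to,
     * SSH elsewhere inside, and the "isolated" subnet reaching SSH anyway. */
    v = verdict_for(IP(91,93,133,120), IP(192,168,4,122), 1550, 3790, &n);
    printf("91.93.133.120 -> 192.168.4.122:3790  verdict=%d rule=%d\n", v, n);
    v = verdict_for(IP(203,0,113,9), IP(192,168,4,122), 40000, 22, &n);
    printf("203.0.113.9   -> 192.168.4.122:22    verdict=%d rule=%d\n", v, n);
    v = verdict_for(IP(203,0,113,9), IP(192,168,7,9), 40000, 22, &n);
    printf("203.0.113.9   -> 192.168.7.9:22      verdict=%d rule=%d\n", v, n);
    v = verdict_for(IP(192,168,3,10), IP(192,168,7,9), 5000, 22, &n);
    printf("192.168.3.10  -> 192.168.7.9:22      verdict=%d rule=%d\n", v, n);
    return 0;
}
```

Two things the example makes visible that the table alone does not. Rule 1 is the single exception to rule 2 and works only because it sits above it; swap the two and the exception is shadowed forever, and a different source port (1551 instead of 1550) already falls through to rule 2. Rule 4 isolates 192.168.3.0/24 less than it looks: rule 3 above it already accepts SSH from that subnet to every 192.168.x.x host, so 192.168.3.10 reaching 192.168.7.9 on port 22 is accepted by rule 3 and never reaches rule 4. Checking a rulebase for such shadowing is part of reviewing it.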
Page 9
Firewall Functionality: a thought experiment
A possible organization topology (diagram not included in the transcript):
– 192.168.1.0/24: the intranet of the organization. TOP SECRET.
– DMZ (demilitarized zone): what the organization is willing to expose to the public.
Page 11
Vulnerabilities: bad input
A common mistake is to think that, because you wrote the code, you will never get bad input from the other side of the conversation.
Someone can send you a hand-crafted packet with bad input, and BOOM.
If you don't check the input, and it's bad input:
– You might crash with a segmentation fault. That's the better scenario.
– In the worse scenario you don't crash:
– You corrupt data in another part of your program.
– Someone can execute code on your machine.
– You unknowingly expose sensitive data.
Page 12
Protocol violation
Spoofing: forging the source IP address.
An attacker can forge the IP address of a host inside a protected network and behave as if they were part of that network.
This can be blocked simply by noticing that a source address arrives on the wrong interface: an internal address arriving on the external interface cannot be legitimate.
"Smurf attack": an ICMP echo request sent to a network's broadcast address with the victim's address forged as the source, so that every host on the network replies to the victim.
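The interface check and the Smurf attack named above, as an added example that is not part of the slides. It assumes a two-interface border firewall protecting 192.168.0.0/16; the subnet, the interface names, the protocol constants and the helper functions are all assumptions made for the example, and the checks run before any rulebase lookup.

```c
/* Added example: two sanity checks a border firewall runs before the
 * rulebase. Not part of the course material. */
#include <stdint.h>
#include <stdio.h>

/* Host-byte-order IPv4 address from dotted-quad components. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

#define PROTO_ICMP        1   /* IP protocol number of ICMP */
#define ICMP_ECHO_REQUEST 8   /* ICMP type of an echo request ("ping") */

enum iface { EXTERNAL = 0, INTERNAL = 1 };   /* side the packet arrived on */

struct subnet { uint32_t net, mask; };

/* Assumed topology: the protected network is 192.168.0.0/16. */
static const struct subnet internal_net = { IP(192,168,0,0), IP(255,255,0,0) };

static int in_subnet(uint32_t addr, const struct subnet *s)
{
    return (addr & s->mask) == s->net;
}

/* Anti-spoofing by interface: an internal source must arrive on the
 * internal side and a non-internal source on the external side.
 * Returns 1 if the (interface, source) pair is plausible. */
int source_plausible(enum iface arrived_on, uint32_t saddr)
{
    int internal_src = in_subnet(saddr, &internal_net);
    return arrived_on == INTERNAL ? internal_src : !internal_src;
}

/* The subnet's directed broadcast address: all host bits set. */
int is_directed_broadcast(uint32_t daddr, const struct subnet *s)
{
    return daddr == (s->net | ~s->mask);
}

/* Combined pre-check. Returns 1 to pass the packet on to the rulebase,
 * 0 to drop it right away. */
int border_precheck(enum iface arrived_on, uint32_t saddr, uint32_t daddr,
                    uint8_t proto, uint8_t icmp_type)
{
    if (!source_plausible(arrived_on, saddr))
        return 0;                                   /* spoofed source */
    /* Smurf: an echo request to our broadcast address would make every
     * host on the subnet answer the (forged) source address. */
    if (proto == PROTO_ICMP && icmp_type == ICMP_ECHO_REQUEST &&
        is_directed_broadcast(daddr, &internal_net))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed packets: an outsider claiming an inside address, and
     * a ping aimed at the subnet broadcast address. */
    printf("inside address from outside: pass=%d\n",
           border_precheck(EXTERNAL, IP(192,168,1,10), IP(192,168,1,11), 6, 0));
    printf("ping to 192.168.255.255:     pass=%d\n",
           border_precheck(EXTERNAL, IP(203,0,113,9), IP(192,168,255,255),
                           PROTO_ICMP, ICMP_ECHO_REQUEST));
    printf("ping to 192.168.1.10:        pass=%d\n",
           border_precheck(EXTERNAL, IP(203,0,113,9), IP(192,168,1,10),
                           PROTO_ICMP, ICMP_ECHO_REQUEST));
    return 0;
}
```

The interface test only catches forgery of the protected range (an outsider pretending to be inside, or an insider pretending to be outside); an outsider forging some other outside address looks normal to this firewall and can only be stopped by ingress filtering closer to the source (RFC 2827 / BCP 38). The directed-broadcast check is what stops the network being used as a Smurf amplifier, whichever address the attacker forges.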
Page 13
Protocol violation (cont.)
"Ping of Death": sending a packet whose reassembled size is larger than 65535 bytes (the maximum IPv4 datagram length) crashed many operating systems.
When the OS reassembles the fragments it overruns the memory located next to the packet buffer and damages the system.
Not just ping: any protocol over IPv4 can carry it.
One way to avoid it is to patch the OS.
Another is to let a firewall make sure that no fragment would push the reassembled packet past 65535 bytes (fragment offset times 8, plus the fragment length, must not exceed 65535).
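The overrun described here, and the "bad input" slide's warning about trusting what the other side sends, as one added example that is not code from the slides: a model of fragment reassembly into a 65535-byte buffer, with the unchecked version that trusts the fragment's own offset and length beside the check a firewall or a patched OS applies. The fragment struct, buffer layout and sample fragments are constructed for the example and simplified from real IP headers; the unchecked function is shown for comparison only and is never fed the oversized fragment, because that write is undefined behaviour. The caveat worth noticing is in the check itself: the sum has to be computed in more than 16 bits, otherwise offset times 8 plus length wraps around and the check passes.

```c
/* Added example: IPv4 fragment reassembly, unchecked beside checked.
 * Not part of the course material. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* largest length an IPv4 header can express */

struct fragment {
    uint16_t offset8;        /* 13-bit fragment offset field, in 8-byte units */
    uint16_t len;            /* bytes of data carried by this fragment */
    const uint8_t *data;
};

struct reassembly {
    uint8_t  buf[IP_MAX_DATAGRAM];   /* the datagram being rebuilt */
    uint32_t highest_end;            /* highest byte offset written so far */
};

/* VULNERABLE (comparison only; never called on the oversized fragment):
 * trusts the fragment's own fields. offset8 = 8191 and len = 100 gives
 * start + len = 65628, so memcpy writes 93 bytes past the end of buf
 * into whatever the kernel allocated next to it. */
void reassemble_unchecked(struct reassembly *r, const struct fragment *f)
{
    uint32_t start = (uint32_t)f->offset8 * 8;
    memcpy(r->buf + start, f->data, f->len);        /* BUG: no bound check */
    if (start + f->len > r->highest_end)
        r->highest_end = start + f->len;
}

/* The check: does this fragment end inside a legal datagram? Computed
 * in 32 bits on purpose; compare naive16_check_passes below. */
int fragment_fits(uint16_t offset8, uint16_t len)
{
    uint32_t end = (uint32_t)(offset8 & 0x1fffu) * 8u + len;
    return end <= IP_MAX_DATAGRAM;
}

/* The same check with a 16-bit accumulator, as a careless port of the
 * header's own field widths would write it: 8191*8 + 100 = 65628 wraps
 * to 92 and the oversized fragment passes. Returns 1 when this (wrong)
 * check would let the fragment through. */
int naive16_check_passes(uint16_t offset8, uint16_t len)
{
    uint16_t end = (uint16_t)((offset8 & 0x1fffu) * 8u + len);   /* truncated */
    return end <= IP_MAX_DATAGRAM;   /* always true for a 16-bit value */
}

/* HARDENED: refuse the fragment instead of overrunning the buffer.
 * Returns 0 when the fragment was copied in, -1 when it was dropped. */
int reassemble_checked(struct reassembly *r, const struct fragment *f)
{
    uint32_t start;
    if (!fragment_fits(f->offset8, f->len))
        return -1;
    start = (uint32_t)(f->offset8 & 0x1fffu) * 8u;
    memcpy(r->buf + start, f->data, f->len);
    if (start + f->len > r->highest_end)
        r->highest_end = start + f->len;
    return 0;
}

/* Constructed sample input: a normal two-fragment datagram followed by
 * a Ping-of-Death fragment. Returns how many fragments the checked path
 * rejected. */
int demo_rejected(void)
{
    static struct reassembly r;
    static uint8_t data[1480];
    struct fragment frags[3];
    int rejected = 0;
    size_t i;

    memset(&r, 0, sizeof r);
    memset(data, 0x41, sizeof data);
    frags[0] = (struct fragment){ 0,    1480, data };   /* bytes 0..1479 */
    frags[1] = (struct fragment){ 185,  1480, data };   /* bytes 1480..2959 */
    frags[2] = (struct fragment){ 8191, 1480, data };   /* would end at 67008 */
    for (i = 0; i < 3; i++)
        if (reassemble_checked(&r, &frags[i]) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("fragment_fits(8191, 100) = %d\n", fragment_fits(8191, 100));
    printf("naive16_check_passes(8191, 100) = %d\n", naive16_check_passes(8191, 100));
    printf("fragments rejected in demo: %d\n", demo_rejected());
    return 0;
}
```

The bound used here is the slide's 65535, measured from the start of the datagram; strictly, that limit includes the IP header, so a reassembler counting payload bytes only can use a tighter bound of 65515. Either way the shape of the check is the same, and the 16-bit trap applies to both.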
Page 14
SYN floods
SYN packets are the most expensive in terms of CPU and memory resources: each one makes the receiver allocate state for a half-open connection.
An easy way to attack networks, gateways, servers and more is to flood them with SYN packets, mostly with forged source IPs.
Sophisticated monitoring of SYN packets can prevent it.
Let the firewall be the "man in the middle": it completes the 3-way handshake with the connection initiator itself, and only then opens the connection to the server.
To avoid slowing down traffic, or even crashing the firewall, we should use this only after the number of unresolved SYN connections passes some threshold.
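The threshold idea in the last bullet, as an added example that is not code from the slides: a per-destination count of half-open connections that switches the destination into SYN-proxy mode once the count exceeds a threshold, and back once it has drained. The table size, the threshold, the event names and the assumption that an unanswered SYN's expiry is reported as a timeout event are all choices made for the example; the proxied handshake itself is not implemented here.

```c
/* Added example: threshold-triggered SYN-proxy mode, tracked per
 * destination. Not part of the course material. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-byte-order IPv4 address from dotted-quad components. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

#define MAX_DESTS     16    /* assumed table size */
#define SYN_THRESHOLD 100   /* assumed; tune to the protected servers */

enum syn_event { EV_SYN, EV_HANDSHAKE_DONE, EV_TIMEOUT };
enum syn_mode  { PASSTHROUGH = 0, SYN_PROXY = 1 };

struct dest_state {
    int           used;
    uint32_t      daddr;
    uint32_t      half_open;   /* SYNs seen whose handshake has not finished */
    enum syn_mode mode;
};

static struct dest_state table[MAX_DESTS];

/* Find the entry for daddr, allocating a free slot if needed. */
static struct dest_state *lookup(uint32_t daddr)
{
    struct dest_state *free_slot = NULL;
    for (int i = 0; i < MAX_DESTS; i++) {
        if (table[i].used && table[i].daddr == daddr)
            return &table[i];
        if (!table[i].used && !free_slot)
            free_slot = &table[i];
    }
    if (free_slot) {
        free_slot->used = 1;
        free_slot->daddr = daddr;
        free_slot->half_open = 0;
        free_slot->mode = PASSTHROUGH;
    }
    return free_slot;
}

void syn_tracker_reset(void)
{
    memset(table, 0, sizeof table);
}

/* Feed one event for daddr; returns the mode now in force for it. */
enum syn_mode syn_tracker_update(uint32_t daddr, enum syn_event ev)
{
    struct dest_state *d = lookup(daddr);
    if (!d)
        return SYN_PROXY;   /* table exhausted: fail to the safer, costlier mode */

    switch (ev) {
    case EV_SYN:
        d->half_open++;
        break;
    case EV_HANDSHAKE_DONE:
    case EV_TIMEOUT:
        if (d->half_open)
            d->half_open--;
        break;
    }
    /* Hysteresis: switch on above the threshold, switch off only well
     * below it, so a count hovering near the threshold does not make the
     * mode flap on every packet. */
    if (d->mode == PASSTHROUGH && d->half_open > SYN_THRESHOLD)
        d->mode = SYN_PROXY;
    else if (d->mode == SYN_PROXY && d->half_open < SYN_THRESHOLD / 2)
        d->mode = PASSTHROUGH;
    return d->mode;
}

uint32_t half_open_count(uint32_t daddr)
{
    struct dest_state *d = lookup(daddr);
    return d ? d->half_open : 0;
}

/* Drive a constructed scenario from a clean table: `syns` SYNs towards
 * daddr, then `completions` handshakes that finish. Returns the mode in
 * force at the end. */
enum syn_mode drive(uint32_t daddr, int syns, int completions)
{
    enum syn_mode m = PASSTHROUGH;
    syn_tracker_reset();
    for (int i = 0; i < syns; i++)
        m = syn_tracker_update(daddr, EV_SYN);
    for (int i = 0; i < completions; i++)
        m = syn_tracker_update(daddr, EV_HANDSHAKE_DONE);
    return m;
}

int main(void)
{
    /* A flood of forged-source SYNs never completes: proxy mode. */
    printf("150 SYNs, 0 completed:   mode=%d\n", drive(IP(10,1,1,1), 150, 0));
    /* A busy but honest server: every SYN completes, stays passthrough. */
    printf("150 SYNs, 150 completed: mode=%d\n", drive(IP(10,1,1,1), 150, 150));
    return 0;
}
```

What the proxy then does is complete the handshake with the client on the server's behalf and open the real connection to the server only once the client's ACK arrives, so a forged source, which never ACKs, costs the server nothing; the price is that the firewall must translate sequence numbers for the rest of every proxied connection, which is why the slide wants it switched on only under attack. Counting per destination matters too: one flooded server should not put every other host behind the firewall into proxy mode.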
Page 15
The future (the real near future)?
It is increasingly accepted that attacks cannot be completely blocked.
But whatever comes in needs to get out again: malware has to talk to its operators.
By cultivating malware samples, security analysts can construct a list of bad-reputation IP addresses and block outgoing traffic to them.
Page 17
What is a kernel module?
What is a kernel module? (wiki definition)
– An object file that contains code to extend the running kernel, the so-called base kernel, of an operating system.
What is a kernel module? (my definition)
– A modular piece of code and data structures that can be plugged into and out of kernel space.
Modules register new facilities (functions and data structures) with the kernel.
Page 18
How kernel modules differ from user-space programs
The C library and its header files are not available, so many familiar functions are missing.
– You can't include <stdio.h> or any other glibc header.
– But <linux/kernel.h> offers some nice utilities, e.g. min_t(type, x, y) and swap(a, b).
– And there are many more: kfifo.h, slab.h, kthread.h, wait.h.
Kernel modules are event driven.
– A module provides facilities that the kernel uses during interrupts, system calls, etc.
– The kernel can even start using registered facilities before all of them have been registered, so register in a safe order and be ready to be called the moment you register.
Page 19
Building the module
The purpose: eliminate the need to recompile the kernel every time you need to add or remove a specific feature.
A Makefile that adapts itself to the currently running kernel (a kbuild Makefile). Look it up!
insmod and rmmod load the module into, and remove it from, the kernel.
An initialization function is called when the module enters the kernel.
A cleanup function is called when the module is removed from the kernel.
Page 20
Our kernel module: the firewall!
What will we do with our kernel module? (spoilers ahead)
– Register a char device, to communicate with user space (AKA the real world).
– Create sysfs virtual files to get and set module values.
– Use the mmap API to expose large chunks of data from kernel space.
– Register our own functions (AKA hooks) with the netfilter API, to issue verdicts on packets going into, out of, or through our Linux box.
– Maybe juggle some kernel threads that will help us complete deferred or asynchronous tasks.
When our module is removed, it will clean up all this mess, as if it had never been there.
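A skeleton of the module described on the last two slides, as an added example that is not the course's code: an initialization function and a cleanup function that register and unregister one netfilter hook, and a policy function kept free of kernel types so the same file also compiles in user space for testing (the kernel-only part sits under #ifdef __KERNEL__, which the kernel build system defines and a plain gcc does not). The policy implements the two example rules from the "Packet filtering" slide. The hook API used is the one in kernels 4.13 and later (nf_register_net_hook); older kernels, including the 2.6 series the slides' reference book covers, use different registration functions and hook signatures. The module name fw, its log messages and the helper names are assumptions.

```c
/* Added example: minimal netfilter firewall module whose policy is
 * unit-testable in user space. Not part of the course material. */
#ifdef __KERNEL__
#include <linux/types.h>
#else
#include <stdint.h>
#endif

/* Host-byte-order IPv4 address from dotted-quad components. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PROTO_TCP 6

enum fw_verdict { FW_DROP = 0, FW_ACCEPT = 1 };

/* Everything the policy needs, already in host byte order. Non-first
 * fragments carry no transport header; they get sport = dport = 0. */
struct fw_tuple {
    uint32_t saddr, daddr;
    uint8_t  proto;
    uint16_t sport, dport;
};

/* Pure policy function: no sk_buff, no locking, compiles anywhere.
 * The two rules from the "Packet filtering" slide, checked in order. */
enum fw_verdict fw_decide(const struct fw_tuple *t)
{
    /* Rule 1: nothing from 172.23.31.0/24. */
    if ((t->saddr & IP(255,255,255,0)) == IP(172,23,31,0))
        return FW_DROP;
    /* Rule 2: 10.1.1.1 accepts only TCP port 80. A non-first fragment
     * has no port, so it fails this test and is dropped as well. */
    if (t->daddr == IP(10,1,1,1) && !(t->proto == PROTO_TCP && t->dport == 80))
        return FW_DROP;
    return FW_ACCEPT;
}

/* Convenience wrapper for user-space tests. */
int fw_check(uint32_t saddr, uint32_t daddr, uint8_t proto, uint16_t sport, uint16_t dport)
{
    struct fw_tuple t = { saddr, daddr, proto, sport, dport };
    return fw_decide(&t);
}

#ifdef __KERNEL__
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <net/net_namespace.h>

/* The hook: extract the 5-tuple defensively (the packet is untrusted
 * input, see the "bad input" slide) and ask the policy. */
static unsigned int fw_hook(void *priv, struct sk_buff *skb,
                            const struct nf_hook_state *state)
{
    struct iphdr *iph;
    struct fw_tuple t = { 0 };
    unsigned int ihl;

    if (!pskb_may_pull(skb, sizeof(struct iphdr)))
        return NF_DROP;                        /* truncated IP header */
    iph = ip_hdr(skb);
    ihl = iph->ihl * 4;
    if (ihl < sizeof(struct iphdr))
        return NF_DROP;                        /* bogus header length */
    t.saddr = ntohl(iph->saddr);
    t.daddr = ntohl(iph->daddr);
    t.proto = iph->protocol;

    /* Ports live only in the first fragment. */
    if (!(ntohs(iph->frag_off) & IP_OFFSET)) {
        if (iph->protocol == IPPROTO_TCP) {
            struct tcphdr *th;
            if (!pskb_may_pull(skb, ihl + sizeof(struct tcphdr)))
                return NF_DROP;
            iph = ip_hdr(skb);                 /* the pull may move the data */
            th = (struct tcphdr *)((unsigned char *)iph + ihl);
            t.sport = ntohs(th->source);
            t.dport = ntohs(th->dest);
        } else if (iph->protocol == IPPROTO_UDP) {
            struct udphdr *uh;
            if (!pskb_may_pull(skb, ihl + sizeof(struct udphdr)))
                return NF_DROP;
            iph = ip_hdr(skb);
            uh = (struct udphdr *)((unsigned char *)iph + ihl);
            t.sport = ntohs(uh->source);
            t.dport = ntohs(uh->dest);
        }
    }
    return fw_decide(&t) == FW_ACCEPT ? NF_ACCEPT : NF_DROP;
}

static const struct nf_hook_ops fw_ops = {
    .hook     = fw_hook,
    .pf       = NFPROTO_IPV4,
    .hooknum  = NF_INET_PRE_ROUTING,          /* see everything that arrives */
    .priority = NF_IP_PRI_FIRST,
};

/* Called on insmod: register the hook; on failure leave nothing behind. */
static int __init fw_init(void)
{
    int err = nf_register_net_hook(&init_net, &fw_ops);
    if (err) {
        pr_err("fw: nf_register_net_hook failed: %d\n", err);
        return err;
    }
    pr_info("fw: hook registered\n");
    return 0;
}

/* Called on rmmod: undo exactly what fw_init did. */
static void __exit fw_exit(void)
{
    nf_unregister_net_hook(&init_net, &fw_ops);
    pr_info("fw: hook removed\n");
}

module_init(fw_init);
module_exit(fw_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Minimal netfilter firewall skeleton (added example)");
#endif /* __KERNEL__ */
```

To build it as a module, a kbuild Makefile needs only `obj-m += fw.o` and a target that runs `make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules`; then `sudo insmod fw.ko`, watch `dmesg`, and `sudo rmmod fw`. To test the policy, compile the same file with plain gcc and call fw_check from a test harness; keeping the decision logic free of kernel types is what makes the later move from the user-space assignment into the kernel a matter of adding the hook, not rewriting the rules.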
Page 21
References
Further reference:
– Linux Device Drivers, Third Edition
– An excellent free e-book; contains all you need (and don't need) to know about kernel modules.
– Written for kernel 2.6; the concepts still hold, but many API signatures have changed since, so check the headers of the kernel you build against.
– Kernel headers and documentation
– On your machine, e.g. /usr/src/linux-headers-`uname -r`/include/linux/ip.h
– On the net: LXR or any other cross-reference site.
– http://kernel.org/doc/Documentation/
– The hardest to read, but probably the most useful.
– Your favorite search engine.
Page 23
A few words on the next assignment
By the end of this workshop you will have a working firewall in the kernel, even if not a commercial one...
The next assignment will be the first step toward that goal, completely in user space.
You'll receive a fictitious, stateful protocol of a car communicating with a satellite.
Page 24
The fictitious protocol (protocol diagram not included in the transcript)
Page 25
A few words on the next assignment
Create all the structs, modules and functions needed to implement a firewall based on that protocol.
In the assignment after this one, once the firewall is stable, it will move to the kernel.
Page 26
Assignment demands
Write modular code, where different functions and features are independent of each other.
Write well-documented code; make me happy.
Try to make the code as compact as possible.
Remember: well-written code is code that will move easily to the kernel; minimal and specific changes will be much easier to handle.
Try your best to enjoy writing your code...