
Strange security mitigations


Tips and tricks to understand some typical vulnerabilities and how to mitigate them, following tips and tricks from an attacker's mind. In this presentation we are going to meet a lot of Linux kernel module generators for custom hardening.

CoolerVoid

April 17, 2022


Transcript

  1. Strange security mitigations: tips and tricks from an attacker's mind. Author: CoolerVoid. Tips and tricks to understand some typical vulnerabilities and how to mitigate them following an untypical intelligent approach. Apr. 17, 2022. Antonio Costa (github.com/CoolerVoid), Strange security mitigations, Apr. 17, 2022.
  2. Summary: 1 Whoami; 2 Depths of vulnerabilities (not all); 3 Always watch your home.
  3. Whoami: Antonio Costa - CoolerVoid. AppSec tech leader, cybersecurity engineer, open-source programmer, reverse engineer. github.com/CoolerVoid
  4. Depths of vulnerabilities (not all).
  5. Depths of vulnerabilities (not all) - Heap overflow. In late 2001, "Vudo Malloc Tricks" by Michel "MaXX" and "Once Upon A free()" defined the exploitation of overflowed dynamic memory chunks on Linux. In late 2004, a series of patches to GNU libc malloc implemented over a dozen mandatory integrity assertions, effectively rendering the existing exploitation techniques obsolete (Malloc Maleficarum by Phantasmal Phantasmagoria). References: dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.txt, cwe.mitre.org/data/definitions/122.html, github.com/shellphish/how2heap
  6. Depths of vulnerabilities (not all) - Heap overflow, malloc resources: ptmalloc2 (glibc); dlmalloc (Linux, Android); jemalloc (FreeBSD and Firefox); tcmalloc (Google); libumem (Solaris); Hoard (Cisco, SAP and Credit Suisse).
  7. Depths of vulnerabilities (not all) - First rant, library alternatives. In late 2010, DieHard Allocator: an error-resistant memory allocator for Windows, Linux, and Mac OS X (microsoft.com/en-us/research/video/dieharder-securing-the-heap/, github.com/emeryberger/DieHard). In late 2017, FreeGuard: a faster secure heap allocator (arxiv.org/abs/1709.02746). In late 2019, GrapheneOS's hardened malloc: successor to a previous implementation based on extending OpenBSD malloc with various additional security features (github.com/GrapheneOS/hardened_malloc).
  8. Depths of vulnerabilities (not all) - Motivation for a C language talk. Figure: yes, Java needs libc to run and to use other resources like C libraries and syscalls. Yes, we are going to talk about kernel memory allocation soon.
  9. Depths of vulnerabilities (not all) - Tools to audit heap memory: Valgrind (detects memory leaks and anomalies) and its Helgrind plugin to detect race conditions; Deleaker, gdb, WinDbg...; cppcheck, splint, semgrep and so on. Heap detective: https://github.com/CoolerVoid/heap_detective
  10. Depths of vulnerabilities (not all) - Tools to harden the heap context: github.com/GrapheneOS/hardened_malloc, CMD: LD_PRELOAD=/opt/hardened_malloc/out/libhardened_malloc.so bin/go_server; github.com/microsoft/snmalloc, CMD: LD_PRELOAD=project/libsnmalloc-checks.so ./my_app
  11. Depths of vulnerabilities (not all) - Tools to audit heap memory. Figure: github.com/CoolerVoid/heap_detective
  12. Depths of vulnerabilities (not all) - Heartbleed in the OpenSSL library, CVE-2014-0160: a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. https://www.openssl.org/news/secadv/20140407.txt
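As an added example (not OpenSSL's code), a minimal C model of the heartbeat record handling behind the missing bounds check above, with the unchecked copy beside the checked one. The record layout follows RFC 6520; the hb_memory and hb_ok buffers and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_PADDING 16   /* RFC 6520: at least 16 bytes of random padding follow the payload */

/* Constructed "heap": a 3-byte malicious record (type=request, payload_length=16,
 * no payload) followed by bytes that belong to other data, not to the record. */
static const uint8_t hb_memory[] = {
    0x01, 0x00, 0x10,
    'S','E','C','R','E','T','_','K','E','Y','_','1','2','3','4','5'
};
#define HB_RECORD_LEN 3   /* what was actually received on the wire */

/* Constructed well-formed record: payload "hi" (length 2) plus 16 bytes of padding. */
static const uint8_t hb_ok[] = {
    0x01, 0x00, 0x02, 'h', 'i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

static uint16_t hb_claimed_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);   /* big-endian payload_length field */
}

/* Before the fix: copies payload_length bytes without checking it against rec_len.
 * Returns bytes echoed, or -1 if the model's own output buffer would overflow. */
long heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* the received length is never consulted */
    uint16_t payload_len = hb_claimed_len(rec);
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);          /* reads past the end of the 3-byte record */
    return payload_len;
}

/* After the fix: header + claimed payload + padding must fit inside what was received;
 * otherwise the record is silently discarded (-1), as RFC 6520 requires. */
long heartbeat_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload_len = hb_claimed_len(rec);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}
```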
  13. Depths of vulnerabilities (not all) - Second rant, library alternatives. OpenBSD's LibreSSL: memory sanitization is a central feature in LibreSSL that is lacking in OpenSSL. Prior to the deallocation of objects, LibreSSL explicitly zeros out memory using OpenBSD's explicit_bzero(3) function. This proactively reduces the impact of memory exposure in the event of a future vulnerability or an unprivileged process that gains control of a tainted memory segment. Google's BoringSSL: currently BoringSSL is the SSL library in Chrome/Chromium and Android. BearSSL, MatrixSSL, mbedtls, PolarSSL, libsodium and so on.
  14. Depths of vulnerabilities (not all) - Second rant, library alternatives. Figure: github.com/CoolerVoid/nist_utils
  16. Depths of vulnerabilities (not all) - Big checklist: stack buffer overflow, heap overflow, integer overflow, buffer underflow, off-by-one, memory leak, use after free, double free, race conditions (TOCTOU), lack of ASLR, lack of DEP, lack of stack cookie, lack of RELRO, lack of certificate pinning, lack of signature check, RCE, IDOR, RFI, LFI, SSO, CSRF, SSRF, SSTI, XXE, ReDoS, NoSQLi, SQLi, blind SQLi, XSS, blind XSS, DOM XSS, open redirect, path traversal, insecure deserialization, LDAP injection, HQL injection, HTTP parameter pollution, improper permissions, uncontrolled upload, uncontrolled resource consumption, CSV injection, graph injection, denial of service, weak cryptography, lack of salt, lack of secret key, lack of anti-tampering, lack of root detection, lack of seccomp/pledge, lack of rate limiting, lack of anti-robot resources, lack of HTTP header hardening, lack of anti-hooking, misconfiguration, uncontrolled search path element, information leak, hardcoded credentials, TEMPEST attack...
  17. Depths of vulnerabilities (not all) - Dark depths in vulnerabilities: fuzzing! AFL! Figure: Magic: The Gathering card, Dark Depths, by Mathias Kollros.
  18. Always watch your home.
  19. Always watch your home - Allow list of syscalls: enumerate the syscalls of each resource. Linux's seccomp() function; OpenBSD's pledge() function. Restrict a container's syscalls with seccomp: kubernetes.io/docs/tutorials/security/seccomp/; github.com/antitree/syscall2seccomp
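Added example (not from the deck or from syscall2seccomp): a C program that turns an enumerated syscall allow list into a seccomp-BPF filter and installs it with prctl(), so any syscall outside the list kills the process. It assumes Linux on x86_64; the allowed[] table and the function names are chosen for this illustration.

```c
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS            /* older kernel headers only define RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Enumerated allow list for this program (e.g. collected with strace or syscall2seccomp);
 * every syscall not listed here is denied once the filter is installed. */
static const int allowed[] = { SYS_write, SYS_exit, SYS_exit_group };
#define NALLOWED (sizeof allowed / sizeof allowed[0])

/* Policy lookup for callers; mirrors what the BPF program enforces. */
int syscall_is_allowed(int nr)
{
    for (size_t i = 0; i < NALLOWED; i++)
        if (allowed[i] == nr) return 1;
    return 0;
}

/* Build the seccomp-BPF program into insn[]; returns the instruction count (0 if cap is too small).
 * Layout: check arch, load nr, one JEQ per allowed syscall that jumps to ALLOW, otherwise KILL. */
size_t build_allowlist(struct sock_filter *insn, size_t cap)
{
    size_t n = 0;
    if (cap < NALLOWED + 6) return 0;
    insn[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insn[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    insn[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);   /* wrong arch */
    insn[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++)   /* jt skips the remaining JEQs and the KILL below */
        insn[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], (unsigned char)(NALLOWED - i), 0);
    insn[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);   /* not in the list */
    insn[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

int main(void)
{
    struct sock_filter insn[64];
    struct sock_fprog prog = { .len = (unsigned short)build_allowlist(insn, 64), .filter = insn };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 1;   /* required without CAP_SYS_ADMIN */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return 1;
    write(1, "seccomp allow list active\n", 26);   /* permitted by the list */
    _exit(0);   /* exit_group is permitted; any other syscall from here on kills the process */
}
```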
  20. Always watch your home - Hide your treasures: prevent hardcoded credentials by using a proper vault. Use a safe library, for example LibreSSL and libsodium. Use safe algorithms for cryptography following OWASP, CERT and NIST.
  21. Always watch your home - LKM to hide and protect file system resources. Casper-fs is a custom Linux kernel module generator with resources to protect or hide a custom list of files. Each LKM has resources to protect or hide files following a custom list in the YAML rule file. Not even root has permission to see the files or take actions like editing and removing them. The files can only be read, edited and deleted if the user sends a proper key to the custom device. github.com/CoolerVoid/casper-fs
  22. Always watch your home - Master librarian to audit operating system libraries. Figure: from the game Castlevania (1997).
  23. Always watch your home - Master librarian to audit operating system libraries: a tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities. Uses the pkg-config resource to list all operating system libraries. github.com/CoolerVoid/master_librarian
  24. Always watch your home - Vision to audit all service banners. Vision2 analyses the Nmap XML scanning results, parses each CPE context, and correlates it to search for CVEs on NIST. You can use it to find public vulnerabilities in services: it uses the Nmap result to search for security issues in the NVD. github.com/CoolerVoid/Vision2
  25. Always watch your home - LKM for a hidden firewall. Tool to generate a Linux kernel module with hidden and custom rules using Netfilter hooking (block ports, hidden mode, firewall functions). The motivation: in a bad situation, an attacker can bring down your iptables/ufw. But if you have HiddenWall, the attacker will not find the hidden kernel module that blocks external access, because it hooks into Netfilter in kernel land (think of it as a second layer for the firewall). github.com/CoolerVoid/HiddenWall
  26. Always watch your home - Shared Library Application Firewall "SLAF": Spock. SLAF is a Shared Library Application Firewall. Its purpose is to protect any service that uses the OpenSSL library. SLAF inserts hooks to intercept all communication, detect security anomalies, and block and log attacks like buffer overflow, path traversal, XXE and SQL injection. To detect anomalies, Spock uses a deterministic finite automaton with rank scores to compute risks and create alerts for each context. github.com/CoolerVoid/spock_slaf