=Start=
Background:
Earlier this year a local privilege escalation vulnerability caused by DCCP was disclosed ("[Vulnerability alert] Hidden for 11 years: Linux kernel DCCP double-free privilege escalation vulnerability (CVE-2017-6074)"). The bug requires CONFIG_IP_DCCP to have been enabled when the kernel was compiled, which many Linux distributions do by default. In many companies' production environments, however, the module is never actively loaded, so we first need to determine whether the system has loaded it. If it has not, we can prevent the module from being loaded; if it has already been loaded, we either upgrade the kernel and reboot the machine, or first disable loading at boot and then reboot for the change to take effect. What follows is what I learned about Linux kernel configuration while detecting and handling this vulnerability.
Body:
Reference answers:
How to detect and mitigate the dccp vulnerability on Linux
`
# Check whether the kernel was built with CONFIG_IP_DCCP enabled
$ grep "CONFIG_IP_DCCP=" /boot/config-`uname -r`
# Check whether the running system has already loaded the dccp module
$ lsmod | grep --color -i "dccp"
# If the dccp module is not loaded yet, the command below prevents it from being loaded;
# if it is already loaded, run the command and then reboot the system for it to take effect
# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf
`
How to check which kernel version is currently running on Linux and what its configuration is?
`
$ cat /boot/config-$(uname -r)           # RHEL/CentOS/...
$ zcat /proc/config.gz > running.config  # only available if CONFIG_IKCONFIG_PROC was set when the kernel was built.
$ cat /boot/config                       # only available if CONFIG_IKCONFIG_PROC was set when the kernel was built.
`
How to list the kernel drivers/modules that are currently loaded on Linux?
`
$ lsmod
$ cat /proc/modules
`
How to list the available kernel drivers/modules on Linux and view their details?
`
$ find /lib/modules/$(uname -r) -type f -name "*.ko"
# Show detailed information about the dccp module
$ modinfo dccp
`
Notes on Linux kernel configuration
The 3 states of the main selection option for the SCSI subsystem (which actually selects the SCSI mid level driver) follow. Only one of these should appear in an actual kernel config file:
`
CONFIG_SCSI=y              # compiled directly into the kernel and loaded at boot
CONFIG_SCSI=m              # built as a module at kernel compile time, loaded on demand
# CONFIG_SCSI is not set   # not set at kernel compile time, and never loaded later
`
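The checks above (grep the kernel config, look at the loaded module list, then choose between the modprobe.d rule and a kernel upgrade) can be combined into one audit script. The following is an added example, not code from the original post: it reads a kernel config file and a file in /proc/modules format (both paths are parameters, so it can also be run against copies collected from another host), classifies CONFIG_IP_DCCP into the three states y / m / not set described in the previous section, and prints the matching action. The function names and the sample files in the test are my own; the modprobe.d line is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the DCCP exposure of a host.
# The kernel config and module list are read from files so the functions can
# also be run against copies collected from another machine.

# kconfig_state CONFIG_FILE OPTION
# Prints the state of OPTION using the three forms a kernel config can hold:
#   y  -> built into the kernel image, loaded at boot
#   m  -> built as a loadable module, loaded on demand
#   n  -> "# OPTION is not set" or absent, never loaded
kconfig_state() {
    if grep -q "^$2=y$" "$1" 2>/dev/null; then
        echo y
    elif grep -q "^$2=m$" "$1" 2>/dev/null; then
        echo m
    else
        echo n
    fi
}

# module_loaded MODULES_FILE NAME
# MODULES_FILE uses the /proc/modules format (module name is the first field).
# Exit status 0 when NAME is currently loaded.
module_loaded() {
    awk -v n="$2" '$1 == n { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# dccp_status [CONFIG_FILE] [MODULES_FILE]
# Prints one of: absent, builtin, loadable, loaded, unknown.
# Defaults to the running kernel's config and /proc/modules.
dccp_status() {
    cfg="${1:-/boot/config-$(uname -r)}"
    mods="${2:-/proc/modules}"
    [ -r "$cfg" ] || { echo unknown; return 1; }
    case "$(kconfig_state "$cfg" CONFIG_IP_DCCP)" in
        n) echo absent ;;
        y) echo builtin ;;
        m) if module_loaded "$mods" dccp; then echo loaded; else echo loadable; fi ;;
    esac
}

# dccp_modprobe_rule
# The modprobe.d line from the post: "install" makes modprobe run /bin/true
# instead of inserting the module, so later auto-loading fails quietly.
# It does not unload a module that is already resident, hence the reboot below.
dccp_modprobe_rule() {
    printf 'install dccp /bin/true\n'
}

# dccp_action STATUS
# Prints the mitigation the post describes for each state.
dccp_action() {
    case "$1" in
        absent)   echo "nothing to do: CONFIG_IP_DCCP is not set" ;;
        builtin)  echo "dccp is compiled into the kernel: upgrade the kernel and reboot" ;;
        loadable) echo "add '$(dccp_modprobe_rule)' to /etc/modprobe.d/disable-dccp.conf; blocks future loads" ;;
        loaded)   echo "add '$(dccp_modprobe_rule)' to /etc/modprobe.d/disable-dccp.conf and reboot, or upgrade the kernel and reboot" ;;
        *)        echo "cannot determine state: $1"; return 1 ;;
    esac
}

# Run the audit against the live system:  sh dccp-audit.sh audit
if [ "${1:-}" = audit ]; then
    status=$(dccp_status)
    echo "dccp status: $status"
    dccp_action "$status"
fi
```

Reading /proc/modules directly rather than parsing lsmod output keeps the check independent of lsmod's column formatting, and matching on the first field avoids a false "loaded" when another module merely lists dccp as a dependency.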
Reference links:
Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP
https://ma.ttias.be/linux-kernel-cve-2017-6074-local-privilege-escalation-dccp/
How to check which kernel version is currently running on Linux and what its configuration is?
https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system
https://serverfault.com/questions/51032/how-do-i-check-what-kernel-options-were-compiled-without-looking-at-boot-config
https://unix.stackexchange.com/questions/123026/where-kernel-configuration-file-is-stored
https://unix.stackexchange.com/questions/83319/how-can-i-know-if-the-current-kernel-was-compiled-with-a-certain-option-enabled
How to list the kernel drivers/modules that are currently loaded on Linux?
https://www.cyberciti.biz/tips/how-to-display-or-show-information-about-a-linux-kernel-module-or-drivers.html
https://www.cyberciti.biz/faq/howto-display-list-of-modules-or-device-drivers-in-the-linux-kernel/
https://serverfault.com/questions/62316/how-do-i-list-loaded-linux-module-parameter-values
https://serverfault.com/questions/10439/how-do-you-check-the-version-of-a-ko-kernel-module-in-linux
http://ask.xmodulo.com/find-information-builtin-kernel-modules-linux.html
https://stackoverflow.com/questions/9845877/how-to-determine-if-a-specific-module-is-loaded-in-linux-kernel
How to list the available kernel drivers/modules on Linux?
https://unix.stackexchange.com/questions/184877/how-to-list-all-loadable-kernel-modules
Notes on Linux kernel configuration
http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html
https://stackoverflow.com/questions/5392756/what-does-m-mean-in-kernel-configuration-file
=END=
12 comments on "Linux kernel configuration"
Which directory holds the kernel source files on CentOS/RedHat? (/usr/src/kernels/$version/)
https://unix.stackexchange.com/questions/62506/how-to-know-root-of-the-kernel-source-tree
https://wiki.centos.org/HowTos/I_need_the_Kernel_Source
https://www.cyberciti.biz/faq/rhel5-installing-kernel-source-code/
`
# rpm -qa | grep "kernel-devel"
# rpm -ql kernel-devel-2.6.32-431.5.1.el6.x86_64 | head
# ls /usr/src/kernels/$version/
`
kplugs – a Linux kernel module that provides an interface for dynamically executing scripts inside the Linux kernel
https://github.com/avielw/kplugs
Kernel Forensics and Rootkits
https://www.tophertimzen.com/resources/cs407/slides/week06_01-Rootkits.html#slide1
kconfig-hardened-check – a script for checking the security hardening options in a Linux kernel config
https://github.com/a13xp0p0v/kconfig-hardened-check
Linux Kernel Defence Map
https://github.com/a13xp0p0v/linux-kernel-defence-map
A script for checking the hardening options in the Linux kernel config
https://github.com/a13xp0p0v/kconfig-hardened-check
Linux kernel exploit development tutorial (Point of no C3 | Linux Kernel Exploitation – Part 0)
https://0x00sec.org/t/point-of-no-c3-linux-kernel-exploitation-part-0/11585
Linux system security hardening guide
https://www.freebuf.com/articles/system/266248.html
`
# Table of contents
Choosing the right Linux distribution
* Kernel
* Stable vs LTS kernel
* Sysctl
* — Kernel self-protection
* — Network
* — User space
Boot parameters
* — Kernel self-protection
* — CPU mitigations
* — Result
hidepid
* Kernel attack surface reduction
* — Other kernel pointer leaks
* — Restricting access to sysfs
* — linux-hardened
* — Grsecurity
* — Kernel runtime guard
* — Kernel self-compilation
Mandatory access control
* Sandboxing
* — Application sandboxing
* — Systemd sandboxing
* — gVisor
* — Virtual machines
Hardened memory allocator
* Hardened compilation flags
* Memory safe languages
* The root account
* — /etc/securetty
* — Restricting su
* — Locking the root account
* — Denying remote root login via SSH
* — Increasing the number of hashing rounds
* — Restricting Xorg root access
* — Accessing root securely
Firewalls
* Identifiers
* — Hostnames and usernames
* — Timezones / Locales / Keymaps
* — Machine ID
* — MAC address spoofing
* — Time attacks
* — Keystroke fingerprinting
File permissions
* — setuid / setgid
* — umask
Core dumps
* — sysctl
* — systemd
* — ulimit
* — setuid processes
Swap
* PAM
* Microcode updates
* IPv6 privacy extensions
* — NetworkManager
* — systemd-networkd
Partitioning and mount options
* Entropy
* — RDRAND
Editing files as root
* Distribution-specific hardening
* — HTTP package manager mirrors
* — APT seccomp-bpf
Physical security
* — BIOS / UEFI hardening
* — Bootloader passwords
* — Verified boot
* — USBs
* — DMA attacks
* — Cold boot attacks
Best practices
* Other guides
* Glossary
* Capabilities
`
Linux system security hardening guide (Linux Hardening Guide)
https://madaidans-insecurities.github.io/guides/linux-hardening.html
`
# Contents
1. Choosing the right Linux distribution
2. Kernel hardening
2.1 Stable vs. LTS
2.2 Sysctl
2.2.1 Kernel self-protection
2.2.2 Network
2.2.3 User space
2.3 Boot parameters
2.3.1 Kernel self-protection
2.3.2 CPU mitigations
2.3.3 Result
2.4 hidepid
2.5 Kernel attack surface reduction
2.5.1 Boot parameters
2.5.2 Blacklisting kernel modules
2.5.3 rfkill
2.6 Other kernel pointer leaks
2.7 Restricting access to sysfs
2.8 linux-hardened
2.9 Grsecurity
2.10 Linux Kernel Runtime Guard
2.11 Kernel self-compilation
3. Mandatory access control
4. Sandboxing
4.1 Application sandboxing
4.2 Common sandbox escapes
4.2.1 PulseAudio
4.2.2 D-Bus
4.2.3 GUI isolation
4.2.4 ptrace
4.2.5 TIOCSTI
4.3 Systemd service sandboxing
4.4 gVisor
4.5 Virtual machines
5. Hardened memory allocator
6. Hardened compilation flags
7. Memory safe languages
8. The root account
8.1 /etc/securetty
8.2 Restricting su
8.3 Locking the root account
8.4 Denying root login via SSH
8.5 Increasing the number of hashing rounds
8.6 Restricting Xorg root access
8.7 Accessing root securely
9. Firewalls
10. Identifiers
10.1 Hostnames and usernames
10.2 Timezones / Locales / Keymaps
10.3 Machine ID
10.4 MAC address spoofing
10.5 Time attacks
10.5.1 ICMP timestamps
10.5.2 TCP timestamps
10.5.3 TCP initial sequence numbers
10.5.4 Time synchronization
10.6 Keystroke fingerprinting
11. File permissions
11.1 setuid / setgid
11.2 umask
12. Core dumps
12.1 sysctl
12.2 systemd
12.3 ulimit
12.4 setuid processes
13. Swap
14. PAM
15. Microcode updates
16. IPv6 privacy extensions
16.1 NetworkManager
16.2 systemd-networkd
17. Partitioning and mount options
18. Entropy
18.1 Additional entropy sources
18.2 RDRAND
19. Editing files as root
20. Distribution-specific hardening
20.1 HTTPS package manager mirrors
20.2 APT seccomp-bpf
21. Physical security
21.1 Encryption
21.2 BIOS / UEFI hardening
21.3 Bootloader passwords
21.3.1 GRUB
21.3.2 Syslinux
21.3.3 systemd-boot
21.4 Verified boot
21.5 USBs
21.6 DMA attacks
21.7 Cold boot attacks
22. Best practices
`
《With Friends Like eBPF, Who Needs Enemies?》
https://www.blackhat.com/us-21/briefings/schedule/#with-friends-like-ebpf-who-needs-enemies-23619
GitHub
https://github.com/Gui774ume/ebpfkit
《Warping Reality – creating and countering the next generation of Linux rootkits using eBPF》
https://defcon.org/html/defcon-29/dc-29-speakers.html#path
GitHub
https://github.com/pathtofile/bad-bpf
Cilium eBPF implementation mechanism: source code analysis
https://mp.weixin.qq.com/s?__biz=MzUyMDM0OTY5NA==&mid=2247483747&idx=1&sn=6f0dce420f3dd412a52496e3ce3e2e38&scene=21#wechat_redirect
Analysis of Datadog's eBPF security detection mechanism
https://mp.weixin.qq.com/s?__biz=MzUyMDM0OTY5NA==&mid=2247483757&idx=1&sn=f0cc24e6bdf6e0dea683575f706ca279&scene=21#wechat_redirect
Bad BPF – Warping reality using eBPF
https://blog.tofile.dev/2021/08/01/bad-bpf.html
Documentation for /proc/sys/kernel/
https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled
BPF bytecode signing plan
https://lwn.net/Articles/853489/
Objections
https://lwn.net/Articles/854386/
GitHub/saBPF-project
https://github.com/saBPF-project/sabpf-kernel
bpf() subcommand reference
https://www.kernel.org/doc/html/latest/userspace-api/ebpf/syscall.html
elixir.bootlin.com/linux
https://elixir.bootlin.com/linux/v5.16.10/source/tools/lib/bpf/netlink.c#L237
TC command classifier
https://man7.org/linux/man-pages/man8/tc-bpf.8.html
eBPF IDA Proc
https://github.com/cylance/eBPF_processor
Reverse Engineering Ebpfkit Rootkit With BlackBerry’s Enhanced IDA Processor Tool
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool
BCC library demo: LSM probes
https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md#11-lsm-probes
GitHub/BCC
https://github.com/iovisor/bcc
Demo BPF applications
https://github.com/libbpf/libbpf-bootstrap
bpf-core-reference-guide
https://nakryiko.com/posts/bpf-core-reference-guide/
Creating and Countering the Next Generation of Linux Rootkits
https://www.youtube.com/watch?v=g6SKWT7sROQ
DEFCON 29 – eBPF, I thought we were friends
https://www.youtube.com/watch?v=5zixNDolLrg
Offensive BPF: Malicious bpftrace
https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
Lifetime of BPF objects
https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html
BPF program (BPF Prog) types explained: use cases, function signatures, execution points and example programs
https://arthurchiao.art/blog/bpf-advanced-notes-1-zh
Features of bpftool: the thread of tips and examples to work with eBPF objects
https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/
eBPF Syscall
https://www.kernel.org/doc/html/latest/userspace-api/ebpf/syscall.html
ebpfkit is a rootkit powered by eBPF
https://github.com/Gui774ume/ebpfkit
On Bypassing eBPF Security Monitoring (translation)
https://tttang.com/archive/1779/
https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html
`
Preface
Body
A brief account of how eBPF works
Common shortcomings and potential bypasses (this is the key part)
1. Understand which events are caught
1.1 Execution bypasses
1.2 Network bypasses
2. Delayed execution
3. Evading scoped event monitoring based on cgroup
4. Memory limits and loss of events
5. Never trust user space
6. Abusing the lack of seccomp-bpf and kernel discrepancies
7. Interfering with the agents
Source
* A few words on how eBPF works
* Common shortcomings & potential bypasses (here be dragons)
– * 1. Understand which events are caught
– – * 1.1 Execution bypasses
– – * 1.2 Network bypasses
– * 2. Delayed execution
– * 3. Evade scoped event monitoring based on cgroup
– * 4. Memory limits and loss of events
– * 5. Never trust the userspace
– * 6. Abuse the lack of seccomp-bpf & kernel discrepancies
– * 7. Interfere with the agents
`
Slides from the China eBPF Conference
https://gitee.com/linuxkerneltravel/ebpf-conference/tree/master
`
Call for talks, projects and suggestions for the first China eBPF Conference.
PPT/主会场
PPT/主会场/5.基于eBPF的Service Mesh性能瓶颈定位与优化.pdf
PPT/主会场/4.基于eBPF的Linux内核探索之旅—开源项目LMP.pptx
PPT/主会场/2.从Linux内核到eBPF.pptx
PPT/主会场/3.Linux Tracing System 浅析 & eBPF框架开发经验分享.pptx
PPT/分会场三
PPT/分会场三/4.bcc应用最佳实践.pdf
PPT/分会场三/8.观测云采集器.pptx
PPT/分会场三/2.eBPF技术在CT领域的分布式性能追踪的实践.pptx
PPT/分会场三/6.eBPF在Android平台的实践.pptx
PPT/分会场三/3.Extend Database Mesh with eBPF.pptx
PPT/分会场三/7.DeepFlow基于eBPF的高度自动化可观测性实践.pdf
PPT/分会场三/1.阿里基于eBPF的应用可观测技术实践.pptx
PPT/分会场三/5.基于eBPF的程序摄像头—Trace Profiling的设想.pdf
PPT/分会场一
PPT/分会场一/5.Hardware accelerator for eBPF.pdf
PPT/分会场一/1.基于eBPF构建可编程调度框架.pptx
PPT/分会场一/6.ARM64 eBPF JIT现状介绍.pptx
PPT/分会场一/2.Coolbpf在各内核版本的应用实践.pptx
PPT/分会场一/3.eunomia:让eBPF程序的开发和部署尽可能简单.pptx
PPT/分会场一/4.eBPF急先锋:surftrace.pptx
PPT/分会场一/8.基于eBPF的服务网格应用加速器.pptx
PPT/分会场一/7.基于eBPF系统调用钩子检测工具.key
PPT/分会场二
PPT/分会场二/1.基于 eBPF 的内存泄露(增长)通用分析方法.pptx
PPT/分会场二/5.首届eBPF大会_eBPF技术在服务网格场景应用经验总结与展望.pptx
PPT/分会场二/8.eCapture旁观者-CFC4N-首届中国eBPF研讨会.pdf
PPT/分会场二/7.沈典-东南大学-基于eBPF的多路径网络传输协议栈扩展.pdf
PPT/分会场二/2.首届eBPF大会交流-李强&张绪峰_final.pptx
PPT/分会场二/6.Agith宣讲材料.pptx
PPT/分会场二/4.基于eBPF的内核漏洞检测实践—许庆伟.pptx
PPT/分会场二/3.首届eBPF大会_gala-gopher:基于eBPF技术的系统白盒观测能力 v1.0.pptx
`
Collection of introductory eBPF literature
http://blog.nsfocus.net/ebpf/
`
Before 2022-09-26 I knew nothing about eBPF, not counting the classic BPF historically used for packet capture. Since then I have read a lot of eBPF literature and more or less got started, so here are some notes for beginners.
eBPF has developed rapidly in recent years and many new features are tied to the kernel version, so there is no need to fight with outdated eBPF limitations. When getting started you can simply learn on a newer kernel, and once you are familiar with it, consider backward compatibility for production. I test eBPF on Ubuntu 22.04.1 LTS (Jammy Jellyfish) with the 5.15.0-52-generic kernel. That kernel version is already fairly recent, yet some new eBPF features are still not supported.
1. bpftrace
The best way to get started is with bpftrace. Work through the references below; don't pick and choose, read them all once, and there is no need to read other material piecemeal.
2. BCC
bpftrace is concise and clear, but its wrapping of bpf-helpers(7) is incomplete; for example there is no bpf_probe_write_user. The BCC Python bindings can do more than bpftrace; work through the references below. BCC programming details are not covered here; after reading the material below you will pick them up naturally.
3. BPF Performance Tools
See https://github.com/brendangregg/bpf-perf-tools-book
4. unprivileged_bpf_disabled
See https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
5. Offensive BPF
Work through this series
https://embracethered.com/blog/tags/ebpf/
https://embracethered.com/blog/posts/2021/offensive-bpf/
https://github.com/wunderwuzzi23/Offensive-BPF/
6. Bad BPF
Work through:
————————————————————————–
Detecting Kernel Hooking using eBPF – Pat H [2021-07-07]
https://blog.tofile.dev/2021/07/07/ebpf-hooks.html
(Explains how BPF-HookDetect works; it uses bpf_get_stackid)
BPF-HookDetect
https://github.com/pathtofile/bpf-hookdetect
(Detect Kernel Rootkits hooking syscalls)
Using eBPF to uncover in-memory loading – Pat H [2021-02-15]
https://blog.tofile.dev/2021/02/15/ebpf-01.html
(Contains a complete example of loading an ELF from memory)
7. libbpf (eBPF loader)
libbpf is claimed to be the replacement for BCC; work through:
————————————————————————–
https://github.com/libbpf/libbpf
https://github.com/iovisor/bcc/tree/master/libbpf-tools
LIBBPF API
https://libbpf.readthedocs.io/en/latest/api.html
8. libbpf-bootstrap
8.1 Compiling
See
《GIT and GFW》
http://scz.617.cn:8/unix/202211231303.txt
8.2 eBPF code compatibility
9. Other references
Where I said "work through" above, I mean reading word by word; some of these I have read repeatedly, and the second reading brought more insight than the first. Below are some other related references; time permitting, I suggest working through them too.
`
https://github.com/iovisor/bpftrace
https://github.com/iovisor/bpftrace/tree/master/tools
https://github.com/iovisor/bpftrace/blob/master/INSTALL.md
https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md
https://www.brendangregg.com/BPF/bpftrace-cheat-sheet.html
https://github.com/iovisor/bcc
https://github.com/iovisor/bcc/tree/master/tools
BPF Documentation
https://docs.kernel.org/bpf/
Linux Extended BPF (eBPF) Tracing Tools
https://www.brendangregg.com/ebpf.html
Linux Tracing Workshops Materials
https://github.com/goldshtn/linux-tracing-workshop
Comparing SystemTap and bpftrace – Emanuele Rocca [2021-04-13]
https://lwn.net/Articles/852112/