Making software more secure using Kafel and Dependency Analysis #127

Open
nikhedonia opened this Issue Aug 17, 2017 · 0 comments

nikhedonia commented Aug 17, 2017

Automated Hardening With Kafel For Buckaroo Projects using Dependency Analysis

If we annotate every package with a Kafel policy, then we could automate software hardening of Buckaroo projects by analyzing the policies of every dependency.

What is Kafel ?

Kafel is a description language for defining seccomp filters.
A seccomp policy specifies what syscalls can be used by an application.
The behavior on a breach of the contract can either be to return an error code or to terminate the program.
It is a security feature of the Linux kernel.

What is Software Hardening ?

Software hardening is the process of securing an application by reducing the attack surface.
The Linux kernel has over 300 different syscalls that can be exploited.
By adding a whitelist of expected syscalls, we can reduce the attack surface.

What Needs To Be Done?

  • Assemble a list of accepted syscalls for each package
  • Create a Kafel policy for each package
  • Create a function that merges a list of policies

Assembling the list will be a tedious task.
If a project has integration tests, there might be an opportunity for automation.
Otherwise we have to create an example app which uses all features of a library and run it inside strace.

What Would It Look Like?

Once we have a policy for the application, the user can either run his program in nsjail
or set up his seccomp filter using Kafel at runtime.

Remarks

Adding a Kafel file is good practice, as it is not only usable for seccomp filters but also acts as documentation.

Unfortunately seccomp is, afaik, a Linux-only feature.
What alternatives do macOS and Windows provide?
Is there a common abstraction?

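The three work items above (assemble a syscall list per package, keep one Kafel policy per package, merge a list of policies), together with the strace-based way of assembling the list, as an added Python example. This is not code from the issue, from Buckaroo or from Kafel: the package names `libjson` and `libnet`, the strace excerpts and the function names are all constructed for illustration. The renderer emits the Kafel `POLICY { ALLOW { ... } }` / `USE ... DEFAULT ...` syntax; the merge is a plain union, since a seccomp filter can only remove syscalls and the application must keep every syscall any of its dependencies needs.

```python
"""Added example for the issue above, not Buckaroo's or Kafel's own code.
Derives an allow-list of syscalls per package from strace output, keeps one
policy per package, and merges a list of policies into a single Kafel policy.
Package names and strace lines are constructed for illustration."""
import re
from typing import Dict, Iterable, Set

# One strace line per syscall: "name(args) = ret", optionally prefixed by a pid
# (strace -f), or split into "name(... <unfinished ...>" / "<... name resumed>".
_STRACE_LINE = re.compile(
    r"^(?:\[pid\s+\d+\]\s*|\d+\s+)?"
    r"(?:<\.\.\.\s+(?P<resumed>\w+)\s+resumed>|(?P<name>\w+)\()"
)


def syscalls_from_strace(lines: Iterable[str]) -> Set[str]:
    """Return the set of syscall names observed in strace output.

    Signal and exit markers ("--- SIGCHLD ...", "+++ exited ...") match
    neither alternative and are skipped; a call split into an
    <unfinished ...> / <... resumed> pair is counted once.
    """
    seen: Set[str] = set()
    for line in lines:
        m = _STRACE_LINE.match(line.strip())
        if m:
            seen.add(m.group("name") or m.group("resumed"))
    return seen


def merge_policies(policies: Dict[str, Set[str]]) -> Set[str]:
    """Union the allow-lists of every dependency into the application's.

    seccomp filters only subtract capabilities, so the application must allow
    at least every syscall any linked package needs; the union is the
    smallest list that keeps all of them working.
    """
    merged: Set[str] = set()
    for names in policies.values():
        merged |= names
    return merged


def render_kafel(policy_name: str, syscalls: Set[str], default: str = "KILL") -> str:
    """Render an allow-list as a Kafel policy.

    DEFAULT KILL terminates the process on any syscall outside the list;
    passing default="ERRNO(38)" (ENOSYS on x86-64) instead makes unexpected
    calls fail visibly while the list is still being validated.
    """
    body = ",\n".join(f"        {name}" for name in sorted(syscalls))
    return (
        f"POLICY {policy_name} {{\n"
        f"    ALLOW {{\n{body}\n    }}\n"
        f"}}\n"
        f"USE {policy_name} DEFAULT {default}\n"
    )


# Constructed strace -f excerpts standing in for two hypothetical packages'
# example apps (real ones would come from running their integration tests).
LIBJSON_TRACE = """\
execve("./json_example", ["./json_example"], 0x7ffc1a2b3c40 /* 20 vars */) = 0
brk(NULL)                               = 0x55d0b6a1a000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2c5e3b1000
openat(AT_FDCWD, "config.json", O_RDONLY) = 3
read(3,  <unfinished ...>
<... read resumed> "{\\"k\\": 1}", 4096)   = 8
close(3)                                = 0
write(1, "ok\\n", 3)                     = 3
exit_group(0)                           = ?
+++ exited with 0 +++
"""

LIBNET_TRACE = """\
[pid 4242] execve("./net_example", ["./net_example"], 0x7ffd9e4f0a10 /* 20 vars */) = 0
[pid 4242] brk(NULL)                    = 0x5586c0e2a000
[pid 4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 4242] connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4242] sendto(3, "GET / HTTP/1.0\\r\\n\\r\\n", 18, 0, NULL, 0) = 18
[pid 4242] recvfrom(3, "HTTP/1.0 200 OK\\r\\n", 4096, 0, NULL, NULL) = 17
[pid 4242] close(3)                     = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid 4242] exit_group(0)                = ?
"""

# One allow-list per package, keyed by a hypothetical Buckaroo package name.
PACKAGE_POLICIES: Dict[str, Set[str]] = {
    "libjson": syscalls_from_strace(LIBJSON_TRACE.splitlines()),
    "libnet": syscalls_from_strace(LIBNET_TRACE.splitlines()),
}


def application_policy(name: str = "app") -> str:
    """The merged policy an application depending on both packages would ship."""
    return render_kafel(name, merge_policies(PACKAGE_POLICIES))


if __name__ == "__main__":
    print(application_policy())
```

The rendered text can be written to a file and passed to nsjail with `--seccomp_policy`, or handed to libkafel at runtime as the issue describes. The caveat a practitioner should keep in mind: the allow-list is only as complete as the traced coverage, and with `DEFAULT KILL` a syscall the tests never reached will terminate the program in production, so trace the whole integration suite (`strace -f -o trace.log <test-binary>`) rather than a single example app wherever one exists, and keep an `ERRNO` default for a validation phase before switching to `KILL`.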
@nikhedonia nikhedonia changed the title from automated hardening using seccomp and kafel for buckaroo projects to Automated Hardening With Kafel For Buckaroo Projects using Dependency Analysis Aug 17, 2017

@nikhedonia nikhedonia changed the title from Automated Hardening With Kafel For Buckaroo Projects using Dependency Analysis to Making software more secure using Kafel and Dependency Analysis Aug 17, 2017
