Add privilege escalation detection support #3471

Open
wants to merge 1 commit into
from

Projects

None yet

2 participants

@mjg59
Contributor
mjg59 commented Dec 12, 2016

This consists of several components:

  1. Kernel support for sending notifications on certain events.
  2. qemu support for passing those notifications on to a policy agent.
  3. A policy agent that builds a tree of process state and verifies that
    this state is unmodified during in-kernel privilege checks.

There's also a minimal amount of code in rkt to add support for this.

Notifications are handled by hitting an io port and passing arguments in
registers. The kernel then blocks the running process until the notification
is handled. This is achieved by the policy agent clearing the blocking flag
and allowing execution to proceed.

A --monitor flag is added to indicate that this mode should be enabled. If
not passed, qemu will simply instruct the kernel to continue rather than
waiting for monitoring.

@mjg59
Contributor
mjg59 commented Dec 12, 2016

TODO:

  • Add alternatives support for the hypercall so there's no performance overhead when monitoring is disabled
@mjg59
Contributor
mjg59 commented Dec 13, 2016 edited

gif_one

The kernel in this demo has been deliberately backdoored such that opening /proc/interrupts raises the current process to UID and GID 0. This is then detected by the policy agent and the container is shut down automatically.

@mjg59
Contributor
mjg59 commented Dec 13, 2016

Anyone wanting to test this out - you'll need to build the qemu-based KVM stage 1 (./configure --with-stage1-flavors=kvm --with-stage1-kvm-hypervisors=qemu), pass an appropriate --stage1 argument to use that and pass the --monitor argument to the run command.

@mjg59 mjg59 Add privilege escalation detection support
This consists of several components:

1) Kernel support for sending notifications on certain events.
2) qemu support for passing those notifications on to a policy agent.
3) A policy agent that builds a tree of process state and verifies that
   this state is unmodified during in-kernel privilege checks.

There's also a minimal amount of code in rkt to add support for this.

Notifications are handled by hitting an io port and passing arguments in
registers. The kernel then blocks the running process until the notification
is handled. This is achieved by the policy agent clearing the blocking flag
and allowing execution to proceed.

A --monitor flag is added to indicate that this mode should be enabled. If
not passed, qemu will simply instruct the kernel to continue rather than
waiting for monitoring.
06bdc51
@philips
Member
philips commented Dec 16, 2016

@mjg59 could you document the ABI with xor on r12 a bit in the relevant patches?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment