Implement basic kernel hardening and defenses #209

Open: wants to merge 2 commits into master

Commits on Apr 19, 2021

  1. Kernel Hardening: Linux Hardened patch stack

    Network equipment is critical infrastructure with long uptimes and
    significant throughput/processing, especially in undercloud fabric.
    The OS kernel is responsible for managing raw system resources and
    the enforcement of security (privilege/access) boundaries. This
    set of responsibilities, and a number of technical reasons such as
    long-running memory layouts, and physical page table access, make
    the kernel a high-value target for attackers. Rebooting the system
    for upgrades can be problematic, and patches providing correct
    solutions for ring0 concerns may take some time to matriculate to
    stable release - leaving gaps in the security posture of systems.
    
    In order to reduce exposure during these gaps, and the impact or
    feasibility of 0-day attacks, this high-value target needs to be
    better protected with probabilistic, deterministic, and semantic
    defenses. While this effort is by no means a replacement for the
    professional-grade mitigations in Grsecurity/PaX, it does start
    down the path of elevated defensive posture by introducing the
    Linux Hardened kernel patchset from GrapheneOS by Daniel Micay and
    others.
    
    The hardening patchset implements a number of C-level fixes, higher
    entropy ASLR, namespace protections, FS access restrictions to
    sensitive targets like /dev/mem, and syscall restrictions. Atop the
    basics, it adds GCC plugins or improves upon the upstream ones to
    randomize struct layouts, initify and initialize variables at
    compile-time, and provides a PRNG from the jitterentropy source.
    More info at https://www.whonix.org/wiki/Hardened-kernel as well as
    in the source repo https://github.com/anthraxx/linux-hardened.
    
    Notes:
      While not in the scope of this pull request, the kernel-tier
    mechanisms provided here should be complemented by Daniel Micay's
    hardened-malloc to guard against userspace memory corruption, UAF,
    and other malfeasance.
      This effort parallels a similar pull request for VyOS - sonic-net#132.
    The added functionality provided there in regards to LVS, XTables,
    and other patches can be backported here on request.
    
    Testing:
      None on this branch; we maintain 5.4 and 5.10 branches in-house
    RageLtMan committed Apr 19, 2021 (commit a32997c)
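Since the commit lists no testing on this branch, a practical first check after a build is whether the kernel config actually carries the options behind the features the message names (KASLR, /dev/mem restriction, struct randomization, variable initialization, syscall filtering). The POSIX shell audit below is an added example, not code from this pull request or the linux-hardened project; the mapping of Kconfig symbols to features is this example's own assumption and should be checked against the tree being built.

```shell
#!/bin/sh
# Added example, not part of the pull request: audit a kernel config for the
# options behind the hardening features the commit message lists. The
# symbol-to-feature mapping is an assumption; verify it against the real tree.

# One check per line: "<CONFIG symbol>=<value>  <feature it backs>".
HARDENING_CHECKS='
CONFIG_RANDOMIZE_BASE=y                   kernel ASLR (KASLR)
CONFIG_STRICT_DEVMEM=y                    /dev/mem limited to PCI/BIOS ranges
CONFIG_IO_STRICT_DEVMEM=y                 /dev/mem denied on claimed I/O regions
CONFIG_GCC_PLUGIN_RANDSTRUCT=y            randomized struct layouts
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y  zero-initialized stack variables
CONFIG_HARDENED_USERCOPY=y                bounds checks on copy_to/from_user
CONFIG_SLAB_FREELIST_RANDOM=y             randomized slab freelists
CONFIG_SECCOMP_FILTER=y                   syscall restrictions via seccomp-bpf
'

# audit_kconfig: reads config text on stdin (e.g. zcat /proc/config.gz |
# audit_kconfig) and prints "MISSING <symbol> (<feature>)" for each option
# that is absent, "is not set", or set to another value, then "missing: <N>".
audit_kconfig() {
    text=$(cat)
    n=0
    while read -r want feature; do
        [ -n "$want" ] || continue
        # -x whole line, -F literal: "=n" or "is not set" never matches "=y"
        printf '%s\n' "$text" | grep -qxF "$want" && continue
        printf 'MISSING %s (%s)\n' "$want" "$feature"
        n=$((n + 1))
    done <<EOF
$HARDENING_CHECKS
EOF
    echo "missing: $n"
}

# count_missing_kconfig: stdin as above, prints only the number of failures.
count_missing_kconfig() {
    audit_kconfig | sed -n 's/^missing: //p'
}

# Constructed sample config (not from a real build) for a stand-alone run.
SAMPLE_CONFIG='CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECCOMP_FILTER=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=n'

printf '%s\n' "$SAMPLE_CONFIG" | audit_kconfig   # reports 4 missing
```

On a live system, feed the running kernel's config with `zcat /proc/config.gz | audit_kconfig` (or `audit_kconfig < /boot/config-$(uname -r)`) and extend HARDENING_CHECKS with the linux-hardened-specific symbols once the tree is pinned.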
  2. Kernel Hardening: Linux Kernel Runtime Guard

    Import the Linux Kernel Runtime Guard (LKRG) from OpenWall by Adam
    Zabrocki and Alex Peslyak.
    
    LKRG provides additional tiers of mitigation by actively hashing
    and validating kernel memory regions, further restricting access
    to common LPE and escape vectors, as well as mechanisms for
    modifying the running kernel commonly used to bypass LSMs. LKRG
    can be built directly into the kernel to provide enforcement from
    early-boot, but should be deployed as a module initially while
    tunables and operational stability are ironed out and validated on
    this platform. More information is available at the project's
    homepage: https://www.openwall.com/lkrg/ and in their source repo:
    https://github.com/openwall/lkrg
    RageLtMan committed Apr 19, 2021 (commit 6e62be4)