Hardening A Linux Kernel
1 Background
- ../BuildKernel: overview of the kernel source, how to build a kernel,
  and deploying the kernel.
2 Overview
- This article is about kernel bugs and applying patches.
2.1 Scope of Kernel Hardening in this Course
- We should be able to apply the tools from Development of Software
  without Security Holes.
- We should be able to gather the patches delivered by experts since
  the last such harvest.
- We should be able to patch the publicly released kernel and build a
  new hardened kernel. We select the patches from the above harvest.
  We may omit some. The reasons for both selecting and omitting a
  patch are documented.
- We are not expecting to discover new bugs that are worthy of being
  flashed across the world tech news sites.
- We are limited by the time and lectures we can devote to this topic.
3 Kernel Security Modules
- The Linux Security Modules (LSM) framework permits new kernel
  security extensions: it places hooks at security-relevant decision
  points (open, exec, mmap, socket calls, ...) that a module can use
  to deny an operation the normal permission checks would allow.
- These extensions are not loadable kernel modules. They are compiled
  into the kernel, the default one is selected at build time via
  CONFIG_DEFAULT_SECURITY, and the choice can be overridden at boot
  time with the "security=..." kernel command line argument (only an
  LSM that was compiled in can be selected this way).
- The primary users of the LSM interface are Mandatory Access Control
  (MAC) extensions: SELinux, Smack, TOMOYO and AppArmor.
cat /sys/kernel/security/lsm
Prints the comma-separated list of active security modules, in
initialization order (requires securityfs to be mounted at
/sys/kernel/security).
- The following grep results are from the config of a standard Ubuntu kernel:
# grep CONFIG_DEFAULT_SECURITY /boot/config-4.18.0-10-generic
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="apparmor"
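The two observations above (what is active at runtime, what the kernel was built to use) are worth checking against each other, and against any security= override on the kernel command line: a mismatch usually means the chosen LSM was not compiled in and the kernel silently fell back to plain DAC. The following POSIX shell check is an added example, not part of the course notes. It assumes a 4.x-era kernel where CONFIG_DEFAULT_SECURITY names the single major LSM (kernels from 5.1 onward also carry an ordered CONFIG_LSM list and an lsm= boot argument, which this script does not read). The sample LSM list, command line and config fragment at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: reconcile the active LSM list with the build-time default
# and the boot-time security= override. Assumes a 4.x-era kernel where
# CONFIG_DEFAULT_SECURITY selects the one major (MAC) LSM; the minor LSMs
# "capability" and "yama" always appear in the list and are not MAC.

MAJOR_LSMS="selinux smack tomoyo apparmor"

# lsm_active_major "capability,yama,apparmor" -> prints the major LSM in
# the list; exits 1 with no output if none is active (DAC-only kernel).
lsm_active_major() {
    found=""
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case " $MAJOR_LSMS " in
            *" $name "*) found=$name ;;
        esac
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# config_default_security CONFIGFILE -> prints the quoted value of
# CONFIG_DEFAULT_SECURITY (e.g. apparmor); exits 1 if the option is unset.
config_default_security() {
    val=$(sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p' "$1")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# cmdline_security "$(cat /proc/cmdline)" -> prints the value of the
# security= boot argument; exits 1 if the kernel was booted without one.
cmdline_security() {
    for arg in $1; do
        case $arg in
            security=*) printf '%s\n' "${arg#security=}"; return 0 ;;
        esac
    done
    return 1
}

# expected_major CONFIGFILE CMDLINE -> the major LSM that should be active:
# the boot-time security= argument wins over the build-time default.
expected_major() {
    cmdline_security "$2" || config_default_security "$1"
}

# lsm_check LSMLIST CONFIGFILE CMDLINE -> "ok <lsm>" (exit 0) or a
# "mismatch: ..." line (exit 1). "(none)" means DAC only.
lsm_check() {
    want=$(expected_major "$2" "$3") || want="(none)"
    have=$(lsm_active_major "$1") || have="(none)"
    if [ "$want" = "$have" ]; then
        printf 'ok %s\n' "$have"
    else
        printf 'mismatch: expected %s, running %s\n' "$want" "$have"
        return 1
    fi
}

# --- constructed sample input, standing in for the live files ---
SAMPLE_LSM_LIST="capability,yama,apparmor"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="apparmor"
EOF

lsm_check "$SAMPLE_LSM_LIST" "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
rm -f "$SAMPLE_CONFIG"

# On a live system, substitute the real sources:
#   lsm_check "$(cat /sys/kernel/security/lsm)" \
#             "/boot/config-$(uname -r)" "$(cat /proc/cmdline)"
```

The check deliberately treats an absent major LSM as "(none)" rather than an error, because a kernel booted with security=none or built with CONFIG_DEFAULT_SECURITY_DAC is a legitimate (if weaker) configuration; the point is to make the fallback visible rather than to forbid it.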
4 Add/Delete/Freeze System Calls
- It is not difficult to add system calls to the kernel: a new entry in
  the system call table and a handler function, followed by a rebuild.
- Using the loadable kernel module (LKM) mechanism, system calls can be
  added, deleted or frozen while the kernel is running, by overwriting
  entries of the system call table. Note that modern kernels do not
  export sys_call_table and map it read-only after boot, so a module
  must first locate the table and defeat the write protection; this is
  the same technique kernel rootkits use to hook system calls, which is
  why it belongs under Security Implications below.
- The Lab Lx TBD link gives you practical experience of doing this.
4.1 Why?
4.2 Kernel without Modules
4.3 Security Implications