KernelTLV: Deep Dive Into Linux Security

After a long time we’re coming back (!) with 2 presentations: “Forcing CFI on Embedded Devices” and “Shadow SUID for privilege persistence”.

Schedule:
19:00-19:10: Mingle Mingle Mingle
19:10-19:15: Opening talk
19:15-20:00: Forcing CFI on Embedded Devices
20:00-20:15: Break
20:15-21:00: Shadow SUID for privilege persistence

Details:

Forcing CFI on Embedded Devices \ Gili Yankovitch

IoT device diversity is on the rise today. Most of these devices are being developed in an insecure fashion due to lack of knowledge and training or worse. This is easily solvable with good practices and training. But to achieve this, one must educate hundreds of developers worldwide, which just might be unfeasible. Therefore, a different solution might be better, placing responsibility on technology: In this talk we’ll dive into the world of dynamic binary modification and how to utilize it to secure every Linux-based (ARM) embedded system, enhancing devices’ integrity using modern security mechanisms enforcement. Although Control Flow Integrity is already a known practice in the security world, it isn’t common in software today, let alone in embedded systems. We will see how the framework integrates modern flow control integrity and other mechanisms to enforce and harden security features on top of already built binaries to protect even the most under-secured software at runtime, while achieving low overhead.

Shadow SUID for privilege persistence \ Dor Dankner

When compromising a Linux machine, attackers have several known techniques to keep executing code in high privileges, but they all share the same major problem - they are well known, and therefore are easily discovered.
Even a new Linux user might notice an oddly named suid or a suspicious crontab. That fact makes attackers and red-teams crave novel ways to hiddenly execute code in high privileges, in a way that would be hard for IT and users to notice.

In my talk I’ll expose “shadow suid” - a privilege persistence method I found in binfmt, the Linux executable loader. I’ll first have a step by step walkthrough on how the Linux kernel loads and executes ELF binaries and scripts, and finally I will show how the binfmt mechanism can be manipulated to gain a yet unknown privilege persistence.
