Establishing Digital Trust: Don't Sacrifice Security for Convenience
BOSTON -- There is a widely held belief that Linux is a completely secure operating system. But to Brad Spengler of the grsecurity project, the belief is far from accurate. And he has the kernel exploits to prove it.
Speaking at the Linux security summit during the Linux Foundation's LinuxCon conference here this week, Spengler described how his efforts have resulted in Linux becoming more hardened for security, even though his approach -- developing Linux kernel exploits -- may be viewed with suspicion by some.
For instance, he said he created a Linux kernel exploit system called Enlightenment that ultimately won him some negative interest from the U.S.'s National Security Agency (NSA). According to Spengler, Enlightenment can disable Linux access control policy, including features such as Security-Enhanced Linux (SELinux) and AppArmor -- and in doing so, proves an important point, he said.
"Access control is not the be-all and end-all for security," Spengler told the security summit audience. "It only comes into play when something is known, and should really be considered to be the last mile of defense."
Spengler said that over the course of the last year, he wrote 11 kernel exploits that he feels have helped to make Linux more secure. As to why he had to write so many exploits, Spengler said that after he released seven exploits that could potentially have left Red Hat Enterprise Linux users at risk, Red Hat still didn't have a fix for the issues he disclosed; only after he released the eighth did Red Hat take notice and address all of the issues.
"Only public exploits produce a change in the public perception of security," Spengler said.
The NSA, however, might have a different view. Spengler said that the U.S. agency, which originally helped to develop SELinux, responded to one of his exploits not by getting in touch with Spengler, but instead by contacting his employer in what he described as an attempt to make trouble for him.
"It didn't work so well for the NSA, as I released five more exploits and I'm still working at the same place," Spengler said. "The ends do justify the means here: In the end, SELinux is now a better product."
But improving security isn't all about developers like Spengler creating exploits. On the contrary, Spengler suggested that there are a number of things that Linux users and administrators can do to create more secure systems, all based around the idea that the best way to deal with attackers is to create a hostile and unpredictable environment for them.
At the top of his list of suggestions is for administrators to use address space layout randomization, or ASLR -- a technique for randomizing the location of shared objects in memory. Spengler explained that ASLR makes it more difficult for exploits to rely on hardcoded memory addresses.
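To see what ASLR actually moves, the following added example (not code from the talk or from grsecurity) parses two captures of a process's `/proc/<pid>/maps` and reports which regions changed base address between runs; the two captures are constructed samples with hypothetical addresses, and on a Linux host the script also compares two live runs.

```python
"""Compare two /proc/<pid>/maps captures to see which regions ASLR relocated."""
import re
import subprocess
import sys

# Constructed sample captures (hypothetical addresses) of the same program
# started twice. The shared library and stack move between runs; the main
# binary, linked as a non-PIE executable, stays at a fixed address and so
# would still offer an exploit a hardcoded target even with ASLR enabled.
MAPS_RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
7f3a1c000000-7f3a1c1c3000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7f3a1c1c3000-7f3a1c1c5000 rw-p 00000000 00:00 0
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
7f91e4000000-7f91e41c3000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7f91e41c3000-7f91e41c5000 rw-p 00000000 00:00 0
7ffc9abcd000-7ffc9abee000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
LINE_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def region_bases(maps_text):
    """Map each named region (binary, library, [stack], ...) to its lowest start address."""
    bases = {}
    for line in maps_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2):
            continue  # anonymous mapping: nothing stable to name it by
        start, name = int(m.group(1), 16), m.group(2)
        bases[name] = min(start, bases.get(name, start))
    return bases


def compare_runs(maps_a, maps_b):
    """Return which named regions moved between two runs and which stayed put."""
    a, b = region_bases(maps_a), region_bases(maps_b)
    common = [n for n in a if n in b]
    return {
        "moved": {n: (a[n], b[n]) for n in common if a[n] != b[n]},
        "fixed": sorted(n for n in common if a[n] == b[n]),
    }


if __name__ == "__main__":
    if sys.platform.startswith("linux"):  # live check: two fresh processes
        runs = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                               text=True, check=True).stdout for _ in range(2)]
        print(compare_runs(*runs))
    else:
        print(compare_runs(MAPS_RUN_A, MAPS_RUN_B))
```

Any region listed under `fixed` on a live run is a mapping ASLR is not protecting, typically a non-PIE main executable or a system with `kernel.randomize_va_space` set to 0.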
Linux developers themselves also could do more to make the platform more secure. For one thing, he suggested that they remove what he described as "infoleaks" from the kernel. One such leak is the slabinfo function, which reports on the size of memory blocks. According to Spengler, the function could potentially be used by attackers.
In general, Spengler said he believes that sensitive data needs to be better secured in the Linux kernel. He suggested that a number of kernel items, including the syscall table of system calls, be labeled as read-only to prevent exploitation.
"We need to protect against invalid userland memory accesses in general," Spengler said. "Basically, the message is secure the kernel, as all your eggs are in one basket and that basket is the kernel."