Linux Security Summit Europe 2024

A retrospective on the work to restrict unprivileged user namespaces by default in Ubuntu 24.04. This presentation will cover the challenges, problems, and the solutions that Ubuntu choose. It will also take a look at work to address the problems that remain.

The Landlock security module lets Linux processes restrict what they can do and puts developers in charge of defining appropriate sandboxing policies for their programs. We will give a brief overview over Landlock’s current features, recent developments, and talk about what is next. We will discuss in more detail Landlock’s new support for restricting the use of IOCTL and the design considerations and trade-offs that went into it.

Linux Virtualization based Security (LVBS) is a security feature that can a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the kernel gets compromised. VBS uses hardware virtualization and the hypervisor (Hyper-V) to create an isolated virtual environment that runs as a higher trust level, called Virtual Trust Level 1 (VTL1). In earlier talks on LVBS we explored the fundamentals of having a secure kernel running in VTL1 and how we support basic kernel integrity through LVBS. In this talk we explore how LVBS can be extended to offer advanced kernel integrity features. We examine the status quo in Linux kernel today and the various kernel features that manipulate page tables to inject/modify kernel code. We then discuss how these features can be hardened via LVBS to ensure that authenticity and integrity of the modified/loaded code can be ensured, even if the kernel is compromised. We will also present the status of our work in hardening some of these features. Finally, as future work we also explore hardening of key kernel data structures that are target to attack and present our goals in guarding them against unauthorized modification.

eBPF is now widely used, particularly in monitoring and observability. Sadly, it can modify the system behavior, by using helpers like bpf_override_return() or bpf_send_signal(). It was also the root cause of some CVEs, like CVE-2021-3489 or CVE-2021-3490. Inspektor Gadget is an eBPF tool and systems inspection framework for k8s, containers and linux hosts. eBPF programs run by Inspektor Gadget are packaged as OCI images. This was first done to ease users' lives so they can share and use other's. We also leveraged this to improve eBPF programs' security by signing and verifying them. This presentation will showcase how we make use of cosign to: 1. Sign our OCI images in our CI. 2. Verify them at runtime and deny the execution if the image was not signed with the given public key. Everyone can use Inspektor Gadget to sign and verify their eBPF programs with their own private key. It can then be used to increase overall security of eBPF programs by running only signed ones.

Restricting system calls can significantly reduce the attack surface. However, solutions like seccomp can be bypassed(CVE-2009-0835, CVE-2019-2054, CVE-2023-2431, etc.). If unused syscalls can be eliminated at config level and compile time, the attack surface can be fundamentally controlled.
However, the widespread presence of .pushsection in kernel code prevents linker to perform code garbage collection. The associated KEEP() directive also causes ownership reversal issues, resulting in related sections that should be removed to remain, leaving more unused code for potential exploitation by hackers.
By systematically reworking the .pushsection directive, we propose dead syscalls elimination. After specifying the syscalls that need to be retained, it can remove other syscalls' code without affecting the normal operation of the kernel. Attackers cannot exploit something that does not exist. This not only reduces the kernel size and eliminates the overhead of seccomp but also completely eradicates the possibility of exploitation.
Besides, the approach of eliminating the KEEP() directive can be generalized, further reducing the kernel's dead code and decreasing the attack surface.

Contributors: Tan Yuan, Fan Siqi, Liu Xiao, Wu Zhangjin, Liu Xin

In this talk I'd like to give an update on what's new in systemd's various TPM related subsystems, such as disk encryption, PCR policy management, measurement APIs, event log and more.