ASL Kernel Features

From Atomicorp Wiki
Jump to: navigation, search

Contents

Introduction

This is a list of all the ASL secure kernel features.

Note: This list is not complete, and is currently being updated. To get a full list of kernel features, please see the ASL product page or contact support.

Protections

Address Space Protection

This menu lets you choose options that affect the Address Space Protection

Deny writing to /dev/kmem, /dev/mem, and /dev/port

/dev/kmem and /dev/mem< won't be allowed to be written to via mmap or otherwise to modify the running kernel. /dev/port also is not be allowed to be opened. This closes up four ways that are currently used to insert malicious code into the running kernel.

Nothing legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem but only to video memory, which is the only writing we allow in this case. If you wish to use X with ASL, please see the X_with_ASL article for configuration instructions.


Disable privileged I/O

All ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel.

Unfortunately, some programs need this access to operate properly, the most notable of which are XFree86 and hwclock. Hwclock is remedied by having RTC support in the kernel to ensure that hwclock operated correctly.

XFree86 still will not operate correctly with this protection enabled. If you wish to use X with ASL, please see the X_with_ASL article for configuration instructions to disable this protection.

Remove addresses from /proc/<pid>/[smaps|maps|stat]

The /proc/<pid>/maps and /proc/<pid>/stat files will give no information about the addresses of its mappings if PaX features that rely on random addresses are enabled on the task. This closes up a hole that makes ALSR, as exists some some Linux kernels, useless for suid binaries.

Harden module auto-loading

Module auto-loading in response to use of some feature implemented by an unloaded module is restricted to root users.

This feature helps defend against attacks by unprivileged users who abuse the auto-loading behavior to cause a vulnerable module to load that is then exploited. This feature will also prevent a legitimate use of auto-loading for a non-root user, the administrator can execute modprobe manually with the exact name of the module mentioned in the alert log.

Alternatively, the administrator can add the module to the list of modules loaded at boot time by modifying init

Hide kernel symbols

This feature restricted to users with CAP_SYS_MODULE to get information on loaded modules, and displaying all kernel symbols. For software compatibility reasons, /proc/kallsyms is restricted to the root user.

The ASL RBAC system can also hide that entry even from root.

This feature revents leaking of kernel addresses through several /proc entries.

This feature also causes the permissions on /boot, /lib/modules, and the kernel source directory to change at compile time to prevent reading by non-root users.

This feature provides a useful protection against local and remote kernel exploitation of overflows and arbitrary read/write vulnerabilities.

Role Based Access Control

Hide kernel processes

All kernel threads are hidden to all processes but those whose subject has the "view hidden processes" flag.

RBAC brute force protections

The kernel prevents attempts to brute force the RBAC authentication system, by setting a maximum number of times a user can attempt to authorize themselves with the RBAC system before being denied the ability to attempt authorization again for a specified time.

A minimum time the user must wait after attempting to authorize to the RBAC system with the maximum number of invalid passwords is also enforced.


Filesystem Protections

Personal tools