TL; DR. Kulesi sihloko, sihlola izikimu eziqinile ezisebenza ngaphandle kwebhokisi ekusatshalalisweni kweLinux okuhlanu okudumile. Kokunye, sithathe ukucushwa kwe-kernel okuzenzakalelayo, salayisha wonke amaphakheji, futhi sahlaziya izikimu zokuphepha kumabhanari anamathiselwe. Ukusabalalisa okucatshangelwayo yi-OpenSUSE 12.4, Debian 9, CentOS, RHEL 6.10 kanye ne-7, kanye no-Ubuntu 14.04, 12.04 kanye ne-18.04 LTS.
Imiphumela iqinisekisa ukuthi ngisho nezikimu eziyisisekelo ezifana nokupakisha ama-canaries kanye nekhodi ezimele azikamukelwa yiwo wonke umuntu. Isimo sibi nakakhulu kubahlanganisi uma kuziwa ekuvikeleni ubungozi obunjengokungqubuzana kwe-stack, okugqame kakhulu ngoJanuwari ngemuva kokushicilelwa.
Ukubuyekezwa kubonise ukuthi inombolo enkulu yezindlela zokuvikela isetshenziswa ku-Ubuntu 18.04 ku-OS kanye namazinga ohlelo lokusebenza, ilandelwa i-Debian 9. Ngakolunye uhlangothi, i-OpenSUSE 12.4, i-CentOS 7 kanye ne-RHEL 7 nazo zisebenzisa izikimu zokuvikela eziyisisekelo, nokuvikelwa kokushayisana kwezitaki. isetshenziswa kabanzi kakhulu ngesethi eminyene kakhulu yamaphakheji azenzakalelayo.
Isingeniso
Kunzima ukuqinisekisa isofthiwe yekhwalithi ephezulu. Naphezu kwenani elikhulu lamathuluzi athuthukile okuhlaziya ikhodi emile nokuhlaziywa kwesikhathi sokusebenza okuguquguqukayo, kanye nenqubekelaphambili ebalulekile ekuthuthukisweni kwezihlanganisi nezilimi zokuhlela, isofthiwe yesimanje isahlushwa ubungozi obuhlala buxhashazwa abahlaseli. Isimo sibi nakakhulu kuma-ecosystem afaka ikhodi yefa. Ezimweni ezinjalo, asibhekene nje nenkinga yaphakade yokuthola amaphutha angasebenziseka kalula, kodwa futhi sikhawulwa yizinhlaka eziqinile zokubuyela emuva ezihambisanayo, ezivame ukudinga ukuthi silondoloze ikhodi enomkhawulo, noma okubi nakakhulu, esengozini noma enamaphutha.
Kulapho kutholakala khona izindlela zokuvikela noma zokuqinisa izinhlelo. Asikwazi ukuvimbela ezinye izinhlobo zamaphutha, kodwa singenza ukuphila komhlaseli kube nzima kakhulu futhi sixazulule inkinga kancane ngokuvimbela noma ukuvimbela ukuxhashazwa lamaphutha. Ukuvikela okunjalo kusetshenziswa kuzo zonke izinhlelo zokusebenza zesimanje, kodwa izindlela zihluka kakhulu ngobunkimbinkimbi, ukusebenza kahle kanye nokusebenza: kusuka kuma-stack canaries kanye
I-CVE nokuphepha
Sonke sibone izindatshana ezinezihloko ezifana nokuthi "Izinhlelo zokusebenza Ezisengozini Kakhulu Zonyaka" noma "Izinhlelo Zokusebenza Ezisengcupheni Kakhulu." Ngokuvamile bahlinzeka ngezibalo ngenani eliphelele lamarekhodi amayelana nokuba sengozini njengokungathi
Njengesibonelo, cabangela ingqikithi yenani lama-CVE eminyakeni emine edlule ye-Linux kernel kanye nokusatshalaliswa kwamaseva okuyisihlanu adume kakhulu, okungukuthi, Ubuntu, Debian, Red Hat Enterprise Linux kanye ne-OpenSUSE.
U-fig. 1
Lisitshelani leli grafu? Ingabe inani eliphezulu lama-CVE lisho ukuthi ukusatshalaliswa okukodwa kusengozini kakhulu kunomunye? Akunampendulo. Isibonelo, kulesi sihloko uzobona ukuthi i-Debian inezindlela zokuphepha ezinamandla uma ziqhathaniswa, yithi, i-OpenSUSE noma i-RedHat Linux, kanti i-Debian inama-CVE amaningi. Kodwa-ke, azisho ngempela ukuphepha okubuthakathaka: ngisho nokuba khona kwe-CVE akubonisi ukuthi ubungozi bukhona yini. xhashazwa. Amaphuzu okuqina anikeza inkomba yokuthi kanjani mhlawumbe ukuxhashazwa kokuba sengozini, kodwa ekugcineni ukuxhashazwa kuncike kakhulu ekuvikelweni okukhona kumasistimu athintekile kanye nezinsiza namandla abahlaseli. Ngaphezu kwalokho, ukungabikho kwemibiko ye-CVE akusho lutho ngabanye okungabhalisiwe noma okungaziwa ubuthakathaka. Umehluko ku-CVE ungase ubangelwe ezinye izici ngaphandle kwekhwalithi yesofthiwe, okuhlanganisa izinsiza ezabelwe ukuhlola noma usayizi wesisekelo somsebenzisi. Esibonelweni sethu, inombolo ephezulu ye-Debian yama-CVE ingavele ikhombise ukuthi i-Debian ithumela amaphakheji esoftware amaningi.
Impela, uhlelo lwe-CVE luhlinzeka ngolwazi oluwusizo olukuvumela ukuthi udale ukuvikela okufanele. Uma siziqonda kangcono izizathu zokwehluleka kohlelo, kuba lula ukuhlonza izindlela ezingase zisetshenziswe ukuxhashazwa futhi sithuthukise izindlela ezifanele. ukutholwa kanye nempendulo. Emfanekisweni. 2 ibonisa izigaba zobungozi kukho konke ukusatshalaliswa eminyakeni emine edlule (
U-fig. 2
Imisebenzi
Kulesi sihloko sihlose ukuphendula imibuzo elandelayo:
- Kuyini ukuphepha kokusatshalaliswa kweLinux okuhlukile? Yiziphi izindlela zokuvikela ezikhona ku-kernel kanye nezicelo zesikhala somsebenzisi?
- Ukwamukelwa kwezindlela zokuphepha kushintshe kanjani ngokuhamba kwesikhathi kukho konke ukusatshalaliswa?
- Imaphi ama-avareji okuncika kwamaphakheji nemitapo yolwazi ngokusabalalisa ngakunye?
- Yiziphi izivikelo ezisetshenziswayo ku-binary ngayinye?
Ukukhethwa kokusabalalisa
Kuvela ukuthi kunzima ukuthola izibalo ezinembile ekufakweni kokusabalalisa, njengoba ezimweni eziningi inani lokulandwayo alibonisi inani lokufakwa kwangempela. Kodwa-ke, izinhlobonhlobo ze-Unix zakha iningi lezinhlelo zeseva (kumaseva ewebhu 69,2%, ngo
Ukusabalalisa/inguqulo
Isibindi
Yakha
I-OpenSUSE 12.4
4.12.14-95.3-okuzenzakalelayo
#1 SMP Wed Dec 5 06:00:48 UTC 2018 (63a8d29)
I-Debian 9 (yelula)
4.9.0-8-amd64
#1 SMP Debian 4.9.130-2 (2018-10-27)
I-CentOS 6.10
2.6.32-754.10.1.el6.x86_64
#1 SMP Tue Jan 15 17:07:28 UTC 2019
I-CentOS 7
3.10.0-957.5.1.el7.x86_64
#1 SMP NgoLwesihlanu Februwari 1 14:54:57 UTC 2019
I-Red Hat Enterprise Linux Server 6.10 (Santiago)
2.6.32-754.9.1.el6.x86_64
#1 SMP NgoLwesithathu Nov 21 15:08:21 EST 2018
I-Red Hat Enterprise Linux Server 7.6 (Maipo)
3.10.0-957.1.3.el7.x86_64
#1 SMP NgoLwesine Nov 15 17:36:42 UTC 2018
Ubuntu 14.04 (Trusty Tahr)
4.4.0β140-okuvamile
#166~14.04.1-Ubuntu SMP Sat Nov 17 01:52:43 UTC 20β¦
Ubuntu 16.04 (Xenial Xerus)
4.15.0β1026-gcp
#27~16.04.1-Ubuntu SMP Fri Dec 7 09:59:47 UTC 2018
Ubuntu 18.04 (Bionic Beaver)
4.15.0β1026-gcp
#27-Ubuntu SMP Thu Dec 6 18:27:01 UTC 2018
Ithebula 1
ΠΠ½Π°Π»ΠΈΠ·
Ake sifunde ukucushwa kwe-kernel okuzenzakalelayo, kanye nezakhiwo zamaphakheji ezitholakala ngomphathi wephakheji wokusabalalisa ngakunye ngaphandle kwebhokisi. Ngakho-ke, sicabangela kuphela amaphakheji avela ezibukweni ezizenzakalelayo zokusabalalisa ngakunye, ukuziba amaphakheji asuka kumakhosombe angazinzile (njengezibuko 'zokuhlola' ze-Debian) kanye namaphakheji ezinkampani zangaphandle (njengamaphakheji e-Nvidia asuka ezibukweni ezijwayelekile). Ukwengeza, asicabangi ukuhlanganiswa kwe-kernel yangokwezifiso noma ukucushwa okuqiniswe kwezokuphepha.
I-Kernel Configuration Analysis
Sisebenzise iskripthi sokuhlaziya esisekelwe kukho
Ngokuvamile, ama-kernels amasha anezilungiselelo eziqinile ngaphandle kwebhokisi. Isibonelo, i-CentOS 6.10 kanye ne-RHEL 6.10 ku-2.6.32 kernel ayinazo izici ezibucayi ezisetshenziswe kuma-kernel amasha njenge
Elinye iphuzu okufanele licatshangelwe lapho utolika imiphumela: okunye ukulungiselelwa kwe-kernel okwandisa indawo yokuhlasela nakho kungasetshenziselwa ukuphepha. Izibonelo ezinjalo zifaka phakathi ama-uprobes nama-kprobes, amamojula we-kernel, ne-BPF/eBPF. Isincomo sethu ukusebenzisa lezi zindlela ezingenhla ukuze zinikeze isivikelo sangempela, njengoba zingeyona into encane ukuthi zisetshenziswe futhi ukuxhashazwa kwazo kuthatha ukuthi abadlali abanonya sebevele sebesungule isisekelo ohlelweni. Kodwa uma lezi zinketho zinikwe amandla, umlawuli wesistimu kufanele aqaphe ngokuqhubekayo ukuhlukumeza.
Uma sibheka okufakiwe kuThebula 2, sibona ukuthi izinhlamvu zamanje zinikeza izinketho ezimbalwa zokuvikela ekuxhashazweni kobungozi njengokuvuza kolwazi kanye nokuchichima kwesitaki/yinqwaba. Kodwa-ke, siyaqaphela ukuthi nokusatshalaliswa kwakamuva okudumile akukakasebenzisi ukuvikeleka okuyinkimbinkimbi (isibonelo, ngamapeshi
Ukuhlaziywa Kwesicelo
Akumangazi ukuthi ukusabalalisa okuhlukile kunezici zephakheji ezihlukile, izinketho zokuhlanganisa, ukuncika komtapo wolwazi, njll. Umehluko ukhona ngisho
Ukusatshalaliswa
Sekukonke, silande amaphakheji angu-361 kukho konke ukusatshalaliswa, sikhipha amaphakheji kuphela ezibukweni ezizenzakalelayo. Sizibe amaphakheji angenayo i-ELF esebenzisekayo, njengemithombo, amafonti, njll. Ngemva kokuhlunga, amaphakheji angu-556 asele, aqukethe inani elingamabhinari angu-129. Ukusatshalaliswa kwamaphakheji namafayela kuwo wonke ukusabalalisa kuboniswa ku-Fig. 569.
U-fig. 3
Ungase uqaphele ukuthi lapho ukusatshalaliswa kwesimanjemanje, kulapho kuqukethe amaphakheji kanye namabhanari amaningi, okunengqondo. Kodwa-ke, amaphakheji e-Ubuntu kanye ne-Debian afaka phakathi amabhanari amaningi (kokubili okusebenzisekayo namamojula ashukumisayo nemitapo yolwazi) kune-CentOS, SUSE kanye ne-RHEL, okungenzeka kube nomthelela endaweni yokuhlasela ye-Ubuntu ne-Debian (kufanele kuqashelwe ukuthi izinombolo zibonisa zonke izinguqulo zazo zonke izinguqulo. iphakheji, okungukuthi, amanye amafayela ahlaziywa izikhathi ezimbalwa). Lokhu kubaluleke kakhulu uma ucabangela ukuncika phakathi kwamaphakheji. Ngakho-ke, ukuba sengozini kuphakeji eyodwa kanambambili kungathinta izingxenye eziningi ze-ecosystem, njengoba nje umtapo wezincwadi osengozini ungathinta zonke izinhlobo ezimbili eziwungenisayo. Njengesiqalo, ake sibheke ukusatshalaliswa kwenani lokuncika phakathi kwamaphakheji kumasistimu wokusebenza ahlukene:
Cishe kukho konke ukusatshalaliswa, ama-60% amaphakheji anokuncika okungenani okungu-10. Ngaphezu kwalokho, amanye amaphakheji anenani elikhulu kakhulu lokuncika (ngaphezu kuka-100). Kuyafana nokuhlehlisa ukuncika kwephakheji: njengoba kulindelekile, amaphakheji ambalwa asetshenziswa amanye amaphakheji amaningi ekusabalaliseni, ngakho ubungozi kulawo ambalwa akhethiwe buyingozi enkulu. Njengesibonelo, ithebula elilandelayo libala amaphakheji angu-20 anenani eliphezulu lokuncika okubuyela emuva ku-SLES, Centos 7, Debian 9 kanye no-Ubuntu 18.04 (iseli ngalinye libonisa iphakheji kanye nenani lokuncika kokuhlehla).
Ithebula 3
Iqiniso elithakazelisayo. Yize wonke ama-OS ahlaziywayo akhelwe ukwakheka kwe-x86_64, futhi amaphakheji amaningi anezakhiwo ezichazwe njenge-x86_64 kanye ne-x86, amaphakheji ngokuvamile aqukatha okumbambili kwezinye izakhiwo, njengoba kuboniswe kuMfanekiso 5. XNUMX.
U-fig. 5
Esigabeni esilandelayo, sizocubungula izici zabombambili abahlaziyiwe.
Izibalo zokuvikela ifayela kanambambili
Okungenani, udinga ukuhlola isethi eyisisekelo yezinketho zokuvikeleka zamabhanari akho akhona. Ukusabalalisa okuningana kwe-Linux kuza nemibhalo eyenza ukuhlola okunjalo. Isibonelo, i-Debian/Ubuntu ineskripthi esinjalo. Nasi isibonelo somsebenzi wakhe:
$ hardening-check $(which docker)
/usr/bin/docker:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
Umbhalo uhlola okuhlanu
- I-Position Independent Executable (PIE): Ibonisa ukuthi ingabe ingxenye yombhalo yohlelo ingahanjiswa ngenkumbulo ukuze kuzuzwe okungahleliwe uma i-ASLR inikwe amandla ku-kernel.
- Isitaki Sivikelwe: Ukuthi ama-canaries estaki anikwe amandla ukuze avikeleke ekuhlaselweni kokungqubuzana kwesitaki.
- Umthombo Wokuqinisa: noma ngabe imisebenzi engaphephile (isibonelo, i-strcpy) ithathelwa indawo ozakwabo abavikeleke kakhulu, futhi amakholi abhekwa ngesikhathi sokusebenza athathelwa indawo ozakwabo abangahloliwe (ngokwesibonelo, i-memcpy esikhundleni se-__memcpy_chk).
- Ukususwa kokufunda kuphela (i-RELRO): Ukuthi ukufakwa kwethebula lokuthuthela kwenye indawo kumakwa njengokufundiwe kuphela uma kwenziwa ngaphambi kokuthi kuqale ukusebenza.
- Ukubophezela ngokushesha: Ukuthi isixhumanisi sesikhathi sokusebenza siyakuvumela yini konke ukunyakaza ngaphambi kokuthi kuqale ukusebenza kohlelo (lokhu kulingana ne-RELRO egcwele).
Ingabe lezi zindlela ezingenhla zanele? Ngeshwa cha. Kunezindlela ezaziwayo zokudlula zonke lezi zindlela zokuzivikela ezingenhla, kodwa uma ukuzivikela kuqina, iba nkulu ibha yomhlaseli. Ngokwesibonelo,
Besifuna ukufunda ukuthi mangaki amafayela kanambambili ekusabalazweni okukhulunywa ngakho avikelwe yilezi nezinye izindlela ezintathu:
- Ingxenye engasebenziseki (
NX ) ivimbela ukusetshenziswa kunoma yisiphi isifunda okungafanele sisebenziseke, njengenqwaba yesitaki, njll. I-RPATH/I-RUNPATH ichaza indlela yokwenza esetshenziswa isilayishi esiguqukayo ukuze kutholwe amalabhulali afanayo. Esokuqala sithi impoqo yanoma iyiphi isistimu yesimanje: ukungabi khona kwayo kuvumela abahlaseli ukuthi babhale ngokunganaki ukulayishwa kweholo kumemori futhi bakwenze njengoba injalo. Okwesibili, ukucushwa kwendlela yokwenza okungalungile kusiza ekwethuleni ikhodi engathembekile engaholela enanini lezinkinga (isb.ukukhuphuka kwelungelo Futhiezinye izinkinga ).- Ukuvikela ukushayisana kwesitaki kunikeza ukuvikeleka ekuhlaselweni okudala ukuthi isitaki sidlulelane kwezinye izindawo zememori (njengenqwaba). Njengoba kunikezwe ukuxhashazwa kwakamuva
ubungozi bokushayisana kwenqwaba ye-systemd , sibone kufaneleka ukufaka le nqubo kudathasethi yethu.
Ngakho-ke, ngaphandle kokuchitha isikhathi, ake sehlele ezinambeni. Ithebula 4 no-5 liqukethe isifinyezo sokuhlaziywa kwamafayela asebenzisekayo nemitapo yolwazi yokusabalalisa okuhlukahlukene, ngokulandelanayo.
- Njengoba ubona, ukuvikelwa kwe-NX kusetshenziswa yonke indawo, ngaphandle kokungavamile. Ikakhulukazi, umuntu angabona ukusetshenziswa kwayo okuphansi kancane ekusatshalalisweni kwe-Ubuntu ne-Debian uma kuqhathaniswa ne-CentOS, i-RHEL ne-OpenSUSE.
- Izitaki ze-canaries azikho ezindaweni eziningi, ikakhulukazi ekusabalaliseni okunezinhlamvu ezindala. Enye inqubekelaphambili ibonakala ekusatshalalisweni kwakamuva kwe-Centos, i-RHEL, i-Debian kanye ne-Ubuntu.
- Ngaphandle kwe-Debian ne-Ubuntu 18.04, ukusabalalisa okuningi kunokusekelwa okungekuhle kwe-PIE.
- Ukuvikela ukushayisana kwesitaki akunamandla ku-OpenSUSE, Centos 7 naku-RHEL 7, futhi akukho nhlobo kwezinye.
- Konke ukusatshalaliswa okunama-kernels esimanje kunokwesekwa okuthile kwe-RELRO, Ubuntu 18.04 buhamba phambili bese i-Debian ingena isibili.
Njengoba sekushiwo, amamethrikhi kuleli thebula ayisilinganiso sazo zonke izinguqulo zefayela kanambambili. Uma ubheka kuphela izinguqulo zakamuva zamafayela, izinombolo zizohluka (isibonelo, bona
Ithebula 4. Izici zokuphepha zamafayela asebenzisekayo aboniswe ku-Fig. 3 (ukwenziwa kwemisebenzi efanele njengephesenti yenani lengqikithi yamafayela asebenzisekayo)
Ithebula 5. Izici zokuphepha zemitapo yolwazi eboniswe ku-Fig. 3 (ukwenziwa kwemisebenzi efanele njengephesenti yenani lesamba semitapo yolwazi)
Ngakho ingabe ikhona intuthuko? Kukhona ngempela: lokhu kungabonakala kwizibalo zokusabalalisa ngakunye (isibonelo,
Ngeshwa, inani lamafayela asebenzisekayo ekusabalaliseni okuhlukene alikabi nakho ukuvikela okungenhla. Isibonelo, uma ubheka ku-Ubuntu 18.04, uzoqaphela i-ngetty kanambambili (i-getty replacement), kanye namagobolondo e-mksh ne-lksh, umhumushi we-picolisp, amaphakheji we-nvidia-cuda-toolkit (iphakheji elidumile lezinhlelo zokusebenza ezisheshiswa yi-GPU. njengezinhlaka zokufunda zomshini), kanye nama-klibc -utils. Ngokufanayo, kanambambili ye-mandos-client (ithuluzi lokuphatha elikuvumela ukuthi uqalise kabusha ngokuzenzakalelayo imishini enezinhlelo zefayela ezibethelwe) kanye ne-rsh-redone-client (ukwenziwa kabusha kwe-rsh ne-rlogin) ngaphandle kokuvikelwa kwe-NX, nakuba inamalungelo e-SUID : (. Futhi, okumbambambili okuningana kwe-suid akunaso isivikelo esiyisisekelo njengama-canaries estaki (isibonelo, kanambambili ye-Xorg.wrap kusukela kuphakheji ye-Xorg).
Isifinyezo kanye namazwi okuphetha
Kulesi sihloko, sigqamise izici ezimbalwa zokuphepha zokusatshalaliswa kweLinux yesimanje. Ukuhlaziywa kubonise ukuthi ukusatshalaliswa kwakamuva kwe-Ubuntu LTS (18.04) kusebenzisa, ngokwesilinganiso, i-OS enamandla kakhulu nokuvikelwa kwezinga lohlelo lokusebenza phakathi kokusabalalisa okunezinhlamvu ezintsha, ezifana no-Ubuntu 14.04, 12.04 kanye ne-Debian 9. Nokho, ukusatshalaliswa okuhloliwe i-CentOS, RHEL kanye I-OpenSUSE kusethi yethu ngokuzenzakalelayo ikhiqiza isethi yamaphakheji aminyene, futhi ezinguqulweni zakamuva (i-CentOS ne-RHEL) banamaphesenti aphezulu okuvikela ukushayisana kwezitaki uma kuqhathaniswa nezimbangi ezisekelwe ku-Debian (Debian kanye no-Ubuntu). Uma siqhathanisa izinguqulo ze-CentOS ne-RedHat, sibona intuthuko enkulu ekusetshenzisweni kwezitaki ze-stack canaries kanye ne-RELRO kusukela ezinguqulweni zesi-6 kuye kwezingu-7, kodwa ngokwesilinganiso i-CentOS inezici eziningi ezifakiwe kune-RHEL. Ngokuvamile, konke ukusabalalisa kufanele kunake ngokukhethekile ukuvikelwa kwe-PIE, okuthi, ngaphandle kwe-Debian 9 kanye ne-Ubuntu 18.04, isetshenziswe ngaphansi kuka-10% wamabhanari kudathasethi yethu.
Okokugcina, kufanele kuqashelwe ukuthi nakuba senze ucwaningo mathupha, maningi amathuluzi okuvikela atholakalayo (isb.
Source: www.habr.com