LFD441 Security and the Linux Kernel

Seminarinformationen

Seminar - Ziel

In diesem 4-tägigen Seminar „Security and the Linux Kernel (LFD441)“ stehen die sicherheitsrelevanten Grundlagen des Linux-Kernels im Mittelpunkt. Sie beschäftigen sich mit Aspekten wie Speicher-, Prozess- und Dateisystemsicherheit sowie dem Schutz von Systemaufrufen. Dabei lernen Sie zentrale Sicherheitsmechanismen des Linux-Kernels kennen, darunter Mandatory Access Control (MAC), Linux Security Modules (LSM) und Secure Boot.

Im Verlauf des Seminars sammeln Sie praktische Erfahrungen in der Absicherung sowohl des Userspace als auch des Kernels durch den gezielten Einsatz verschiedener Sicherheitsfunktionen. So entwickeln Sie ein fundiertes Verständnis dafür, wie Sicherheit auf Kernel-Ebene in modernen Linux-Systemen umgesetzt wird.

Teilnehmer - Zielgruppe

• Systems Programmers
• Userspace Developers
• Kernel Engineers

Kurs - Voraussetzungen

Für eine optimale Teilnahme am Kurs empfehlen wir folgende Vorkenntnisse:

• Gute Kenntnisse der Programmiersprache C
• Vertrautheit mit grundlegenden Linux-/UNIX-Werkzeugen wie ls, grep und tar
• Sicherer Umgang mit einem Texteditor wie vi, vim, emacs oder vergleichbaren Editoren
• Erfahrung mit einer gängigen Linux-Distribution ist hilfreich, aber nicht zwingend erforderlich
• Kenntnisse auf dem Niveau des Kurses LFD420: Linux Kernel Internals and Development

Seminardauer

• 4 Tage
• 09:00 Uhr bis 17:00 Uhr

Schulungsunterlagen

• nach Absprache

Seminar-Inhalt / Agenda

Einführung

• Objectives
• Who You Are
• The Linux Foundation{
• Copyright and No Confidential Information
• The Linux Foundation{ Training
• Certification Programs and Digital Badging
• Linux Distributions
• Platforms
• Things Change in Linux and Open Source Projects

Grundlagen

• Kernel Versions
• Kernel Sources and Use of git

Lab-Umgebung

• Virtual Machine
• Why proxmox {?
• Our Lab Environment
• Labs

Arbeiten in OSS-Projekten

• Overview on How to Contribute Properly
• Know Where the Code is Coming From: DCO and CLA
• Stay Close to Mainline for Security and Quality
• Study and Understand the Project DNA
• Figure Out What Itch You Want to Scratch
• Identify Maintainers and Their Work Flows and Methods
• Get Early Input and Work in the Open
• Contribute Incremental Bits, Not Large Code Dumps
• Leave Your Ego at the Door: Don't Be Thin-Skinned
• Be Patient, Develop Long Term Relationships, Be Helpful

Angriffsflächen reduzieren

• Why Security?
• Types of Security
• Vulnerabilities
• Layers of Protection
• Software Exploits
• Labs

Kernel-Funktionen

• Components of the Kernel
• User-Space vs. Kernel-Space
• What are System Calls?
• Available System Calls
• Scheduling Algorithms and Task Structures
• Process Context
• Labs

Veraltete Kernel-Schnittstellen

• Why Deprecated
• __deprecated
• BUG() and BUG_ON()
• Computed Sizes for kmalloc()
• simple_strtol() Family of Routines
• strcpy(), strncpy(), strlcpy()
• printk() %p Format Specifier
• Variable Length Arrays
• Switch Case Fall-Through
• Zero-Length and One-Element Arrays in Structs

Address Space Layout Randomization (ASLR)

• Why ASLR?
• How to Use ASLR
• Disabling ASLR for Specific Programs
• Kernel Configuration
• Kernel Address Space Layout Randomization (KASLR)
• How KASLR Works
• Enabling KASLR
• Labs

Kernel Structur-Randomization

• Benefits
• How Structure Randomization Works
• Structure Initialization
• Opt-in vs Opt-out
• Partial Randomization
• Enabling Structure Randomization
• Building Out-of-tree Modules with Structure Randomization

Einführung in Linux Kernel Security

• Linux Kernel Security Basics
• Discretionary Access Control (DAC)
• POSIX ACLs
• POSIX Capabilities
• Namespaces
• Linux Security Modules (LSM)
• Netfilter
• Cryptographic Methods
• The Kernel Self Protection Project

CGroups

• Introduction to CGroups
• Overview
• Components of CGroup
• cgroup initialization
• cgroup Activation
• cgroups Parameters
• Testing cgroups
• systemd and cgroups
• Labs

eBPF

• BPF
• eBPF
• Installation
• bcc Tools
• bpftrace
• Labs

Seccomp

• What is seccomp
• The seccomp Interface
• seccomp Strict Mode
• seccomp Filter Mode
• Labs

Secure Boot

• Why Secure Boot?
• Secure Boot x86
• Embedded Systems Secure Boot
• Labs

Module Signing

• What is Module Signing?
• Basics of Signatures
• Module Signing Keys
• Enabling Module Signature Verification
• How It Works
• Signing Modules
• Labs

Integrity Measurement Architecture (IMA)

• Why IMA?
• Conceptual Operations
• Modes of Operation
• Collect Mode textit {(Collect and Store)
• Logging Mode textit {(Appraise and Audit)
• Enforcing Mode textit {(Appraise and Protect)
• Extended Verification Module (EVM)
• Labs

DM-Verity

• What is dm-verity?
• How dm-verity Works
• Enabling dm-verity
• Setting up dm-verity
• Using dm-verity
• Signing with dm-verity
• Booting with dm-verity
• Labs

Verschlüsselte Speicherung

• Why Encrypted Storage?
• Data Encryption Solutions
• Survey of Storage Encryption Options
• Block Encryption
• Block Encryption Use
• Filesystem Encryption
• Filesystem Encryption Use
• Layered Filesystem Encryption
• Layered Filesystem Encryption Use
• Labs

Linux Security Modules (LSM)

• What are Linux Security Modules?
• LSM Basics
• LSM Choices
• How LSM Works
• An LSM Example: Yama
• Labs

SELinux

• SELinux
• SELinux Overview
• SELinux Modes
• SELinux Policies
• Context Utilities
• SELinux and Standard Command Line Tools
• SELinux Context Inheritance and Preservation**
• restorecon**
• semanage fcontext**
• Using SELinux Booleans**
• getsebool and setsebool**
• Troubleshooting Tools
• Labs

AppArmor

• What is AppArmor?
• Checking Status
• Modes and Profiles
• Profiles
• Utilities

Yama (LSM)

• Why Yama?
• Configuring Yama
• How Yama Works
• Labs

LoadPin (LSM)

• Why LoadPin?
• Enabling LoadPin
• Using LoadPin
• How LoadPin Works

Lockdown

• Why Lockdown?
• Lockdown Modes
• What Things are Locked Down?
• How It Works
• A Few Notes
• Labs

Safesetid

• Why Safesetid?
• Configuring Safesetid
• How Safesetid Works
• Labs

Netfilter

• What is netfilter?
• Netfilter Hooks
• Netfilter Implementation
• Hooking into Netfilter
• Iptables
• nftables
• Labs

Netlink Sockets**

• What are netlink Sockets?
• Opening a netlink Socket
• netlink Messages
• Labs

Abschluss und Evaluationsumfrage

• Evaluation Survey

Kernel Architektur I

• UNIX and Linux **
• Monolithic and Micro Kernels
• Object-Oriented Methods
• Main Kernel Components
• User-Space and Kernel-Space

Kernel-Programmierung (Preview)

• Task Structure
• Memory Allocation
• Transferring Data between User and Kernel Spaces
• Object-Oriented Inheritance - Sort Of
• Linked Lists
• Jiffies
• Labs

Kernel-Module

• What are Modules?
• A Trivial Example
• Compiling Modules
• Modules vs Built-in
• Module Utilities
• Automatic Module Loading
• Module Usage Count
• Module Licensing
• Exporting Symbols
• Resolving Symbols **
• Labs

Kernel-Architektur II

• Processes, Threads, and Tasks
• Kernel Preemption
• Real Time Preemption Patch
• Labs

Kernel-Konfiguration und Kompilierung

• Installation and Layout of the Kernel Source
• Kernel Browsers
• Kernel Configuration Files
• Kernel Building and Makefiles
• initrd and initramfs
• Labs

Kernel-Stil und allgemeine Aspekte

• Coding Style
• Using Generic Kernel Routines and Methods
• Making a Kernel Patch
• sparse
• Using likely() and unlikely()
• Writing Portable Code, CPU, 32/64-bit, Endianness
• Writing for SMP
• Writing for High Memory Systems
• Power Management
• Keeping Security in Mind
• Labs

Race Conditions und Synchronisation

• Concurrency and Synchronization Methods
• Atomic Operations
• Bit Operations
• Spinlocks
• Seqlocks
• Disabling Preemption
• Mutexes
• Semaphores
• Completion Functions
• Read-Copy-Update (RCU)
• Reference Counts
• Labs

Speicheradressierung

• Virtual Memory Management
• Systems With and Without MMU and the TLB
• Memory Addresses
• High and Low Memory
• Memory Zones
• Special Device Nodes
• NUMA
• Paging
• Page Tables
• page structure
• Labs

Speicherverwaltung

• Requesting and Releasing Pages
• Buddy System
• Slabs and Cache Allocations
• Memory Pools
• kmalloc()
• vmalloc()
• Early Allocations and bootmem()
• Memory Defragmentation
• Labs

Weitere Schulungen zu Thema Linux Foundation