The invention relates to the general field of securing computer programs.
The invention more particularly aims a method for orchestrating the computer security of a computer equipment infrastructure using mitigation policies.
It is recalled that when software has a vulnerability, the mitigation does not aim to correct this software which continues to execute normally, but to block the effects of the vulnerability. For example, if software has a security flaw when it sends a particular packet via a packet sending function, mitigation of this vulnerability can consist in blocking the process of sending this particular packet. The mitigation does not remove the vulnerability but it makes it unexploitable.
In the field of computer security, security flaws are listed in a public list accessible at the address https://cve.mitre.org/, each vulnerability referenced in the list being identified by a unique CVE (Common Vulnerabilities and Exposures) identifier.
Thousands of CVE identifiers are issued each year, and complex software can accumulate hundreds of CVEs.
The management of CVEs to maintain the security of a fleet of computer equipment can therefore be excessively complex.
The invention aims to facilitate the management of the security of a fleet of computers by detecting the processes of these computers undergoing an attempted computer attack. Consequently, the invention makes it possible to strengthen the security of a fleet of computers.
To this end, and according to a first aspect, the invention relates to a method for detecting an attempted computer attack implemented by a computer, said attack exploiting a vulnerability of a function to be protected executing in a process of a user space of said computer, a launching of the execution of the function to be protected resulting in the execution, before said attack, of a function of the kernel, said method including steps of:
Correlatively, the invention proposes a module for detecting an attempted computer attack in a computer, said attack exploiting a vulnerability of a function to be protected executing in a process of a user space of said computer, a launching of the execution of said function to be protected resulting in the execution, before said attack, of a kernel function, said module including:
Thus, the method makes it possible to identify the processes on which computer attacks take place, a computer attack designating one or several instructions making it possible to circumvent one or several security rules in the execution of a computer process.
A flaw in a process is called vulnerability, this flaw making it possible, if exploited, to override security rules of the computer system on which this process is executed. For example, the CVE-2021-44228 vulnerability called “Log4Shell” is present in the logging software component Log4J. The component Log4J is used by many applications using the Java language. This vulnerability allows a remote attacker in the most severe cases to execute an arbitrary code by the target machine.
It is recalled that a namespace isolates, in an abstraction, the instance of a system resource for the processes associated with this namespace. Changes to the system resource are visible to the other processes associated with the namespace, but are invisible to the other processes. The namespaces are in particular used to implement containers. It will be subsequently written that a system resource in a namespace is declared by this namespace.
A container is an execution environment on which processes execute, a container being associated with a set of namespaces making it possible to isolate the execution of these processes from the rest of the processes of the system.
In one embodiment, the data representative of a process and comprised in the message is a data representative of the namespace associated with the process. The detection process then makes it possible to identify the namespaces, for example of the containers, undergoing a computer attack.
It should be specified that the containers constitute only one non-limiting example in one particular embodiment of the method as described above.
The method makes it possible to send messages identifying the namespaces of the attacked processes to a security management server.
The security management server can in particular receive such messages from other computers which implement this same detection method.
Also, in embodiments of the method, the messages sent to a security management server comprise the identifiers of the vulnerabilities exploited by the attacks.
The method presented proposes to use a mitigation policy executed in the computer kernel. Advantageously, it is not necessary to restart the kernel for the mitigation policy to be effective.
According to the method, the program of the mitigation policy loaded into the kernel is an executable program. It is not a simple signature or a simple set of rules.
The execution of the mitigation policy at the kernel level is triggered directly or indirectly by the launching of the execution, in the user space, of the function to be protected.
For example, the execution of the mitigation policy is triggered directly by the function to be protected, in other words by the function to be protected itself.
In another example, the execution of the mitigation policy is triggered indirectly by the function to be protected, in other words by another function of the user space whose execution is triggered by the launching of the execution of the function to be protected.
In one embodiment, the execution of the mitigation policy makes it possible to both detect an attack using this function, and block this attack.
Subsequently, it will be written that the process is attacked, or that the container (or more generally the namespace) in which this process executes is attacked, if an attack is triggered directly or indirectly by the execution of this function.
The method described advantageously makes it possible to report the information on attacked processes to a security management server. This information can for example identify the containers, or more generally the namespaces, in which these processes are executed. The security management server can be controlled by a central administrator.
This method can advantageously be applied to a plurality of computers in a computer fleet, which makes it possible to report to the security management server the information on the attacks undergone by each of the computers in the computer fleet.
In this case, the central administrator has a role of orchestration of the security on the fleet of computers.
The invention also allows the central administrator to avoid the need to manually consult each administrator of each computer so that each of them, for example, manually and locally verifies whether a given vulnerability affects the software of their machine.
According to one particular mode of implementation of the detection method, said mitigation policy is loaded into a namespace dedicated to security and associated with the root process of said computer.
A computer implementing the detection method comprises a root process associated with namespaces inherited by the namespaces of the computer containers. If a mitigation policy is declared in the namespace associated with the root process and dedicated to security, then the namespaces associated with each container and dedicated to security inherit from this mitigation policy. In other words, a process executing in a container will be protected by the mitigation policy declared in the namespace associated with the root process.
This embodiment advantageously makes it possible to automatically monitor all the containers of the computer because each container inherits from the mitigation policies of the namespace associated with the root process of the computer.
Thus, for any container (or more generally for any namespace dedicated to security) of the computer, if a process of this container calls the function to be protected, the mitigation policy is executed and makes it possible to detect whether an attack is in progress in this container.
According to one particular mode of implementation of the invention, the detection method includes steps of:
This embodiment advantageously allows a central administrator controlling the security management server to orchestrate the installation of mitigation policies in a fleet of computers.
The mitigation policies can therefore be managed centrally, without requiring the contribution of the administrators of at least some computers of the fleet, which makes it possible to avoid the manual installation of the mitigation policy on at least some, for example on all the machines of the fleet.
According to one particular mode of implementation of the detection method, said installation method includes substeps of:
Advantageously, the detection method proposes to download the program of the appropriate mitigation policy when a vulnerability affecting software executing on the computer equipment has been identified, and to automatically install this program in the kernel of the equipment to mitigate this vulnerability.
As a variant, it can be chosen to systematically install a mitigation policy on all computers. The coupling with a vulnerability scanner proposed here to install the policy only if this scanner detects that the software is potentially vulnerable (independently of its actual exploitability) is an option.
This embodiment thus proposes to install the mitigation policy if necessary from a security server.
This use of a security server makes it possible to advantageously save memory space on the kernel of the computer.
This embodiment also makes it possible to make available to the computer a database including a plurality of mitigation policies that can be installed if necessary, upon decision of the security management server.
According to one particular mode of implementation of the detection method, said step of sending said message to the security management server is implemented from the user space in response to the kernel sending a signal to the user space in order to notify the detection of the attack vector by the mitigation policy.
A signal is sent from the kernel to the user space. This sending is triggered by the execution of the mitigation policy. Particularly, the sending of the message can be coded in the mitigation policy itself. Part of the data to be sent can be coded in the mitigation policy and another part can be retrieved automatically from the kernel (for example the identifier of the namespace dedicated to security and/or the identifier of the current process).
This signal contains the information on the process, for example on the namespace associated with the process and possibly the container of this process, and can identify the attack.
The message sent to the security management server makes it possible to characterize the attacked process and/or its namespace and/or the container in which the process was executed. Particularly, this message can reuse the information contained in the signal transmitted to the user space by the kernel, and can in particular contain additional information to characterize more accurately the attacked container, for example: name of the container image, name of the main process, start time of the container.
Such complementary information can be useful in particular if a container is stopped and relaunched. In this case, a signal obtained by the kernel does not allow making the link between the stopped container and the relaunched container since the latter is associated with a namespace whose identifier has changed with the relaunching of the container. The name of the container image in particular allows making this link. The complementary information can also be useful to be able to apply security processing to all the processes executing a container image identical to that of the attacked process that triggered the execution of the mitigation policy and the sending of the signal.
According to one mode of implementation of the detection method, said at least one message includes at least one piece of information among:
This mode of implementation advantageously makes it possible to spatially and temporally locate an attack on a fleet of computers implementing the detection method.
The identifier of the computer is for example its IP (Internet Protocol) address.
The data representative of the container can for example be the identifier of the container namespace dedicated to security and comprising the mitigation policy.
According to a second aspect, the invention proposes an identification method implemented by a security management server to identify an attempted computer attack on at least one computer, said attack exploiting a vulnerability of a function to be protected executing in a user space of the computer. This method includes steps of:
Correlatively, the invention proposes an identification module that can be implemented in a security management server, said module being configured to identify an attempted computer attack on at least one computer, said attack exploiting a vulnerability of a function to be protected executing in a user space of the computer, said module including:
The invention proposes a method for identifying, from a server, all the processes attacked in a fleet of computers, and/or the namespaces or containers associated with these processes.
This identification of the attacked processes advantageously makes it possible to facilitate the orchestration of security on the fleet of computers by a central administrator controlling the security management server.
To this end, the invention proposes to pool the messages coming from the attacked computers by adding them to a list.
This list in particular allows the administrator to make decisions regarding the management of security in the fleet of computers. For example, the presence of some attacks on particular processes or containers may encourage installing additional security programs to improve the security of these processes or these containers.
According to one particular mode of implementation, the method includes a step of sending to at least one computer an identifier of said mitigation policy.
Thus, if the central administrator becomes aware of a new vulnerability endangering the fleet of computers, the invention advantageously allows him to order the installation of a mitigation policy on the entire fleet to protect the computers of this vulnerability.
This embodiment makes it possible to avoid urging the administrators of the different computers to manually install the mitigation policies in order to protect these computers.
According to one particular mode of implementation of the invention, the identification method includes a step of sending to said at least one computer, an identifier of a security server from which said mitigation policy is extracted.
In a case where the mitigation policies are distributed across several security servers, the invention allows each computer to identify the security server from which the desired mitigation policy is downloaded.
Each of the methods described above can be implemented by a computer program.
Consequently, the invention also relates to a computer program on a recording medium, this program being capable of being implemented in computer equipment or more generally in a computer. This program includes instructions allowing the implementation of a method as described above.
This program can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form or in any other desirable form.
The invention also relates to an information medium or a recording medium readable by a computer, and including instructions of a computer program as mentioned above.
The information or recording medium can be any entity or device capable of storing the programs. For example, the media can include a storage means such as a ROM for example a CD ROM or a microelectronic circuit ROM, or even a magnetic recording means for example a hard disk or a flash memory.
On the other hand, the information or recording medium can be a transmissible medium such as an electrical or optical signal, which can be conveyed via an electrical or optical cable, by radio link, by wireless optical link or by other means.
The program according to the invention can particularly be downloaded onto an Internet type network.
Alternatively, the information or recording medium can be an integrated circuit in which a program is incorporated, the circuit being adapted to execute or to be used in the execution of one of the methods as described above.
Other characteristics and advantages of the present invention will emerge from the description given below, with reference to the appended drawings which illustrate one exemplary embodiment without any limitation.
On the annexes:
In the example represented in
Such an example on a single computer is represented for the sake of simplicity but is in no way limiting the invention. Particularly, the detection and identification methods can be implemented on several computers.
It should be specified that in other embodiments of the invention, the detection and identification methods can be implemented independently of each other.
The steps, represented in
The steps of the identification method represented in
The steps of the identification method are carried out by a module MIDA of the security management server CNode while the steps of the detection method are carried out by a module MDETn of the user space of the computer EQn.
The module MIDA sends and receives signals or messages via communications means 13′ represented in
The module MDETn sends and receives signals or messages via communications means 13.
The signal sent to the computer during step E_E is for example of the form http://IPHost:port/add_policy?namespace=0&CVE_ID=CVEID where “IPHost: port” is the IP address of the computer EQn, where the argument “namespace=0” indicates that the mitigation policy is to be installed in a namespace of the root process of the computer EQn, and where the argument “CVE_ID=CVEID” indicates the identifier CVEID of the vulnerability CVE against which the containers of the computer EQn are protected.
It should be noted that the installation, in this example, of the mitigation policy PGk in a namespace of the root process corresponds to one particular mode of implementation of the invention and is not limiting. In particular, namespaces associated with other processes can be chosen to install the mitigation policy PGk. Thus, as indication, the signal sent by the security management server and received by the computer may include an argument indicating the namespace in which the mitigation policy PGk must be installed, for example a namespace of the root process or another namespace. Also as indication, the server can send to several computers signals indicating that the mitigation policy is to be installed in namespaces that may differ depending on the computers.
The advantage of choosing the namespace of the root process lies in the fact that the containers in which the other processes are executed inherit from the mitigation policy PGk installed in the namespace of the root process. Thus, in this case, the mitigation policy makes it possible to detect attempted attacks in all the containers of the computer EQn and to protect them.
Following receipt F_R of the signal from the security management server CNode, the module MDETn implements an installation step F_I of the mitigation policy PGk on the kernel KERn, in response to this signal. For example, if this signal contains the identifier of a vulnerability CVE, the module MDETn implements the installation of a mitigation policy making it possible to protect the computer EQn against this vulnerability.
One particular mode of implementation of the installation step F_I is represented in
In this embodiment, the launching of the execution of this vulnerable function fc1 indirectly leads to the execution of a kernel function oper_exec( ) which itself leads to the execution of the mitigation policy PGk. Particularly, the execution of the function to be protected fc1 leads to the execution of a function exec( ) in the user space USRn, which itself leads to the execution, in the kernel, of the function oper_exec( ).
In another embodiment, the execution of a function to be protected directly leads to the execution of a function in the kernel associated with a mitigation policy.
The triggering of the mitigation policy PGk by the execution of the kernel function oper_exec( ) is for example enabled by a trigger point (hook) well known to those skilled in the art. This mechanism makes it possible to link the mitigation policy PGk to the function oper_exec( ) in such a way that the mitigation policy PGk is executed before the attack, if it were to occur. Depending on the result of the execution of the mitigation policy, the vulnerable function is blocked or executed.
Such execution of the mitigation policy PGk in the kernel KERn is described in particular in document [1] which proposes a security method using a security policy, the mitigation policy taking the role of a security policy. Such a method is represented in
If the mitigation policy PGk detects an attack, a sending FE_1 of a signal to the user space USRn is performed. The instruction of this first sending FE_1 can be directly coded in the executable program of the mitigation policy.
This signal can for example take the form “Timestamp, IPHost, SecurityNamespaceID, CVEID, Msg”. Here, “Timestamp” corresponds to the millisecond when the mitigation policy was triggered in response to the attempt to exploit the vulnerability identified “CVEID”. “IPHost” corresponds to the IP address of the computer EQn. “SecurityNamespaceID” corresponds to the namespace dedicated to the security of container C1 on which the process p1 that triggered the policy was executed. “Msg” corresponds to an additional text message to describe the attack. An example of writing this signal could be: “1644824642, 192.168.1.152, 4026532216, CVE-2021-3156, Attempt to exploit CVE-XXXX-XXXX blocked”.
During step F_E2 of sending to the security management server Cnode, the module MDETn can optionally enrich the message described above with context information to more specifically characterize the attacked container (for example: name of the container image, name of the main process, start time of the container), to form the message Logi.
The message Log sent during step F_E2 is received by the security management server CNode during step E_R.
During step E_A, a signal representative of this message Logi is added to a list. This signal can for example be a copy of the message Logi, or a compressed version of this message.
The example of the vulnerability CVE-2021-3156 makes it possible to illustrate the execution of a mitigation policy. This vulnerability CVE affecting the sudo command is particularly critical given that sudo is used in so many environments. When a command is passed with sudo, the arguments of the command are first concatenated and the metacharacters are escaped with an antislash (for example, “\” becomes “\\”). When a special character, for example [, {, (, \ or {circumflex over ( )}, is read as a regular character and not as a special character, it can be preceded by an antislash \. This is called escaping a character.
Particularly, the escape described here is not performed when sudo is executed via the symbolic link sudoedit-s. Therefore, if an argument of the sudoedit command ends with a single antislash, the arguments not being escaped by sudo, the program will copy characters outside the limits of the buffer, which will cause a buffer overflow.
A mitigation policy attached to the kernel function oper_exec( ) triggered by the launching of the execution of a binary can mitigate the vulnerability CVE-2021-3156 by detecting and blocking any attempt to execute the sudoedit command with an argument ending with a single antislash.
One example of an executable code snippet in eBPF (Extended Berkeley Packet Filter) language of such a mitigation policy is presented in the Annex 1. In this code snippet, the first call to the function STRING_HELPER verifies whether the command executed is sudoedit. The second call verifies whether an argument ends with a single antislash. If the sudoedit command is executed with a single antislash, then the execution of the command is canceled (with the instruction “RET_DENIED”), otherwise, the command is executed (with the instruction “RET_ALLOWED”).
In this example, the function STRING_HELPER is a support function necessary for the execution of the mitigation policy. It can in particular be loaded onto the kernel KERn as described later.
The Annex 2 presents an executable code snippet in eBPF language of a mitigation policy indicating a sending of a message to the user space if the sudoedit command was launched with a single antislash. This message indicates the detection of this attack by the mitigation policy. This code snippet can in particular be added to a line preceding the instruction “return RET_DENIED” in the code snippet presented by the Annex 1.
The security management server CNode is equipped with a module MIDA implementing the identification method in accordance with one embodiment of the invention. It is also equipped with communication means 13′ with the computers and a module COM for communication with a user, for example an administrator of the set of computers.
Each computer EQ1 and EQ2 is equipped to implement the detection method in accordance with one embodiment of the invention. For the sake of clarity, the details of the computer EQ2 are not detailed in
The computer EQ1 includes a software system SYS1 and hardware components, including in particular: a processor 10, a random access memory 11 of the RAM type, a read only memory 12 of the ROM type, communication means 13 and a non-volatile rewritable memory, for example a hard disk 14.
The communication means 13 are configured to communicate with the security server SRVSEC and the security management server CNode.
The server SERVSEC and the other means used in this example to implement the step of installing F_I a mitigation policy are presented below.
This security server SERVSEC includes a database BD including a set of vulnerability identifiers CVE and in association with each of these vulnerability identifiers IDCVEi, the identifier IDFi of a description file of a program PGi configured to execute in the kernel of a computer and to implement a mitigation policy able to mitigate the identifier vulnerability IDCVEi. The description file identified by IDFi is represented in
The programs PGi can be downloaded by the equipment EQ1 from the security server SERVSEC. For the sake of simplicity, such a program PGi implementing a mitigation policy is called mitigation policy.
A vulnerability identifier IDCVEi is for example of the form CVE-AAAA-IIII, where AAAA is the year of publication and IIII a unique number.
In the embodiment described here, the mitigation policies PGi downloadable from the security server SERVSEC are source files in eBPF language, denoted PGSi.
In another embodiment described here, the mitigation policies PGi downloadable from the security server SERVSEC are object files denoted PGOi obtained by compilation of source files PGSi in eBPF language.
In the embodiment described here, the description files are in JSON (Java Script Object Notation) format.
In the exemplary embodiment described here, the description file IDA of a mitigation policy PGi includes:
In the embodiment described here, the metadata of the mitigation program PGi include:
In the embodiment described here, a mitigation policy PGi can make use of at least one support function (or dependency, “helper”) HLPi,j.
In the exemplary embodiment described here, when a policy PGi makes use of at least one support function HLPi,j:
In the embodiment described here, the metadata META_HLP of a support function HLPi,j include:
The software system SYS1 includes a kernel or operating system KER1, and a user space USR1. In the embodiment described here, the operating system KER1 is of the Linux type (registered trademark).
In the embodiment represented in
In the example described here, the user space USR1 includes:
In this example, the launching of the execution of a vulnerable function fc1 (for example sudoedit) causes the execution of the function exec in the user space USRn, itself launching the execution of the function oper_exec to be executed in the kernel KER1.
The vulnerable function fc1 to be protected is for example the sudoedit function mentioned above.
A vulnerability CVE such as CVE-2021-3156 described previously can be detected at the level of the LSM (Linux Security Module) operations triggered by the launching of the execution of this function fc1. In this case, a central administrator can carry out the step of sending E_E a signal received by the kernel of each computer EQ1 and EQ2, or only to one of the two computers. As described previously, in this embodiment, this signal comprises an identifier of the vulnerability. This identifier makes it possible to implement the installation step F_I.
This particular mode is described in the French patent application filed on Mar. 2, 2021 under number 2102026.
this installation step F_I for a computer EQn which can designate one of the computers EQ1 and EQ2 represented in
During a sub-step F10 of the installation step F_I, the installation sub-module MINSTn sends a request REQ to the server SRVSEC, this request REQ including the vulnerability identifier IDCVEK corresponding to the signal sent E_E by the security management server and received (F_R) in the user space USRn of the computer EQn.
During a substep F20, the installation submodule MINSTn receives, in response to the request REQ, the description file whose identifier IDFk is associated with the vulnerability identifier IDCVEK in the database BD of the security server SRVSEC.
This description file IDFk is represented in
In the exemplary embodiment described here, the description file IDFk includes:
In the example of
In the example of
In the example of
During a sub-step F30 of the installation step F_I, the installation sub-module MINSTn verifies whether the support functions HLPk1 and HLPk2 necessary for the execution of the mitigation policy PGk and identified in the description file IDFk received in substep F20 are already installed in the kernel KERn.
In the embodiment described here, the module MINSTn performs this verification through a kernel interface of the kernel KERn. This operation can be carried out by querying a virtual file system, for example similar to the system Sysfs described particularly in the Linux manual https://man7.org/linux/man-pages/man5/sysfs.5.html.
In practice, generic support functions likely to be called by many mitigation programs can be preinstalled in the kernel KERn.
In the exemplary embodiment described here, the support functions HLPk1 and HLPk2 are already installed in the kernel KERn and the result of the test F30 is positive.
During a substep F40, the installation module MINSTn downloads the mitigation program PGk identified in the description file IDFk received in substep F20. In the embodiment described here, this downloading is done from the security server SRVSEC.
In the embodiment described here, this program (denoted PGSk) is downloaded in source code in the eBPF format.
During a substep F50, the installation module MINSTn compiles the mitigation program PGk.
During a substep F60, the mitigation program PGk is linked with a header file HDF according to a link editing mechanism (link), to obtain an executable mitigation program PGEk. In the embodiment described here, this header file HDF is stored in the rewritable non-volatile memory 14 (
This header file HDF is updated every time a support function HLPk1 and HLPk2 is installed in the kernel KERn.
Each line L1, L2 can include:
The header file HDF can include, after the set of lines L1, L2, . . . corresponding to each of the support functions installed in the kernel KERn, a line: #define fnsup_stat (fs_id, h, pe_id, arg) fnsup_dyn (__ID_##fs_id ##_##h ##_, pe_id, arg)
Those skilled in the art thus understand that if, for example, the mitigation file PGk includes in its source code the instruction fnsup_stat (HLPk1, a0 . . . 65f, 4, arg), the link editing substep F60 translates this instruction:
The executable form of the mitigation policy PGk, in binary, is stored in the non-volatile memory 14 of the computer EQn for installation in an area ZPS of the kernel KERn during a substep F70 described subsequently.
In the embodiment described here, the function fnsup_stat is a static function that acts as a proxy to call the support functions installed in the kernel KERn. In the embodiment described here, this function includes three parameters:
In accordance with this embodiment of the invention, when the mitigation programs are loaded into the kernel (substep F70 described later), a memory space is reserved for them, and the address of this memory space is associated with the support function identifier fs_id in a table TB of the kernel KERn.
In the example of
Returning to the test F30 (
In the embodiment described here, the support functions are downloaded in object code and intended to be linked with the object code of the mitigation policy.
These download steps are carried out by a module of the user space USRn benefiting from administrator rights.
Once all the support functions necessary for the execution of the mitigation policy PGk are installed in the kernel KERn, this file can be compiled (sub-step F50), linked (sub-step F60) and loaded in turn in the kernel.
In the variant of embodiment described above, the mitigation program is downloaded in source code. As a variant, the mitigation program PGk is downloaded in the form of object code (denoted PGOK) and the compilation substep F50 is not necessary. In one embodiment of this variant, the compilation of the mitigation program into source code uses the description file IFFk of
It is important to remember that in this example, the mitigation policy PGk aims to mitigate and detect the vulnerability exploiting the call of the function fc1 by a process.
To execute the mitigation policy, and in the embodiment described here, the invention implements the security method described in the document [1].
This security method is represented in
In the embodiment described here, the processes of the user space USRn are isolated using the namespace mechanism. For example, the operating system Linux proposes several namespaces (for example: Network, IPC, PID, User) that can be used to isolate processes in a mechanism in which sets of processes are defined, so that the processes of a given set cannot see the resources used by another set of processes.
In the example described here:
In the example described here, the process p1 calls the function fc1 to be protected, the execution of which calls another function exec executing in the user space USRn.
In the embodiment described here, it is considered that the operations oper_open( ) of opening a file, oper_exec( ) of executing a function are sensitive operations.
In the example in
In the example of
In accordance with the mechanism described in document [1] and represented in
In the embodiment described here, the process p0 is associated with the security management namespace ENSECURE0 and the container C1 is associated with the security management namespace ENSECURE1.
Particularly, the field nsproxy includes a pointer ENSECURE to the namespace dedicated to security management associated with this process. This namespace defines a data structure which in particular comprises the mitigation policy.
The namespace ENSECURE of a process includes a link to the namespace ENSECURE of the parent of the namespace of this process. In the example described here, ENSECURE1 associated with the container C1 points to the namespace ENSECURE0 of the process p0.
The namespaces ENSECURE therefore form a tree.
In a manner known to those skilled in the art, a process can change the namespace to join the namespace of one of its child processes, for example by using the command unshare( ).
From the user space USRn, it is possible to access the identifier of a namespace but it is not possible to modify its structure. This characteristic advantageously makes it possible to prevent any modification or deactivation of a security or mitigation policy by a container.
In the exemplary embodiment described here, it is assumed that the process p0( ) has defined a mitigation policy PGk to secure the calls to the sensitive function execution operation oper_exec( ) It is assumed that it has not defined a security policy to secure the calls to the sensitive file opening operation oper_open( ).
In the exemplary embodiment described here, it is assumed that the container C1 has not defined its own security policy to secure the calls by its processes, in this case p1, to the sensitive binary execution operation oper_exec( ) in addition to the policy PGk defined by the process p0.
The context in which the mitigation policy PGk has been generated by compilation and editing of links during sub-steps F50 and F60 of the installation step F_I is now considered. The mitigation program PGk stored in the non-volatile memory 14 must be loaded into the security policy area ZPS of the kernel KERn.
In the embodiment of the installation step F_I described here, the installation submodule MINSTn includes instructions load_ps( ) to load (substep F70) a mitigation program in the form of an eBPF file compiled in binary form in the area ZPS of the kernel KERn. This function load_ps( ) consists in opening the eBPF file comprised in the non-volatile memory 14 and copying it to an interface with the kernel KERn. As described previously, this step comprises the allocation of a memory space in the area ZPS for this mitigation function, and the association of the address of this memory space with a support function identifier fs_id in a table TB of the kernel KERn.
In the embodiment described here, this writing in the kernel interface triggers an event to store the mitigation program in the namespace of the root process p0.
In the embodiment described here in relation to
In the exemplary embodiment described here, the kernel KERn includes a control table TABCTR which defines, for each sensitive operation OPS (file opening, execution of a binary, etc.) whether the security module LSM1 wants to control or not these sensitive operations.
In the verification example described here, it is assumed that the security module LSM1 only wishes to verify the sensitive binary execution operation oper_exec( ).
In the exemplary embodiment described here, the system call manager GAS determines, during a step E10, whether a system call triggered by a process of the user space must perform a sensitive operation OPS. If so, it triggers the security control infrastructure ICS of the kernel KERn.
The framework ICS determines whether the sensitive operation OPS is listed in the table TABCTR.
In the exemplary embodiment described here, if a process wishes to carry out the sensitive file opening operation (oper_open( ) by call to the function open( ) as this sensitive operation is not verified by the security module LSM1, the result of the determination step is negative. This operation can nevertheless be verified by the security module LSM2, for example SELinux and an AppAmor module.
When the process p1 calls the function exec, the infrastructure ICS determines that this operation is listed in the table TABCTR and it triggers the execution of the security module LSM1 during a step E20.
During a step E30, the security module LSM1 determines the namespace associated with the current process at the origin of this call. To do so, it uses the current process from the table of the processes TABPID. This is the process p1.
The security module LSM1 then executes a loop to execute the policies of the namespace of the current process related to this sensitive operation. In one particular embodiment, the security module LSM1 then executes a loop to execute the policies of its ancestor namespaces if they exist.
During a step E40, the security module LSM1 determines whether the current namespace has defined one or several security policies to verify the validity of the sensitive operation.
This is the case if the binary execution function exec( ) was called by the process p1.
If this is the case, the concerned security module LSM1 executes during a step E50 the security policy(ies) defined in the namespace dedicated to the security management ENSECURE of the current process for this sensitive operation.
In this case, during the first iteration, no mitigation policy PGk is executed.
In the embodiment described here, a mitigation policy, and particularly the mitigation policy PGk returns a negative RET result if it detects a security problem (reflecting for example malicious or abnormal behavior) and a positive result if it does not detect any security issues.
If this RET value is positive, the security module determines, if it exists, the parent namespace of the namespace of the current process (step E60) and the loop repeats.
In this case, during the second iteration, the mitigation policy PGk of the namespace ENSECURE0 of the process p0 is executed and the function open_exec( ) is blocked.
The security module LSM1 records this blockage in a log file FLOG (
In another case where all security policies (in this example only the mitigation policy PGk is installed) of the whole namespace tree have been executed with a positive RET result, the security module LSM1 sends a positive RET result to the security control infrastructure ICS (test E90).
In the embodiment described here, if the security control infrastructure ICS receives a positive RET result, it does not trigger a particular action and the system call is executed, unless an action is triggered by another security module LSM2, for example, a SELinux module or an AppAmor module.
In the embodiment described here, if the security control infrastructure ICS receives a negative RET result, the security control infrastructure ICS triggers a security action AS during a step E80. This action may consist in destroying the process at the origin of the call and raising an alert in the log file FLOG.
The annexes are presented below.
Number | Date | Country | Kind |
---|---|---|---|
FR2201751 | Feb 2022 | FR | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2023/053824 | 2/16/2023 | WO |