SlideShare a Scribd company logo

Kernel Recipes 2018 - CLIP OS: Building a defense-in-depth OS around Linux kernel kernel security improvements - Thimotée Ravier & Mickael Salaun

Anne Nicolas
Anne Nicolas

The French Network and Information Security Agency (ANSSI) just declassified and released the sources of its long-time internal hardened Linux distribution: CLIP OS. The project’s main goal is to build an operating system able to handle confidential information at multiple levels. This talk is focused on the CLIP OS architecture and the main security-relevant additions to the Linux kernel. As the project is now open source and day-to-day development realized in the open, more modifications will be suggested for inclusion in upstream projects. We are also revisiting some parts of the architecture and we discuss possible security evolutions we are interested in.

Software
1 of 51
Download to read offline
CLIP OS: Building a defense-in-depth OS around Linux kernel security improvements Timothée Ravier, Mickaël Salaün Agence nationale de la sécurité des systèmes d’information (ANSSI) September 26, 2018
About the ANSSI Agence nationale de la sécurité des systèmes d’information French authority in the area of cyberdefence, network and information security We are not an intelligence agency ANSSI CLIP OS: Building a defense-in-depth OS 2/27
Overview
CLIP OS ? Linux distribution developed by the ANSSI Initially only available internally Now open source, mostly under the LGPL v2.1+ Code and issue tracker hosted on GitHub: Version 4: available as reference and for upstream patch contribution1 Version 5: currently developed version, alpha status2 1https://github.com/CLIPOS-Archive 2https://github.com/CLIPOS ANSSI CLIP OS: Building a defense-in-depth OS 4/27
Hardened OS Hardened Linux kernel and userspace Confined services "Unprivileged" admin, audit and update roles: ⇒ the root account is not usable Automatic updates using A/B partition model (similar to Android 7+) ANSSI CLIP OS: Building a defense-in-depth OS 5/27
Multilevel security OS Provide two isolated user environments: low and high Interactions follow the Bell-LaPadula model: Write up: upload documents from low to high Read down: high has read only access to untrusted USB devices Trusted write down: encrypt documents from high to write them in low Level high can only access network through a VPN Per level user device assignment ANSSI CLIP OS: Building a defense-in-depth OS 6/27
Multilevel from the end user point of view ANSSI CLIP OS: Building a defense-in-depth OS 7/27
Admin panel: devices assignment per level ANSSI CLIP OS: Building a defense-in-depth OS 8/27
Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS ANSSI CLIP OS: Building a defense-in-depth OS 9/27
Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS Goal of CLIP OS We target non-expert users Bell-LaPadula model with two levels We favor a defense-in-depth approach ANSSI CLIP OS: Building a defense-in-depth OS 9/27
Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS Goal of CLIP OS We target non-expert users Bell-LaPadula model with two levels We favor a defense-in-depth approach Technical point of view Hypervisor vs. supervisor isolation Limited access right, even for the administrator ANSSI CLIP OS: Building a defense-in-depth OS 9/27
Architecture ANSSI CLIP OS: Building a defense-in-depth OS 10/27
CLIP OS 4
Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching ANSSI CLIP OS: Building a defense-in-depth OS 12/27
Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs ANSSI CLIP OS: Building a defense-in-depth OS 12/27
Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs grsecurity/PaX Kernel self-protection (e.g., memory protection, CFI) Multiple userspace hardening features (e.g., chroot, TPE) ANSSI CLIP OS: Building a defense-in-depth OS 12/27
Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs grsecurity/PaX Kernel self-protection (e.g., memory protection, CFI) Multiple userspace hardening features (e.g., chroot, TPE) CLIP LSM Complement the Linux permission model Leverage Linux-VServer and grsecurity/PaX ANSSI CLIP OS: Building a defense-in-depth OS 12/27
Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation ANSSI CLIP OS: Building a defense-in-depth OS 13/27
Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime ANSSI CLIP OS: Building a defense-in-depth OS 13/27
Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points ANSSI CLIP OS: Building a defense-in-depth OS 13/27
Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points Mount points Enforce W ⊕ X thanks to mount options: ro ⊕ noexec ANSSI CLIP OS: Building a defense-in-depth OS 13/27
Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points Mount points Enforce W ⊕ X thanks to mount options: ro ⊕ noexec The O_MAYEXEC flag Enforce and extend W ⊕ X from mount points to scripts (via interpreters) ANSSI CLIP OS: Building a defense-in-depth OS 13/27
O_MAYEXEC ANSSI CLIP OS: Building a defense-in-depth OS 14/27
Partitioning Hardened containers Leverage Linux-VServer admin and watch (audit) concepts New capability bounding sets: for root and per container Hardened chroot ANSSI CLIP OS: Building a defense-in-depth OS 15/27
Partitioning Hardened containers Leverage Linux-VServer admin and watch (audit) concepts New capability bounding sets: for root and per container Hardened chroot Container content and interaction Tailored filesystem layouts per service Container management with vsctl and clip-libvserver (self-jailing) ANSSI CLIP OS: Building a defense-in-depth OS 15/27
Veriexec and permissions (CLIP-LSM) Goal Split Linux capabilities (e.g., Fuse, unshare) Add new permissions (e.g., network, XFRM) Can be tied to an XID Does not use xattr (thus independent from the filesystem) ANSSI CLIP OS: Building a defense-in-depth OS 16/27
Veriexec and permissions (CLIP-LSM) Goal Split Linux capabilities (e.g., Fuse, unshare) Add new permissions (e.g., network, XFRM) Can be tied to an XID Does not use xattr (thus independent from the filesystem) Configuration example: /etc/verictl.d/chromium /usr /.../ chrome -sandbox 1002 e SETUID|SETGID|SYS_CHROOT SETUID|SETGID|SYS_CHROOT - cUP sha256 45 bcbd1 ... ANSSI CLIP OS: Building a defense-in-depth OS 16/27
Veriexec example ANSSI CLIP OS: Building a defense-in-depth OS 17/27
CLIP OS 5
General Linux kernel hardening Strict whitelist of kernel options, but easily composable sets Paranoid command line iommu=force, pti=on, spectre_v2=on, etc. Strict sysctl defaults kernel.kptr_restrict, kernel.yama.ptrace_scope, etc. ANSSI CLIP OS: Building a defense-in-depth OS 19/27
Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes ANSSI CLIP OS: Building a defense-in-depth OS 20/27
Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes Security may come first We can handle minor compatibility breakage in our userspace Will accept changes that upstream may reject ANSSI CLIP OS: Building a defense-in-depth OS 20/27
Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes Security may come first We can handle minor compatibility breakage in our userspace Will accept changes that upstream may reject Interaction with upstream & KSPP Include in-progress or ready-for-upstream patches Integrate and validate patches in a single tree Maintain hardening patches for latest stable kernel ANSSI CLIP OS: Building a defense-in-depth OS 20/27
Patch series: linux-hardened Features Memory hardening improvements, including: better userspace ASLR slab allocators hardening (mostly SLUB) simpler page sanitizing Various restrictions: TIOCSTI ioctl, perf subsystem, device timing side channels, etc. Miscellaneous additions: more BUG_ONs, more __ro_after_init, etc. ANSSI CLIP OS: Building a defense-in-depth OS 21/27
Patch series: linux-hardened Features Memory hardening improvements, including: better userspace ASLR slab allocators hardening (mostly SLUB) simpler page sanitizing Various restrictions: TIOCSTI ioctl, perf subsystem, device timing side channels, etc. Miscellaneous additions: more BUG_ONs, more __ro_after_init, etc. Development status: In progress CLIP OS status: Merged Upstream status: Most changes unlikely to be merged upstream ANSSI CLIP OS: Building a defense-in-depth OS 21/27
Upstream contribution integration: Lockdown Features Reduce options for root to run untrusted code in kernel context ANSSI CLIP OS: Building a defense-in-depth OS 22/27
Upstream contribution integration: Lockdown Features Reduce options for root to run untrusted code in kernel context Development status: Feature complete CLIP OS status: Merged Upstream status: Ready for upstream integration ANSSI CLIP OS: Building a defense-in-depth OS 22/27
Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() ANSSI CLIP OS: Building a defense-in-depth OS 23/27
Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() CLIP OS specific changes Kept alloca()-related changes (dropped for upstream in v15) ANSSI CLIP OS: Building a defense-in-depth OS 23/27
Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() CLIP OS specific changes Kept alloca()-related changes (dropped for upstream in v15) Development status: Feature complete CLIP OS status: Merged Upstream status: Ready for upstream integration ANSSI CLIP OS: Building a defense-in-depth OS 23/27
Upstream contribution: Landlock Features Enables seccomp-bpf -like self-sandboxing for unprivileged processes Stackable LSM Powered by eBPF Dynamic filesystem access control using whitelists & blacklists See landlock.io ANSSI CLIP OS: Building a defense-in-depth OS 24/27
Upstream contribution: Landlock Features Enables seccomp-bpf -like self-sandboxing for unprivileged processes Stackable LSM Powered by eBPF Dynamic filesystem access control using whitelists & blacklists See landlock.io Development status: Initial feature set ready CLIP OS status: Planned Upstream status: Work in progress ANSSI CLIP OS: Building a defense-in-depth OS 24/27
Upstream contribution: VServer-like LSM Features Adds a single kernel enforced indentifier for confined environments Similar in principle to VServer XID or to "Container IDs" Inspired by the VServer patch Integrated as a stackable LSM ANSSI CLIP OS: Building a defense-in-depth OS 25/27
Upstream contribution: VServer-like LSM Features Adds a single kernel enforced indentifier for confined environments Similar in principle to VServer XID or to "Container IDs" Inspired by the VServer patch Integrated as a stackable LSM Development status: Early development stage CLIP OS status: Planned ANSSI CLIP OS: Building a defense-in-depth OS 25/27
Conclusion Take away Hardened Linux distro and kernel Coordinated userspace and kernelspace Support multilevel security ANSSI CLIP OS: Building a defense-in-depth OS 26/27
Conclusion Take away Hardened Linux distro and kernel Coordinated userspace and kernelspace Support multilevel security Ongoing project Contributions welcome Browse the doc and the sources to find more interesting features: docs.clip-os.org ANSSI CLIP OS: Building a defense-in-depth OS 26/27
Thanks! clip-os.org clipos@ssi.gouv.fr v4: github.com/CLIPOS-Archive v5: github.com/CLIPOS We’re hiring! (but not directly for CLIP OS) Linux system security expert https://www.ssi.gouv.fr/emploi/expert-en-securite-des-systemes-linux/
Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware ANSSI CLIP OS: Building a defense-in-depth OS 28/27
Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) ANSSI CLIP OS: Building a defense-in-depth OS 28/27
Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) 3 EFI bundle: Linux kernel initramfs kernel command line ANSSI CLIP OS: Building a defense-in-depth OS 28/27
Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) 3 EFI bundle: Linux kernel initramfs kernel command line 4 DM-Verity partition: DM-Verity root hash set in kernel command line Forward error correction support (FEC) Read only uncompressed SquashFS root filesystem ANSSI CLIP OS: Building a defense-in-depth OS 28/27

Recommended

Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
XenApp Unix
XenApp UnixXenApp Unix
XenApp Unix
Helmut Hauser
 
Solaris Operating System - Oracle
Solaris Operating System - Oracle Solaris Operating System - Oracle
Solaris Operating System - Oracle
Malan Amarasinghe
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
Ashwin Pawar
 
Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012
Dru Lavigne
 
3494 Enterprise Tape Library
3494 Enterprise Tape Library3494 Enterprise Tape Library
3494 Enterprise Tape Library
IBM India Smarter Computing
 
Solaris, OpenSolaris y Virtualización
Solaris, OpenSolaris y VirtualizaciónSolaris, OpenSolaris y Virtualización
Solaris, OpenSolaris y Virtualización
juandanielp
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
Badrul Alam
 

Recommended

Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
XenApp Unix
XenApp UnixXenApp Unix
XenApp Unix
Helmut Hauser
 
Solaris Operating System - Oracle
Solaris Operating System - Oracle Solaris Operating System - Oracle
Solaris Operating System - Oracle
Malan Amarasinghe
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
Ashwin Pawar
 
Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012
Dru Lavigne
 
3494 Enterprise Tape Library
3494 Enterprise Tape Library3494 Enterprise Tape Library
3494 Enterprise Tape Library
IBM India Smarter Computing
 
Solaris, OpenSolaris y Virtualización
Solaris, OpenSolaris y VirtualizaciónSolaris, OpenSolaris y Virtualización
Solaris, OpenSolaris y Virtualización
juandanielp
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
Badrul Alam
 
LCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure bootLCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure boot
Linaro
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
Dru Lavigne
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
Dru Lavigne
 
Open solaris (final)
Open solaris (final)Open solaris (final)
Open solaris (final)
liannemonique vergara
 
Olf2012
Olf2012Olf2012
Olf2012
Dru Lavigne
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
Dru Lavigne
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating System
Joshua Guillano
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
Dru Lavigne
 
Demo
DemoDemo
Demo
anoop_wi
 
Presentation1
Presentation1Presentation1
Presentation1
Jessica Chan
 
Training SUN SW & HW
Training SUN SW & HWTraining SUN SW & HW
Training SUN SW & HW
Roberto Solone Boccardi
 
Posscon2013
Posscon2013Posscon2013
Posscon2013
Dru Lavigne
 
Demo
DemoDemo
Demo
anoop_wi
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
Dru Lavigne
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
Le Device Tree Linux
Le Device Tree LinuxLe Device Tree Linux
Le Device Tree Linux
Christian Charreyre
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
Dru Lavigne
 
pfSense, OpenSource Firewall
pfSense, OpenSource FirewallpfSense, OpenSource Firewall
pfSense, OpenSource Firewall
Erik Kirschner
 
Introduction to OpenSolaris 2008.11
Introduction to OpenSolaris 2008.11Introduction to OpenSolaris 2008.11
Introduction to OpenSolaris 2008.11
Eduardo Pelegri-Llopart
 
Flourish11
Flourish11Flourish11
Flourish11
Dru Lavigne
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
NETWAYS
 
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating systemEmbedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
Anne Nicolas
 

More Related Content

What's hot

BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 

What's hot (20)

LCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure bootLCA14: LCA14-105: UEFI secure boot
LCA14: LCA14-105: UEFI secure boot
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
 
Open solaris (final)
Open solaris (final)Open solaris (final)
Open solaris (final)
 
Olf2012
Olf2012Olf2012
Olf2012
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating System
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
 
Demo
DemoDemo
Demo
 
Presentation1
Presentation1Presentation1
Presentation1
 
Training SUN SW & HW
Training SUN SW & HWTraining SUN SW & HW
Training SUN SW & HW
 
Posscon2013
Posscon2013Posscon2013
Posscon2013
 
Demo
DemoDemo
Demo
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
 
Le Device Tree Linux
Le Device Tree LinuxLe Device Tree Linux
Le Device Tree Linux
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
 
pfSense, OpenSource Firewall
pfSense, OpenSource FirewallpfSense, OpenSource Firewall
pfSense, OpenSource Firewall
 
Introduction to OpenSolaris 2008.11
Introduction to OpenSolaris 2008.11Introduction to OpenSolaris 2008.11
Introduction to OpenSolaris 2008.11
 
Flourish11
Flourish11Flourish11
Flourish11
 

Similar to Kernel Recipes 2018 - CLIP OS: Building a defense-in-depth OS around Linux kernel kernel security improvements - Thimotée Ravier & Mickael Salaun

OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
NETWAYS
 
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating systemEmbedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
Anne Nicolas
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
Boden Russell
 

Similar to Kernel Recipes 2018 - CLIP OS: Building a defense-in-depth OS around Linux kernel kernel security improvements - Thimotée Ravier & Mickael Salaun (20)

OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating systemEmbedded Recipes 2019 - Overview of Fuchsia, a new operating system
Embedded Recipes 2019 - Overview of Fuchsia, a new operating system
 
ERTS 2008 - Using Linux for industrial projects
ERTS 2008 - Using Linux for industrial projectsERTS 2008 - Using Linux for industrial projects
ERTS 2008 - Using Linux for industrial projects
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at ExoscaleCoreOS and cloud provider integration: simple cloud-init example at Exoscale
CoreOS and cloud provider integration: simple cloud-init example at Exoscale
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
 
Cloud stack for z Systems - July 2016
Cloud stack for z Systems - July 2016Cloud stack for z Systems - July 2016
Cloud stack for z Systems - July 2016
 
Presentation on linux
Presentation on linuxPresentation on linux
Presentation on linux
 
Advancement on embedded linux-v2
Advancement on embedded linux-v2Advancement on embedded linux-v2
Advancement on embedded linux-v2
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 
Operating project
Operating projectOperating project
Operating project
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
 
Module 4 Embedded Linux
Module 4 Embedded LinuxModule 4 Embedded Linux
Module 4 Embedded Linux
 
Practical Introduction To Linux
Practical Introduction To LinuxPractical Introduction To Linux
Practical Introduction To Linux
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copyLinux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)Lxc – next gen virtualization for cloud intro (cloudexpo)
Lxc – next gen virtualization for cloud intro (cloudexpo)
 
yosys_presentation that help in working on the yosys tool
yosys_presentation that help in working on the yosys toolyosys_presentation that help in working on the yosys tool
yosys_presentation that help in working on the yosys tool
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Recently uploaded

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 

Recently uploaded (20)

%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 

Kernel Recipes 2018 - CLIP OS: Building a defense-in-depth OS around Linux kernel kernel security improvements - Thimotée Ravier & Mickael Salaun

  • 1. CLIP OS: Building a defense-in-depth OS around Linux kernel security improvements Timothée Ravier, Mickaël Salaün Agence nationale de la sécurité des systèmes d’information (ANSSI) September 26, 2018
  • 2. About the ANSSI Agence nationale de la sécurité des systèmes d’information French authority in the area of cyberdefence, network and information security We are not an intelligence agency ANSSI CLIP OS: Building a defense-in-depth OS 2/27
  • 4. CLIP OS ? Linux distribution developed by the ANSSI Initially only available internally Now open source, mostly under the LGPL v2.1+ Code and issue tracker hosted on GitHub: Version 4: available as reference and for upstream patch contribution1 Version 5: currently developed version, alpha status2 1https://github.com/CLIPOS-Archive 2https://github.com/CLIPOS ANSSI CLIP OS: Building a defense-in-depth OS 4/27
  • 5. Hardened OS Hardened Linux kernel and userspace Confined services "Unprivileged" admin, audit and update roles: ⇒ the root account is not usable Automatic updates using A/B partition model (similar to Android 7+) ANSSI CLIP OS: Building a defense-in-depth OS 5/27
  • 6. Multilevel security OS Provide two isolated user environments: low and high Interactions follow the Bell-LaPadula model: Write up: upload documents from low to high Read down: high has read only access to untrusted USB devices Trusted write down: encrypt documents from high to write them in low Level high can only access network through a VPN Per level user device assignment ANSSI CLIP OS: Building a defense-in-depth OS 6/27
  • 7. Multilevel from the end user point of view ANSSI CLIP OS: Building a defense-in-depth OS 7/27
  • 8. Admin panel: devices assignment per level ANSSI CLIP OS: Building a defense-in-depth OS 8/27
  • 9. Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS ANSSI CLIP OS: Building a defense-in-depth OS 9/27
  • 10. Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS Goal of CLIP OS We target non-expert users Bell-LaPadula model with two levels We favor a defense-in-depth approach ANSSI CLIP OS: Building a defense-in-depth OS 9/27
  • 11. Differences with Qubes OS CLIP OS development began 5 years earlier than Qubes OS Goal of CLIP OS We target non-expert users Bell-LaPadula model with two levels We favor a defense-in-depth approach Technical point of view Hypervisor vs. supervisor isolation Limited access right, even for the administrator ANSSI CLIP OS: Building a defense-in-depth OS 9/27
  • 12. Architecture ANSSI CLIP OS: Building a defense-in-depth OS 10/27
  • 14. Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching ANSSI CLIP OS: Building a defense-in-depth OS 12/27
  • 15. Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs ANSSI CLIP OS: Building a defense-in-depth OS 12/27
  • 16. Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs grsecurity/PaX Kernel self-protection (e.g., memory protection, CFI) Multiple userspace hardening features (e.g., chroot, TPE) ANSSI CLIP OS: Building a defense-in-depth OS 12/27
  • 17. Hardening mechanisms Gentoo Hardened Hardened toolchain Flexible patching Linux-VServer Linux namespaces with additional constraints Unique container and network IDs: XIDs and NIDs grsecurity/PaX Kernel self-protection (e.g., memory protection, CFI) Multiple userspace hardening features (e.g., chroot, TPE) CLIP LSM Complement the Linux permission model Leverage Linux-VServer and grsecurity/PaX ANSSI CLIP OS: Building a defense-in-depth OS 12/27
  • 18. Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation ANSSI CLIP OS: Building a defense-in-depth OS 13/27
  • 19. Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime ANSSI CLIP OS: Building a defense-in-depth OS 13/27
  • 20. Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points ANSSI CLIP OS: Building a defense-in-depth OS 13/27
  • 21. Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points Mount points Enforce W ⊕ X thanks to mount options: ro ⊕ noexec ANSSI CLIP OS: Building a defense-in-depth OS 13/27
  • 22. Write ⊕ Execute policy Avoid arbitrary code execution and persistent attacks, improve multilevel isolation Memory (PaX) Deny writable memory to be executable, throughout the system lifetime Devctl Enforce and extend W ⊕ X from devices to mount points Mount points Enforce W ⊕ X thanks to mount options: ro ⊕ noexec The O_MAYEXEC flag Enforce and extend W ⊕ X from mount points to scripts (via interpreters) ANSSI CLIP OS: Building a defense-in-depth OS 13/27
  • 23. O_MAYEXEC ANSSI CLIP OS: Building a defense-in-depth OS 14/27
  • 24. Partitioning Hardened containers Leverage Linux-VServer admin and watch (audit) concepts New capability bounding sets: for root and per container Hardened chroot ANSSI CLIP OS: Building a defense-in-depth OS 15/27
  • 25. Partitioning Hardened containers Leverage Linux-VServer admin and watch (audit) concepts New capability bounding sets: for root and per container Hardened chroot Container content and interaction Tailored filesystem layouts per service Container management with vsctl and clip-libvserver (self-jailing) ANSSI CLIP OS: Building a defense-in-depth OS 15/27
  • 26. Veriexec and permissions (CLIP-LSM) Goal Split Linux capabilities (e.g., Fuse, unshare) Add new permissions (e.g., network, XFRM) Can be tied to an XID Does not use xattr (thus independent from the filesystem) ANSSI CLIP OS: Building a defense-in-depth OS 16/27
  • 27. Veriexec and permissions (CLIP-LSM) Goal Split Linux capabilities (e.g., Fuse, unshare) Add new permissions (e.g., network, XFRM) Can be tied to an XID Does not use xattr (thus independent from the filesystem) Configuration example: /etc/verictl.d/chromium /usr /.../ chrome -sandbox 1002 e SETUID|SETGID|SYS_CHROOT SETUID|SETGID|SYS_CHROOT - cUP sha256 45 bcbd1 ... ANSSI CLIP OS: Building a defense-in-depth OS 16/27
  • 28. Veriexec example ANSSI CLIP OS: Building a defense-in-depth OS 17/27
  • 30. General Linux kernel hardening Strict whitelist of kernel options, but easily composable sets Paranoid command line iommu=force, pti=on, spectre_v2=on, etc. Strict sysctl defaults kernel.kptr_restrict, kernel.yama.ptrace_scope, etc. ANSSI CLIP OS: Building a defense-in-depth OS 19/27
  • 31. Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes ANSSI CLIP OS: Building a defense-in-depth OS 20/27
  • 32. Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes Security may come first We can handle minor compatibility breakage in our userspace Will accept changes that upstream may reject ANSSI CLIP OS: Building a defense-in-depth OS 20/27
  • 33. Enabling Linux kernel hardening Goals Protecting the kernel from itself and from userspace Include additional features for userspace Being able to test kernel and userspace coordinated changes Security may come first We can handle minor compatibility breakage in our userspace Will accept changes that upstream may reject Interaction with upstream & KSPP Include in-progress or ready-for-upstream patches Integrate and validate patches in a single tree Maintain hardening patches for latest stable kernel ANSSI CLIP OS: Building a defense-in-depth OS 20/27
  • 34. Patch series: linux-hardened Features Memory hardening improvements, including: better userspace ASLR slab allocators hardening (mostly SLUB) simpler page sanitizing Various restrictions: TIOCSTI ioctl, perf subsystem, device timing side channels, etc. Miscellaneous additions: more BUG_ONs, more __ro_after_init, etc. ANSSI CLIP OS: Building a defense-in-depth OS 21/27
  • 35. Patch series: linux-hardened Features Memory hardening improvements, including: better userspace ASLR slab allocators hardening (mostly SLUB) simpler page sanitizing Various restrictions: TIOCSTI ioctl, perf subsystem, device timing side channels, etc. Miscellaneous additions: more BUG_ONs, more __ro_after_init, etc. Development status: In progress CLIP OS status: Merged Upstream status: Most changes unlikely to be merged upstream ANSSI CLIP OS: Building a defense-in-depth OS 21/27
  • 36. Upstream contribution integration: Lockdown Features Reduce options for root to run untrusted code in kernel context ANSSI CLIP OS: Building a defense-in-depth OS 22/27
  • 37. Upstream contribution integration: Lockdown Features Reduce options for root to run untrusted code in kernel context Development status: Feature complete CLIP OS status: Merged Upstream status: Ready for upstream integration ANSSI CLIP OS: Building a defense-in-depth OS 22/27
  • 38. Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() ANSSI CLIP OS: Building a defense-in-depth OS 23/27
  • 39. Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() CLIP OS specific changes Kept alloca()-related changes (dropped for upstream in v15) ANSSI CLIP OS: Building a defense-in-depth OS 23/27
  • 40. Upstream contribution integration: STACKLEAK Features Reduce information leaks and block attacks using uninitialized kernel stack variables: Erase the stack before returning from system calls Improve runtime detection of kernel stack overflows (e.g. Stack Clash): Instrument calls to alloca() CLIP OS specific changes Kept alloca()-related changes (dropped for upstream in v15) Development status: Feature complete CLIP OS status: Merged Upstream status: Ready for upstream integration ANSSI CLIP OS: Building a defense-in-depth OS 23/27
  • 41. Upstream contribution: Landlock Features Enables seccomp-bpf -like self-sandboxing for unprivileged processes Stackable LSM Powered by eBPF Dynamic filesystem access control using whitelists & blacklists See landlock.io ANSSI CLIP OS: Building a defense-in-depth OS 24/27
  • 42. Upstream contribution: Landlock Features Enables seccomp-bpf -like self-sandboxing for unprivileged processes Stackable LSM Powered by eBPF Dynamic filesystem access control using whitelists & blacklists See landlock.io Development status: Initial feature set ready CLIP OS status: Planned Upstream status: Work in progress ANSSI CLIP OS: Building a defense-in-depth OS 24/27
  • 43. Upstream contribution: VServer-like LSM Features Adds a single kernel enforced indentifier for confined environments Similar in principle to VServer XID or to "Container IDs" Inspired by the VServer patch Integrated as a stackable LSM ANSSI CLIP OS: Building a defense-in-depth OS 25/27
  • 44. Upstream contribution: VServer-like LSM Features Adds a single kernel enforced indentifier for confined environments Similar in principle to VServer XID or to "Container IDs" Inspired by the VServer patch Integrated as a stackable LSM Development status: Early development stage CLIP OS status: Planned ANSSI CLIP OS: Building a defense-in-depth OS 25/27
  • 45. Conclusion Take away Hardened Linux distro and kernel Coordinated userspace and kernelspace Support multilevel security ANSSI CLIP OS: Building a defense-in-depth OS 26/27
  • 46. Conclusion Take away Hardened Linux distro and kernel Coordinated userspace and kernelspace Support multilevel security Ongoing project Contributions welcome Browse the doc and the sources to find more interesting features: docs.clip-os.org ANSSI CLIP OS: Building a defense-in-depth OS 26/27
  • 47. Thanks! clip-os.org clipos@ssi.gouv.fr v4: github.com/CLIPOS-Archive v5: github.com/CLIPOS We’re hiring! (but not directly for CLIP OS) Linux system security expert https://www.ssi.gouv.fr/emploi/expert-en-securite-des-systemes-linux/
  • 48. Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware ANSSI CLIP OS: Building a defense-in-depth OS 28/27
  • 49. Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) ANSSI CLIP OS: Building a defense-in-depth OS 28/27
  • 50. Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) 3 EFI bundle: Linux kernel initramfs kernel command line ANSSI CLIP OS: Building a defense-in-depth OS 28/27
  • 51. Boot chain and root partition integrity protection 1 UEFI Secure Boot support: Custom keys (i.e. not signed by Microsoft) Requires enrollment in hardware 2 Minimal bootloader (gummiboot/systemd-boot) 3 EFI bundle: Linux kernel initramfs kernel command line 4 DM-Verity partition: DM-Verity root hash set in kernel command line Forward error correction support (FEC) Read only uncompressed SquashFS root filesystem ANSSI CLIP OS: Building a defense-in-depth OS 28/27