Protecting Linux from Within

Back in the '90s, hackers would define slash in UNIX as a white space to dissolve pathnames. The shell would thus see ‘/etc/file’ as ‘ etc file’. After this, they’d run any set-uid-root program (like ‘at’) that opened an executable in /etc as root. But the root program would look for etc because they dissolved the slash. They then put a file called etc in their local directory with commands to copy the shell, and they got a root shell. Ta da! Owned.

By the way, if you didn’t follow the paragraph above, then consider re-reading it with a pencil and paper. It’s easier to follow than you might think. Trust me – the exercise is worth the time. This is especially true if you’ve never visualized a true UNIX exploit. And if you don’t have the patience to go back through my choppy writing, then have a look at this video, and perhaps you’ll understand it then.
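The trick in that paragraph is a field-splitting bug: the shell's IFS variable says which characters separate words, and a set-uid program that hands a pathname to a shell inherits whatever IFS its caller set. The following C program is an added example (mine, not the article's and not Capsule8's) that shows the mechanism at the tokenizer level and the two defensive habits that neutralise it: reset IFS and PATH before any shell is involved, and check that the first word is still an absolute path. The helper names split_ifs, first_word_is_absolute and sanitize_env are hypothetical, and the "/etc/file" command string is a constructed sample.

```c
/* Added example: Bourne-style field splitting under an attacker-controlled
 * IFS, plus the environment reset a privileged program should perform.
 * Helper names are hypothetical; the sample command line is constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 16

/* Copy `len` bytes starting at `start` into a fresh NUL-terminated string. */
static char *dup_range(const char *start, size_t len) {
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, start, len);
    s[len] = '\0';
    return s;
}

/* Split `cmdline` into words the way an old Bourne shell split a command
 * line: every character in `ifs` is a separator, runs of separators are
 * collapsed. Returns the number of tokens stored in `out`; each token is
 * heap-allocated and must be released with free_tokens(). */
int split_ifs(const char *cmdline, const char *ifs, char *out[], int max_out) {
    int n = 0;
    const char *p = cmdline;
    while (*p && n < max_out) {
        while (*p && strchr(ifs, *p)) p++;   /* skip leading separators */
        if (!*p) break;
        const char *start = p;
        while (*p && !strchr(ifs, *p)) p++;  /* consume one word */
        out[n++] = dup_range(start, (size_t)(p - start));
    }
    return n;
}

void free_tokens(char *out[], int n) {
    for (int i = 0; i < n; i++) free(out[i]);
}

/* Defensive check: is the word the shell would execute still an absolute
 * path? With IFS="/" the path "/etc/file" degrades to the bare word "etc",
 * which the shell would then resolve through PATH, i.e. from wherever the
 * caller chose. Returns 1 if the first word starts with '/', else 0. */
int first_word_is_absolute(const char *cmdline, const char *ifs) {
    char *tok[MAX_TOKENS];
    int n = split_ifs(cmdline, ifs, tok, MAX_TOKENS);
    int is_abs = (n > 0 && tok[0] != NULL && tok[0][0] == '/');
    free_tokens(tok, n);
    return is_abs;
}

/* Reset the variables a set-uid program must never inherit from its
 * caller. Returns 0 on success, -1 if setenv() fails. */
int sanitize_env(void) {
    if (setenv("IFS", " \t\n", 1) != 0) return -1;     /* POSIX default IFS */
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    unsetenv("LD_PRELOAD");                            /* loader overrides */
    unsetenv("LD_LIBRARY_PATH");
    return 0;
}

int main(void) {
    const char *cmd = "/etc/file";   /* constructed sample command line */
    char *tok[MAX_TOKENS];

    int n = split_ifs(cmd, "/", tok, MAX_TOKENS);
    printf("IFS=\"/\"   splits \"%s\" into %d words:", cmd, n);
    for (int i = 0; i < n; i++) printf(" [%s]", tok[i]);
    printf("  absolute=%d\n", first_word_is_absolute(cmd, "/"));
    free_tokens(tok, n);

    if (sanitize_env() != 0) return 1;
    const char *ifs = getenv("IFS");
    n = split_ifs(cmd, ifs, tok, MAX_TOKENS);
    printf("default IFS splits \"%s\" into %d word:", cmd, n);
    for (int i = 0; i < n; i++) printf(" [%s]", tok[i]);
    printf("  absolute=%d\n", first_word_is_absolute(cmd, ifs));
    free_tokens(tok, n);
    return 0;
}
```

Two caveats worth keeping in mind. First, modern shells apply IFS only to the results of expansions, not to the literal command text, so the exact trick above no longer works as written; the lesson that survives is that a privileged program must not trust inherited environment variables. Second, the environment reset is a stopgap: the stronger fix is to avoid system() and popen() in set-uid code altogether and use execve() with an absolute path and an explicitly constructed envp, so no shell ever parses the command.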

Welcome to the world of advanced kernel-level attacks in operating systems. Last week, I took the C train to Brooklyn and spent an amazing morning with one of the finest minds in Linux security – John Viega, CEO of Capsule8. John was kind enough to spend time updating me on the state-of-the-art in detecting advanced exploits in Linux. I took fifteen pages of notes – and I’ll try to summarize my learning here:

“Everyone agrees that Linux has won in production,” Viega explained. “But the security industry has not done a good job securing Linux run-time environments. Ops teams are forced to run all sorts of different tools such as intrusion detection, file integrity monitoring, and anti-virus, and this generates reams of data, and can often impede the performance and reliability of run-time production workloads. Security can’t come at the cost of compromised network performance.”

To deal with this problem, Capsule8, which Viega co-founded in 2016, has developed a Linux security solution which he described as “being built by black hats for black hats.” The solution has kernel-level visibility (without using a kernel module), and addresses exploits ranging from command injection to logical inconsistencies in executable behavior. The goal is to protect Linux from within, rather than relying on containers to provide isolation.

The essence of Capsule8 is attack protection and alerting that integrates the required controls into a single, unified solution, giving security teams confidence that the underlying operating system is secure. Common attacks such as privilege escalation and container escapes are directly mitigated, and this is important, because breaking out from a container works only if the underlying OS is insecure.

Additionally, Capsule8 provides operating system context reporting, with the goal of driving down false positive rates for security and ops teams. “Obviously we focus on preventing attacks,” Viega explained, “but we also try to improve the quality of the data being reported by the operating system to other layers. Everything is done through APIs, so this makes data sharing simple for more environments.”

The Capsule8 solution works well for environments supporting workload containers, virtual machines, and even bare metal, and this improves extensibility. “Our software works perfectly well in any cloud, across any infrastructure, and also on premise.” Viega showed me an awesome demo of some exploit detections for production Linux running in AWS, and the reporting interfaces looked straightforward and familiar.

Too many cyber security solutions purport to address production weaknesses by marrying application-level controls with their app-counterparts on top of the underlying OS. It stands to reason that if black hats can undermine the base kernel, then you’re going to have trouble at the higher layers. Container escapes are perhaps the most common example of this, and such exploits are unacceptable for important computing applications.

My guess is that if you’ve read this far, then you’re supporting production Linux or cryptomining, or some other Linux-heavy activity. This probably also means that you’re swimming in false positives from the tools you’ve deployed. Perhaps you should do as I did and take the C train to Brooklyn, or just give John Viega a call. I think you’ll find Capsule8’s approach to be the perfect solution for securing production Linux.

And as always, please share what you’ve learned.