
Does VyOS take advantage of Linux's improved security features?
Not Applicable, Public

Description

Most routers don't take advantage of Linux's improved security features.

Is this something that should be looked into for VyOS?

abstract:

Security hardening features such as ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), RELRO (RELocation Read-Only), and stack guards have been found to be missing in a recent security audit of 28 popular home routers.
"The absence of these security features is inexcusable"
The features discussed in this report are easy to adopt, come with no downsides, and are standard practices in other market segments (such as desktop and mobile software).

Researchers detailed this MIPS Linux bug in more detail in a separate research paper available here.

Details

Version: -
Is it a breaking change? Perfectly compatible
Issue type: Internal change (not visible to end users)

Event Timeline

fromport triaged this task as Wishlist priority.
fromport created this object in space S1 VyOS Public.
vyos@vyos:~$ show system kernel-messages | grep "Execute Disable" 
NX (Execute Disable) protection: active

@c-po I have access to it, let me know if you need a pdf out of it.

@fromport
These mitigation techniques are all turned on/off via compiler flags and most of them are enabled by default. ASLR on the kernel side is enabled since 2.6.25.

Your paper by the way is focusing on MIPS, an arch we currently do not support actively.

dmbaturin added a project: VyOS 1.3 Equuleus.
dmbaturin set Is it a breaking change? to Perfectly compatible.
dmbaturin subscribed.

Now that 1.3 is near a stable release, it's a good idea to revisit the hardening measures and see if we can enable any new ones.

An easy start would be adding

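# Enable all dpkg-buildflags hardening features
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
# Link only the libraries actually needed and reject undefined symbols
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,defs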

to debian/rules to harden our C programs (which are currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.

Here are some kernel features we need to consider:

  1. Disable kexec. The user should never need to swap the kernel.
  2. Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
  3. Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
  4. Harden BPF JIT. Might interfere with XDP. Testing necessary.
  5. Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.

erkin set Issue type to Internal change (not visible to end users). Aug 31 2021, 6:58 PM
syncer closed this task as Not Applicable. Oct 28 2024, 6:21 AM
syncer removed a project: VyOS 1.5 Circinus.
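
A read-only way to see where a running system stands on the five kernel items listed in the last comment, as an added example that is not part of the original task or of VyOS code. The mapping of each item to a kernel interface (kexec_load_disabled, kptr_restrict, the hidepid mount option, bpf_jit_harden, the securityfs lockdown file) and the ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of the kernel settings discussed above.
# ROOT is a hypothetical knob for pointing the checks at a constructed tree;
# left empty, the live /proc and /sys are read.
ROOT="${ROOT:-}"

first_line() {   # first line of $ROOT<path>, or "missing" if unreadable
    if [ -r "$ROOT$1" ]; then head -n 1 "$ROOT$1"; else echo missing; fi
}

grade() {        # grade VALUE GLOB -> ok | weak | missing
    case "$1" in
        missing) echo missing ;;
        $2)      echo ok ;;
        *)       echo weak ;;
    esac
}

# 1. kexec: 1 means kexec_load() stays disabled until the next reboot.
check_kexec()   { grade "$(first_line /proc/sys/kernel/kexec_load_disabled)" 1; }
# 2. kallsyms: 1 hides kernel addresses without CAP_SYSLOG, 2 from everyone.
check_kptr()    { grade "$(first_line /proc/sys/kernel/kptr_restrict)" '[12]'; }
# 3. hidepid: 2 (shown as "invisible" on newer kernels) hides other users' PIDs.
check_hidepid() {
    [ -r "$ROOT/proc/mounts" ] || { echo missing; return; }
    if awk '$2 == "/proc" && $3 == "proc"' "$ROOT/proc/mounts" |
         grep -Eq 'hidepid=(2|invisible)'; then echo ok; else echo weak; fi
}
# 4. BPF JIT: 1 hardens unprivileged programs, 2 hardens all programs.
check_bpf_jit() { grade "$(first_line /proc/sys/net/core/bpf_jit_harden)" '[12]'; }
# 5. lockdown: the active mode is the bracketed word, e.g. "none [integrity]".
check_lockdown() {
    case "$(first_line /sys/kernel/security/lockdown)" in
        missing) echo missing ;;   # LSM not built in or securityfs not mounted
        *"[integrity]"*|*"[confidentiality]"*) echo ok ;;
        *) echo weak ;;
    esac
}

audit() {        # one line per item: name and ok | weak | missing
    for c in kexec kptr hidepid bpf_jit lockdown; do
        printf '%-9s %s\n' "$c" "$(check_$c)"
    done
}

audit
```

A result of "missing" means the interface is not exposed by the running kernel, which for the lockdown and BPF JIT items usually reflects a build-time configuration choice rather than a runtime setting.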