 Hello everyone myself is Vandana. I am a senior software architect at Micron at Micron. I recently joined Micron I am working on some of the memory management, sorry, I need to be here some of the exciting feature of CXL memory management as such and particularly BPF is some of one of my Topic of interest as such I've done a lot of work on that as such so today I wanted to talk about Securing the Linux kernel Using the BPFS particularly the BPF and the LSM that has been used as such, okay so To talk about myself I have been working on Linux kernel as such like almost 24 years, and I've been working on Linux device drivers kernel subsystems we have systems like Networking and velvet systems as well as security as such, okay, and I'm also like like to Do presentations mentor People new folks that are interested open source Linux kernel as such So today I'll talk about the BPF LSM BFF So basically the agenda is to start with understanding the security. What are the basic security aspects that we look? What are the existing security framework that is there in the Linux kernel? such as the audit framework and Managing framework and then the existing enforcement policies that are driven through the LSM's and how BPF Fits into all of this as such and we look at some of the example demos as such So when we talk of security So the security starts from the very basic like the physical securities locks and all that stuff and then that we do more security starts with other is the securing the use accounts Passwords and file systems That is giving proper file access permissions and authentication process as such Another aspect that comes is the monitoring monitoring the system activities as such and that has been governed by particularly like Monitoring the log files monitoring the user active accounts file system accounts socket network traffic that is there as such and All that things in the Linux kernel has been done through the one of the framework that is there is the colors of Linux audit subsystem as such and Another approach taken to security is enforcement blanks the default Linux security is the discrete access Control that the security enforced through the permissions and capabilities as such but if some More security actual to implement the something called would call as the mandatory access control that can be done through the enforcement and that enforcement is done through the Framework that has been implemented through the LSM as such and some of the examples of the SL Selenix and the other LSM modules that basically Implements the enforcement policies security and smooth policies as such So when you say security aspects like basically what we would look be looking at in the signals or the events are the Activities that is happening or the system as such like the the process that are running they are executing and modifying the Different configuration it might be file configuration or the actual inter internal kernel resources as such and And those activities it might be Very well planned or what is expected it has to do Other than that it could be something not very good as a not very Expected that is some kind of suspicious program or malware that is trying to go in tempo or modify the useful resource as such for those activities has to be monitored or actions has to be taken as such Like someone some some applications trying to do some LD preload as such It might be doing as it is expected to do or it might be trying to load some library that is My compromise your system as such so though all those actions It might be legit or illegit as such so the The counterpart of those actions or events is the mitigation as such if something has been tempered or compromised how that what What appropriate actions would be taken to mitigate those damages as such so some of the things is like white listening means like one of the What is same the aspects of a dynamic kernel dynamic memory loading that is kernel modules so to ensure the integrative this corner modules white less than the kernel modules and If someone is trying to load Some malicious program through the kernel module than what actions should be taken as such also the activities like About the external devices USB devices preventing mounting of USB drivers so and also like If it has been Encountered or it has been known that there is some vulnerabilities in the libraries or in the library or in the binaries that has been deployed on to Various servers as such in the network in that case the mitigation action would be like going and patching all that servers with the corrected Libraries as such before it goes before it more damage happens as such so One way that we looked at is the Monitoring that has been done and in the Linux kernel the framework that is there is the Linux audit framework so Linux Audit framework basically provides a controlled access Protection profile that basically provides collects the information About the events that is happening that might be related to security or non-security events as such And that helps to track the track actions performed on the system to analyze like what is happening on system like It works by listening to the events report events And it does the work of logging them into the file as such and then basically The application that are using that does it on the monitoring and making use of this log audit log Audit subsystem basically they collect this information in the log files and then further processing is done on that On that events that has been collected as such So basically this audit framework helps you to figure out what if something bad is happening as such But in this case of audit framework it Does not provide the actual security additional security as such So if something bad has happened Then based on the logs that you can you get to know that that is bad is bad happening So but the action is not taken as miss as a security engineer What you do based on the logs you will go and update the policies security policies so that for the damage does not happen But your mitigation is not provided. So What do you say? Logging and mitigation. They are considered there. They are happening separately as such the damage has happened And you are trying to you are trying to make the system more secure based on the damage that is there as such So audit audit subsystem might not always be a good option as such. They say also it is like the framework that is part of the current so if New policies has to be added or some changes has to happen then that that that delays the whole of the Mitigation cycle as such So So that's where we look at another Framework that is been provided in the kernel called is the LSM. That is a Linux security Module as such so here in this case the Linux security module Basically, it is used to implement the mandatory access control as such By implementing the security policies and that can be done without modifying the kernel like from the security point of view application white listening has been Proved to be one of the effective ways to medicaid any kind of cyber attacks as such and those mitigations one of the recommended way is considered this LSM Linux security module as such so basically It LSM itself does not provide a security, but it provides a framework as such Whereby you can enforce the security policies and this LSM framework what it does it? It provides a set of hooks Which helps to mediate or various operations in the kernel because the hooks can be added at the various kernel subsystem locations as such and along with the Hooks, there is another security fields that is there Secure field that has been added to To a lot of kernel data structures as such so all that security information can be can be stored on Through this white basically are nothing but a white point is so like if you look at the Task structure, you'll have a security pointer for that and these these white pointers They are basically been used by the security hooks as such So just to give an a summary of this LSM that they are being categorized as a major major LSM's and minor LSM's as such And the example of major LSM is the AC Linux app more as such as You guys might be aware of as such and the minor ones. They are also Provide a particular functionality and they sit on top of the major LSM's as such and here in this case basically The framework It the LSM framing helps you to implement the security policies and It does through initializing the set of the hooks that can be added as such So wherever the security has to be enforced those security Hooks has to be implemented here. This is just it. This is an example and The of the security that is done through the one of the LSM taking an example of Vyama as a LSM as such and most of the code for this LSM resites in the security directory security dot c basically provides the framework the core framework of the LSM as such and the initialization happens with this security in it and Basically what it does it it will go and register the different security hooks for that particular LSM API that I'm just noted on is the Security and hooks as such so we are basically we pass the pointer to the data structure where all the security Hooks are being initialized So this is this area that talked about So here in this case again taking the example for Yama LSM as such So here the hooks that are been defined at the P trace Pre-trace access then peace they control and task-free. So these are the places where this LSM hooks will be Attached as such so based on I actually this there is a whole list of security hooks that can be implemented So if whatever the LSM that has been used it will define all this security hooks and the based on the policies that has to be enforced when that particular system call or particular Colonel code path has to take care of the security this LSM hooks get triggered as such So task repair is basically this is the function and that has been called when the process is terminating as such minute Does the work of releasing all the resources and I saw so at that time Based on the policies if some particular action has to be taken then that has to be implemented as part of the second Parameter that we see that is the function that would call will be get called when the task-free Apia is called as such So for example like a Yama P trace trace me as they These are the hooks for the P trace system call as such So the P trace system fall basically Internally in the pretrace dot see there is P trace me which goes and calls this function security underscore P trace and Internet it goes and called the LSM hook as such. So this is the way The LSM hooks are being called basic the LSM hooks there can be multiple LSM hooks Unable at the time and they are like linked lists They are changing the linked lists as such so whatever the function hooks that are being defined that will get executed one after the other So here just to give you a flow of an open open system call as such So open system call is basically the input parameters open system call goes the file name at the Various more parameters flag as such. So here in this case The system call is dispatched and the path name that is a file name is used to obtain the kernel data structure That is a file. I know that file file data structure and the I know data structure that represent the file that has been opened and If the input parameter that is a file name is correct and the permissions are been set then It will go for the further Processing otherwise it returns the error then then the normal Discrete access that is a discrete access control The security that is the default in external security where file permissions are checked as such So if the application the process was opening the file has the appropriate permissions or not That error checking happens if that succeeds then the if there are the LSM's that are being enabled and The corresponding LSM hooks if they are been defined then those LSM hooks will be called so here in this case like suppose an LSM is defined and there is a Hope for open file open file open event as such so this LSM hook will be called and based on the policies that has been implemented that will be executed and if suppose you have the LSM basically the framework works like Let me show you I have a diagram for that So basically LSM or LSM framework works The set of the hooks that are been defined in the kernel and from the user space those are the policies that has to be defined so the the policies Based on the policies they LSM hopes takes the decision suppose the Alice policy has been defined such that the File open should not happen for a particular a process a particular process or set of pause It should not open the files like in case of a configuration files or network network configuration files like every user will not be given the access as such so Based on the policy if the rule says that the particular user is not allowed to access that file in that case the LSM hook would return an error and then It would return an error and then that that that means that the that Enforcement of policy has executed as such and if that there's no enforcement or that is then the it would return The open system call will execute successfully and it will return the file descriptor Whatever it is that to the application as such But if the policies that have been enforced is checking that it is it has to deny the operation Oh, that's not allow the operation and then in that case particular It will appropriately take an action and return an error as such So that's how the LSM hooks works as such So basically now what we wanted to look at is The the way till now the LSM hooks before this LSM BFFR LSM was LSM framework is part of the Linux kernel. That is They are not implemented even as a kernel module that because it deals with the security It is it is in the in the kernels whatever the kernel Whatever the LSM that are defined and what are the Functionality has support those are been used as such But to cater to the security needs another framework that has been That can be very effectively used is the BPF framework as such So BPF framework can be used to implement the LSM hooks as such So here what we are going to look at is how this BPF framework can be used to implement the LSM and that Uh That is that the this framework got introduced in since 5.7 kernel That is a extended LSM extended BPF functionality. So basically that allows the Security is to design the custom policies Which can be injected into the kernel At a runtime and the the security policies can be changed based on the behavior Or based on the requirement use cases as such it does not has to be fixed as such So those can be implemented through the BPF programs So you can implement the BPF programs as per the security requirements and they can be run They can be executed runtime or modified as in one needed as such and that's where the BPF programs Will be exposed by the LSM framework as such The BPF programs implement the policies without configuring the kernel or without using the kernel modules So whenever the Prior to this there was always a concern of implementing security policies other than LSM kernel module So a kernel module was not a very secure V as such Because there is always a possibility of having Some bugs in the kernel module causing the kernel to crash and as such So to mitigate that to come up with that drawbacks LSM framework BPF framework Is a very good option where this dynamically the process policies can be uploaded as such And as a BPF framework provides the secure execution environment That also Eliminates the possibility of system getting crash as such As the BPF programs have this verified as such which gets Verified when the BPF programs are loaded and executed when the LSM hooks are Arranged as such in that particular kernel code path So to summarize BPF as such is it's a kernel technology That allows the cost developers to write the code That can be loaded into the kernel runtime as such And it also helps to make changes to the kernel code path or Add the logic that you would like to add as part of the security enforcement as such And basically like when you see a BPF frame what is consists of the instruction set The different types of storage objects and the helper functions as such And basically it can be considered as a virtual virtual machine Which Which runs the BPF program in the isolated environment as such and that is done by Executing this bytecode With the verify ensures that the bytecode that the program that is getting loaded Ensures the integrity some of the checks that it does that It does not have a loop Infinite loop or a cycling dependency is not there And all those checks have been done by the verifier as such And these programs they are event-driven and they run When the kernel passes a certain particular these these are the BPF programs that get attached To a particular hooks in the kernel and whenever an application executes that kernel control path and hits that particular A kernel control this will be a programs who would be executed and There can these BPF programs can be attached to different at different locations as such What you call as the hooks that can be attached to system calls function entry or exit kernel trace points network events Scheduling algorithms on various other places as such Okay, so lsm BPF programs is like these programs allow the runtime instrumentation of the lsm hooks as such so here in this case you can program you can What do you say? Define the BPF programs and attach to the lsm hooks as such so whenever that lsm hooks is executing The attached BPF program would be executed and thereby we can you can you can implement some policies That has to be enforced on that particular control path as such Okay, so basically what do you could do? This what this is helping is used to implement some mandatory access control policies onto that particular Kernel control pass means As such so here in this diagram lsm hooks into BPF programs go into lsm hooks and basically it uses the helper functions and set of helper functions like suppose any kernel lsm hooks are been attached to Add some policies enforcement policy policies at the process level as such so the different hooks can be at the process creation process Creation or exit time so the lsm hooks can be added at the apis at fork system call or exit system call or exit system call or task free those kernel apis as such And when when you see the BPF program, they are the written user space application as such And this BPF program might be implemented might go and access the data structures as such so The definition and syntax of that thing has to be taken care as such and are ones that if Also another thing that is needed to select to send that data to user space as such all those things has been taken care by the BPF library as such okay And based on the policies the action can be taken whether to allow that particular operation to happen or not as such So all that functionality goes as part of the BPF program And the places where the hooks can be attached And the policies can be enforced can be for the file operations like opening creating moving or read moving or renaming the files Or mounting un-mounting the file systems in case of process management scheduling the task process creation exiting the process or What things that are needed as part of the scheduling this then changing user group identity of the process that you might want to ensure that the What you say the System calls like set set uid get uid and changing the permissions all those are the places where The BPF Programs can be hooked as such and of course the network operations We use network layer socket layer or tcp IP layer or at the lower levels as such Okay, so basically The programs can be attached at most of the system subsystems within the kernel control paths And these were suggested on These are some of the header files that will give you the idea What are the different function function pointers that are defined which can be implemented as Which can be implemented and whether it can attach to the lsm hooks as such So the requirement one of the requirements that this lsm bp lsm implementation using the BPF has been added in 5.7 carol. So that is the base Minimum requirement that is needed and other than that some kernel configs that are needed For getting for making use of the lsm bpf framework as such okay So these are just the this BPF is one of the concepts that we need to look at as the It it can it show it basically is used to represent the format type the The date because the kernel data structure access from the user is the program bpf programs And from the user programs the kernel data types The whole data structure might not be visible as such. So for that the one of the this BPF time format has been defined Which provides the metadata which encodes the debug information about these programs as such Okay, and basically it is used to have an understanding between the Contract between the user space and the kernel space like from the view program supposed BPF program is written for task creation So in that case the task data structure So to access the different elements of the task structure The definition of task has to be available with the user space program as such So that has been done through this big framework as such. So that is where the kernel config provides that interface as such And also at the At the application level that is the understanding between the elf file because basically what we're doing is we are loading That binary into the kernel space the of the whole of elf format understanding has to be done which the Libbpf libraries uses the various Helpful functions go and extract that kernel data structures as such So Basically as an application BPF program Or you might not need to know each and every element of the data structure you can make use of the help of functions as such Okay, so that has been taken care by the BPF so when we say about the when you when you talk about Implementing the BPF BPF program. So that is basically a user space program Uh, which uh, basically, uh, which has to be compiled Compiled into bytecode that will be loaded into the kernel kernel space as such And that is done through this So the BPF programs, they are described. There are different programs as such that has been described So you have we have to the library library provides the macros for doing that so BPF BPF program as such and here in this case the library Provides the helper apis to deal with the LSM interface The BPF programs they can be hooked to the kernel probes or trace points or the other events And also they can be hooked to the LSM interface. So there would be a set of apis for interacting with the LSM hooks as such Okay, so here in this case this the way it goes is like the BPF programming It will have two parts. One is the BPF program and another is there is will be another application that would Do the work of loading this BPF program into the kernel memory as such and attaching it to the different hooks. So that's where this This this My mouse has not been seen. So here that's the attachment to the LSM hooks comes And that attachment or loading is happens from the application Through the BPF system call itself as such the BPF system call will do the work of loading that BPF program into memory and verification as such Okay, let's See one app like demo application that will give us a better idea Okay, so this I have for demonstration purpose. I've So this is My file that I am writing a hook for demonstration. What we what we will do is will implement a hook that will attach execute Whenever a nice Nice nice is a system call that is used to change the priority of the process as such So what we can do is we can enforce some policies that particular Like as a security policy like every every application every process should not be able to change the priority It's for other any other process. So this policies can be ensured by implementing the by implementing the BPF program and Writing and tracing The hooks putting the hooks at the nice system. So this is an example of a nice system call as such So here in this case, this is this is the program basically What we're doing is Like if you look at this This is the main application program. The one part is the BPF program that is another and another one is the do go and load that BPF program as such So this is doing the work of loading the BPF program Into the memory as such attaching to the hooks the related to the nice system call as such So here the These are the library functions that have been used to perform that operation. So here this This API basically does is loading Opening and loading the BPF program as such and attaching that BPF program to that particular hook And that says once this is done It is just waiting till that hook gets removed as such. Okay So other than that Let's look at the actual BPF Program that would do some enforcement as such Okay, so so this is this is the framework that has been used to tell us that Yeah, this is the hook that is to be implemented attached to the lsm as such so here you here The API is the set task set nice api where the BPF program would be attached and you're Basically, it's it's a dummy function Not doing much like if the nice value in the nice value that is used to set the priority If it is minus minus means if you're setting to a higher priority Value as such then that should not be permanent permitted So you're just checking the value if it is less than zero then return an error as such By default when you do a set when you do nice or re nice The process priority can be changed by any any any user as such Right. So if the if that Some enforcement has to be done Some policies has to be implemented then it can be done and here this is a very simple example as such Okay, so what we have to do is we have to compile this BPF program And the main application will do the work of loading that into the memory and what we'll do is We'll just look at the BPF trace pipe to see how this operations happen as such Let me see if I have compiled this All right, let me do it. I'll compile actually this I've taken Okay, so it is already there So here it has done attach the BPF program to the set nice. So what we'll do is in another This is the pipe that is there that's to that What to say We get all the BPF traces that comes from the BPF programs as such Okay, just like something the kernel log which what we get as such just bear with me My system needs Okay, so here in this case Oh, this is all about the LSM using the BPF framework as such our BPF been Used to implement the LSM or Linux kernel security modules as such So that's That's all I have for this talk as such any questions Okay, thank you guys