Linux Kernel Exploit — Part 2
Configure And Build Your Own Secure Linux Kernel
One of the best ways to get a feeling for the Linux kernel internals and security features is to configure its settings and then compile it. Most GNU/Linux users and administrators use kernels configured and provided by the community (free and open source distributions) or corporate sponsors (e.g. Red Hat Enterprise Linux, SUSE Linux Enterprise, Canonical Ubuntu).
The goal of this article is to give you an idea of how to configure a kernel with customized and/or fewer features, which reduces the chances of an attacker breaking into your systems. For that purpose we will be using the 32-bit Ubuntu 12.04 LTS (Long Term Support) distribution.
Lab configuration:
* 32-bit Ubuntu 12.04 LTS virtual machine running on:
* VMware Fusion 5.0.1 installed on Mac OS X 10.7.4 (2.66 GHz Intel Core i7 MacBook Pro with 8 GB RAM).
The Stock Kernel (aka Vanilla or Mainline or Linus Linux Kernel)
The stock kernel (aka vanilla, mainline or Linus Linux kernel) is the generic kernel developed and maintained by the kernel.org (The Linux Kernel Archives) repository. Kernel.org developers associated with The Linux Kernel Organization constantly keep adding features to the kernel, including security improvements and patches.
For the purpose of this article, we will recompile the stock kernel. Linus Torvalds began work on Linux in April 1991 and announced it on August 25, 1991, in a message to the comp.os.minix Usenet newsgroup. Linus is one of the Linux Kernel Organization board members and the owner of the Linux registered trademark. In his blog, he explains that his life is glamorous and that these days he usually writes code in the mail reader, mostly telling people "do it like this" rather than actually writing real code:
http://torvalds-family.blogspot.ca/2011/02/pearls-before-swine.html
Linus Explains Linux Trademark Issues:
http://slashdot.org/story/00/01/19/0828245/linus-explains-linux-trademark-issues
https://lkml.org/lkml/2005/8/20/95
The current maintainers of the -stable branch of the Linux kernel are Greg Kroah-Hartman and Chris Wright. Kernels that are close to release but not yet ready are called release candidates and carry an -rc suffix.
-rw-r--r-- 1 root root 144K Apr 10 19:17 config-3.2.0-23-generic-pae
-rw-r--r-- 1 root root 144K Sep 7 10:50 config-3.2.0-31-generic-pae
cp /boot/config-3.2.0-23-generic-pae ~/config-3.2.0-23-generic-pae.backup
cp /boot/config-3.2.0-31-generic-pae ~/config-3.2.0-31-generic-pae.backup
Stock Kernel Security Updates
The Linux Kernel developers communicate via The Linux Kernel Mailing List:
This is a high-traffic list with an average of around 400 messages per day, so you might prefer other sources for Linux kernel related news, including security related updates:
Kernel Coverage at LWN.net (weekly news) http://lwn.net/Kernel/
LinuxSecurity.com — The Community’s Center for Security http://www.linuxsecurity.com/
Distribution-Specific Kernel Security Updates
The command to update packages on Red Hat and Red Hat derived systems is yum update.
yum update includes the latest Linux kernel versions. When updating production systems, system administrators often exclude kernel updates until they have tested them on test systems first. To skip kernel updates, use the yum --exclude=kernel-* option (Listing 4).
Listing 4. Exclude kernel updates on Red Hat based systems
yum update --exclude=kernel-*
On Ubuntu and Ubuntu based systems, the command to update packages is
apt-get update
This downloads the lists of available packages from all configured repositories to find out whether any installed packages need updating. To actually upgrade the system, use apt-get upgrade, which downloads and installs the packages. Thus, to update all packages, including the kernel, run both apt-get update and apt-get upgrade (Listing 5).
Listing 5. Update all packages, including kernel, on Ubuntu based systems
apt-get update && apt-get upgrade
Kernel Development Software
We need to make sure that the system has the C libraries and compilers, kernel header files and related development tools (Listing 6).
Listing 6. Ensure that the system has necessary development software
apt-get install fakeroot kernel-package build-essential ccache libncurses5 libncurses5-dev
Good Practice
After testing the new kernel and making sure that it works, you should remove the kernel development software from a production system.
Download The Stock Linux Kernel and Verify Its Digital Signature
Visit the Linux Kernel Archive and check which release is the latest: https://kernel.org.
At the time of this writing (September 22, 2012), the latest release is 3.5.4. Download the latest release and the corresponding PGP signature (Listings 7-10). Note the "key ID" and download this key from the key servers (Listing 11). At this point you can follow the instructions from the Linux kernel releases PGP signatures page (Listing 12).
Listing 7. Download the most recent kernel source
wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.4.tar.xz
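The download-and-verify steps above, collected into one script as an added example (not code from the original article). It assumes the kernel.org layout used by Listing 7: the detached signature sits next to the tarball as linux-3.5.4.tar.sign and covers the uncompressed .tar, so the .xz must be decompressed before gpg --verify. KERNEL_SIGNING_KEY_ID is a placeholder for the "key ID" that gpg reports on the first verification attempt; it is not a value from the article.

```shell
#!/bin/sh
# Added example, not from the original article: fetch a kernel.org release
# tarball plus its detached PGP signature and verify it with GnuPG.

KERNEL_SIGNING_KEY_ID="0xPLACEHOLDER_KEY_ID"   # placeholder: use the key ID gpg reports

# linux-3.5.4.tar.xz -> linux-3.5.4.tar.sign (kernel.org naming convention)
sig_name_for() {
    printf '%s\n' "${1%.tar.*}.tar.sign"
}

# linux-3.5.4.tar.xz -> linux-3.5.4.tar (the file the signature actually covers)
tar_name_for() {
    printf '%s\n' "${1%.tar.*}.tar"
}

# Download the tarball and the signature that lives beside it on the server.
fetch_release() {
    url="$1"
    wget "$url" && wget "$(dirname "$url")/$(sig_name_for "$(basename "$url")")"
}

# Import the signing key from the key servers (Listing 11's step).
import_signing_key() {
    gpg --recv-keys "$KERNEL_SIGNING_KEY_ID"
}

# Returns 0 only when tarball and signature exist and gpg reports a good signature.
# unxz -k keeps the .xz so a failed check leaves the download untouched.
verify_kernel_tarball() {
    tarball="$1"
    sig="$(sig_name_for "$tarball")"
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    [ -f "$sig" ]     || { echo "missing $sig" >&2; return 1; }
    unxz -k -f "$tarball" || return 1
    gpg --verify "$sig" "$(tar_name_for "$tarball")"
}

# Typical session (network and gpg required):
#   fetch_release http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.4.tar.xz
#   import_signing_key
#   verify_kernel_tarball linux-3.5.4.tar.xz && echo "signature OK, safe to unpack"
```

Only unpack and build from the .tar after verify_kernel_tarball returns 0; a "BAD signature" or a missing key means the download should not be trusted until the cause is understood.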
Listing 17. Getting familiar with make utility
make help | less
After that, use the make menuconfig kernel configuration tool, a menu-driven interface that lets you choose which features of the Linux kernel will be compiled (Figure 1).
How the kernel talks to the BIOS, whether to support PCI or PCMCIA, options for embedded systems, kernel compression modes, etc.
Apart from the "Automatically append version information to the version string" option (see the Tip! box below the table) and, if you would like to enable it, the "Enable access to .config through /proc/config.gz" option, you will most likely not change any options in this section.
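Because menuconfig only writes a .config file, it is worth confirming what it actually saved before building. The script below is an added example (not from the original article) that reads individual symbols out of a .config, treating the "# CONFIG_X is not set" form as "n". The two options discussed above correspond to CONFIG_LOCALVERSION_AUTO and CONFIG_IKCONFIG_PROC in the kernel's Kconfig; the SAMPLE_CONFIG text is constructed for the example, so run report_config against your real ~/linux-3.5.4/.config in practice.

```shell
#!/bin/sh
# Added example, not from the original article: inspect symbols in a kernel .config.

# Constructed sample .config (not a real configuration): the version-string option
# is on, /proc/config.gz support is compiled in but not exposed through /proc.
SAMPLE_CONFIG='# Automatically generated file; DO NOT EDIT.
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_IKCONFIG=y
# CONFIG_IKCONFIG_PROC is not set
CONFIG_MODULES=y'

# Write the sample to a temporary file and print its path.
write_sample_config() {
    f="$(mktemp)"
    printf '%s\n' "$SAMPLE_CONFIG" > "$f"
    printf '%s\n' "$f"
}

# config_value FILE SYMBOL: prints the value (y, m, number or quoted string),
# prints "n" for "# SYMBOL is not set", and returns 1 if the symbol is absent.
config_value() {
    file="$1"; sym="$2"
    if grep -q "^${sym}=" "$file"; then
        grep "^${sym}=" "$file" | head -n 1 | cut -d= -f2-
    elif grep -q "^# ${sym} is not set\$" "$file"; then
        echo n
    else
        return 1
    fi
}

# Report the two General setup options discussed in the text.
report_config() {
    file="$1"
    for sym in CONFIG_LOCALVERSION_AUTO CONFIG_IKCONFIG_PROC; do
        val="$(config_value "$file" "$sym")" || val="(absent)"
        printf '%-28s %s\n' "$sym" "$val"
    done
}

# Stand-alone demo on the constructed sample; on a real tree use:
#   report_config ~/linux-3.5.4/.config
cfg="$(write_sample_config)"
report_config "$cfg"
rm -f "$cfg"
```

An absent symbol is reported separately from "n" because it usually means the option does not exist in that kernel version or its dependencies are unmet, which is a different situation from having deliberately turned it off.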
Listing 18. Build the kernel
HOSTCC arch/x86/tools/relocs
Found linux image: /boot/vmlinuz-3.5.4
HOSTCC arch/x86/tools/relocs
Figure 2. GRUB2 boot menu
* /proc/sys/net/ipv4/tcp_syncookies
* Enable Reverse Path Filtering: /proc/sys/net/ipv4/conf/all/rp_filter
* /proc/sys/net/ipv4/ip_forward
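A small audit for the three /proc/sys entries listed above, as an added example that is not part of the original article. It compares each key against a baseline and returns the number of deviations, so it can run from cron or a configuration check. The baseline values (tcp_syncookies=1, rp_filter=1, ip_forward=0) are this example's assumptions for a host that is not a router; the article itself only names the paths and asks for reverse path filtering to be enabled. The sample directory is constructed so the script runs anywhere; on a live system call audit_sysctls /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original article: audit IPv4 sysctls against a baseline.

# Baseline (assumed values for a non-routing host): "key expected" per line.
BASELINE='net/ipv4/tcp_syncookies 1
net/ipv4/conf/all/rp_filter 1
net/ipv4/ip_forward 0'

# audit_sysctls ROOT: prints ok / MISMATCH / missing for each key under ROOT
# (normally /proc/sys) and returns the number of keys not at the expected value.
audit_sysctls() {
    root="$1"; bad=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        if [ -r "$root/$key" ]; then
            actual="$(cat "$root/$key")"
            if [ "$actual" = "$expected" ]; then
                printf 'ok        %s = %s\n' "$key" "$actual"
            else
                printf 'MISMATCH  %s = %s (want %s)\n' "$key" "$actual" "$expected"
                bad=$((bad + 1))
            fi
        else
            printf 'missing   %s\n' "$key"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# Constructed /proc/sys look-alike with reverse path filtering deliberately left off.
make_sample_proc() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/net/ipv4/conf/all"
    echo 1 > "$dir/net/ipv4/tcp_syncookies"
    echo 0 > "$dir/net/ipv4/conf/all/rp_filter"   # should be flagged as MISMATCH
    echo 0 > "$dir/net/ipv4/ip_forward"
    printf '%s\n' "$dir"
}

# Stand-alone demo on the constructed directory; on a live system run:
#   audit_sysctls /proc/sys
d="$(make_sample_proc)"
audit_sysctls "$d" || echo "$? sysctl(s) deviate from the baseline"
rm -rf "$d"
```

Reading /proc/sys shows the running values, which is what matters for a check; a value fixed with sysctl -w is lost at reboot unless it is also written to /etc/sysctl.conf, so auditing both the live tree and the configuration file is the usual practice.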
Originally published at https://learncybersec.blogspot.com.