VED (Vault Exploit Defense): Protect the Linux kernel

Vault Labs, HardenedVault Limited

Background

A long-running battle for control of the “CORE” in memory has been waged since Aleph One published the paper Smashing The Stack For Fun And Profit in Phrack Issue 49 in 1996. Attackers mostly targeted user space over the following decade, but as userland mitigations became widespread, more attackers shifted the “CORE” to the kernel. We have been through the dark age of Linux kernel security, when “one null-pointer dereference can pwn them all”. Brad Spengler, one of the PaX/Grsecurity authors, disclosed the state of Linux kernel security to the public via the Washington Post, which led to some reactions from the megacorps of the world: Google, Red Hat, ARM and Intel launched a project called KSPP (Kernel Self-Protection Project) intended to solve the problem. Unfortunately, KSPP has largely collapsed for several reasons, while Linux has moved into more critical infrastructure, such as power, energy, the Internet of Vehicles, ICS (Industrial Control Systems), etc. The issues of Linux kernel security remain unresolved.

The problem is hard to solve

Our solution: VED (Vault Exploit Defense)

To help customers solve these problems, HardenedVault developed a Linux kernel 0day protection solution called VED. The threat model is basically as follows:

Some crucial features in VED:

Situational hardening: Automotive industry

According to Upstream Security's Global Automotive Cybersecurity Report 2020, attacks via the cloud, infotainment and ECU/TCU/GW account for 27.22%, 7.69% and 5.03% respectively:

The proportion of Linux systems among these components is very high. Although Requirements on Security Management for Adaptive Platform (AUTOSAR AP R20-11) does set certain requirements for Linux security protection, they are closer to minimal requirements for the vendor. On the other hand, vehicles face a more serious situation in the wild:

The technical details have not kept pace with the times, and HardenedVault has recently proposed some amendments/suggestions.

Cloud native security architecture

Compared with on-premise hosts and virtual machines as the primary business support infrastructure, the Kubernetes architecture significantly reduces the difficulty of standardizing development and operations for the business, which is a security benefit; a cloud-native security architecture can largely be reduced to three components:

In a cloud-native security architecture, VED can either work alongside Falco or send its logs of blocked attacks to a SIEM/ELK platform for analysis.
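To make the SIEM/ELK path concrete, the following is an added example (not VED's or HardenedVault's code, and not VED's real log format): a small Python shipper-side parser that picks kernel-log lines tagged by a hypothetical "VED:" prefix out of dmesg-style output, converts the seconds-since-boot timestamp into an absolute UTC time so events line up with other sources, keeps only the events where something was actually blocked, counts repeated blocks per process as an alerting signal, and emits newline-delimited JSON of the kind a log shipper feeds to Elasticsearch. The sample log lines, the `VED:` prefix, the action/event names and the key=value fields are all constructed assumptions for this example.

```python
import json
import re
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample kernel log (dmesg style). The "VED:" prefix, the
# action/event vocabulary and the key=value fields are hypothetical
# assumptions for this example, not VED's real log format.
SAMPLE_KERNEL_LOG = """\
[  123.456789] VED: blocked event=rop_chain pid=4242 comm=exploit uid=1000 addr=0xffffffff81000000
[  123.500000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  124.000000] VED: blocked event=cred_tamper pid=4243 comm=exploit uid=1000 addr=0xffff888001234567
[  125.000000] VED: audit event=kallsyms_lookup pid=4244 comm=bash uid=0 addr=0x0
"""

# Constructed boot time; a real shipper would read it from /proc/stat (btime).
DEFAULT_BOOT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^\[\s*(?P<uptime>\d+\.\d+)\]\s+VED:\s+(?P<action>\w+)\s*(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ved_line(line, boot_time=DEFAULT_BOOT_TIME):
    """Parse one kernel log line into a JSON-ready dict; None if it is not a VED line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # dmesg timestamps are seconds since boot; convert them to an absolute
    # UTC timestamp so the event correlates with other SIEM sources.
    ts = boot_time + timedelta(seconds=float(m.group("uptime")))
    return {
        "@timestamp": ts.isoformat(),
        "source": "ved",
        "action": m.group("action"),
        "event": fields.get("event"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "uid": int(fields["uid"]) if "uid" in fields else None,
        "comm": fields.get("comm"),
        "addr": fields.get("addr"),
    }


def parse_kernel_log(log_text, boot_time=DEFAULT_BOOT_TIME):
    """Return every VED event found in a block of kernel log text, in order."""
    docs = []
    for line in log_text.splitlines():
        doc = parse_ved_line(line, boot_time)
        if doc is not None:
            docs.append(doc)
    return docs


def blocked_events(docs):
    """Keep only the events where the defense actually blocked something."""
    return [d for d in docs if d["action"] == "blocked"]


def blocked_by_process(docs):
    """Count blocked events per (comm, uid); repeated hits from one process are a strong alert signal."""
    return Counter((d["comm"], d["uid"]) for d in blocked_events(docs))


def to_ndjson(docs):
    """Serialize as newline-delimited JSON, the shape log shippers send to Elasticsearch."""
    if not docs:
        return ""
    return "\n".join(json.dumps(d, sort_keys=True) for d in docs) + "\n"


if __name__ == "__main__":
    events = parse_kernel_log(SAMPLE_KERNEL_LOG)
    sys.stdout.write(to_ndjson(blocked_events(events)))
    for (comm, uid), n in blocked_by_process(events).items():
        print(f"# {comm} (uid {uid}): {n} blocked events", file=sys.stderr)
```

In a real deployment the parser would read from the kernel ring buffer or journald rather than an embedded string, and the JSON documents would be posted to the Elasticsearch bulk API or handed to a shipper such as Filebeat; the per-process counter is the kind of aggregation a SIEM rule would turn into an alert.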

Real-life demo

We have received many enquiries about a couple of public vulnerabilities lately, so we demonstrated how VED can defeat a popular one found in kCTF (a Kubernetes-based infrastructure for CTF competitions).