[elrepo] Anyone using Trusted Path Execution (kmod-tpe) on RHEL7?
Phil Perry
phil at elrepo.org
Sun Jun 11 14:42:03 EDT 2017
Hi Folks,
For those with an interest in security, I would like to know if anyone
has tried our kmod-tpe package which implements Trusted Path Execution
on RHEL7? If not, let me share with you...
Trusted Path Execution is not a new idea [1] and is probably best known
from its implementation in Grsecurity. Corey Henderson has
written an implementation of TPE [2] for the linux kernel using ftrace
[3]. I've been working with Corey over the last couple months to package
and test his latest work as kmod-tpe in the elrepo repository for RHEL7
users.
Trusted Path Execution works on the principle that only binaries that
are owned by root and writable only by root, and are located in
directories that are owned by root and writable only by root, may be
executed. Under normal circumstances, these would be executables located
in trusted paths such as /usr/bin or /usr/sbin.
So why is this useful? I think Corey's explanation is to the point:
$ gcc -o exploit exploit.c
$ chmod 755 exploit
$ ./exploit
-bash: ./exploit: Permission denied
This could be a malicious user on a multi-user workstation seeking to
try out the latest zero-day privilege escalation exploit for root
access, or maybe someone who has gained system access and is looking to
run their own exploits or code.
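To make the rule above concrete, here is a userspace model of the TPE trust check as I read it from the description (this is an added illustration, not code from kmod-tpe or Corey's module). It assumes "writable only by root" means owner uid 0 with no group/other write bits, and it evaluates the containing directory before the file, so a root-owned binary dropped into a world-writable directory such as /tmp is still untrusted.

```python
"""Userspace model of the Trusted Path Execution rule (illustration only)."""
import os
import stat
from typing import NamedTuple, Tuple


class Attrs(NamedTuple):
    """The two stat fields the rule looks at (constructed, or from os.stat)."""
    uid: int
    mode: int


# Assumption: "writable only by root" = uid 0 and no group/other write bits.
_NON_ROOT_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _trusted(attrs: Attrs, what: str) -> Tuple[bool, str]:
    if attrs.uid != 0:
        return False, f"{what} not owned by root (uid {attrs.uid})"
    if attrs.mode & _NON_ROOT_WRITE:
        perms = oct(stat.S_IMODE(attrs.mode))
        return False, f"{what} writable by group/other (mode {perms})"
    return True, f"{what} ok"


def tpe_decision(file_attrs: Attrs, dir_attrs: Attrs) -> Tuple[bool, str]:
    """Apply the rule to a binary and its containing directory (dir first)."""
    for attrs, what in ((dir_attrs, "directory"), (file_attrs, "file")):
        ok, reason = _trusted(attrs, what)
        if not ok:
            return False, reason
    return True, "trusted path"


def check_path(path: str) -> Tuple[bool, str]:
    """Evaluate a real executable on this host (reads the filesystem)."""
    st_file = os.stat(path)
    st_dir = os.stat(os.path.dirname(os.path.abspath(path)) or "/")
    return tpe_decision(Attrs(st_file.st_uid, st_file.st_mode),
                        Attrs(st_dir.st_uid, st_dir.st_mode))


# Constructed sample cases mirroring the scenario in the post:
ROOT_DIR = Attrs(0, 0o40755)            # /usr/bin-style directory
SYSTEM_BIN = Attrs(0, 0o100755)         # root-owned executable, mode 0755
HOME_DIR = Attrs(1000, 0o40700)         # the user's home directory
USER_EXPLOIT = Attrs(1000, 0o100755)    # gcc -o exploit; chmod 755 exploit
TMP_DIR = Attrs(0, 0o41777)             # root-owned but world-writable (/tmp)
GROUP_WRITABLE_BIN = Attrs(0, 0o100775)  # root-owned but group-writable

if __name__ == "__main__":
    for name, f, d in (("system binary", SYSTEM_BIN, ROOT_DIR),
                       ("./exploit in $HOME", USER_EXPLOIT, HOME_DIR),
                       ("root binary in /tmp", SYSTEM_BIN, TMP_DIR)):
        print(name, tpe_decision(f, d))
```

Running check_path() over the executables you intend to whitelist is a quick way to see which denials to expect before loading the module on a workstation.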
Besides pure TPE, Corey's implementation also adds a whole raft of other
kernel-related security features which he has introduced as "extras".
These may be enabled/disabled in the config file and include
restricting non-root users from viewing the kernel version (uname),
viewing loaded kernel modules (lsmod, /proc/modules), viewing the kernel
symbol table (/proc/kallsyms), viewing processes they don't own (ps),
and running ptrace operations.
I've been running the latest v2 kmod-tpe on RHEL7 since its release a
couple of months ago and can report it's extremely stable. In a server
environment it just works with zero configuration and does what it's
intended to do. I would suggest that for anyone running a RHEL7 server,
kmod-tpe is pretty much a no-brainer addition to your security toolbox.
We have had a few initial teething issues with kmod-tpe in a desktop
environment (DE) and have had to whitelist a few desktop applications
that experienced unwanted denials. This has allowed Corey to develop
better logging and whitelisting options to allow system administrators
to deal with any issues that may arise in a workstation environment. In
general, the logs will inform you of any denials that have occurred and
how to whitelist those executables if they are trusted (much like
SELinux does).
So if anyone would like to give kmod-tpe a try, please do so. We are
here to support you and help with any issues that may arise, but I am
very confident we have an excellent implementation of a fantastic piece
of software that I believe deserves a far wider audience than it might
otherwise be getting. Please use, discuss and share!
Phil
[1] http://phrack.org/issues/52/6.html#article
[2] http://cormander.com/2017/04/tpe-lkm-version-2-released/
[3] http://cormander.com/wp-content/uploads/2017/04/Distribution-Kernel-Security-Hardening.pdf