system_hardening_features.md

File metadata and controls

107 lines (95 loc) · 16.2 KB

Introduction

This is a list of current and planned Chrome OS security features. Each feature is listed together with its rationale and status. This should serve as a checklist and status update on Chrome OS security.

Details

General Linux features

| Feature | Status | Rationale | Tests | Bug | More thoughts or work needed? |
| --- | --- | --- | --- | --- | --- |
| No Open Ports | implemented | Reduce attack surface of listening services. | security_NetworkListeners | | Runtime test has to whitelist test-system-only "noise" like sshd. See Issue 22412 (on Google Code) and ensure_* for offsetting tests ensuring these aren't on Release builds. |
| Password Hashing | When there is no TPM, scrypt is used. | Frustrate brute force attempts at recovering passwords. | | | |
| SYN cookies | needs functional test | In unlikely event of SYN flood, act sanely. | kernel_ConfigVerify | | |
| Filesystem Capabilities | runtime use only | Allow root privilege segmentation. | security_Minijail0 | | |
| Firewall | needs functional test | Block unexpected network listeners to frustrate remote access. | | Issue 23089 (on Google Code) | |
| PR_SET_SECCOMP | needs functional test | Available for extremely restricted sandboxing. | kernel_ConfigVerify | Issue 23090 (on Google Code) | |
| AppArmor | not used | | | | |
| SELinux | not used | | | | |
| SMACK | not used | | | | |
| Encrypted LVM | not used | | | | |
| eCryptFS | implemented | Keep per-user data private. | login_Cryptohome* | | |
| glibc Stack Protector | needs functional test | Block string-buffer-on-stack-overflow attacks from rewriting saved IP. | | Issue 23101 (on Google Code) | -fstack-protector-strong is used for almost all packages |
| glibc Heap Protector | needs functional test | Block heap unlink/double-free/etc corruption attacks. | | Issue 23101 (on Google Code) | |
| glibc Pointer Obfuscation | needs functional test | Frustrate heap corruption attacks using saved libc func ptrs. | | Issue 23101 (on Google Code) | includes FILE pointer mangling |
| Stack ASLR | needs functional test | Frustrate stack memory attacks that need known locations. | | | |
| Libs/mmap ASLR | needs functional test | Frustrate return-to-library and ROP attacks. | | | |
| Exec ASLR | needs functional test | Needs PIE, used to frustrate ROP attacks. | | | |
| brk ASLR | needs functional test | Frustrate brk-memory attacks that need known locations. | kernel_ConfigVerify | | |
| VDSO ASLR | needs functional test | Frustrate return-to-VDSO attacks. | kernel_ConfigVerify | | |
| Built PIE | needs functional test | Take advantage of exec ASLR. | platform_ToolchainOptions | | |
| Built FORTIFY_SOURCE | needs functional test | Catch overflows and other detectable security problems. | | | |
| Built RELRO | needs functional test | Reduce available locations to gain execution control. | platform_ToolchainOptions | | |
| Built BIND_NOW | needs functional test | With RELRO, really reduce available locations. | platform_ToolchainOptions | | |
| Non-exec memory | needs functional test | Block execution of malicious data regions. | kernel_ConfigVerify | | |
| /proc/PID/maps protection | needs functional test | Block access to ASLR locations of other processes. | | | |
| Symlink restrictions | implemented | Block /tmp race attacks. | security_SymlinkRestrictions.py | Issue 22137 (on Google Code) | |
| Hardlink restrictions | implemented | Block hardlink attacks. | security_HardlinkRestrictions.py | Issue 22137 (on Google Code) | |
| ptrace scoping | implemented | Block access to in-process credentials. | security_ptraceRestrictions.py | Issue 22137 (on Google Code) | |
| 0-address protection | needs functional test | Block kernel NULL-deref attacks. | kernel_ConfigVerify | | |
| /dev/mem protection | needs functional test | Block kernel root kits and privacy loss. | kernel_ConfigVerify | Issue 21553 (on Google Code) | crash_reporter uses ramoops via /dev/mem |
| /dev/kmem protection | needs functional test | Block kernel root kits and privacy loss. | kernel_ConfigVerify | | |
| disable kernel module loading | how about module signing instead? | Block kernel root kits and privacy loss. | | | |
| read-only kernel data sections | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
| kernel stack protector | needs functional test | Catch character buffer overflow attacks. | kernel_ConfigVerify | | |
| kernel module RO/NX | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
| kernel address display restriction | needs config and functional test | Frustrate kernel exploits that need memory locations. | | | Was disabled by default in 3.x kernels. |
| disable debug interfaces for non-root users | needs config and functional test | Frustrate kernel exploits that depend on debugfs. | | Issue 23758 (on Google Code) | |
| disable ACPI custom_method | needs config and functional test | Frustrate kernel exploits that depend on root access to physical memory. | | Issue 23759 (on Google Code) | |
| unreadable kernel files | needs config and functional test | Frustrate automated kernel exploits that depend on access to various kernel resources. | | Issue 23761 (on Google Code) | |
| blacklist rare network modules | needs functional test | Reduce attack surface of available kernel interfaces. | | | |
| syscall filtering | needs functional testing | Reduce attack surface of available kernel interfaces. | | Issue 23150 (on Google Code) | |
| vsyscall ASLR | medium priority | Reduce ROP target surface. | | | |
| Limited use of suid binaries | implemented | Potentially dangerous, so minimize use. | security_SuidBinaries | | |
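Several rows in this table (SYN cookies, symlink and hardlink restrictions, ptrace scoping, 0-address protection, kernel address display restriction, ASLR, module loading) are switched by kernel sysctl knobs at runtime. The script below is an added example, not one of the Chrome OS autotests named in the Tests column; it reads those knobs from /proc/sys on the running system and reports which checklist items hold. The expected values (in particular the 65536 threshold for mmap_min_addr) are assumptions, not values stated on this page.

```python
"""Runtime check of the sysctl-backed entries in the hardening checklist above.

Added example, not a Chrome OS autotest. It reads /proc/sys knobs on the
running kernel; the thresholds are assumptions, not taken from the checklist.
"""
import os

# (checklist feature, path under /proc/sys, predicate on the integer value, wanted value)
CHECKS = [
    ("SYN cookies", "net/ipv4/tcp_syncookies", lambda v: v == 1, "1"),
    ("Symlink restrictions", "fs/protected_symlinks", lambda v: v == 1, "1"),
    ("Hardlink restrictions", "fs/protected_hardlinks", lambda v: v == 1, "1"),
    ("ptrace scoping", "kernel/yama/ptrace_scope", lambda v: v >= 1, ">= 1"),
    # 0-address protection: 65536 is the usual x86 default (assumed threshold)
    ("0-address protection", "vm/mmap_min_addr", lambda v: v >= 65536, ">= 65536"),
    ("kernel address display restriction", "kernel/kptr_restrict", lambda v: v >= 1, ">= 1"),
    ("Stack/mmap/brk ASLR", "kernel/randomize_va_space", lambda v: v == 2, "2"),
    ("disable kernel module loading", "kernel/modules_disabled", lambda v: v == 1, "1"),
]


def read_sysctl(path):
    """Return the integer value of /proc/sys/<path>, or None if the knob is absent."""
    try:
        with open(os.path.join("/proc/sys", path)) as f:
            return int(f.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def check_hardening(read=read_sysctl):
    """Evaluate every check with the given reader.

    Returns {feature: "ok" | "missing" | "weak (got <value>, want <wanted>)"}.
    A missing knob usually means the kernel was built without that feature.
    """
    results = {}
    for feature, path, accepted, wanted in CHECKS:
        value = read(path)
        if value is None:
            results[feature] = "missing"
        elif accepted(value):
            results[feature] = "ok"
        else:
            results[feature] = "weak (got %d, want %s)" % (value, wanted)
    return results


if __name__ == "__main__":
    for feature, status in sorted(check_hardening().items()):
        print("%-38s %s" % (feature, status))
```

`read` is injectable so the same logic can be run against a captured set of sysctl values from another machine.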

Chrome OS specific features

  • We use minijail for sandboxing:
  • Current sandboxing status:
| Service/daemon | Overall status | Usage | Comments | Exposure: network traffic | Exposure: user input | Exposure: DBus | Exposure: hardware (udev) | Exposure: FS (config files, etc.) | Privileges: runs as | Privileges needed? | Sandbox: uid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| udevd | Low pri | Listens to udev events via netfilter socket | | No | No | No | Yes | No | root | Probably | No |
| session-manager | P2 | | Launched from /sbin/session_manager_setup.sh | No | No | Yes | No | No | root | Probably | No |
| rsyslogd | Low pri | Logging | | No | No | No | No | Yes | root | Probably | No |
| dbus-daemon | Low pri | IPC | | Listens on Unix domain socket | Unix domain socket | Yes | | | messagebus | Yes | Yes |
| powerm | P2 | Suspend to RAM and system shutdown. | Handles input events for hall effect sensor (lid) and power button. | No | No | Yes | Yes | Yes | root | Probably | No |
| wpa_supplicant | Low pri | WPA auth | | Yes | Via flimflam | Yes | No | Yes, exposes management API through FS | wpa | Yes | Yes |
| shill | P0 | Connection manager | | Yes | Yes | Yes | Yes | Yes | root | Probably | No |
| X | P1 | | | No (-nolisten tcp) | Yes | No | GPU | Yes | root | x86: no, ARM: yes | No |
| htpdate | Low pri | Setting date and time | | Yes | No | No | No | No | ntp | Yes | Yes |
| cashewd | Low pri | Network usage tracking | | No | No | Yes | No | No | cashew | Yes | Yes |
| chapsd | Low pri | PKCS#11 implementation | | No | No | Yes | No | No | chaps | Yes | Yes |
| cryptohomed | P1 | Encrypted user storage | | No | Yes | Yes | No | No | root | Probably | No |
| powerd | Low pri | Idle or video activity detection. Dimming the backlight or turning off the screen, adjusting backlight intensity. | Monitors plug state (on AC or on battery) and battery state-of-charge. | No | Yes | Yes | Yes | Yes | powerd | Probably | Yes |
| modem-manager | P1 | Manages 3G modems | | Indirectly | Yes | Yes | Yes | No | root | Probably not | No |
| gavd | P2 | Audio/video events and routing | | No | Yes | Yes | Yes | No | gavd | Yes | Yes |
| dhcpcd | Low pri | DHCP client | | Yes | Indirectly | No | No | No | dhcp | Yes | Yes |
| metrics_daemon | P2 | Metrics collection and uploading | | Yes, but shouldn't listen | No | Yes | No | No | root | Probably not | No |
| cros-disks/disks | P1 | Removable media handling | | No | Yes | Yes | Yes | No | root | Launches minijail | No |
| avfsd | Low pri | Compressed file handling | Launched from cros-disks, uses minijail | Not in Chrome OS | Yes | No | No | Yes | avfs | Yes | Yes |
| update_engine | P0 | System updates | | Yes | No | Yes | No | No | root | Probably | No |
| cromo | Low pri | Supports Gobi 3G modems | | Indirectly | Yes | Yes | Yes | Probably | cromo | Yes | Yes |
| bluetoothd | Low pri | | | Yes | Yes | Yes | Yes | Yes | bluetooth | Yes | Yes |
| unclutter | Low pri | Hides cursor while typing | | | Yes | | | | chronos | Yes | Yes (via sudo) |
| cras | P2 | Audio server | | No | Yes | Yes | Yes | No | cras | Yes | Yes |
| tcsd | P2 | Portal to the TPM device driver | | No | Yes | Yes | Yes | Yes | tss | Yes | Yes |
| keyboard_touchpad_helper | P1 | Disables touchpad when typing | | | Yes | | | | root | Probably not | No |
| logger | Low pri | Redirects stderr for several daemons to syslog | | Indirectly | Indirectly | No | No | No | syslog | Yes | Yes |
| login | P2 | Helps organize Upstart events | | No | Indirectly | Yes | No | Yes | root | Probably | No |
| wimax-manager | P1 | | Includes third-party library | Yes | Indirectly | Yes | Yes | Yes | root | Probably not | No |
| mtpd | P2 | Manages MTP devices | Includes third-party library | No | Yes | Yes | Yes | No | mtp | Yes | Yes |

Enforced by security_SandboxedServices
