Trusted Path Execution - reduce attack vector

Sat 10 November 2012 by admin

TPE is a feature of Grsecurity that denies users the ability to execute programs that are not owned by root. This approach eliminates part of the exploits that users upload themselves. Using Grsecurity forces us to build a custom, mainly non-distribution, kernel. Nowadays TPE is also available as a separate Linux kernel module, which is not complicated to test and deploy on supported Linux distributions (RHEL/CentOS, Ubuntu). Moreover, when you use TPE-LKM you get some extra features, such as hiding processes that do not belong to the user and hiding the Linux kernel module list. Preparing, installing and configuring this module is pretty straightforward [2]. Configuration is done through sysctl variables described in [1]. Some of the TPE-LKM extra features are duplicated by RHEL kernel extensions introduced in 6.3 (the hidepid parameter) [3], which also add the dmesg_restrict feature [4].
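To see what a root-ownership rule like the one described above would block before the module is deployed, the following added Python sketch (not code from tpe-lkm or Grsecurity) walks a directory tree and lists the executables that would be denied. It goes beyond the rule as stated here by also requiring, as an assumption about what makes a path "trusted", that the containing directory is root-owned and not group- or world-writable; the function names and default directories are hypothetical.

```python
import os
import stat
import sys

ROOT_UID = 0


def tpe_denies(file_uid, dir_uid, dir_mode):
    """Return why a TPE-style policy would refuse execution, or None if trusted."""
    if file_uid != ROOT_UID:
        return "file not owned by root"          # the rule stated in the article
    if dir_uid != ROOT_UID:
        return "directory not owned by root"     # assumption: trusted-path check
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "directory writable by group/other"  # assumption, as above
    return None


def audit(top):
    """Yield (path, reason) for executable regular files under top that fail the policy."""
    for dirpath, _dirs, files in os.walk(top):
        try:
            dst = os.stat(dirpath)
        except OSError:
            continue  # directory vanished or is unreadable
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                fst = os.lstat(path)
            except OSError:
                continue
            # Only regular files with at least one execute bit are candidates.
            if not stat.S_ISREG(fst.st_mode) or not fst.st_mode & 0o111:
                continue
            reason = tpe_denies(fst.st_uid, dst.st_uid, dst.st_mode)
            if reason:
                yield path, reason


if __name__ == "__main__":
    # Hypothetical defaults: places where locally installed tools often live.
    for top in sys.argv[1:] or ["/usr/local/bin", "/opt"]:
        for path, reason in audit(top):
            print(f"{path}: {reason}")
```

Running it over application and home directories before enabling the module shows which legitimate scripts and binaries would need to be re-owned or moved.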

[1] https://github.com/cormander/tpe-lkm

[2] https://github.com/cormander/tpe-lkm/blob/master/INSTALL

[3] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.3_Release_Notes/index.html

[4] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.3_Technical_Notes/index.html

