Kolman another focus

Securing Linux OS by hardening GRUB boot loader

1

Index

Serial No.

TITLE Securing Your Linux Box

Page No. 3 3 3 4 4 6 6 7 7 8 9 10 12 13 13 13 13 14 14 14 14 15 17

1 2 3 4 5 6 7 8 9 10 11

Introduction Types of Bootloader s for Linux Booting process for GRUB Booting process after GRUB How to Hack Method 1 How to secure Method 2 How to secure Problems with GRUB Method 3Understanding GRUB

1 2 3 4 5 6 7 8 9 10

Aim Design Architecture of GRUB Flow of execution Our required area Important files associated with Stage2 Files to be scrutinize d Procedure Implement ation Conclusion

2

SECURING YOUR LINUX BOX
INTRODUCTION
A running server is prone to various types of security threats. We categorize them as
• •

Local Security threats Remote/Network Securitythreats

While there are many articles that have explained in great detail the Networking security threats and mechanisms to deal with it, there are a few that have also dealt with the local security aspect. These types of attacks primarily entail gaining illegal root access to an unattended system by running a brute-force password cracking program or by simply rebooting the system and passingsome standard arguments to the boot loader program. One of the frequently used methods to gain the superuser or root access is through the default boot loader that is used to initialize the main OS. In case of Linux, this can be either LILO (Linux Loader) or GRUB (Grand Unified Boot Loader). The objective of this article is to give an insight into GRUB boot loader particularly from the security pointof view. The initial part of the article talks the same while the latter part deals with the analysis and implementation of a patch to GRUB, with which one of the security breaches could be overcome. The GRUB version 0.93 has been considered in this study and we have been able to successfully create and test the patch on it.

TYPES OF BOOTLOADERS FOR LINUX
Basically, Linux can be loaded by twotypes of bootloaders. These are : 1. LILO - Linux Loader 2. GRUB - Grand Unified Bootloader In this paper we will be mainly focusing on GRUB.

3

BOOTING PROCESS FOR GRUB
The GRUB needs the following 4 files for its execution : 1. Stage 1 file 2. Stage 1.5 (optional) 3. Stage 2 file 4. grub.conf file Once BIOS finishes its POST, the control is passed over to stage 1. The source code forstage 1 will be in assembly language as it is the first program to be executed on the system. After stage 1 initializes the GRUB and completes its tasks, the control goes to stage 2, with an intermediate stage of stage 1.5. Stage 2 is completely responsible for loading the image of our Linux kernel. It retrieves the commands to be executed from the file /boot/GRUB/grub.conf. This file containssufficient information for stage 2 to load the kernel. It is this file which provides the path for the kernel image to be loaded, which should be in /boot. It then loads an initial ram disk image with which it can load the kernel. The path for this program, namely initrd, could be found in the grub.conf. Obviously, all the files needed by stage 2 will be located in /boot in the file system hierarchy.After loading the kernel, the GRUB reaches its end .

BOOTING PROCESS AFTER GRUB
Now we will see how processes are executed on their way to the shell. Once GRUB is executed, we are in the kernel. The kernel mounts the init-rd image (it would be quite puzzling to be calling this process 'mounting' since it is not commonly known around, inspite of being a fact) and gives the control to init-rdimage, whose function is described below. The second shell used after the GRUB shell by the system is the NASH shell. It is the smallest shell with a minimal set of commands needed to execute the initial ram-disk image, namely init-rd. The essential routines done by the init-rd are : 1. To insmod the ext3.o module 2. Then loading the VFS of linux

4

3. Ultimately mounting the root file system...