Mitch Bradley wrote:
> At some point, when these fairly obvious loopholes that we have known
> about since forever are closed, we plan to change the key so new
> machines will only run the more secure OS versions. Old machines will
> continue to be vulnerable until they are upgraded to new firmware with
> the new key, and some old machine may always be vulnerable.
>
> Meanwhile, I reiterate my earlier claim that a no-modules kernel will be
> easier to secure. Even if you require signed modules, the extra
> complexity creates attack opportunities. Each additional door is an
> ingress opportunity.
>

Anything you build into the kernel similarly increases attack opportunity. For example, an IPv6 and IPv4 kernel and the networking infrastructure. You might load IPv6 to support a 6bone network, and load net; then find there's an IPv4 stack bug and you can kill iptables and get a kernel level exploit. Not vulnerable, of course, since you're running IPv6 and not IPv4. Of course, with everything built in, you have IPv6 and IPv4 all the time, and a worm can use IPv6 to spread to its nearest neighbor and then crawl out from there even if there's no real routing.

This is an absurd claim, I know (though Linux has had an IPv4 flaw, and OpenBSD has had an IPv6 remote exploit); but claiming module loading itself provides an attack opportunity is just as absurd, if not more so, when dealing with signed modules. Your most likely attack opportunity is by far a flawed hashing algorithm or implementation; it's likely the same algorithm as in OFW, possibly implemented off the same reference code, and the attack for it (generating a collision by tweaking a modified binary) is going to work either way.

So in short, yes, even with signed modules you still have module loading itself to wonder about; but the potential attack opportunity here is as absurdly small as finding a way to alter PGP signed messages (which was done once; an implementation flaw in how GPG checks signatures, allowing an attacker to append unsigned content to a signed message while GPG reported the whole message as signed).

> Asheesh Laroia wrote:
>> On Thu, 3 Jan 2008, John Richard Moser wrote:
>>
>>> I did not address the mass of other crap you could do to the system with
>>> root. I was only addressing evading the OFW security implementation for
>>> only booting signed OSes.
>>>
>> Here's another vector:
>>
>> 1. On a laptop that comes from the factory with the above security holes
>> fixed, install a current (as of Jan 2 2008) signed release (which is
>> signed with the same key, and therefore okay according to the XO)
>>
>> 2. Notice that it has (at least) the security holes described in this
>> thread.
>>
>> 3. kexec or modprobe your way to a different OS!
>>
>> (4. Profit!)
>>
>> -- Asheesh.
>>
>

--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
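The verification pitfall the reply above alludes to, a checker that reports a file as "signed" even though unsigned bytes have been appended after the signed region, is easy to reproduce in miniature. The following is an added illustration written for this page; it is not code from the OLPC project, OFW, GPG or the thread's authors. The container layout (a constructed magic, a length field, the body and a trailing tag) and the use of HMAC-SHA256 as a stand-in for a real asymmetric module signature are assumptions made so the example runs with only the Python standard library. It shows a naive verifier that trusts the length field and ignores trailing data next to a strict one that requires the signature to cover the entire file.

```python
import hashlib
import hmac
import struct

MAGIC = b"SIGM"  # constructed 4-byte magic for this toy signed container
HEADER_LEN = 8   # MAGIC + big-endian u32 body length
TAG_LEN = 32     # HMAC-SHA256 digest length

# Stand-in signing key (constructed). A real module signer would use an
# asymmetric key with the private half held offline; HMAC is used here only
# so the example is self-contained.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def sign_container(body: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Build MAGIC | u32 len(body) | body | tag, tag computed over header+body."""
    header = MAGIC + struct.pack(">I", len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def naive_verify(blob: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Weak check: trusts the embedded length and ignores bytes after the tag.

    This reproduces the pattern described in the thread: the verifier says
    "signed OK" for a file that also carries unsigned trailing content, which
    a loader that consumes the whole file would then treat as trusted.
    """
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:4] != MAGIC:
        return False
    body_len = struct.unpack(">I", blob[4:HEADER_LEN])[0]
    end = HEADER_LEN + body_len
    if len(blob) < end + TAG_LEN:
        return False
    signed = blob[:end]
    tag = blob[end:end + TAG_LEN]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def strict_verify(blob: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Hardened check: the signed region plus tag must be the entire file."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:4] != MAGIC:
        return False
    body_len = struct.unpack(">I", blob[4:HEADER_LEN])[0]
    end = HEADER_LEN + body_len
    if len(blob) != end + TAG_LEN:
        return False  # anything after the tag is unsigned data: reject
    signed = blob[:end]
    tag = blob[end:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Run both verifiers over a good file, a trailer-appended file and a
    bit-flipped file; returns a dict of results for inspection."""
    module = b"\x7fELF constructed-module-bytes"      # constructed payload
    good = sign_container(module)
    with_trailer = good + b"unsigned trailing bytes"  # appended after the tag
    flipped = bytearray(good)
    flipped[HEADER_LEN + 2] ^= 0x01                   # corrupt one body byte
    flipped = bytes(flipped)
    return {
        "naive_good": naive_verify(good),
        "strict_good": strict_verify(good),
        "naive_trailer": naive_verify(with_trailer),   # True: the flaw
        "strict_trailer": strict_verify(with_trailer), # False: closed
        "naive_flipped": naive_verify(flipped),
        "strict_flipped": strict_verify(flipped),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'signed OK' if ok else 'REJECTED'}")
```

The design point is that a signature check must bind to the exact bytes the consumer will use: if the verifier and the loader disagree about where the artifact ends, the difference is unsigned input that inherits the trust of the signature. The strict variant makes the length field a commitment to the whole file rather than a hint.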