On Sat, Sep 18, 2004 at 12:10:14PM +0200, [EMAIL PROTECTED] wrote:
> 
> In my post I said that this is *NOT* exploitable, but if somebody finds a
> method, what can you say? In underground communities it's not so rare; patching
> is better than having new exploits for FreeBSD. I was very deluded by
> this approach to a potential security problem...
> (I repeat: *POTENTIAL*).

You have a somewhat different idea from ours.  However, I think it might be
useful to clarify our idea.

        1. A kernel must trust itself in order for it to be efficient.
           It is not bad to have sanity checks, but checking repeatedly
           will pose a performance pain.  With this in mind, the correct
           approach might be to have the sanity check in the entry point,
           rather than having it everywhere.

           That is to say, an input procedure must have everything in a
           sane state in its early stage and, in addition, the same check
           should not be done elsewhere because it just repeatedly
           checks what is guaranteed to be true.  In a production kernel
           this is not quite useful, and even in a debug kernel it is
           not the preferred approach, because we don't have to explicitly
           have if(1==1) or something like this.

        2. As many people in this discussion have pointed out, it is
           necessary to have root access in order to alter a system
           call.  That is to say, in order to successfully exploit
           this "vulnerability" you have to be root first, and we have
           infinite "exploits" in this situation, because the attacker
           already has the ultimate power.

           We don't need to fear someone who has already killed us, right?

        3. Security is determined by the weakest link.  With this in
           mind, let's think about the following scenario:

           Every system call has a correct sanity check in its
           entry point while foo() has not.

           Someone has injected foo() with another way to have some
           code in the kernel.

           The kernel code exploited the issue you mentioned.

           But is it actually the issue that is wrong?  Isn't it the
           weakest link within the foo() system call?  Shouldn't that
           be fixed?

Hope this is helpful for the debate, and hope I have expressed my idea
correctly.  With these considerations, I think it is not very necessary
to have the sanity check of parameter numbers for a system call entry,
because it needs root access already, and if the gain of root is considered
harmful, then it's not the parameter-count sanity check but the
actual problem that should be fixed.

Cheers,
-- 
Xin LI <delphij frontfree net>  http://www.delphij.net/
See complete headers for GPG key and other information.

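The entry-point check argued for in point 1, as an added example that is not part of this thread and not FreeBSD's own syscall code: a toy syscall table in C where the argument count declared in each table entry is validated once, at the single entry point, before anything is copied into the fixed-size kernel argument buffer. The handlers trust their arguments and do not re-check. All names (syscall_entry, sysent, MAXARGS, the hypothetical sys_add/sys_neg handlers) are invented for the illustration, and returning a negative errno is a simplification of how a real kernel reports errors. The last function simulates the point-3 scenario: something that already has kernel access writes a bogus count into the table, and the entry-point bound still refuses to overrun the buffer.

```c
/* Added illustrative example, not FreeBSD code. Names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXARGS 8          /* size of the per-call kernel argument buffer */

typedef long (*sy_call_t)(const long *args);

struct sysent {
    unsigned  sy_narg;     /* argument count declared for this entry */
    sy_call_t sy_call;     /* handler; trusts that sy_narg args are present */
};

/* Handlers do not re-validate: the entry point already did. */
static long sys_add(const long *a) { return a[0] + a[1]; }
static long sys_neg(const long *a) { return -a[0]; }

static struct sysent sysent[] = {
    { 2, sys_add },        /* code 0 */
    { 1, sys_neg },        /* code 1 */
};
#define NSYSENT (sizeof sysent / sizeof sysent[0])

/* Single entry point. "uargs" stands in for the user stack holding the
 * call's arguments and "ucount" for how many longs are actually readable
 * there; memcpy plays the role of copyin. Errors come back as -errno. */
long syscall_entry(unsigned code, const long *uargs, size_t ucount)
{
    long args[MAXARGS];
    unsigned narg;

    if (code >= NSYSENT)
        return -ENOSYS;
    narg = sysent[code].sy_narg;
    /* The one sanity check on the parameter count: it bounds the copy
     * into args[] so a bogus table entry cannot overrun the buffer. */
    if (narg > MAXARGS)
        return -EINVAL;
    if (narg > ucount)
        return -EFAULT;    /* copyin would fault on a short user stack */
    memcpy(args, uargs, narg * sizeof(long));
    return sysent[code].sy_call(args);
}

/* Point-3 scenario: whoever can write sysent[] already has kernel access,
 * but the entry-point bound still refuses the oversized count instead of
 * copying MAXARGS + 4 longs into an 8-entry buffer. Returns 1 if refused. */
int corrupt_table_and_call(void)
{
    long uargs[MAXARGS + 4] = {0};
    unsigned saved = sysent[0].sy_narg;
    long r;

    sysent[0].sy_narg = MAXARGS + 4;   /* rogue write into the table */
    r = syscall_entry(0, uargs, sizeof uargs / sizeof uargs[0]);
    sysent[0].sy_narg = saved;
    return r == -EINVAL;
}

/* Constructed sample user arguments for the demo. */
const long demo_args[2] = { 3, 4 };

int main(void)
{
    printf("add(3,4) = %ld\n", syscall_entry(0, demo_args, 2));
    printf("neg(3)   = %ld\n", syscall_entry(1, demo_args, 2));
    printf("bad code -> %ld (-ENOSYS is %d)\n", syscall_entry(7, demo_args, 2), -ENOSYS);
    printf("short stack -> %ld (-EFAULT is %d)\n", syscall_entry(0, demo_args, 1), -EFAULT);
    printf("corrupted table refused: %d\n", corrupt_table_and_call());
    return 0;
}
```

Note what the example does and does not claim: the bound on narg costs one comparison per call, which is why it belongs at the entry point rather than in every handler; and the corrupted-table case only arises for an attacker who can already write kernel memory, which is the thread's point 2.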