Re: Security-What can be done in kernel to disable forever executable memory modificaton

Thu, 17 Jan 2019 01:27:33 -0800

What you probably want, is something similar to Windows VBS HVCI, which is usually achieved via underlying hypervisor.
It forces you to pass the security boundary of the hypervisor, even if security boundary between user/kernel is bypassed. 


Have a look at Bromium or QubeOS for a full solution (not even sure they 
offer HVCI, but maybe)


Note you'll need to disable things like kprobe and BPF JIT.

I guess you can hack something with standalone Xen.



I'm far from expert, and can consult if other solutions are available. 
Also have a look at grx, which offer hardening in general and maybe have 
VBS-like solutions. Ping me in private if you need additional help, I 
can refer you to relevant people.



On 13/01/2019 21:22, Shachar Shemesh wrote:

On 12/01/2019 15:19, Lev Olshvang wrote:

Hi All,



The fact that the text segment could be modified is bad news from the security 
standpoint.
For example, in order to set a breakpoint GDB should map a text segment with 
MAP_PRIVATE flag which allows kernel to ignore the dirty bit that MMU  sets on 
this page.

Somewhere in the middle of this mapping,  perhaps in mprotect,  permission bits 
of  page's PTE entry are modified as well from their original RO+X   to RWX
I am not sure whether it is actually happening, perhaps instead new pages are 
allocated, sort of COW (copy on write).

And here I am getting to the point :

Is there any way to disable the change of permission bits of PTE? Is it 
possible in the hardware (ARM) or should kernel be patched?

Regards to  All,

Happy new year.

Lev.



I am 86.3%^1 certain that this change will not bring about what you 
want this change to do. For example, if protecting against ptrace is 
what you're after, please note that fakeroot-ng completely changes 
what a process is running without making any changes to the text 
segment at all.




Anyways, it is not the kernel that maps the text segment into memory 
using private mapping. It is the dynamic linker. If you need to change 
that to shared mapping, change the dynamic linker.



Shachar



1- Following the 80% rule, which states that 92.7% of statistics 
people quote are made up on the spot.



_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il






















					Reply via email to