Re: [Bug 759725] Re: The kernel is no longer readable by non-root users
On Tue, Apr 26, 2011 at 09:49:25PM -, Kees Cook wrote:
> But because the symbols can be extracted in the way you point out is
> why the kernel image itself needs to be unreadable. This change is
> to block the class of attacks carried out by script kiddies and
> automated systems that expect to be able to look up symbols locally
> and make exploits totally portable to all kernel versions.

You didn't appear to understand the code that I wrote: it gets out the
symbols from any version of the kernel by simply reading the kernel
*runtime memory*.

So the attacker now has two alternative methods: (a) fire up a web
browser or (b) inject shell code into the kernel which greps through
physical memory to find the symbol tables, and note method (b) works
with any kernel version without reference to the original vmlinuz file.

> It changes the nature of future attacks, at least forcing attackers
> to take additional steps.

Yes, firing up a web browser or injecting an extra small piece of shell
code into the kernel.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/759725

Title:
  The kernel is no longer readable by non-root users

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 759725] Re: The kernel is no longer readable by non-root users
On Tue, Apr 26, 2011 at 05:25:33PM -, Kees Cook wrote:
> On Tue, Apr 26, 2011 at 11:21:38AM -, Richard W.M. Jones wrote:
> > What is being protected by this mode change? This kernel is distributed
> > on hundreds of mirrors -- there is no secret in here.
>
> The mode changes do not protect a system from any dedicated attacker (for
> the reason you state), but it does have real-world benefits against
> simplistic kernel exploitation (keeping kernel symbols away from non-root
> users). It is absolutely a trade-off.

This non-root user that we imagine has no access to the world wide web?

This is absolutely nuts, sorry.

Rich.

--
Richard Jones
Red Hat
Re: [Bug 759725] Re: The kernel is no longer readable by non-root users
On Tue, Apr 26, 2011 at 11:21:38AM -, Richard W.M. Jones wrote:
> What is being protected by this mode change? This kernel is distributed
> on hundreds of mirrors -- there is no secret in here.

The mode changes do not protect a system from any dedicated attacker (for
the reason you state), but it does have real-world benefits against
simplistic kernel exploitation (keeping kernel symbols away from non-root
users). It is absolutely a trade-off.

> When we install libguestfs, we need to boot using this kernel. What change
> do I need to make to libguestfs so that when a sysadmin installs it, it will
> change the permissions back to 0644 automatically?

Shipping a pair of files in /etc/kernel/postinst.d/ and /etc/kernel/postrm.d/
to call dpkg-statoverride --add and --remove respectively is likely the
cleanest approach to handling this.

--
Kees Cook
Ubuntu Security Team
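One way to ship the hook pair Kees describes, written here as an added example and not code from libguestfs or from Ubuntu's kernel packages. The script name (zz-libguestfs-kernel-readable) is an assumption; so is the choice to install one script into both hook directories and dispatch on its own path. Debian and Ubuntu kernel packages invoke these hooks with the kernel version as $1 and the image path as $2, and the script falls back to /boot/vmlinuz-$version when $2 is absent. The world_readable check at the end of the postinst path is there because dpkg-statoverride --add only records an override unless --update is given, so the hook verifies that the mode really changed rather than trusting that it did.

```shell
#!/bin/sh
# Added example: keep /boot/vmlinuz-* world-readable via dpkg-statoverride.
# Install this one file under both hook directories (names are assumptions):
#   /etc/kernel/postinst.d/zz-libguestfs-kernel-readable
#   /etc/kernel/postrm.d/zz-libguestfs-kernel-readable
# Kernel hooks receive the kernel version as $1 and the image path as $2.
set -e

# Resolve the image path the hook should act on, with a fallback when the
# hook runner did not pass the path explicitly.
kernel_image_for() {
    version="$1"; image="$2"
    [ -n "$image" ] || image="/boot/vmlinuz-$version"
    printf '%s\n' "$image"
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when the "others" class has read permission on the file,
# i.e. the last octal digit has the 4 bit set.
world_readable() {
    mode=$(file_mode "$1")
    others=${mode#"${mode%?}"}
    case "$others" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# postinst: register a 0644 override once. --update applies the mode now
# instead of only recording it for the next dpkg unpack of the file.
add_override() {
    image=$(kernel_image_for "$1" "$2")
    if ! dpkg-statoverride --list "$image" >/dev/null 2>&1; then
        dpkg-statoverride --update --add root root 0644 "$image"
    fi
    # Verify the override actually took effect on disk.
    world_readable "$image" || {
        echo "$0: $image is still not world-readable" >&2
        exit 1
    }
}

# postrm: drop the override so a removed kernel leaves nothing dangling
# in /var/lib/dpkg/statoverride.
remove_override() {
    image=$(kernel_image_for "$1" "$2")
    if dpkg-statoverride --list "$image" >/dev/null 2>&1; then
        dpkg-statoverride --remove "$image"
    fi
}

# Dispatch on the hook directory this copy of the script was installed in.
case "$0" in
    */postinst.d/*) add_override "$@" ;;
    */postrm.d/*)   remove_override "$@" ;;
esac
```

After installing the hooks, `dpkg-statoverride --list /boot/vmlinuz-*` shows which images carry an override, and `world_readable /boot/vmlinuz-$(uname -r)` (sourced from the script) is a quick way to confirm the running kernel's image is readable again.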