| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Mar 2013 09:30:33 -0500 From: Theodore Ts'o <tytso@....edu> To: Vojtech Pavlik <vojtech@...e.cz> Cc: Matthew Garrett <mjg59@...f.ucam.org>, Jiri Kosina <jkosina@...e.cz>, David Howells <dhowells@...hat.com>, Linus Torvalds <torvalds@...ux-foundation.org>, jwboyer@...hat.com, pjones@...hat.com, vgoyal@...hat.com, keescook@...omium.org, keyrings@...ux-nfs.org, linux-kernel@...r.kernel.org, Greg KH <gregkh@...uxfoundation.org>, Florian Weimer <fw@...eb.enyo.de>, Paolo Bonzini <pbonzini@...hat.com> Subject: Re: [GIT PULL] Load keys from signed PE binaries On Fri, Mar 01, 2013 at 11:00:52AM +0100, Vojtech Pavlik wrote: > > Mr. Blackhat then can load his i_own_your_ring0.ko module signed by his > key on your system, having obtained root access previously. The question will be what does Mr. Blackhat do with this i_own_your_ring0.ko module. The FUD that has been flung about is that it would be possible for Mr. Blackhat to create a small, tight partition containing a signed Linux kernel (from Red Hat or SuSE, doesn't reallly matter), and enough of a initrd which would include said i_own_your_ring0.ko module. This would then be used in a bootkit that would boot Linux and get ring0 access, and then use that to create malware that would be used to infect Windows systems in a way that wouldn't be detected by users. It would essentially be the same as the bootsector virus, except it would take 2 or 3 orders of magnitude more disk space, and probably add one or two orders of magnitude more time to the boot time. Whether this could be done in an undetectable fashion is an interesting question, but the assertion is that it can be done, and so we need to pour all sorts of unspeaking gunk into the kernel and disable Systemtap to prevent this from happening. > You call Microsoft, telling them what Mr. Blackhat has done. > > They now can: > > a) Do what you want: Disable Mr. Blackhat's account and revoke the hash > of his binary. > > But also: > > b) Say, "oh well, we're sorry this kills your security model, but it's > enough for us that you already fully booted Linux to worry about Windows > security, this affects only your distribution and we don't care". > > c) Decide your security model is flawed, because you're abusing their > signature process to mean something else from what they intended and > revoke your shim hash instead. Well, if this is being used to attack Windows machines (assuming that it is possible to create a bootkit using a Linux kernel, and initrd, and the signed i_pown_your_ring0.ko odule), it's unlikely that (b) would be a likely outcome. Both (a) and (c) would solve Microsoft's security problem. They could do (c), but that would result in the PR and Legal morass resulting from the accusatoin that they are abusing their monopoly position. I'm not an expert in how much backbone the European anti-trust folks have, so I can't really comment on how likely they would pursue this, or whether they would be successful in the end, but more importantly, I suspect Microsoft wouldn't be sure either. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists