| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200609201947.k8KJltUC014016@turing-police.cc.vt.edu>
Date: Wed, 20 Sep 2006 15:47:55 -0400
From: Valdis.Kletnieks@...edu
To: Brian Eaton <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: AFS - The Ultimate Sulution?
On Wed, 20 Sep 2006 13:33:48 EDT, Brian Eaton said:
> For some reason I think one or more of the *BSD variants has support
> for restricting the actions that root can take, which presumably
> includes preventing root from modifying the BIOS. I can't recall the
> name of the feature, though, and I doubt you could teach Windows 2000
> a similar trick.
It's called "Secure levels", and it's a help but has been proven to be not as
bulletproof as you might wish - there's a few corner case breaks that have been
found in it (for instance, it prevents attempts to turn the system clock
backwards, but there isn't much it can do against kicking the clock forward to
a few seconds before it's 2038 rollover, let it wrap, then warp the clock
forwards again from 1970 to 10 minutes ago). In particular, it's useful
against stopping some attacks that would otherwise be allowed to a program that
had already gotten root - but it doesn't help much if you have an exploit to
subvert the kernel.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists