| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Nov 2010 15:11:04 +0100 From: Ingo Molnar <mingo@...e.hu> To: Marcus Meissner <meissner@...e.de> Cc: linux-kernel@...r.kernel.org, jason.wessel@...driver.com, fweisbec@...il.com, tj@...nel.org, mort@....com, akpm@...l.org, security@...nel.org, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking * Ingo Molnar <mingo@...e.hu> wrote: > * Marcus Meissner <meissner@...e.de> wrote: > > > On Thu, Nov 04, 2010 at 12:46:48PM +0100, Ingo Molnar wrote: > > > > > > * Marcus Meissner <meissner@...e.de> wrote: > > > > > > > Hi, > > > > > > > > Making /proc/kallsyms readable only for root makes it harder for attackers to > > > > write generic kernel exploits by removing one source of knowledge where things are > > > > in the kernel. > > > > > > Cc:-ed Linus - i think he argued in favor of such a patch in the past. > > > > > > I generally agree with such patches (i have written some myself), but there's a few > > > questions with this one, which make this limited change ineffective and which make > > > it harder to implement a fuller patch that makes it truly harder to figure out the > > > precise kernel build: > > > > > > - The real security obstruction effect is very small from this measure alone: the > > > overwhelming majority of our users are running distro kernels, so the Symbol.map > > > file (and hence 99% of /proc/kallsyms content) is well-known - unless we also > > > restrict 'uname -r' from nonprivileged users-ace. Hiding that might make sense - > > > but the two should be in one patch really. > > > > Of course. System.map and others also need to turn to mode 400. > > That is not what I meant, at all. > > It's not the System.map _on the system_. > > It's the SuSE or Fedora kernel rpm package with a System.map in it, which package > the attacker can download from a hundred mirrors on the internet, based on 'uname > -r' output. For example, on a Fedora testbox i have this version info: $ uname -r 2.6.35.6-48.fc14.x86_64 Any attacker can download that rpm from: http://download.fedora.redhat.com/pub/fedora/linux/updates/14/x86_64/kernel-2.6.35.6-48.fc14.x86_64.rpm And can extract the System.map from it, using rpm2cpio and cpio -i -d. That will include all the symbol addresses - without the attacker having any access to the System.map or /proc/kallsyms on this particular box. I.e. on distro kernel installations (which comprise the _vast_ majority of our userbase) your patch brings little security benefits. What i suggested in later parts of my mail might provide more security: to sandbox kernel version information from unprivileged user-space - if we decide that we want to sandbox kernel version information ... That is a big if, because it takes a considerable amount of work. Would be worth trying it - but feel-good non-solutions that do not bring much improvement to the majority of users IMHO hinder such efforts. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists