lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201101270942.07689.sgrubb@redhat.com>
Date:	Thu, 27 Jan 2011 09:42:07 -0500
From:	Steve Grubb <sgrubb@...hat.com>
To:	"Serge E. Hallyn" <serge.hallyn@...onical.com>
Cc:	Eric Paris <eparis@...hat.com>,
	"Andrew G. Morgan" <morgan@...nel.org>,
	"Serge E. Hallyn" <serge@...onical.com>,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] System Wide Capability Bounding Set

Hi Serge,

On Thursday, January 27, 2011 09:02:55 am Serge E. Hallyn wrote:
> What is the attack vector you're actually envisioning?  Does some
> trojan come in and overwrite a program which which it hopes the
> kernel will execute?  Or is there just an existing vuln in such
> a program?  Are there other ways we can address these?  Can we find
> a way to classify the kernel-spawned userspace programs?  Perhaps
> based on the selinux context assigned to the program, we can assign
> some level of trust that noone could have modified the source?


I think that what is causing the confusion is that we are considering a different 
threat model than the normal, historic view. The way its normally viewed, if you have 
root, you can do anything you want to a machine. The threat model revolves around 
becoming root on a machine and defense rests on splitting root so a complete system 
compromise might not occur.

Today, people want to have multi-tenant hosting using virtual machines whereby they 
give away root control of the guest VM. If you were renting system space, you would 
expect root access. That would make a nice juicy hacking target because you don't know 
who else is sharing the physical machine with you and they might have something in 
their VM worth stealing.

So, the threat model becomes how do we prevent one guest from attacking another? We 
have sVirt which prevents resource based attacks from occurring. Its pretty effective 
for that. However, what if the bad guy wants to start attacking the hypervisor 
directly in effort to start attacking the host OS? 

They need to be able to run arbitrary code in ring 0 of the VM. That means the hosting 
provider might want to eliminate some capabilities from the whole kernel so that they 
have some assurance that a root user cannot get arbitrary code running in ring 0 
without knowing a kernel level exploit. Also assume that the root user has no control 
over the kernel or modules or initrd which are kept on a read only partition enforced 
by the hypervisor. And the hosting provider will make kernel updates as kernel 
security releases are made.

This kind of turns around some of the threat modeling that people have always made. 
There are not a whole lot of changes that need to be made. I think there was one other 
patch that we needed to prevent arbitrary code injection. Eric's initial patch was 
overly generous in my opinion. It allowed further modification of the global bounding 
set after boot had finished and could probably be used for mischief as pointed out. 
Perhaps the setting should be immutable after any change to it - which is really how 
its intended to be used. Or maybe even only a subset of the bounding set is modifiable.

Using a wrapper program is a NOGO because the admin renting the machine would be able 
to overwrite the wrapper and then they have arbitrary code running with full privs and 
we trust it will do the right thing. We need all modification to the running kernel out 
of reach from root in that VM.

-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ