[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110527173835.GF4356@elte.hu>
Date: Fri, 27 May 2011 19:38:35 +0200
From: Ingo Molnar <mingo@...e.hu>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Dan Rosenberg <drosenberg@...curity.com>,
"Rafael J. Wysocki" <rjw@...k.pl>, Tony Luck <tony.luck@...il.com>,
linux-kernel@...r.kernel.org, davej@...hat.com,
kees.cook@...onical.com, davem@...emloft.net, eranian@...gle.com,
adobriyan@...il.com, penberg@...nel.org,
Arjan van de Ven <arjan@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Valdis.Kletnieks@...edu, pageexec@...email.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
* Linus Torvalds <torvalds@...ux-foundation.org> wrote:
> That's the _only_ difference, and it's trivial and irrelevant. Come
> up with something more real, please.
The advantages of dynamic per boot kernel randomization, over static
per system randomization, as i see them, in order of descending
importance:
- A root exploit will still not give away the location of the
kernel (assuming module loading has been disabled after bootup),
so a rootkit cannot be installed 'silently' on the system, into
RAM only, evading most offline-storage-checking tools.
With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.
- We can expose RIPs to unprivileged tools. Certain users could
still kernel-profile a busy server box while neither being root,
nor having access to the real location of the kernel.
With static linking this is not possible.
- Crash & reboot & retry brute force exploits get harder: if one
attempt at an exploit causes a crash and a reboot, the kernel
addresses are different after the reboot so the attempt has to be
retried without the advantage of any prior history.
With static linking this kind of exploit is somewhat easier: every
crash gives a permanent proof that the guessed RIP offet was
wrong, so history can be used on subsequent retries.
- It gives a way to go one step further in secure server lockdown:
where even root with full access to all storage has no way to
break into the kernel. Reboots, module loading and kexec can be
controlled, ioperm() and iopl() can be restricted. If those are
taken away then even if a root exploit allows the attacker to
overwrite the kernel image, a reboot has to be waited for and if
reboots do sanity checks [based on immutable storage] of the
system then the exploit can be found.
With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.
It's in order of importance: you probably stopped caring at item 2 or
3 but there's definitely people who'd like to go all the way to 4. So
if we can do dynamic randomization sanely then why not offer it as an
option?
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists