lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 May 2011 19:38:35 +0200 From: Ingo Molnar <mingo@...e.hu> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: "H. Peter Anvin" <hpa@...or.com>, Dan Rosenberg <drosenberg@...curity.com>, "Rafael J. Wysocki" <rjw@...k.pl>, Tony Luck <tony.luck@...il.com>, linux-kernel@...r.kernel.org, davej@...hat.com, kees.cook@...onical.com, davem@...emloft.net, eranian@...gle.com, adobriyan@...il.com, penberg@...nel.org, Arjan van de Ven <arjan@...radead.org>, Andrew Morton <akpm@...ux-foundation.org>, Valdis.Kletnieks@...edu, pageexec@...email.hu Subject: Re: [RFC][PATCH] Randomize kernel base address on boot * Linus Torvalds <torvalds@...ux-foundation.org> wrote: > That's the _only_ difference, and it's trivial and irrelevant. Come > up with something more real, please. The advantages of dynamic per boot kernel randomization, over static per system randomization, as i see them, in order of descending importance: - A root exploit will still not give away the location of the kernel (assuming module loading has been disabled after bootup), so a rootkit cannot be installed 'silently' on the system, into RAM only, evading most offline-storage-checking tools. With static linking this is not possible: reading the kernel image as root trivially exposes the kernel's location. - We can expose RIPs to unprivileged tools. Certain users could still kernel-profile a busy server box while neither being root, nor having access to the real location of the kernel. With static linking this is not possible. - Crash & reboot & retry brute force exploits get harder: if one attempt at an exploit causes a crash and a reboot, the kernel addresses are different after the reboot so the attempt has to be retried without the advantage of any prior history. With static linking this kind of exploit is somewhat easier: every crash gives a permanent proof that the guessed RIP offet was wrong, so history can be used on subsequent retries. - It gives a way to go one step further in secure server lockdown: where even root with full access to all storage has no way to break into the kernel. Reboots, module loading and kexec can be controlled, ioperm() and iopl() can be restricted. If those are taken away then even if a root exploit allows the attacker to overwrite the kernel image, a reboot has to be waited for and if reboots do sanity checks [based on immutable storage] of the system then the exploit can be found. With static linking this is not possible: reading the kernel image as root trivially exposes the kernel's location. It's in order of importance: you probably stopped caring at item 2 or 3 but there's definitely people who'd like to go all the way to 4. So if we can do dynamic randomization sanely then why not offer it as an option? Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists