| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55E98FD7.8020809@gmail.com>
Date: Fri, 4 Sep 2015 08:34:31 -0400
From: Austin S Hemmelgarn <ahferroin7@...il.com>
To: Stas Sergeev <stsp@...t.ru>, Chuck Ebbert <cebbert.lkml@...il.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Josh Boyer <jwboyer@...oraproject.org>,
linux-kernel@...r.kernel.org,
"Andrew Bird (Sphere Systems)" <ajb@...eresystems.co.uk>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
Kees Cook <keescook@...omium.org>,
Brian Gerst <brgerst@...il.com>
Subject: Re: stop breaking dosemu (Re: x86/kconfig/32: Rename CONFIG_VM86 and
default it to 'n')
On 2015-09-04 06:46, Stas Sergeev wrote:
> 04.09.2015 13:09, Chuck Ebbert пишет:
>> On Fri, 4 Sep 2015 00:28:04 +0300
>> Stas Sergeev <stsp@...t.ru> wrote:
>>
>>> 03.09.2015 21:51, Austin S Hemmelgarn пишет:
>>>> There are servers out there that have this enabled and _never_ use it
>>>> at all,
>>> Unless I am mistaken, servers usually use special flavour of the
>>> distro (different from desktop install), where of course this will
>>> be disabled _compile time_.
>> Many (most?) distros use just one kernel for everything, because it's
>> just too much work to have a separate flavor for servers.
> But for example menuconfig promotes CONFIG_PREEMPT_NONE for server
> and CONFIG_PREEMPT for desktop. Also perhaps server would need an
> lts version rather than latest.
> I wonder if RHEL Server offers the generic desktop-suited kernel
> with vm86() enabled?
>
> In any case, if there is some generic mechanism to selectively
> disable syscalls at run-time for server, then vm86() is of course
> a good candidate. I wonder how many other syscalls are currently
> run-time controlled? (those that are not marked as an "attack surface"
> and defaulted to Y; I suppose the "attack surface" is currently only vm86())
>
OK, I think I need to clarify something here.
The attack surface of a given system refers to the number of different
ways that someone could potentially attack that system. An individual
syscall is not in itself an attack surface, but is part of the attack
surface for the whole system. One of the core concepts of proactive
security is to minimize the attack surface, because the fewer ways
someone could possibly attack you, the less likely it is that they will
succeed.
I however, referred to vm86 as a potential attack vector, which refers
one way in which someone could attempt to attack the system (be it
through arbitrary code execution , privilege escalation, or some other
type of exploit), note that something does not need to have a known
exploit to be classified as a potential attack vector (most black hat's
out there will keep quiet about discovered exploits until they can
actually make use of them themselves). By their very definition, every
single site that userspace can call into the kernel is a _potential_
attack vector, including vm86(). vm86() is one of the more attractive
syscalls to attempt to use as an attack vector on 32-bit x86 systems
because it's relatively unaudited, significantly modifies the execution
state of the processor, and is available on a majority of 32-bit x85
systems in the wild. This does not mean that it is exploitable
directly, just that it's a possible target for an exploit.
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3019 bytes)
Powered by blists - more mailing lists