[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58295796-9bb5-080a-4c4d-47761d0876a9@gmail.com>
Date: Wed, 31 Oct 2018 11:27:00 +0200
From: Igor Stoppa <igor.stoppa@...il.com>
To: Kees Cook <keescook@...omium.org>,
Peter Zijlstra <peterz@...radead.org>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Matthew Wilcox <willy@...radead.org>,
Dave Chinner <david@...morbit.com>,
James Morris <jmorris@...ei.org>,
Michal Hocko <mhocko@...nel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
linux-integrity <linux-integrity@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Igor Stoppa <igor.stoppa@...wei.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Jonathan Corbet <corbet@....net>,
Laura Abbott <labbott@...hat.com>,
Randy Dunlap <rdunlap@...radead.org>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Andy Lutomirski <luto@...capital.net>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 10/17] prmem: documentation
On 30/10/2018 18:37, Kees Cook wrote:
> On Tue, Oct 30, 2018 at 8:26 AM, Peter Zijlstra <peterz@...radead.org> wrote:
>> I suppose the 'normal' attack goes like:
>>
>> 1) find buffer-overrun / bound check failure
>> 2) use that to write to 'interesting' location
>> 3) that write results arbitrary code execution
>> 4) win
>>
>> Of course, if the store of 2 is to the current cred structure, and
>> simply sets the effective uid to 0, we can skip 3.
>
> In most cases, yes, gaining root is game over. However, I don't want
> to discount other threat models: some systems have been designed not
> to trust root, so a cred attack doesn't always get an attacker full
> control (e.g. lockdown series, signed modules, encrypted VMs, etc).
Reading these points I see where I was not clear.
Maybe I can fix that. SELinux is a good example of safeguard against a
takeover of root, so it is a primary target. Unfortunately it contains
some state variables that can be used to disable it.
Other attack that comes to my mind, for executing code within the
kernel, without sweating too much with ROP is the following:
1) find the rabbit hole to write kernel data, whatever it might be
2) spray the keyring with own key
3) use the module loading infrastructure to load own module, signed with
the key at point 2)
Just to say that direct arbitrary code execution is becoming harder to
perform, but there are ways around it which rely more on overwriting
unprotected data.
They are a lower hanging fruit for an attacker.
--
igor
Powered by blists - more mailing lists