* [uml-devel] Module exploits into the host?
From: Robin Green @ 2004-03-03 20:09 UTC (permalink / raw)
To: user-mode-linux-devel
Even with the skas patch, is it possible for an insmod to allow an attacker to
break out of a UML?
If not, why not?
If so, are there any configurations that are not vulnerable to this?
--
Robin
* Re: [uml-devel] Module exploits into the host?
From: Henrik Nordstrom @ 2004-03-03 21:29 UTC (permalink / raw)
To: Robin Green; +Cc: user-mode-linux-devel
On Wed, 3 Mar 2004, Robin Green wrote:
> Even with the skas patch, is it possible for an insmod to allow an attacker to
> break out of a UML?
Yes.
Kernel code has full access as the user the kernel runs as, skas or not.
This is required for UML to work as the UML kernel needs to access
numerous resources on the host to be able to do anything.
If you want to minimize this, run the UML chrooted (and absolutely not as
root). Process capabilities can also be used to limit the possible damage,
as can any of the security extensions to Linux.
Regards
Henrik
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
User-mode-linux-devel mailing list
User-mode-linux-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
* [uml-devel] More security questions (was: Module exploits into the host?)
From: Robin Green @ 2004-03-03 23:14 UTC (permalink / raw)
To: user-mode-linux-devel
On Wed, Mar 03, 2004 at 10:29:59PM +0100, Henrik Nordstrom wrote:
> On Wed, 3 Mar 2004, Robin Green wrote:
> > Even with the skas patch, is it possible for an insmod to allow an attacker to
> > break out of a UML?
>
> Yes.
OK thanks.
Two more security questions:
1. Has the lcall vulnerability been fixed? By a change in the mainline kernel?
2. I read on some mailing list (not this one) that in tt mode, processes within
a UML instance can read and write to each other's memory! Ah, here we are,
from last year:
http://www.paul.sladen.org/vserver/archives/200305/0074.html
Is this true, or just a rumour?
I have a security proposal to post next, but first I want to understand the
current state of play of UML security.
--
Robin
* Re: [uml-devel] Module exploits into the host?
From: Cameron Patrick @ 2004-03-04 9:36 UTC (permalink / raw)
To: user-mode-linux-devel
Henrik Nordstrom wrote:
| If you want to minimize this, run the UML chrooted (and absolutely not as
| root). The use of process capabilities can also be used to limit the
| possible damage, or any of the security extensions to Linux.
Also, don't build module support into the kernel, and edit drivers/char/mem.c
to disable writes to /dev/mem and /dev/kmem.
Cameron.
* Re: [uml-devel] Module exploits into the host?
From: Peter @ 2004-03-04 10:19 UTC (permalink / raw)
To: user-mode-linux-devel
And disable hostfs on your UML kernel (even if you're not passing a hostfs to the UML instance on its command line).
----- Original Message -----
From: "Cameron Patrick" <cameron@patrick.wattle.id.au>
To: <user-mode-linux-devel@lists.sourceforge.net>
Sent: Thursday, March 04, 2004 10:36 PM
Subject: Re: [uml-devel] Module exploits into the host?
> Henrik Nordstrom wrote:
>
> | If you want to minimize this, run the UML chrooted (and absolutely not as
> | root). The use of process capabilities can also be used to limit the
> | possible damage, or any of the security extensions to Linux.
>
> Also, don't build module support into the kernel, and edit drivers/char/mem.c
> to disable writes to /dev/mem and /dev/kmem.
>
> Cameron.
* [uml-devel] CFP workshop on UML Security (was: Module exploits into the host?)
From: Goetz Bock @ 2004-03-04 19:45 UTC (permalink / raw)
To: user-mode-linux-devel, user-mode-linux-user
Sorry for the crosspost, and for being slightly off-topic (but at least it's
related to the thread).
As the CCC (www.ccc.de/muc.ccc.de) is doing the Easterhegg in
Munich/Germany, I wanted to ask if any UML power user/developer is living
in/near Munich/Germany and willing to do/help on a UML workshop,
focussing on the added security by using UML. Part of the workshop
should be breaking out of UML.
Unfortunately I don't have any experience doing so, only the
ideas/gotchas presented in this thread.
Please reply offline to: ehegg@blacknet.de
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
* Re: [uml-devel] More security questions (was: Module exploits into the host?)
From: BlaisorBlade @ 2004-03-07 11:06 UTC (permalink / raw)
To: user-mode-linux-devel; +Cc: Robin Green
At 00:14, Thursday 4 March 2004, Robin Green wrote:
> On Wed, Mar 03, 2004 at 10:29:59PM +0100, Henrik Nordstrom wrote:
> > On Wed, 3 Mar 2004, Robin Green wrote:
> > > Even with the skas patch, is it possible for an insmod to allow an
> > > attacker to break out of a UML?
> >
> > Yes.
>
> OK thanks.
>
> Two more security questions:
>
> 1. Has the lcall vulnerability been fixed? By a change in the mainline
> kernel?
>
> 2. I read on some mailing list (not this one) that in tt mode, processes
> within a UML instance can read and write to each other's memory! Ah, here
> we are, from last year:
>
> http://www.paul.sladen.org/vserver/archives/200305/0074.html
>
> Is this true, or just a rumour?
>
> I have a security proposal to post next, but first I want to understand the
> current state of play of UML security.
I think it can be true if you do not enable the "jail" mode. At least, in TT
mode, without jail mode, any process can read the kernel memory; actually I
don't think it can also read the other process memory *directly*, but it is
possible: if you can read the kernel data, you can get to do this (however not
very simply).
--
Paolo Giarrusso, aka Blaisorblade
Linux registered user n. 292729
* Re: [uml-devel] More security questions (was: Module exploits into the host?)
From: Jeff Dike @ 2004-03-08 21:33 UTC (permalink / raw)
To: Robin Green; +Cc: user-mode-linux-devel
greenrd@greenrd.org said:
> 1. Has the lcall vulnerability been fixed? By a change in the mainline
> kernel?
No. It's easy enough to do - I just haven't got around to it yet.
> 2. I read on some mailing list (not this one) that in tt mode,
> processes within a UML instance can read and write to each other's
> memory!
Yes, they can do that through the UML kernel memory, which is mapped writeable
into each process.
This is impossible in skas mode.
Jeff
* Re: [uml-devel] More security questions (was: Module exploits into the host?)
From: Robin Green @ 2004-03-09 23:21 UTC (permalink / raw)
To: Jeff Dike; +Cc: user-mode-linux-devel
On Mon, Mar 08, 2004 at 04:33:42PM -0500, Jeff Dike wrote:
> greenrd@greenrd.org said:
> > 1. Has the lcall vulnerability been fixed? By a change in the mainline
> > kernel?
>
> No. It's easy enough to do - I just haven't got around to it yet.
OK, thanks. I've summarised the info in this thread, and added some more,
on the UML wiki at
http://uml.harlowhill.com/index.php/Security
Please go ahead and make any corrections/additions you think appropriate.
Please could you also add a link to this on the main UML sf site?
--
Robin