From: Ingo Molnar <mingo@elte.hu>
To: Marcus Meissner <meissner@suse.de>
Cc: linux-kernel@vger.kernel.org, jason.wessel@windriver.com,
fweisbec@gmail.com, tj@kernel.org, mort@sgi.com, akpm@osdl.org,
security@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking
Date: Thu, 4 Nov 2010 20:08:04 +0100 [thread overview]
Message-ID: <20101104190804.GA16099@elte.hu> (raw)
In-Reply-To: <20101104143322.GL25118@suse.de>
* Marcus Meissner <meissner@suse.de> wrote:
> > For example, on a Fedora testbox i have this version info:
> >
> > $ uname -r
> > 2.6.35.6-48.fc14.x86_64
> >
> > Any attacker can download that rpm from:
> >
> > http://download.fedora.redhat.com/pub/fedora/linux/updates/14/x86_64/kernel-2.6.35.6-48.fc14.x86_64.rpm
> >
> > And can extract the System.map from it, using rpm2cpio and cpio -i -d. That will
> > include all the symbol addresses - without the attacker having any access to the
> > System.map or /proc/kallsyms on this particular box.
> >
> > I.e. on distro kernel installations (which comprise the _vast_ majority of our
> > userbase) your patch brings little security benefits.
> >
> > What i suggested in later parts of my mail might provide more security: to
> > sandbox kernel version information from unprivileged user-space - if we decide
> > that we want to sandbox kernel version information ...
> >
> > That is a big if, because it takes a considerable amount of work. Would be worth
> > trying it - but feel-good non-solutions that do not bring much improvement to
> > the majority of users IMHO hinder such efforts.
>
> Hiding the OS version is really quite hard I think.
Yes. Hard but it would be useful - especially if we start adding things like known
exploit honeypots. Forcing attackers to probe the kernel by actually running a
kernel exploit, and risking an alarm would be a very powerful security feature.
Removing version info will upset some tools/libraries that rely on kernel version
information for quirks though.
> I mean the kernel could hide it from uname, but lsb_release, /etc/redhat-release,
> /etc/SuSE-release etc still exist and then you can still use the fixed address
> list table inside your exploit. But an exploits needs to have such a list, making
> it harder to write.
>
> If we avoid exploits being able to just do open("/boot/System.map") it would make
> it a useful step harder for exploit writers.
Dunno. It's a very low 'barrier'.
> (This will end up a arms race between us and the exploit toolkit writers of
> course, but hopefully not a longer one than fixing all actual problems ;)
That's not really an arms race. It's more like a 'throwing a feather in the path of
a tornado' kind of defense. Sure, it has some effect.
> I also briefly thought about kernel ASLR, but my knowledge of the kernel loading
> is too limited whether this is even possible or at all useful.
Now ASLR for kernel addresses would be _very_ useful. We could still 'expose' useful
debug and instrumentation info like /proc/kallsyms, but the kernel internal offset
would be a per bootup secret.
_That_ is a real statistical defensive security measure which would help everyone
and everywhere. Not hiding public info on that system and still leaving the link to
the public info (the version) available.
(Isn't such a feature available in one of the security patches? Porting that to
distros and moving it upstream would add some real defense.)
Thanks,
Ingo
next prev parent reply other threads:[~2010-11-04 19:08 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-04 10:09 [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking Marcus Meissner
2010-11-04 10:11 ` Tejun Heo
2010-11-05 0:11 ` [Security] " Eugene Teo
2010-11-04 11:46 ` Ingo Molnar
2010-11-04 12:29 ` Marcus Meissner
2010-11-04 13:58 ` Ingo Molnar
2010-11-04 14:11 ` Ingo Molnar
2010-11-04 14:33 ` Marcus Meissner
2010-11-04 14:38 ` Tejun Heo
2010-11-04 14:43 ` H. Peter Anvin
2010-11-04 14:48 ` Tejun Heo
2010-11-04 19:08 ` Ingo Molnar [this message]
2010-11-04 21:29 ` [Security] " Willy Tarreau
2010-11-04 21:51 ` Ingo Molnar
2010-11-04 22:35 ` Willy Tarreau
2010-11-04 23:46 ` Willy Tarreau
2010-11-07 8:50 ` Ingo Molnar
2010-11-07 9:08 ` Ingo Molnar
2010-11-07 9:49 ` Willy Tarreau
2010-11-07 11:27 ` Ingo Molnar
2010-11-07 11:41 ` Willy Tarreau
2010-11-07 11:47 ` Ingo Molnar
2010-11-07 11:56 ` Willy Tarreau
2010-11-07 12:12 ` Ingo Molnar
2010-11-07 12:22 ` Willy Tarreau
2010-11-07 12:25 ` Ingo Molnar
2010-11-07 12:39 ` Willy Tarreau
2010-11-07 12:32 ` Ingo Molnar
2010-11-07 12:51 ` Willy Tarreau
2010-11-07 15:27 ` Alan Cox
2010-11-08 6:29 ` Ingo Molnar
2010-11-07 11:42 ` Ingo Molnar
2010-11-07 11:51 ` Willy Tarreau
2010-11-07 12:37 ` Ingo Molnar
2010-11-07 12:55 ` Willy Tarreau
2010-11-07 8:56 ` Ingo Molnar
2010-11-07 9:03 ` Ingo Molnar
[not found] ` <20101104215157.GA25128@ <20101107090805.GA27983@elte.hu>
2010-11-13 13:06 ` Gilles Espinasse
2010-11-07 18:02 ` Andi Kleen
2010-11-07 18:32 ` H. Peter Anvin
2010-11-10 8:53 ` Ingo Molnar
2010-11-11 2:51 ` H. Peter Anvin
2010-11-11 7:05 ` Ingo Molnar
2010-11-05 2:38 ` Frank Rowand
2010-11-10 20:58 ` Jesper Juhl
2010-11-05 0:20 ` Jesper Juhl
-- strict thread matches above, loose matches on Subject: below --
2010-11-16 10:46 Marcus Meissner
2010-11-17 5:07 ` Kyle McMartin
2010-11-18 7:48 ` Ingo Molnar
2010-11-20 3:18 ` Kees Cook
2010-11-26 7:51 ` Ingo Molnar
2010-11-17 5:40 ` Kyle Moffett
2010-11-17 5:41 ` Kyle Moffett
2010-11-17 5:58 ` Linus Torvalds
2010-11-17 6:19 ` Willy Tarreau
2010-11-18 7:31 ` Ingo Molnar
2010-11-23 17:24 ` Pavel Machek
2010-11-26 7:38 ` Ingo Molnar
2010-11-29 19:03 ` H. Peter Anvin
2010-11-20 11:32 ` Avi Kivity
2010-11-19 19:19 ` Sarah Sharp
2010-11-19 19:54 ` Linus Torvalds
2010-11-19 19:58 ` david
2010-11-19 20:04 ` Linus Torvalds
2010-11-19 20:16 ` Willy Tarreau
2010-11-19 20:55 ` david
2010-11-26 7:48 ` Ingo Molnar
2010-11-29 16:33 ` Sarah Sharp
2010-11-29 18:04 ` Ingo Molnar
2010-11-29 19:05 ` H. Peter Anvin
2010-11-29 19:21 ` Eric Paris
2010-11-29 19:38 ` H. Peter Anvin
2010-11-29 21:49 ` Willy Tarreau
2010-11-29 23:31 ` Alan Cox
2010-11-30 11:58 ` Ingo Molnar
2010-11-20 11:05 ` Richard W.M. Jones
2010-11-19 21:12 Andy Walls
2010-11-19 23:22 ` Linus Torvalds
2010-11-20 2:40 ` Kees Cook
2010-11-20 19:47 ` Henrique de Moraes Holschuh
2010-11-29 22:58 ` Kevin Easton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101104190804.GA16099@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=akpm@osdl.org \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=jason.wessel@windriver.com \
--cc=linux-kernel@vger.kernel.org \
--cc=meissner@suse.de \
--cc=mort@sgi.com \
--cc=security@kernel.org \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox