From: Ingo Molnar <mingo@elte.hu>
To: Willy Tarreau <w@1wt.eu>
Cc: Marcus Meissner <meissner@suse.de>,
security@kernel.org, mort@sgi.com,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
fweisbec@gmail.com, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org, jason.wessel@windriver.com,
tj@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking
Date: Thu, 4 Nov 2010 22:51:57 +0100 [thread overview]
Message-ID: <20101104215157.GA25128@elte.hu> (raw)
In-Reply-To: <20101104212920.GA31256@1wt.eu>
* Willy Tarreau <w@1wt.eu> wrote:
> On Thu, Nov 04, 2010 at 08:08:04PM +0100, Ingo Molnar wrote:
> >
> > * Marcus Meissner <meissner@suse.de> wrote:
> >
> > > > For example, on a Fedora testbox i have this version info:
> > > >
> > > > $ uname -r
> > > > 2.6.35.6-48.fc14.x86_64
> > > >
> > > > Any attacker can download that rpm from:
> > > >
> > > > http://download.fedora.redhat.com/pub/fedora/linux/updates/14/x86_64/kernel-2.6.35.6-48.fc14.x86_64.rpm
> > > >
> > > > And can extract the System.map from it, using rpm2cpio and cpio -i -d. That will
> > > > include all the symbol addresses - without the attacker having any access to the
> > > > System.map or /proc/kallsyms on this particular box.
> > > >
> > > > I.e. on distro kernel installations (which comprise the _vast_ majority of our
> > > > userbase) your patch brings little security benefits.
> > > >
> > > > What i suggested in later parts of my mail might provide more security: to
> > > > sandbox kernel version information from unprivileged user-space - if we decide
> > > > that we want to sandbox kernel version information ...
> > > >
> > > > That is a big if, because it takes a considerable amount of work. Would be worth
> > > > trying it - but feel-good non-solutions that do not bring much improvement to
> > > > the majority of users IMHO hinder such efforts.
> > >
> > > Hiding the OS version is really quite hard I think.
> >
> > Yes. Hard but it would be useful - especially if we start adding things like known
> > exploit honeypots. Forcing attackers to probe the kernel by actually running a
> > kernel exploit, and risking an alarm would be a very powerful security feature.
> >
> > Removing version info will upset some tools/libraries that rely on kernel
> > version information for quirks though.
>
> Quite honnestly, it's the worst idea I've ever read to protect the kernel. Kernel
> version is needed at many places, when building some code which relies on presence
> of syscall X or Y depending on a version, etc... [...]
Actually that's not true, since we have a kernel ABI, and since there's many
backports of newer kernel features into older kernels that it's generally not
needed nor meaningful to know the kernel version for syscalls.
Returning -ENOSYS is the general standard we use to communicate syscall
capabilities.
In fact using kernel version to switch around library functionality is a bug i'd
argue.
> [...] If our kernel is so buggy that we can only rely on its version to be kept
> secret, then we have already failed.
That mischaracterises my suggestion rather heavily - which makes me suspect that you
misunderstood it. Here's the relevant section of what i suggested here:
> > Hard but it would be useful - especially if we start adding things like known
> > exploit honeypots. Forcing attackers to probe the kernel by actually running a
> > kernel exploit, and risking an alarm would be a very powerful security feature.
An 'exploit honeypot' would be some small amount of 'detection' code for the
exploitable pattern of parameters (most attacks come via ioctls so we can add
detection for known holes without any performance hit), and the kernel would warn
the sysadmin that an exploit attempt has occured.
The point is to make it riskier to run exploits - not to 'hide version because we
are so buggy'. Unprivileged attackers wont be able to know whether a kernel is
unpatched and wont know whether trying an actual exploit triggers a silent alarm or
not.
I.e. i think the only true break-through in kernel security will be to add credible
and substantial 'strike back' functionality - to increase the risks of detection
(which necessiates the removal of the information whether a kernel is patched or
not).
As i said it's hard - but it would be a rather break-through security feature for
Linux. Not an 'arms race' thing where we just put obstruction in the road of
attackers - but some real, unavoidable risk not detectable by attackers - running on
most stock distro kernels. (so there would be a real economy of scale)
The kerneloops client could also collect exploit attempt stats.
Thanks,
Ingo
next prev parent reply other threads:[~2010-11-04 21:53 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-04 10:09 [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking Marcus Meissner
2010-11-04 10:11 ` Tejun Heo
2010-11-05 0:11 ` [Security] " Eugene Teo
2010-11-04 11:46 ` Ingo Molnar
2010-11-04 12:29 ` Marcus Meissner
2010-11-04 13:58 ` Ingo Molnar
2010-11-04 14:11 ` Ingo Molnar
2010-11-04 14:33 ` Marcus Meissner
2010-11-04 14:38 ` Tejun Heo
2010-11-04 14:43 ` H. Peter Anvin
2010-11-04 14:48 ` Tejun Heo
2010-11-04 19:08 ` Ingo Molnar
2010-11-04 21:29 ` [Security] " Willy Tarreau
2010-11-04 21:51 ` Ingo Molnar [this message]
2010-11-04 22:35 ` Willy Tarreau
2010-11-04 23:46 ` Willy Tarreau
2010-11-07 8:50 ` Ingo Molnar
2010-11-07 9:08 ` Ingo Molnar
2010-11-07 9:49 ` Willy Tarreau
2010-11-07 11:27 ` Ingo Molnar
2010-11-07 11:41 ` Willy Tarreau
2010-11-07 11:47 ` Ingo Molnar
2010-11-07 11:56 ` Willy Tarreau
2010-11-07 12:12 ` Ingo Molnar
2010-11-07 12:22 ` Willy Tarreau
2010-11-07 12:25 ` Ingo Molnar
2010-11-07 12:39 ` Willy Tarreau
2010-11-07 12:32 ` Ingo Molnar
2010-11-07 12:51 ` Willy Tarreau
2010-11-07 15:27 ` Alan Cox
2010-11-08 6:29 ` Ingo Molnar
2010-11-07 11:42 ` Ingo Molnar
2010-11-07 11:51 ` Willy Tarreau
2010-11-07 12:37 ` Ingo Molnar
2010-11-07 12:55 ` Willy Tarreau
2010-11-07 8:56 ` Ingo Molnar
2010-11-07 9:03 ` Ingo Molnar
[not found] ` <20101104215157.GA25128@ <20101107090805.GA27983@elte.hu>
2010-11-13 13:06 ` Gilles Espinasse
2010-11-07 18:02 ` Andi Kleen
2010-11-07 18:32 ` H. Peter Anvin
2010-11-10 8:53 ` Ingo Molnar
2010-11-11 2:51 ` H. Peter Anvin
2010-11-11 7:05 ` Ingo Molnar
2010-11-05 2:38 ` Frank Rowand
2010-11-10 20:58 ` Jesper Juhl
2010-11-05 0:20 ` Jesper Juhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101104215157.GA25128@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=jason.wessel@windriver.com \
--cc=linux-kernel@vger.kernel.org \
--cc=meissner@suse.de \
--cc=mort@sgi.com \
--cc=security@kernel.org \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox