From: Andi Kleen <andi@firstfloor.org>
To: Hajime Inoue <hinoue@ccsl.carleton.ca>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>, linux-kernel@vger.kernel.org
Subject: Re: System call interposition/unprotecting the table
Date: 14 Aug 2007 21:50:03 +0200
Message-ID: <p73zm0tnbf8.fsf@bingen.suse.de>
In-Reply-To: <46C1E5F5.9050702@ccsl.carleton.ca>
Hajime Inoue <hinoue@ccsl.carleton.ca> writes:
> Just protecting the table does not stop rootkits. A highly referenced
> phrack article explains how to bypass the table.
During .23-pre for some time the kernel text was protected too (that
would have likely stopped that particular attack), but it was
removed because it caused too many problems.
Ultimately it is useless for security anyways because the page
tables cannot be protected (because there are valid reasons to change
them). If they're not protected any protection can be undone by
changing them or simply creating an alias mapping. Also the Linux
kernel has function pointers in read-write data structures which could
also be used to inject code.
So even with Alan's hypervisor support the whole thing would be still
quite holey. The argument of raising the bar also doesn't seem very
convincing to me, because attackers reuse code too and it's enough
when someone publishes such code once, then they can cut'n'paste
it into any exploits forever.
In general the .data protection is only considered a debugging
feature. I don't know why Fedora enables it in their production
kernels.
BTW I tested your test case and it works for me on 2.6.23rc3 with
DEBUG_RODATA enabled on i386/PAE. Without DEBUG_RODATA it BUGs,
but that's because the c_p_a interface is somewhat clumsy
and expects balanced changes.
-Andi