From: Kevin Wolf <kwolf@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: jcody@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
Date: Tue, 4 Nov 2014 11:32:42 +0100 [thread overview]
Message-ID: <20141104103242.GC4119@noname.redhat.com> (raw)
In-Reply-To: <87mw87l335.fsf@blackfin.pond.sub.org>
Am 04.11.2014 um 10:36 hat Markus Armbruster geschrieben:
> Kevin Wolf <kwolf@redhat.com> writes:
>
> > Am 31.10.2014 um 23:45 hat Eric Blake geschrieben:
> >> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
> >>
> >> > You either have to prevent *any* writing of the first 2048 bytes (the
> >> > part that can be examined by a bdrv_probe() method, or your have to
> >> > prevent writing anything a probe recognizes, or the user has to specify
> >> > the format explicitly.
> >> >
> >> > If you do the former, you're way outside the realm of "theoretical".
> >> >
> >> > If you do the latter, the degree of "theoreticalness" depends on the
> >> > union of the patterns you prevent. Issues:
> >> >
> >> > 1. Anthony's method of checking a few known signatures is fragile. The
> >> > only obviously robust way to test "is probing going to find something
> >> > other than 'raw'?" is running the probes. Feasible.
> >> >
> >> > 2. Whether the union of patterns qualifies as "theoretical" for all our
> >> > targets is not obvious, and whether it'll remain "theoretical" for all
> >> > future formats and target machines even less.
> >>
> >> This one scares me. The proof of concept patch you posted tests whether
> >> a write to the first sector would result in the sector matching a
> >> _currently known probe_ for the file formats that were compiled in at
> >> configure time to the currently running binary. But this is NOT the set
> >> of all possible binary formats that may be introduced in the future. By
> >> extrapolation, if we pursue write blocking, then the only SAFE way to is
> >> to reject ALL writes to the first sector, because we can't know which
> >> writes will match some theoretical future probe - but by the time you
> >> get to that point, then we no longer match bare metal (rejecting ALL
> >> writes to the first sector is ridiculous).
> >
> > There is no absolute security without forbidding raw. Who says that the
> > next format doesn't have its magic in sector 42?
>
> Correct.
>
> > You are right that if an attacker knows which new format supporting
> > backing files we'll have in the next version, and the user uses probed
> > raw despite the warning (which means they are not using libvirt), the
> > attacker can write the header of the new image format now and hope that
> > the user leaves it alone until the update happens at some point in the
> > future. Then the malicious guest can access that one file, but not
> > obtain access to the next one (because the new checks are in place
> > then).
> >
> > I don't think this is a relevant attack vector. It's probably much
> > easier to get the user to run an untrusted image than converting a
> > trusted image into a time bomb and waiting potentially for months or
> > years for it to explode.
>
> The threat from using untrusted images with embedded filenames is real.
>
> Regardless, I wouldn't discount the (different) threat from guests
> exploiting "future" probes so cavalierly. If your host is running a
> stable distro, its future is easy to know. Even the point of time when
> it gets upgraded can be predictable.
>
> In general, I recommend against leaving security holes in place just
> because you think nobody could be bothered to exploit them :)
>
> Security is not an absolute that cannot be trumped by any other
> consideration. I'm perfectly happy to consider usability and
> compatibility issues, as well as implementation complexity. I'm much
> less willing to accept a "come on, nobody is going to try *that*"
> argument.
No, I didn't mean to make a "come on, nobody is going to try *that*"
argument.
I just can think of more attacks that we won't avoid with either
approach. For example, what if another program on the host is
exploitable and you just need a file with the right content to attack
it? A raw image gives you what you need. Nobody is going to try *that*
then, if you're content with allowing this?
The only full solution is forbidding raw. We have already agreed that
this isn't an option. Now we have to draw a line somewhere.
Kevin
next prev parent reply other threads:[~2014-11-04 10:32 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-28 16:03 [Qemu-devel] [PATCH RFC 0/2] block: Warn on insecure format probing Markus Armbruster
2014-10-28 16:03 ` [Qemu-devel] [PATCH RFC 1/2] block: Factor bdrv_probe_all() out of find_image_format() Markus Armbruster
2014-10-28 16:34 ` Eric Blake
2014-10-28 16:41 ` Jeff Cody
2014-10-29 15:22 ` Stefan Hajnoczi
2014-10-28 16:03 ` [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing Markus Armbruster
2014-10-28 17:02 ` Eric Blake
2014-10-28 18:29 ` Jeff Cody
2014-10-28 18:56 ` Eric Blake
2014-10-28 19:42 ` Jeff Cody
2014-10-29 7:36 ` Markus Armbruster
2014-10-29 8:25 ` Max Reitz
2014-10-29 7:22 ` Markus Armbruster
2014-10-30 13:58 ` Jeff Cody
2014-11-03 8:07 ` Markus Armbruster
2014-10-29 7:03 ` Markus Armbruster
2014-10-28 18:33 ` Jeff Cody
2014-10-29 6:37 ` Markus Armbruster
2014-10-30 13:52 ` Jeff Cody
2014-11-03 8:11 ` Markus Armbruster
2014-10-29 1:16 ` Fam Zheng
2014-10-29 6:32 ` Markus Armbruster
2014-10-29 10:12 ` Kevin Wolf
2014-10-29 13:54 ` Markus Armbruster
2014-10-29 15:34 ` Stefan Hajnoczi
2014-10-30 9:07 ` Markus Armbruster
2014-10-30 9:24 ` Stefan Hajnoczi
2014-10-30 12:19 ` Markus Armbruster
2014-10-30 9:30 ` Kevin Wolf
2014-10-30 12:49 ` Markus Armbruster
2014-10-31 11:19 ` Stefan Hajnoczi
2014-10-31 22:45 ` Eric Blake
2014-11-03 8:15 ` Markus Armbruster
2014-11-03 11:13 ` Kevin Wolf
2014-11-04 9:36 ` Markus Armbruster
2014-11-04 10:32 ` Kevin Wolf [this message]
2014-11-05 7:58 ` Markus Armbruster
2014-11-03 11:00 ` Kevin Wolf
2014-11-04 9:39 ` Markus Armbruster
2014-11-04 16:09 ` Jeff Cody
2014-11-05 8:05 ` Markus Armbruster
2014-11-05 8:09 ` Max Reitz
2014-10-30 9:08 ` Max Reitz
2014-10-30 9:27 ` Stefan Hajnoczi
2014-10-30 9:36 ` Kevin Wolf
2014-10-31 11:24 ` Stefan Hajnoczi
2014-10-31 11:56 ` Kevin Wolf
2014-11-03 8:54 ` Markus Armbruster
2014-11-03 9:11 ` Max Reitz
2014-11-04 9:34 ` Markus Armbruster
2014-11-03 10:25 ` Kevin Wolf
2014-11-03 15:05 ` Stefan Hajnoczi
2014-11-03 15:13 ` Max Reitz
2014-11-04 9:42 ` Markus Armbruster
2014-11-04 10:11 ` Kevin Wolf
2014-11-04 15:25 ` Stefan Hajnoczi
2014-11-04 15:37 ` Kevin Wolf
2014-11-05 8:39 ` Markus Armbruster
2014-11-05 10:18 ` Eric Blake
2014-10-30 13:02 ` Markus Armbruster
2014-11-03 8:44 ` Max Reitz
2014-10-30 20:45 ` Richard W.M. Jones
2014-11-03 8:18 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141104103242.GC4119@noname.redhat.com \
--to=kwolf@redhat.com \
--cc=armbru@redhat.com \
--cc=jcody@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).