
Re: Security patches



On Fri, 19 Dec 2003 08:02, martin f krafft <madduck@debian.org> wrote:
> I would be very interested, Russel, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent that.

Henrique sums it up pretty well.

There are kernel module root kits out there being used right now.  Some are 
buggy and allow experienced administrators to find them; some probably 
aren't!

LSM gives access to the parts of the code needed to perform access control.  For 
example there are cases where you can make a system call that takes pointers 
and then change the data that is pointed to between the start of the system 
call and when it actually does things.  This is why auditing and access 
control systems that just take over entries in the system call table are not 
good enough.

However, if all you want to do is hide a process from appearing in /proc, hide 
a file in a directory, etc., then all you have to do is to take over the 
system call table entries for the relevant calls.  A minor race condition 
that could allow someone to see your hidden process on an SMP machine when you 
have shared memory used for parameters isn't the big risk for an attacker in 
terms of discovery!  If the administrator thinks that an attacker has loaded 
a kernel module then they can boot from a CD and run tripwire.

In summary, LSM provides features that are useful for the rightful 
administrator to protect against hostile users.  But those features aren't as 
necessary for an attacker to protect against the administrator.

If someone can load their own code into your kernel then you've lost the game 
already.


In terms of LSM protection against this, if you use SE Linux then all aspects 
of file access and module loading are controlled by the policy.  I am going 
to write a policy that implements something similar to BSD secure levels so 
that you can put a server into a mode where all kmem and module load access 
is disabled.  That should be all you need.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
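An added illustration of the pointer-argument race Russell describes above; this is example code written for this page, not part of his message or of any kernel or LSM source. It is a user-space model, so the "user memory", the policy (only paths under /tmp/ may be opened) and the racing thread (modelled as a callback that fires between the check and the use) are all constructed for the example. The syscall-table wrapper has to read the path out of user memory to check it and then hands the same pointer to the real sys_open, which reads user memory a second time; the LSM-style variant is called with the kernel's single copy, so there is nothing left for the attacker to flip.

```c
/* Added example (not from the original post): why a syscall-table wrapper is
 * racy for access control, and why an LSM hook that sees the kernel's own copy
 * of the argument is not. User-space model; "kernel" and "user" are simulated. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PATH_MAX_LEN 64

/* Model of user memory: the attacking process owns this buffer and a second
 * thread in that process may rewrite it at any time. */
typedef struct {
    char path[PATH_MAX_LEN];
} user_mem_t;

/* The attacker's second thread, modelled as a callback that runs in the
 * window between the wrapper's check and the real syscall's copy. */
typedef void (*racer_fn)(user_mem_t *user);

/* Constructed policy for the example: only /tmp/... may be opened. */
static bool policy_allows(const char *kernel_copy) {
    return strncmp(kernel_copy, "/tmp/", 5) == 0;
}

/* Model of the real sys_open: it does its own copy_from_user of the path. */
static bool real_sys_open(const user_mem_t *user, char *opened_path) {
    strncpy(opened_path, user->path, PATH_MAX_LEN);     /* the kernel's fetch */
    opened_path[PATH_MAX_LEN - 1] = '\0';
    return true;
}

/* Vulnerable: a wrapper installed in the system call table. It must fetch the
 * path from user memory to check it, then passes the *pointer* on to the real
 * syscall, which fetches again. Two fetches of the same user data, one window. */
static bool wrapped_open_syscall_table(user_mem_t *user, racer_fn racer, char *opened_path) {
    char check_copy[PATH_MAX_LEN];
    strncpy(check_copy, user->path, PATH_MAX_LEN);      /* fetch #1: for the check */
    check_copy[PATH_MAX_LEN - 1] = '\0';
    if (!policy_allows(check_copy))
        return false;
    if (racer) racer(user);              /* attacker's thread flips the buffer here */
    return real_sys_open(user, opened_path);            /* fetch #2: for the open */
}

/* LSM-style: the kernel copies the argument once and the security hook is
 * called with that copy (in the real kernel, with the resolved dentry/inode),
 * so the check and the use operate on the same data. */
static bool lsm_style_open(user_mem_t *user, racer_fn racer, char *opened_path) {
    char kernel_copy[PATH_MAX_LEN];
    strncpy(kernel_copy, user->path, PATH_MAX_LEN);     /* the only fetch */
    kernel_copy[PATH_MAX_LEN - 1] = '\0';
    if (racer) racer(user);              /* too late: the kernel no longer reads user memory */
    if (!policy_allows(kernel_copy))     /* the security hook sees the kernel copy */
        return false;
    strncpy(opened_path, kernel_copy, PATH_MAX_LEN);
    return true;
}

/* Attacker's racing thread: swap the benign path for the real target. */
static void swap_to_shadow(user_mem_t *user) {
    strcpy(user->path, "/etc/shadow");
}

/* Run one scenario with the racer active. Returns true if the policy was
 * bypassed, i.e. a path outside /tmp/ was actually opened. */
static bool bypassed(bool (*open_fn)(user_mem_t *, racer_fn, char *)) {
    user_mem_t user;
    char opened[PATH_MAX_LEN] = {0};
    strcpy(user.path, "/tmp/harmless");                 /* what the check will see */
    bool ok = open_fn(&user, swap_to_shadow, opened);
    return ok && !policy_allows(opened);
}

/* Sanity check: with no racer, both variants permit a legitimate open. */
static bool allows_legit(bool (*open_fn)(user_mem_t *, racer_fn, char *)) {
    user_mem_t user;
    char opened[PATH_MAX_LEN] = {0};
    strcpy(user.path, "/tmp/harmless");
    return open_fn(&user, NULL, opened) && strcmp(opened, "/tmp/harmless") == 0;
}

int main(void) {
    printf("syscall-table wrapper bypassed: %s\n", bypassed(wrapped_open_syscall_table) ? "yes" : "no");
    printf("LSM-style hook bypassed:        %s\n", bypassed(lsm_style_open) ? "yes" : "no");
    return 0;
}
```

The model deliberately makes the race deterministic by calling the "other thread" at the exact point in the window; on a real SMP box the same effect is a matter of timing, which is why the post calls it a minor race for a rootkit trying to hide but a real problem for a wrapper trying to enforce policy.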


