Re: Security patches
On Fri, 19 Dec 2003 08:02, martin f krafft <madduck@debian.org> wrote:
> I would be very interested, Russell, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent that.
Henrique sums it up pretty well.
There are kernel module root kits out there being used right now. Some are
buggy and allow experienced administrators to find them; some probably
aren't!
LSM gives access to parts of the code needed to perform access control. For
example there are cases where you can make a system call that takes pointers
and then change the data that is pointed to between the start of the system
call and when it actually does things. This is why auditing and access
control systems that just take over entries in the system call table are not
good enough.
However if all you want to do is hide a process from appearing in /proc, hide
a file in a directory, etc., then all you have to do is to take over the
system call table entries for the relevant calls. A minor race condition
that could allow someone to see your hidden process on an SMP machine when you
have shared memory used for parameters isn't the big risk for an attacker in
terms of discovery! If the administrator thinks that an attacker has loaded
a kernel module then they can boot from a CD and run tripwire.
In summary, LSM provides features that are useful for the rightful
administrator to protect against hostile users. But those features aren't as
necessary for an attacker to protect against the administrator.
If someone can load their own code into your kernel then you've lost the game
already.
In terms of LSM protection against this, if you use SE Linux then all aspects
of file access and module loading are controlled by the policy. I am going
to write a policy that implements something similar to BSD secure levels so
that you can put a server into a mode where all kmem and module load access
is disabled. That should be all you need.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
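The race described in the message above (a syscall-table wrapper that validates a pointer argument in place while the real call fetches it a second time) as a small C model, added here and not part of the original thread. The names, the "/tmp/" policy and the "/forbidden/x" value are constructed, and the concurrent writer is a callback invoked between the two fetches so the interleaving is fixed rather than a real race; the single-copy variant shows why a monitor that works on one kernel copy of the argument, as LSM hooks placed after copy-in do, is not exposed to it.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64

/* Constructed policy: only paths under /tmp/ are permitted. */
static int path_allowed(const char *p) {
    return strncmp(p, "/tmp/", 5) == 0;
}

/* Stand-in for the real call: fetches the argument again and reports
 * 1 if it ended up acting on a path the policy should have denied. */
static int real_call(const char *path) {
    return path_allowed(path) ? 0 : 1;
}

/* Syscall-table style wrapper: checks the caller's buffer in place, then
 * passes the same pointer on. Between the two fetches another thread
 * (modelled as the 'writer' callback) may rewrite the buffer. */
static int wrapper_racy(char *user_buf, void (*writer)(char *)) {
    if (!path_allowed(user_buf))       /* fetch 1: check */
        return -1;                     /* denied up front */
    if (writer) writer(user_buf);      /* interleaved write from another thread */
    return real_call(user_buf);        /* fetch 2: use */
}

/* Single-copy version: snapshot the argument once into private storage
 * (what copy_from_user gives the kernel), then check and use that copy. */
static int wrapper_single_copy(char *user_buf, void (*writer)(char *)) {
    char kbuf[PATH_BUF];
    strncpy(kbuf, user_buf, PATH_BUF - 1);
    kbuf[PATH_BUF - 1] = '\0';
    if (!path_allowed(kbuf))
        return -1;
    if (writer) writer(user_buf);      /* same interleaving, now harmless */
    return real_call(kbuf);
}

/* Constructed concurrent writer: swaps the permitted path for a denied one. */
static void flip_to_forbidden(char *buf) { strcpy(buf, "/forbidden/x"); }

/* Both scenarios start from a permitted path and suffer the same write. */
int racy_outcome(void) {
    char user_buf[PATH_BUF] = "/tmp/ok";
    return wrapper_racy(user_buf, flip_to_forbidden);        /* 1: policy bypassed */
}
int hardened_outcome(void) {
    char user_buf[PATH_BUF] = "/tmp/ok";
    return wrapper_single_copy(user_buf, flip_to_forbidden); /* 0: acted on /tmp/ok */
}
int main(void) {
    printf("racy: %d, single-copy: %d\n", racy_outcome(), hardened_outcome());
    return 0;
}
```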