Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752476Ab0KDTIS (ORCPT ); Thu, 4 Nov 2010 15:08:18 -0400 Received: from mx3.mail.elte.hu ([157.181.1.138]:41161 "EHLO mx3.mail.elte.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751465Ab0KDTIQ (ORCPT ); Thu, 4 Nov 2010 15:08:16 -0400 Date: Thu, 4 Nov 2010 20:08:04 +0100 From: Ingo Molnar To: Marcus Meissner Cc: linux-kernel@vger.kernel.org, jason.wessel@windriver.com, fweisbec@gmail.com, tj@kernel.org, mort@sgi.com, akpm@osdl.org, security@kernel.org, Andrew Morton , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , "H. Peter Anvin" Subject: Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking Message-ID: <20101104190804.GA16099@elte.hu> References: <20101104100914.GC25118@suse.de> <20101104114648.GA23381@elte.hu> <20101104122906.GH25118@suse.de> <20101104135802.GA31416@elte.hu> <20101104141104.GA31753@elte.hu> <20101104143322.GL25118@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20101104143322.GL25118@suse.de> User-Agent: Mutt/1.5.20 (2009-08-17) X-ELTE-SpamScore: -2.0 X-ELTE-SpamLevel: X-ELTE-SpamCheck: no X-ELTE-SpamVersion: ELTE 2.0 X-ELTE-SpamCheck-Details: score=-2.0 required=5.9 tests=BAYES_00 autolearn=no SpamAssassin version=3.2.5 -2.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3284 Lines: 74 * Marcus Meissner wrote: > > For example, on a Fedora testbox i have this version info: > > > > $ uname -r > > 2.6.35.6-48.fc14.x86_64 > > > > Any attacker can download that rpm from: > > > > http://download.fedora.redhat.com/pub/fedora/linux/updates/14/x86_64/kernel-2.6.35.6-48.fc14.x86_64.rpm > > > > And can extract the System.map from it, using rpm2cpio and cpio -i -d. That will > > include all the symbol addresses - without the attacker having any access to the > > System.map or /proc/kallsyms on this particular box. > > > > I.e. on distro kernel installations (which comprise the _vast_ majority of our > > userbase) your patch brings little security benefits. > > > > What i suggested in later parts of my mail might provide more security: to > > sandbox kernel version information from unprivileged user-space - if we decide > > that we want to sandbox kernel version information ... > > > > That is a big if, because it takes a considerable amount of work. Would be worth > > trying it - but feel-good non-solutions that do not bring much improvement to > > the majority of users IMHO hinder such efforts. > > Hiding the OS version is really quite hard I think. Yes. Hard but it would be useful - especially if we start adding things like known exploit honeypots. Forcing attackers to probe the kernel by actually running a kernel exploit, and risking an alarm would be a very powerful security feature. Removing version info will upset some tools/libraries that rely on kernel version information for quirks though. > I mean the kernel could hide it from uname, but lsb_release, /etc/redhat-release, > /etc/SuSE-release etc still exist and then you can still use the fixed address > list table inside your exploit. But an exploits needs to have such a list, making > it harder to write. > > If we avoid exploits being able to just do open("/boot/System.map") it would make > it a useful step harder for exploit writers. Dunno. It's a very low 'barrier'. > (This will end up a arms race between us and the exploit toolkit writers of > course, but hopefully not a longer one than fixing all actual problems ;) That's not really an arms race. It's more like a 'throwing a feather in the path of a tornado' kind of defense. Sure, it has some effect. > I also briefly thought about kernel ASLR, but my knowledge of the kernel loading > is too limited whether this is even possible or at all useful. Now ASLR for kernel addresses would be _very_ useful. We could still 'expose' useful debug and instrumentation info like /proc/kallsyms, but the kernel internal offset would be a per bootup secret. _That_ is a real statistical defensive security measure which would help everyone and everywhere. Not hiding public info on that system and still leaving the link to the public info (the version) available. (Isn't such a feature available in one of the security patches? Porting that to distros and moving it upstream would add some real defense.) Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/