Kernel vulnerabilities: old or new?
That sort of claim requires verification; it is also amenable to being verified by a researcher with sufficient determination and pain resistance. Your editor decided to give it a try. "All" that would be required, after all, was to look at each vulnerability and figure out when it was introduced. How hard could that be?
So, the basic process followed was this: pick a CVE entry, find the patch which closed the hole, then dig through the repository history and other resources in an attempt to figure out just when the problem was first introduced into the kernel. In some cases, the answer was relatively easy to find; others were sufficiently hard that your editor eventually gave up. One especially valuable resource in the search turned out to be the Red Hat bugzilla; the developers there (and Eugene Teo in particular) go out of their way to document the particulars of vulnerabilities. Sometimes, the commit which introduced the bug was simply listed there. The "git gui blame" utility is also quite useful when doing this kind of research.
About 60 of the 80 vulnerabilities listed above were dealt with in this way before your editor's eyes crossed permanently. The results can be seen in the following table. Let it be said from the outset that there will inevitably be some errors in the data below; the most likely mistake will be assigning blame to a commit which actually just moved the vulnerability from somewhere else. That may lead to a bias that makes vulnerabilities look more recent than they really are. That said, a best effort has been made, and things should not be too far off.
Some other notes relevant to the table:
- No attempt was made to find the origin of vulnerabilities which were
present in the initial commit which began the git era during the
2.6.12 development cycle. Anything which was already present then can
certainly be said to be an old bug.
- Some parts of the code have been changed so many times that it can be
truly hard to determine when a vulnerability was introduced; places
where your editor give up are marked as "unknown" above. One could
maybe come up with a real answer by bisecting and trying exploits, but
your editor's dedication to the task was not quite that strong.
- A couple of these bugs are old in a different way - CVE-2010-1188 was fixed in 2008, but was only understood to be a security issue in 2010. Anybody running a current kernel would not be vulnerable, but bugs like this can be nicely preserved in enterprise kernels for many years.
Looking at when the vulnerabilities were introduced yields a chart like this:
So, in a sense, the above-mentioned kernel hacker was correct - an awful lot of the vulnerabilities fixed over the last year predate the git era, and are thus over five years old. It seems that security bugs can lurk in the kernel for a very long time before somebody stumbles across them - or, at least, before somebody reports them.
According to the information above, we have fixed dozens of vulnerabilities since 2.6.33 without introducing any. The latter part of that claim might be charitably described as being unlikely to stand the test of time. There were (at least) 13 vulnerabilities fixed in the 2.6.35 cycle, 21 in the 2.6.36 cycle. We can hope that fewer vulnerabilities were added in that time; it seems certain, though, that (1) the number of vulnerabilities added will not be zero, and (2) it will probably take us five years or more to find many of them.
There may be some comfort in knowing that a large proportion of 2010's known security vulnerabilities are not a product of 2010's development. Indeed, assuming that a fair number of the old vulnerabilities are a bit older yet, one can also claim that they are not a product of the "new" kernel development model adopted in the early 2.6 days. That claim could be tested by extending this research back into the BitKeeper era; that is a task for a future project.
Your editor remains concerned, though, that it is too easy to put
insecure code into the kernel and too hard to discover the vulnerabilities
that are created. Analysis tools can help, but there really is no
substitute for painstaking and meticulous code review when it comes to
keeping vulnerabilities out of the kernel. At times, it is clear that the
amount of review being done is not what it should be.
There may well come a day when we'll wish we had found a
way to be a bit more careful.
Index entries for this article | |
---|---|
Kernel | Security/Vulnerabilities |
Security | Linux kernel |
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 0:24 UTC (Wed)
by martinfick (guest, #4455)
[Link] (3 responses)
Posted Oct 20, 2010 0:24 UTC (Wed) by martinfick (guest, #4455) [Link] (3 responses)
Hmm, I am not sure that is comforting. Could it not simply mean that we are doing a really poor job of finding the new bugs (and have thus not found them yet)?
This whole article while interesting, just seems a little bit silly. It really is impossible to make any valuable conclusions whatsoever about the rate of introduction vs fixing from any of this data since it ignores all the potentially unknown/unfixed bugs. The only thing that could be concluded is that many bugs lurk for a LONG time unfixed.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 1:49 UTC (Wed)
by bfields (subscriber, #19510)
[Link] (2 responses)
Posted Oct 20, 2010 1:49 UTC (Wed) by bfields (subscriber, #19510) [Link] (2 responses)
Could it not simply mean that we are doing a really poor job of finding the new bugs (and have thus not found them yet)?
So, say we want to determine the age distribution of kernel bugs. Given infinite time, we could find every kernel bug, then determine the age of each bug we find, and get an exact answer to our question. But of course we can only afford to investigate a sample of the kernel bugs.
So one way to phrase your criticism is: the sample chosen (of kernel vulnerabilities found this year) is biased towards older bugs, because it takes time for kernel bugs to be found.
So the problem is to find a sample that we think is more representative.
One approach might be to look just at bugs discovered by one new technique. If we believe the technique is sufficiently novel that very few of the bugs it discovers would have been discovered without it, then we could hope that set of bugs it discovers might have the characteristics of a random sample. (And perhaps we could test the novelty of the technique by looking through previously discovered bugs to see if any of them would have been caught by the new technique.)
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 3:27 UTC (Wed)
by martinfick (guest, #4455)
[Link] (1 responses)
Posted Oct 20, 2010 3:27 UTC (Wed) by martinfick (guest, #4455) [Link] (1 responses)
No, my criticism is that the sample is biased towards the known bugs. It is not very useful to attempt to compare the known to the unknown. There could be an infinite amount of bugs being introduced, we have no idea. Each "fix" could even introduce more bugs than it fixes. The discovery rate is unrelated to the introductory rate! Looking at a subset of the possible bugs tells you nothing conclusive about the total except that the total includes the subset. It's like trying to determine when we will have mastered intergalactic space travel from the rate of scientific papers published during the 20th century. :)
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 8:36 UTC (Wed)
by nix (subscriber, #2304)
[Link]
Posted Oct 20, 2010 8:36 UTC (Wed) by nix (subscriber, #2304) [Link]
(for the record this is a rather unlikely scenario -- 'digital kuru' if you will -- but it is a valid interpretation of the data, I think.)
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 0:30 UTC (Wed)
by kees (subscriber, #27264)
[Link] (9 responses)
Posted Oct 20, 2010 0:30 UTC (Wed) by kees (subscriber, #27264) [Link] (9 responses)
It may be a while before the tide turns. Since there are so many vulnerabilities, and their exposure frequency is increasing, it would make sense for the kernel to adopt some more defensive behaviors to make vulnerability exploitation harder. As a start, if we assume an unprivileged user will eventually have arbitrary write access to kernel memory, we can make choices about what is important to defend against within the kernel itself.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 2:18 UTC (Wed)
by spender (guest, #23067)
[Link] (8 responses)
Posted Oct 20, 2010 2:18 UTC (Wed) by spender (guest, #23067) [Link] (8 responses)
It's worse than just 80 for this year. You called 80 the "known issues", but really it's just the problems for which CVEs have been allocated. Dan Rosenberg had a huge collection of information leak vulnerabilities that still haven't received CVEs despite numerous requests. If you follow oss-sec (I know Kees follows it, but this is directed to the other readers), you'll notice Eugene often sends kernel vulnerability information to the list with a message of "I'm not requesting a CVE for this as it does not affect any Red Hat-supported kernels". Often this means the vulnerability was introduced in newer kernels. This mostly explains why there are suspiciously no CVEs for recent kernels: simply that nobody bothers to ask for CVEs for recently introduced vulnerabilities.
And again it demonstrates the problem of silent vulnerability fixing. The editor is left to gauge vulnerability risk by allocated CVEs -- a biased metric which ultimately biases any conclusions derived purely from the dataset. How different would it look if Dan Rosenberg didn't mail repeatedly to make sure the vulnerabilities he discovered were assigned CVEs? It might end up like my http://grsecurity.net/~spender/64bit_dos.c which after over 2 months now still has no CVEs or committed fixes.
The sad thing is nobody has any clue how bad it really is. The scary thing is we're finding evidence that blackhats have developed exploits for vulns months or years ahead of the reactive vuln fixing going on. Look at how Microsoft changed strategy years ago in response to these systemic problems, or how Adobe recently has been taking some defensive steps (hardening their JIT and sandboxing the next version of Reader). Linux is in dire need of a similar change, but it's unlikely to ever occur in mainline unless starts with the leadership.
-Brad
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 5:18 UTC (Wed)
by error27 (subscriber, #8346)
[Link]
I've used Smatch to fix a bunch of buffer range checking bugs (at least 50 since January). But I didn't get any CVEs. Actually most of them weren't exploitable.
Posted Oct 20, 2010 5:18 UTC (Wed) by error27 (subscriber, #8346) [Link]
But yeah. I don't think the fixes on this list were found with static analysis tools. Vasiliy Kulikov just posted a list of eight information leaks and people assumed he used a tool but he did it with grep. It seems to me like you could find a bunch of information leaks automatically but no one has done that yet.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 8:28 UTC (Wed)
by mjthayer (guest, #39183)
[Link] (5 responses)
Posted Oct 20, 2010 8:28 UTC (Wed) by mjthayer (guest, #39183) [Link] (5 responses)
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 17:16 UTC (Wed)
by bronson (subscriber, #4806)
[Link] (1 responses)
Posted Oct 20, 2010 17:16 UTC (Wed) by bronson (subscriber, #4806) [Link] (1 responses)
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 12:29 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Oct 21, 2010 12:29 UTC (Thu) by nix (subscriber, #2304) [Link]
Spender writing for LWN.net
Posted Oct 22, 2010 19:57 UTC (Fri)
by promotion-account (guest, #70778)
[Link]
Posted Oct 22, 2010 19:57 UTC (Fri) by promotion-account (guest, #70778) [Link]
Kernel vulnerabilities: old or new?
Posted Oct 25, 2010 9:01 UTC (Mon)
by dany (guest, #18902)
[Link]
Posted Oct 25, 2010 9:01 UTC (Mon) by dany (guest, #18902) [Link]
Rate of introduction vs removal
Posted Oct 25, 2010 21:28 UTC (Mon)
by man_ls (guest, #15091)
[Link]
For starters, how about concocting a different metric which shows what our esteemed editor was trying to discover here: what is the rate of introduction and removal of security holes in the kernel. His own approach for this article was arguably thin. I am sure spender must have a couple of ideas.
Posted Oct 25, 2010 21:28 UTC (Mon) by man_ls (guest, #15091) [Link]
Kernel vulnerabilities: old or new?
Posted Oct 26, 2010 21:38 UTC (Tue)
by spender (guest, #23067)
[Link]
Posted Oct 26, 2010 21:38 UTC (Tue) by spender (guest, #23067) [Link]
http://seclists.org/oss-sec/2010/q4/78
It's 12 new CVEs, bringing the count to 92, 15% higher, from just one guy with grep and a few days in his spare time (and some of the CVEs cover multiple vulnerabilities).
-Brad
Is it possible to track before 2.6.12?
Posted Oct 20, 2010 0:44 UTC (Wed)
by smoogen (subscriber, #97)
[Link] (4 responses)
Posted Oct 20, 2010 0:44 UTC (Wed) by smoogen (subscriber, #97) [Link] (4 responses)
Is it possible to track before 2.6.12?
Posted Oct 20, 2010 1:33 UTC (Wed)
by bfields (subscriber, #19510)
[Link] (3 responses)
Posted Oct 20, 2010 1:33 UTC (Wed) by bfields (subscriber, #19510) [Link] (3 responses)
git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Before 2.4.0:
git://git.kernel.org/pub/scm/linux/kernel/git/davej/history.git
Is it possible to track before 2.6.12?
Posted Oct 20, 2010 8:17 UTC (Wed)
by smurf (subscriber, #17840)
[Link] (2 responses)
Posted Oct 20, 2010 8:17 UTC (Wed) by smurf (subscriber, #17840) [Link] (2 responses)
$ cat .git/info/grafts
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 e7e173af42dbf37b1d946f9ee00219cb3b2bea6a
7a2deb32924142696b8174cdf9b38cd72a11fc96 379a6be1eedb84ae0d476afbc4b4070383681178
$
Incidentally, the first history doesn't contain the rest of the v2.4 data (the part that came after the v2.5 branchpoint).
Anyway, does anybody remember what happened to the history of 2.4.25? Pre-patch 1 thru 3 are missing from kernel.org.
Is it possible to track before 2.6.12?
Posted Oct 23, 2010 20:47 UTC (Sat)
by bfields (subscriber, #19510)
[Link] (1 responses)
Posted Oct 23, 2010 20:47 UTC (Sat) by bfields (subscriber, #19510) [Link] (1 responses)
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
cd linux-2.6.git
git remote add -f post-2.4 git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
git remote add -f pre-2.4 git://git.kernel.org/pub/scm/linux/kernel/git/davej/history.git
cat >.git/info/grafts <<EOF
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 e7e173af42dbf37b1d946f9ee00219cb3b2bea6a
7a2deb32924142696b8174cdf9b38cd72a11fc96 379a6be1eedb84ae0d476afbc4b4070383681178
EOF
Is it possible to track before 2.6.12?
Posted Oct 24, 2010 8:50 UTC (Sun)
by smurf (subscriber, #17840)
[Link]
Posted Oct 24, 2010 8:50 UTC (Sun) by smurf (subscriber, #17840) [Link]
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 0:46 UTC (Wed)
by timn (subscriber, #57854)
[Link]
Posted Oct 20, 2010 0:46 UTC (Wed) by timn (subscriber, #57854) [Link]
Have there been more efforts recently to look out for security related bugs?
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 0:56 UTC (Wed)
by BenHutchings (subscriber, #37955)
[Link]
Posted Oct 20, 2010 0:56 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]
drm/i915: Sanity check pread/pwrite (CVE-2010-2962)
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
RDS sockets: remove unsafe kmap_atomic optimization (CVE-2010-3904)
v4l: disable dangerous buggy compat function (CVE-2010-2963)
sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
x86-64, compat: Retruncate rax after ia32 syscall entry tracing; Test %rax for the syscall number, not %eax (CVE-2010-3301)
irda: Correctly clean up self->ias_obj on irda_bind() failure. (CVE-2010-2954)
GFS2: Fix up system xattrs (CVE-2010-2525)
tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
KGDB: don't needlessly skip PAGE_USER test for Fsl booke (CVE-2010-1446)
futex: Handle futex value corruption gracefully. (CVE-2010-0623)
KVM: PIT: control word is write-only (CVE-2010-0309)
KVM: Add IOPL/CPL checks to emulator, to prevent privilege escalation within a guest. (CVE-2010-0298, CVE-2010-0306)
untangle the do_mremap() mess (CVE-2010-0291)
kernel/signal.c: fix kernel information leak with print-fatal-signals=1 (CVE-2010-0003)
netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). (CVE-2010-0006)
What about 2.4 security
Posted Oct 20, 2010 7:25 UTC (Wed)
by Alterego (guest, #55989)
[Link] (1 responses)
Posted Oct 20, 2010 7:25 UTC (Wed) by Alterego (guest, #55989) [Link] (1 responses)
1/ How many security vulnerabilties were discovered and fixed during deep maintenance period? when?
2/ who is (was) using it?
I hope our editor can enlight us on this topic too.
What about 2.4 security
Posted Oct 20, 2010 15:01 UTC (Wed)
by spender (guest, #23067)
[Link]
Posted Oct 20, 2010 15:01 UTC (Wed) by spender (guest, #23067) [Link]
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4...
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4...
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4...
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4...
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4...
I count about 24 vulnerabilities fixed, counting each line involving a vulnerability in the changelog as a separate vulnerability (even if multiple things were fixed at once in the same file, see: netlink). I also counted some of the infoleaks that weren't worthy of CVEs in 2.6. At least half of the vulnerabilities were information leaks.
Most of these vulnerabilities were also present in 2.6 kernel (and deemed important enough to check how far the vulns went back so that they could be backported). So it too is a biased dataset, but it's also a much more stable codebase that avoids all the issues introduced in 2.6.
It's not possible to run a 2.4 kernel with any modern distro I'm aware of (you'll get a "kernel too old" death on boot, even for running old 2.6 kernels). I imagine it would have to be some custom supported/maintained distro. The users would have to be updating their userland as well if they wanted to match their security intent in upgrading to newer versions of 2.4 kernels, so it's unclear who would be bothering to do that and how they're doing it.
-Brad
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 8:33 UTC (Wed)
by intgr (subscriber, #39733)
[Link] (11 responses)
Posted Oct 20, 2010 8:33 UTC (Wed) by intgr (subscriber, #39733) [Link] (11 responses)
Is this true?
Why aren't relevant grsec patches moving to mainline? It can't be just that nobody bothers to submit them to mainline. One would think that even if grsec developers aren't interested, then other security-conscious devs would review and cherry-pick patches from the grsec tree and submit them for the mainline. But I get the impression that no cooperation is happening at all.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 18:35 UTC (Wed)
by kees (subscriber, #27264)
[Link] (7 responses)
Posted Oct 20, 2010 18:35 UTC (Wed) by kees (subscriber, #27264) [Link] (7 responses)
The main difficulty with getting PaX and grsec protections into mainline is that the patchset is hard to separate into individual pieces. Additionally, many of the protections are done in a way that mainline folks do not like for various technical reasons. I suspect the only way to get these protections into mainline is to have someone (or better yet, a group of people) fighting for them that:
a) understands the code
b) understands why it is important
c) have the time to advocate for it and revise patches until they get in
So far, no one has really had all 3. Plenty of people get "b" (even if they don't have "a"), and "c" is insanely frustrating given the attitudes of the mainline maintainers towards security.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 21:14 UTC (Wed)
by clugstj (subscriber, #4020)
[Link] (2 responses)
Posted Oct 20, 2010 21:14 UTC (Wed) by clugstj (subscriber, #4020) [Link] (2 responses)
d) are not so hardheaded that they will actually listen to what other people say.
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 23:42 UTC (Wed)
by jamesmrh (guest, #31622)
[Link] (1 responses)
Posted Oct 20, 2010 23:42 UTC (Wed) by jamesmrh (guest, #31622) [Link] (1 responses)
I'm not sure what the solution is.
Users can request the protections be added to their distros, which will at least get them better protected, and possibly help make a stronger case for upstream inclusion.
Another possibility is for a company with a strong involvement in Linux to hire someone with the traits a & b above, to act as a system-wide security coordinator / advocate. i.e. make it someone's paid job to work on kernel hardening.
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 9:15 UTC (Thu)
by patrick_g (subscriber, #44470)
[Link]
>>> Another possibility is for a company with a strong involvement in Linux to hire someonePosted Oct 21, 2010 9:15 UTC (Thu) by patrick_g (subscriber, #44470) [Link]
Why not the Linux foundation ? Perhaps they can sponsors a few security experts ?
There is a "Linux fellow program" here => https://www.linuxfoundation.org/programs/developer/fellowship
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 11:30 UTC (Thu)
by mjthayer (guest, #39183)
[Link] (2 responses)
Posted Oct 21, 2010 11:30 UTC (Thu) by mjthayer (guest, #39183) [Link] (2 responses)
Would you be able elaborate on that, or provide a couple of pointers? (Sorry for lazily asking rather than researching myself!)
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 11:34 UTC (Thu)
by mjthayer (guest, #39183)
[Link] (1 responses)
Posted Oct 21, 2010 11:34 UTC (Thu) by mjthayer (guest, #39183) [Link] (1 responses)
> Would you be able elaborate on that, or provide a couple of pointers? (Sorry for lazily asking rather than researching myself!)
Replying to myself - probably http://userweb.kernel.org/~jmorris/lss2010_slides/out-of-... will be one of the pointers.
Kernel vulnerabilities: old or new?
Posted Oct 24, 2010 12:09 UTC (Sun)
by vonbrand (guest, #4458)
[Link]
Posted Oct 24, 2010 12:09 UTC (Sun) by vonbrand (guest, #4458) [Link]
Sorry, but "widely used" isn't really an argument... the saying here goes "10,000,000,000,000 flies eat sh*t, so should you"
Kernel vulnerabilities: Promoting protection
Posted Oct 29, 2010 20:43 UTC (Fri)
by jageorge (guest, #61413)
[Link]
Posted Oct 29, 2010 20:43 UTC (Fri) by jageorge (guest, #61413) [Link]
In the case of kernel hackers there is a tendency to use excuses which boil down to shooting down solutions which don't have a perfect "model" for resolving an exploit or class of exploits. (AppArmor) Also, kernel hackers tend to hate large patches which actually address a bunch of conceptually separate issues to the point where the aggregate gets blown off. (GrSec)
Security hackers on the other hand will legitimately discover bugs, but don't like Linus's attitude that their presumably security compromising exploit bugs are no more worthy of special recognition than any other kernel bug. Furthermore, there is a tendency to provide "fixes" which simply shift the point of exploitable failure from a current failure to a future or even concurrent failure point. This is sometimes combined with with creating solutions to a bunch of small kernel vulnerabilities in combination with larger frameworks which make them harder to apply to the root cause problems and to audit. There is sometimes a lack of consideration of balancing of performance, scalability, and complexity considerations against quick and dirty or overly complex framework solutions. Finally, there is often a desire to re-invent the wheel rather than understanding and working with existing robustness models.
The Solution (tm):
1. Preview solutions with key kernel developers who are interested in security.
2. Request reviews from other key kernel developers who can help with feedback.
3. Treat different conceptual problems with different patch sets. Debugging, tracing, simple patches, class of exploit preventions, etc.
4. Performance matters.
5. Compatibility matter even more. Breaking X.org, FTP, SSH, procfs, udev, or Apache is not OK. :-)
6. We already have SELinux and AppArmor - don't reinvent the wheel - invent the tire instead.
7. Document your work... When has this been a problem? Why should people care now? What is the design of the solution? Why couldn't it be simpler? Are there benchmarks? What issues were identified in review and how were they addressed?
I really wish that security (and performance) were addressed in a more rigorous fashion, but the best we can hope for is learning how to work together and maybe getting a corporate sponsor. :-)
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 18:36 UTC (Wed)
by spender (guest, #23067)
[Link] (2 responses)
Posted Oct 20, 2010 18:36 UTC (Wed) by spender (guest, #23067) [Link] (2 responses)
Often, we turn vulnerabilities that can be exploited for privilege elevation into DoSes. The reason is that we've detected something that shouldn't have happened that we know can be abused, so it's not safe to allow the system to continue running.
Some vulnerabilities are prevented completely, like those of the form:
buf = kmalloc(attacker_controlled_size * something, GFP_ANYTHING);
instead of overflowing and allowing exploitation, we detect the overflow and cause buf to be set to NULL. We also add additional bounds checking to copy_*_user calls, both against the kernel stack and kernel heap.
Other features of grsecurity prevent exploitation of certain bugs by reducing attack surface. For example, GRKERNSEC_MODHARDEN prevents attackers from auto-loading an unused kernel module just so that it can be exploited. This reduces the risk from numerous obscure driver vulnerabilities (like the recent RDS vulnerability).
Finally, a number of features of grsecurity and PaX work together to make exploitation of the remaining vulnerabilities quite difficult in many cases. Symbol hiding, PAX_KERNEXEC, and PAX_UDEREF all work together to make the kernel a hostile environment to attackers. In general, memory corruption exploits should require an arbitrary read bug in addition to whatever vulnerability is being exploited. Any exploits have to be written considerably different as the ring-0 payload to execute can no longer be located in userland (as it is with every public exploit in existence).
Since we have a couple more people now writing exploits (Kees, Tavis, Dan) I'd actually like to see a memory corruption exploit that works against a grsec kernel with a writeup about the process involved.
-Brad
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 16:51 UTC (Thu)
by ccurtis (guest, #49713)
[Link] (1 responses)
Posted Oct 21, 2010 16:51 UTC (Thu) by ccurtis (guest, #49713) [Link] (1 responses)
Their biggest problem (in recent history) has always been in 3rd party drivers, but I hear less and less about these being exploited lately. Have they sufficiently hardened their DDK to prevent the majority of these problems? Is there something about their driver architecture - some microkernel-esque fault isolation perhaps - that prevents wider system compromise?
I don't see how you could prevent a driver from, say, dereferencing a NULL pointer, but it seems like it would be a nice feature to have a lower barrier to entry for device driver writers. Specifically: can the Linux driver model be crafted such that a hardware manufacturer can provide a driver (in source code form or otherwise) that is sloppily written yet not expose the kernel to further breach? Would running drivers in ring1 instead of ring0 achieve this?
Requiring perfect code in order to support a device, while ideal, seems like a long-term losing proposition. One could make the same argument for network protocols or file systems.
Is this a reasonable goal or is it overkill? Is it anything other than a microkernel architecture that's been dismissed out of hand since Linux 0.01? And perhaps philosophically, is it reasonable to even consider killing and respawning a misbehaving driver?
-
It seems like what I'm really thinking of is a [fixed] kernel API for drivers, but I expect this has already been discussed and rejected many times over. But for example, when descending the drivers/ directory, the 'kmalloc' symbol can be #defined to something invalid, forcing drivers to use ddk_malloc() which has grsec-style checking built-in. (This "kernel API" would be a family of ddk_xxxx() calls.)
Alternately, for code paths where it's deemed more important to be fast than safe (scheduler, SL*B allocators, other "core" code), there can be an audited/ tree as the only place where code has access to versions of the system calls that aren't encumbered by security restrictions. (The ddk_xxxx() calls would naturally live here.)
Or is this just not seen as a problem?
Kernel vulnerabilities: old or new?
Posted Oct 21, 2010 17:27 UTC (Thu)
by tzafrir (subscriber, #11501)
[Link]
Posted Oct 21, 2010 17:27 UTC (Thu) by tzafrir (subscriber, #11501) [Link]
What would happen in a VM?
And why are you using a crappy out-of-tree driver anyway? (yeah, I know, I shouldn't be writing that specific comment).
Kernel vulnerabilities: old or new?
Posted Oct 20, 2010 9:19 UTC (Wed)
by ballombe (subscriber, #9523)
[Link]
Posted Oct 20, 2010 9:19 UTC (Wed) by ballombe (subscriber, #9523) [Link]
What would be informative is to take an old kernel (says 2.6.18) and to
look at the report date of all reported vulnerabilities that affect it.
This way we would know how much time it takes to find vulnerabilities.