| 1 |
On Mon, Dec 5, 2016 at 12:39 AM, Andrew Savchenko <bircoph@g.o> wrote: |
| 2 |
> Hi all, |
| 3 |
> |
| 4 |
> I'd like to know is there any way to protect from kernel |
| 5 |
> vulnerabilities like CVE-2016–5195 (mad COW) using hardened |
| 6 |
> technologies. (I'm not talking about how to fix this exact CVE, but |
| 7 |
> how to protect from similar failures in future.) |
| 8 |
> |
| 9 |
|
| 10 |
In the strictest interpretation of your question, no, as once write |
| 11 |
permission to arbitrary memory is gained it would in principle be |
| 12 |
possible to subvert any other security mechanisms in place. |
| 13 |
Randomizing the address space goes a long way to making such attempts |
| 14 |
intractable, but if nothing is done to limit the number of attempts |
| 15 |
success is inevitable. |
| 16 |
|
| 17 |
> Based on exploit published I can think of the following approaches: |
| 18 |
> |
| 19 |
> 1) Exploit runs enormous amounts of madvise() calls, any way to |
| 20 |
> rate limit it or block after some threshold is reached? I doubt |
| 21 |
> there is any legitimate use case for calling madvise() that often. |
| 22 |
> |
| 23 |
|
| 24 |
Yes. They all involve SELinux/RBAC and grsecurity extensions. Every |
| 25 |
facet of the kernel dealing with permissions, real hardware, and |
| 26 |
memory management has been instrumented and some default safeguards |
| 27 |
added. It can't be foolproof but the goal isn't to be foolproof. It is |
| 28 |
to construct as tortuous a path as possible for any potential |
| 29 |
attacker. |
| 30 |
|
| 31 |
With SELinux/RBAC, most exploits cease to have any effect - |
| 32 |
permissions can be elevated but potential accesses would be against |
| 33 |
policy and are so denied. |
| 34 |
|
| 35 |
> 2) Exploits uses huge rate of write() calls and most the fails due |
| 36 |
> to access restrictions. This is definitely suspicious. Can such |
| 37 |
> behaviour be spotted and blocked by some security feature? |
| 38 |
> |
| 39 |
|
| 40 |
Yes, see above (this is probably the easier choice as it is more general). |
| 41 |
|
| 42 |
> 3) Can some hardware features like Intel TSX be used to protect |
| 43 |
> from such race conditions? |
| 44 |
> |
| 45 |
|
| 46 |
Yes, but this would require code to take advantage of such mechanisms |
| 47 |
and for that code to be properly written - and since we're talking |
| 48 |
about mitigating bugs, we're back to square one. There are some |
| 49 |
features in this vein that could be used in critical sections of the |
| 50 |
kernel and the problem would be over and done. On the other hand, an |
| 51 |
exploit could target the interaction of two kernel mechanisms which |
| 52 |
could not be synchronized in any reasonable way. |
| 53 |
|
| 54 |
> Best regards, |
| 55 |
> Andrew Savchenko |
| 56 |
|
| 57 |
In addition to instrumenting your kernel, you need to actually *look* |
| 58 |
at the information that that instrumentation produces. Monitoring your |
| 59 |
system for suspicious activity is probably the best thing you can do. |
Archives