1 |
On Mon, Dec 5, 2016 at 12:39 AM, Andrew Savchenko <bircoph@g.o> wrote: |
2 |
> Hi all, |
3 |
> |
4 |
> I'd like to know is there any way to protect from kernel |
5 |
> vulnerabilities like CVE-2016–5195 (mad COW) using hardened |
6 |
> technologies. (I'm not talking about how to fix this exact CVE, but |
7 |
> how to protect from similar failures in future.) |
8 |
> |
9 |
|
10 |
In the strictest interpretation of your question, no, as once write |
11 |
permission to arbitrary memory is gained it would in principle be |
12 |
possible to subvert any other security mechanisms in place. |
13 |
Randomizing the address space goes a long way to making such attempts |
14 |
intractable, but if nothing is done to limit the number of attempts |
15 |
success is inevitable. |
16 |
|
17 |
> Based on exploit published I can think of the following approaches: |
18 |
> |
19 |
> 1) Exploit runs enormous amounts of madvise() calls, any way to |
20 |
> rate limit it or block after some threshold is reached? I doubt |
21 |
> there is any legitimate use case for calling madvise() that often. |
22 |
> |
23 |
|
24 |
Yes. They all involve SELinux/RBAC and grsecurity extensions. Every |
25 |
facet of the kernel dealing with permissions, real hardware, and |
26 |
memory management has been instrumented and some default safeguards |
27 |
added. It can't be foolproof but the goal isn't to be foolproof. It is |
28 |
to construct as tortuous a path as possible for any potential |
29 |
attacker. |
30 |
|
31 |
With SELinux/RBAC, most exploits cease to have any effect - |
32 |
permissions can be elevated but potential accesses would be against |
33 |
policy and are so denied. |
34 |
|
35 |
> 2) Exploits uses huge rate of write() calls and most the fails due |
36 |
> to access restrictions. This is definitely suspicious. Can such |
37 |
> behaviour be spotted and blocked by some security feature? |
38 |
> |
39 |
|
40 |
Yes, see above (this is probably the easier choice as it is more general). |
41 |
|
42 |
> 3) Can some hardware features like Intel TSX be used to protect |
43 |
> from such race conditions? |
44 |
> |
45 |
|
46 |
Yes, but this would require code to take advantage of such mechanisms |
47 |
and for that code to be properly written - and since we're talking |
48 |
about mitigating bugs, we're back to square one. There are some |
49 |
features in this vein that could be used in critical sections of the |
50 |
kernel and the problem would be over and done. On the other hand, an |
51 |
exploit could target the interaction of two kernel mechanisms which |
52 |
could not be synchronized in any reasonable way. |
53 |
|
54 |
> Best regards, |
55 |
> Andrew Savchenko |
56 |
|
57 |
In addition to instrumenting your kernel, you need to actually *look* |
58 |
at the information that that instrumentation produces. Monitoring your |
59 |
system for suspicious activity is probably the best thing you can do. |