
Re: Rep:Re: Rep:Re: Rep:Re: Rep:Re: [f-cpu] TLB resume



On Mon, Aug 12, 2002 at 07:30:45AM +0000, Nicolas Boulay wrote:
> That's really funny: OpenBSD currently has a bug in its system calls:
> they didn't verify the boundary of the address (like I have explained it).
> A local user could gain root access by executing whatever kernel code
> he wants.
> 
> That's exactly our discussion.

See what I mean? :)

> The real and only danger is to give a kernel page to a kernel function.
> I don't understand the problem of using software verification of it. If
> the kernel is badly written, it's its problem!

If the hardware sucks, chances are good that kernel security will also
suck. And not only security - you'll have to work around lots of nasty
things (like a write protect bit that only works in user mode, as seen
on old Intel CPUs).

[...]
> > *Because* the kernel is trusted, it is one of the main targets for
> > attacks. If you manage to hack the kernel, you can do everything
> > (compare root kits and `trojan' kernel modules).
> 
> What you speak about is the use of Linux kernel modules to
> hijack OS calls to hide a back door or something like that. It's possible
> because this module runs in kernel space: that's not the case in a
> microkernel OS. And this module could only be loaded if you gain
> root access. So before putting in kernel code, you must have root access.

As the OpenBSD example shows, it also works the other way round.

> > Therefore, the kernel
> > needs *more* protection than a (user) process with root privileges,
> > not less.
> 
> Because the kernel (or the tiny part of the microkernel that has all
> the rights: VM and scheduling) must have all the rights. It's a conceptual
> point. How could you restrict the rights of a kernel that has all the
> rights? It's like setting rwx specific rights for root in a Unix file
> system. For me, it does not make sense.

There are rights that a kernel doesn't need (and therefore shouldn't
have).  For example, there is no reason for the kernel to write to its
own code segment, or to directly execute code from a process's pages.

> All the danger you speak about could only be handled at the design of the
> OS. It's a story of rights management. F-CPU could provide means for
> that. But rwx bits for superuser mode...
> 
> The kernel will avoid reading or writing specific pages, trap in the kernel
> and make a kernel core dump? I really need the opinion of Christophe.

If the access was caused by the kernel itself, it will probably panic
and die.  Otherwise, the kernel will catch the error and either kill the
process that caused it, or return EINVAL or EFAULT or something like that.

-- 
 Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
 "All I wanna do is have a little fun before I die"
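An added illustration of the two points above (it is example code written for this page, not F-CPU or OpenBSD code): a page table with separate supervisor-mode and user-mode r/w/x bits, so the kernel can be denied writes to its own text and execution from a process's pages, and a syscall-side check that validates a user-supplied buffer the way the *user* would see it, so a pointer into kernel pages is rejected. The page layout, page size and permission encoding are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed model: 4 KiB pages, each with separate r/w/x bits for
 * user mode and supervisor mode (the "rwx bits for superuser mode" idea). */
#define PAGE_SHIFT 12
#define NPAGES 8
enum { P_R = 1, P_W = 2, P_X = 4 };
enum mode { MODE_USER, MODE_SUPER };

struct pte { uint8_t user; uint8_t super; };

/* Constructed layout: pages 0-3 belong to a process, pages 4-7 to the kernel. */
static const struct pte page_table[NPAGES] = {
    { P_R | P_X, P_R },        /* 0: user code; kernel may read it but not run it */
    { P_R | P_W, P_R | P_W },  /* 1: user data */
    { P_R | P_W, P_R | P_W },  /* 2: user data */
    { 0,         0 },          /* 3: unmapped */
    { 0,         P_R | P_X },  /* 4: kernel text; not writable even in supervisor mode */
    { 0,         P_R | P_W },  /* 5: kernel data */
    { 0,         P_R | P_W },  /* 6: kernel data */
    { 0,         P_R | P_W },  /* 7: kernel data */
};

/* True iff every page touched by [addr, addr+len) grants all bits in 'op'
 * for 'mode'.  Rejects address wrap-around and ranges beyond the table. */
bool access_ok(uintptr_t addr, size_t len, enum mode mode, unsigned op)
{
    if (len == 0)
        return true;
    if (len - 1 > UINTPTR_MAX - addr)          /* addr + len would wrap */
        return false;
    uintptr_t last = addr + len - 1;
    if ((last >> PAGE_SHIFT) >= NPAGES)
        return false;
    for (uintptr_t p = addr >> PAGE_SHIFT; p <= (last >> PAGE_SHIFT); p++) {
        uint8_t bits = (mode == MODE_USER) ? page_table[p].user : page_table[p].super;
        if ((bits & op) != op)
            return false;
    }
    return true;
}

/* The boundary check a syscall must do before copying from a user buffer:
 * evaluate the range with *user* rights, so kernel pages are never accepted
 * just because the kernel itself could read them. */
bool syscall_copy_in_ok(uintptr_t user_ptr, size_t len)
{
    return access_ok(user_ptr, len, MODE_USER, P_R);
}
```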