Originally posted by OneTimeShot
View Post
Announcement
Collapse
No announcement yet.
Linux 4.16 Is Tightening Up Access To /dev/mem By Default
Collapse
X
-
Originally posted by some_canuckWhat ever happened to "security people are f$cking morons" (1*), "don't break users" (2*), and "I don't trust security people to do sane things"(3*)?
Originally posted by LTAs long as you see your hardening efforts primarily as a "let me kill
the machine/process on bad behavior", I will stop taking those shit patches.
I'm deadly serious about this.
Some security people have scoffed at me when I say that security problems are primarily "just bugs".
Those security people are f*cking morons.
3) Same context as 1)
People who take issue specific insults from rants, misquote them to use them to support their own narrative context in ad hominem attacks are fucking morons. And I don't mean it in general, just for you.
Obvious trolls are obvious, I suppose that Insidejob guy is gonna soon join my ignore list as well.Last edited by Guest; 30 January 2018, 09:37 AM.
- Likes 2
Comment
-
“there are no ways for root to read arbitrary memory without kernel help”
True. The Kernel will help in many ways...
insmod is an obvious one.
Hexdump /dev/sda will show some stuff if you fill up ram or hibernate...
cp mykernel /boot/linuz-xxx and reboot.
Plus us lots of other ways I cannot think of at the moment.
Comment
-
Originally posted by some_canuck View PostWhat ever happened to "security people are f$cking morons", "don't break users", and "I don't trust security people to do sane things"?
The rant they were excerpted from are for either that time he had to give root password to add a printer (or add a wifi network), or the other time when he flamed the whole software security industry because it works waay too similarly to journalism and is not actually helping making things really secure.
Comment
-
Originally posted by OneTimeShot View Post“there are no ways for root to read arbitrary memory without kernel help”
True. The Kernel will help in many ways...
insmod is an obvious one.
Hexdump /dev/sda will show some stuff if you fill up ram or hibernate...
cp mykernel /boot/linuz-xxx and reboot.
Plus us lots of other ways I cannot think of at the moment.
What this feature does is blocking unauthorized access, so malware, and low-skill hacking attempts.
insmod can't be used to insert unsigned modules (to relax security for example) when the kernel is booted in Secure Boot mode in UEFI, nor you can just change the kernel without also signing it again if you have Secure Boot enabled.
swap can be encrypted, just like any other partition. If you use a swapfile in an encrypted root partition the end result is also the same.
Comment
-
“You are looking at this from the wrong angle”
not 100% convinced by that. Root can do anything. SELinux extends that to “root and ability to load different SELinux Policy”. UEFI extends to “can pay Microsoft for a signing certificate” or “can find an existing signed module with a vulnerability”.
I’m not saying that this a bad idea, but pretending that you are stopping the attack is pointless. Root access is usually one small step away from owning kernel space.
- Likes 1
Comment
-
Originally posted by OneTimeShot View Post“You are looking at this from the wrong angle”
not 100% convinced by that. Root can do anything. SELinux extends that to “root and ability to load different SELinux Policy”. UEFI extends to “can pay Microsoft for a signing certificate” or “can find an existing signed module with a vulnerability”.
I’m not saying that this a bad idea, but pretending that you are stopping the attack is pointless. Root access is usually one small step away from owning kernel space.
In this case, instead of just using some shell script escalating privileges and then reading from /dev/mem you suddenly need to be able to do a privilege escalation from an application that by default does not have access to 100% stuff could exploit because of SELinux locking down all unnecessary access for it, then find a UEFI exploit that allows you to bypass somehow SecureBoot (because people using SecureBoot to secure their linux system WILL purge the other keys so the Windows one won't work anymore), and then you can either load a compromised kernel or kernel module so you have access.
I'm not saying it's impossible, UEFI is a piece of shit, so some way can be found.
But that's still more complex.
Again assuming all the things I mentioned are employed and configured properly. SELinux usually isn't terribly hardcore on Linux distros. It's used hardcore on Android.Last edited by starshipeleven; 29 January 2018, 11:37 AM.
Comment
-
“instead of just using some shell script escalating privileges and then reading from /dev/mem”
agreed, but again, if I have root access with a script I’ll be too busy messing with /etc/passwd and ssh stuff to worry about /dev/mem. And an attacker with the skills to look into /dev/mem will certainly not be slowed down by any of these obfuscations...
so - yeah, I don’t disagree with /dev/mem not being mounted in a production install. But... Meh... don’t run bad stuff as root, I guess...
Comment
-
Originally posted by OneTimeShot View Postagreed, but again, if I have root access with a script I’ll be too busy messing with /etc/passwd and ssh stuff to worry about /dev/mem.
It's a bit different (far more powerful and subtle) than just having ssh access and console root, you can extract info or inject stuff into programs with that. Root can't do that unless the kernel allows him to.
And an attacker with the skills to look into /dev/mem will certainly not be slowed down by any of these obfuscations...
I'm not saying it can't be done, just that it becomes much harder.
Comment
Comment