Re: Linux Kernel Audit Project?

From: John Richard Moser
Date: Mon Jan 17 2005 - 02:44:05 EST


On the same line, I've been graphing Ubuntu Linux Security Notices for a
while. I've noticed that in the last 5, the number of kernel-related
vulnerabilities has doubled (3 more). This disturbs me.

I categorized the vulns I'd found into fairly arbitrary categories; upon
looking at a graph, I noticed that some bars were short and others were
unbelievably long (duh). Reordering things, I came up with what looks
suspiciously like a standard normal distribution.

Kernel vulnerabilities appear to be falling within the first two
standard distributions now, at a glance. 95% of vulnerabilities land
here; 8.3% (kernel vulns excluding buffer overflows) fall within this
range, I'm guessing about . . . well, 8.3% chance. Total I have 10% of
the vulnerabilities graphed as being from the kernel.

Every time a new kernel vulnerability is made (whether I see it or not),
that bar moves towards the center. Every time a userspace vulnerability
is made, that bar moves outwards. I can only graph what I can see, but
I'm very worried; if that bar keeps moving the way it's going, faster
than US vulns, then the probability of KS exploits is probably genuinely
increasing in probability.

Kernel space exploits can never be sanely protected against. Even if
you can catch and kill them, you cause a system crash (major DoS), which
is hardly a good solution. At least in userspace when SSP or PaX kills
something, the user either restarts it, or init is running it as a
daemon and just auto-restarts it immediately. And at least it only
causes a small burp.

SELinux won't help either. If you exploit the kernel, you're in.
Sometimes this is root access and you get lucky because SE doesn't know
who you think you want to be; other times this is arbitrary code
execution from inside the kernel and it doesn't matter who the kernel
thinks you are, you're in control.

Oh well, at least they still get fixed when they're seen.

John Richard Moser wrote:
> Is there an official Linux Kernel Audit Project to actively and
> aggressively security audit all patches going into the Linux Kernel, or
> do they just get a cursory scan for bugs and obvious screwups?

--
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.
