Re: SecurityFocus Article

From: linux-os (Dick Johnson)
Date: Thu May 11 2006 - 11:47:14 EST

Next message: Jörn Engel: "Re: fix compiler warning in ip_nat_standalone.c"
Previous message: Alan Cox: "Re: [PATCH] ide_cs: Add IBM microdrive to known IDs"
In reply to: Alan Cox: "Re: SecurityFocus Article"
Next in thread: Ingo Oeser: "Re: SecurityFocus Article"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 11 May 2006, Ed White wrote:

> A researcher of the french NSA discovered a scary vulnerability in modern x86 cpus and chipsets that expose the kernel to direct tampering.
>
> http://www.securityfocus.com/print/columnists/402
>
> The problem is that a feature called System Management Mode could be used to bypass the kernel and execute code at the highest level possible: ring zero.
>
> The big problem is that the attack is possible thanks to the way X Windows is designed, and so the only way to eradicate it is to redesign it, moving video card driver into the kernel, but it seems that this cannot be done also for missing drivers and documentation!
>
> I would like to hear developers opinion about it...
>
>
> ------------------------------------------------------------------------
>
> The quest for ring 0
>
> by Federico Biancuzzi
> 2006-05-10
>
> Federico Biancuzzi interviews French researcher Loïc Duflot to learn about the System Management Mode attack, how to mitigate it, what hardware is vulnerable, and why we should be concerned with recent X Server bugs.
> http://www.securityfocus.com/columnists/402
>

If the SMRAM control register exists, the D_LCK bit can be set
in 16-bit mode during the boot sequence. This makes the SMRAM
register read/only so the long potential compromise sequence
that Mr. Duflot describes would not be possible. If the control
register doesn't exist, then the vulnerably doesn't exist.

The writer doesn't like the fact that a root process can execute
iopl(3) and then be able to read/write ports. He doesn't like
the fact that the X-server can read/write ports from user-mode.

Sorry, the X-server is too large to go into the kernel. It's
a lot easier to modify the boot-loader to set the D_LCK bit
if the security compromise turns out to be real.

Cheers,
Dick Johnson
Penguin : Linux version 2.6.16.4 on an i686 machine (5592.89 BogoMips).
New book: http://www.lymanschool.com
_

****************************************************************
The information transmitted in this message is confidential and may be privileged. Any review, retransmission, dissemination, or other use of this information by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please notify Analogic Corporation immediately - by replying to this message or by sending an email to DeliveryErrors@xxxxxxxxxxxx - and destroy all copies of this information, including any attachments, without reading or disclosing them.

Thank you.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jörn Engel: "Re: fix compiler warning in ip_nat_standalone.c"
Previous message: Alan Cox: "Re: [PATCH] ide_cs: Add IBM microdrive to known IDs"
In reply to: Alan Cox: "Re: SecurityFocus Article"
Next in thread: Ingo Oeser: "Re: SecurityFocus Article"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]