Re: [RFC][PATCH] Randomize kernel base address on boot

From: Ingo Molnar
Date: Fri May 27 2011 - 13:40:13 EST

Next message: David Miller: "Re: Kernel crash after using new Intel NIC (igb)"
Previous message: Andy Lutomirski: "[PATCH 2/5] x86-64: Give vvars their own page"
In reply to: Linus Torvalds: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Next in thread: Kees Cook: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> That's the _only_ difference, and it's trivial and irrelevant. Come
> up with something more real, please.

The advantages of dynamic per boot kernel randomization, over static
per system randomization, as i see them, in order of descending
importance:

- A root exploit will still not give away the location of the
kernel (assuming module loading has been disabled after bootup),
so a rootkit cannot be installed 'silently' on the system, into
RAM only, evading most offline-storage-checking tools.

With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.

- We can expose RIPs to unprivileged tools. Certain users could
still kernel-profile a busy server box while neither being root,
nor having access to the real location of the kernel.

With static linking this is not possible.

- Crash & reboot & retry brute force exploits get harder: if one
attempt at an exploit causes a crash and a reboot, the kernel
addresses are different after the reboot so the attempt has to be
retried without the advantage of any prior history.

With static linking this kind of exploit is somewhat easier: every
crash gives a permanent proof that the guessed RIP offet was
wrong, so history can be used on subsequent retries.

- It gives a way to go one step further in secure server lockdown:
where even root with full access to all storage has no way to
break into the kernel. Reboots, module loading and kexec can be
controlled, ioperm() and iopl() can be restricted. If those are
taken away then even if a root exploit allows the attacker to
overwrite the kernel image, a reboot has to be waited for and if
reboots do sanity checks [based on immutable storage] of the
system then the exploit can be found.

With static linking this is not possible: reading the kernel image
as root trivially exposes the kernel's location.

It's in order of importance: you probably stopped caring at item 2 or
3 but there's definitely people who'd like to go all the way to 4. So
if we can do dynamic randomization sanely then why not offer it as an
option?

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Miller: "Re: Kernel crash after using new Intel NIC (igb)"
Previous message: Andy Lutomirski: "[PATCH 2/5] x86-64: Give vvars their own page"
In reply to: Linus Torvalds: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Next in thread: Kees Cook: "Re: [RFC][PATCH] Randomize kernel base address on boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]