|
|
Subscribe / Log in / New account

Security

Sanitizing kernel memory

By Jake Edge
May 27, 2009

The contents of memory consist of vast quantities of useless—to an attacker at least—data, along with a small amount that would be of interest. Cryptographic keys, passwords, and the like are probable targets of those with malicious intent. Normally, the kernel guards memory from access by unprivileged processes, but, various kernel bugs have sometimes allowed memory information to leak. A recently proposed patch would eliminate a specific subset of those kinds of leaks by "sanitizing" pages as they are freed.

Larry Highsmith adapted code from the PaX project to add a flag to kernel pages marking them as "sensitive" pages. The pages would then be cleared as they were freed, so that any information leak from those pages would be useless. As part of the justification for the change, Highsmith noted Stanford University paper entitled "Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation" as well as the "cold boot" attacks to recover memory from powered-down systems.

Highsmith's patch would eliminate cases where freed memory contents leak, either via a kernel bug or some other means, by clearing the page as it is freed, but only for memory marked as sensitive. The four additional patches in his original series then applied the sensitive flag to various kernel subsystems (crypto, audit, and key handling).

While the kernel hackers were generally agreeable to the idea of sanitizing memory, there were a number of objections to Highsmith's first attempt. A trivial one, which was fixed in later patches, was a Signed-off-by line that didn't give his full name (just "Larry H."). As the PaX project is developed by the pseudonymous "PaX Team"—thus not able to fulfill the requirements for a kernel sign off—several folks were quick to point out that a full name was required. More substantive objections were heard about using up a scarce resource in the form of a page flag. Alan Cox pointed out that a virtual memory area (VMA) flag would work as well, or that places in the patch that set the flag could just clear the memory instead:

[...] page flags are very precious, very few and if we run out will cost us a vast amount of extra kernel memory. If page flags were free the question would be trivial - but they are not. Thus it is worth asking whether its actually harder to remember to zap the buffer or set and clear the flag correctly.

There was a bit of a digression into the security issues surrounding suspend and hibernate, with Highsmith claiming that security conscious users just disabled that functionality altogether. Cox and Pavel Machek disagreed, noting the ability to encrypt the images that get written to disk with today's hibernate code. Cox was also concerned that marking things as sensitive makes an attacker's job easier:

If you've got a rogue module you already lost, except that by marking what is sensitive you made the bad guys job easier. Bit like the way people visually overlay maps and overhead shots from multiple sources and the 'scrubbed' secret locations stand out for you and are easier to find than if they were left.

In the end, any memory the kernel handles is potentially sensitive. Some applications—notably GPG—take great pains to try to ensure that their memory is not swapped and is cleared of keys and other sensitive data when they are no longer needed. As Ingo Molnar put it: "The whole kernel contains data that 'should not be leaked'." This led to a new approach: for users who want sanitized pages—based on the sanitize_mem boot time parameter—simply clear all pages when they are freed. A much smaller patch that implemented that scheme was then posted by Highsmith.

In addition, there are kernel allocations that are for objects smaller than a page which could contain sensitive data. Highsmith has also submitted changes to kfree() and kmem_cache_free() that would clear these objects as they are freed. In the end, with both of these patches applied in a kernel with sanitize_mem enabled, all free kernel memory will be cleared. But, of course, as several folks pointed out, in many cases the memory of interest will still be in use.

Certainly a kernel with sanitized memory is more resistant to leaking memory contents, but depending on the threat one is trying to defend against, it may not be enough. The physical attacks against memory contents (i.e. "cold boot") are still likely to be effective—though free memory won't be recoverable—and other kinds of bugs could still leak memory in use. Highsmith presented an analysis of kernel information leaks, which was partially based on this interesting list of CVEs and git commits that fixed them. In it, there were a half-dozen examples of information leaks that would have been prevented by his changes.

No further objections have been noted, and the patches are not terribly intrusive, so it would seem there is some chance they might make their way into 2.6.31.

Comments (13 posted)

Brief items

Walsh: Introducing the SELinux Sandbox

Dan Walsh and Eric Paris have been working on an SELinux "sandbox" which Walsh describes on his weblog. The basic idea is to use SELinux to restrict the kinds of actions a user application can perform. This would allow users to run untrusted programs or handle untrusted input in a more secure manner. "The discussions brought up an old Bug report of [mine] about writing policy for the 'little things'. SELinux does a great job of confining System Services, but what about applications executed by users. The bug report talked about confining grep, awk, ls ... The idea was couldn't we stop the grep or the mv command from suddenly opening up a network connection and copying off my /etc/shadow file to parts unknown." Paris also posted an introduction to the sandbox on linux-kernel.

Comments (84 posted)

New vulnerabilities

apache: local privilege escalation

Package(s):httpd apache CVE #(s):CVE-2009-1195
Created:May 27, 2009 Updated:September 14, 2010
Description: Apache has a flaw in its handling of the Options and AllowOverride directives. In certain specific configurations, local users may be allowed to execute commands from server-side-include scripts despite configuration to the contrary.
Alerts:
rPath rPSA-2010-0056-1 httpd 2010-09-13
Mandriva MDVSA-2009:323 apache 2009-12-07
Fedora FEDORA-2009-8812 httpd 2009-08-20
Slackware SSA:2009-214-01 httpd 2009-08-03
Red Hat RHSA-2009:1156-01 httpd 2009-07-14
Gentoo 200907-04 apache 2009-07-12
Mandriva MDVSA-2009:124-1 apache 2009-07-08
Debian DSA-1816-1 apache2 2009-06-16
SuSE SUSE-SA:2009:050 apache2,libapr1 2009-10-26
Ubuntu USN-787-1 apache2 2009-06-12
rPath rPSA-2009-0142-1 httpd 2009-11-12
rPath rPSA-2009-0142-2 httpd 2009-11-12
Mandriva MDVSA-2009:124 apache 2009-05-31
CentOS CESA-2009:1075 httpd 2009-05-28
Red Hat RHSA-2009:1075-01 httpd 2009-05-27

Comments (none posted)

cscope: arbitrary code execution

Package(s):cscope CVE #(s):CVE-2009-0148
Created:May 25, 2009 Updated:June 19, 2009
Description:

From the Debian advisory:

Matt Murphy discovered that cscope, a source code browsing tool, does not verify the length of file names sourced in include statements, which may potentially lead to the execution of arbitrary code through specially crafted source code files.

Alerts:
CentOS CESA-2009:1102 cscope 2009-06-19
CentOS CESA-2009:1101 cscope 2009-06-16
Red Hat RHSA-2009:1102-01 cscope 2009-06-15
Red Hat RHSA-2009:1101-01 cscope 2009-06-15
Gentoo 200905-02 cscope 2009-05-24
Debian DSA-1806-1 cscope 2009-05-24

Comments (none posted)

cscope: arbitrary code execution

Package(s):cscope CVE #(s):CVE-2009-1577
Created:May 25, 2009 Updated:June 16, 2009
Description:

From the Gentoo advisory:

Multiple stack-based buffer overflows were reported in the putstring function when processing an overly long function name or symbol in a source code file (CVE-2009-1577).

Alerts:
CentOS CESA-2009:1101 cscope 2009-06-16
Red Hat RHSA-2009:1101-01 cscope 2009-06-15
Gentoo 200905-02 cscope 2009-05-24

Comments (none posted)

Jetty: directory traversal, cross-site scripting

Package(s):jetty CVE #(s):CVE-2009-1523 CVE-2009-1524
Created:May 26, 2009 Updated:November 24, 2009
Description: From the CVE entries:

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote attackers to access arbitrary files via directory traversal sequences in the URI. (CVE-2009-1523)

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Alerts:
Mandriva MDVSA-2009:291 jetty5 2009-10-29
SuSE SUSE-SR:2009:019 cups, jetty5, libqt4/dbus-1-qt, opera, puretls/jessie, kdegraphics3-pdf, qemu 2009-11-24
Fedora FEDORA-2009-5509 jetty 2009-05-26
Fedora FEDORA-2009-5513 jetty 2009-05-26
Fedora FEDORA-2009-5500 jetty 2009-05-26

Comments (none posted)

openssl: multiple vulnerabilities

Package(s):openssl CVE #(s):CVE-2009-1377 CVE-2009-1378
Created:May 21, 2009 Updated:March 2, 2010
Description: Openssl has two vulnerabilities, from the Mandriva alert:

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of future epoch DTLS records that are buffered in a queue, aka DTLS record buffer limitation bug. (CVE-2009-1377)

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka DTLS fragment handling memory leak. (CVE-2009-1378)

Alerts:
Slackware SSA:2010-060-02 openssl 2010-03-02
Mandriva MDVSA-2009:310 openssl 2009-12-03
Gentoo 200912-01 openssl 2009-12-01
Debian DSA-1888-1 openssl 2009-09-15
CentOS CESA-2009:1335 openssl 2009-09-15
Red Hat RHSA-2009:1335-02 openssl 2009-09-02
Ubuntu USN-792-1 openssl 2009-06-25
Fedora FEDORA-2009-5423 openssl 2009-05-25
Fedora FEDORA-2009-5412 openssl 2009-05-25
Fedora FEDORA-2009-5452 openssl 2009-05-25
SuSE SUSE-SR:2009:011 java, realplayer, acroread, apache2-mod_security2, cyrus-sasl, wireshark, ganglia-monitor-core, ghostscript-devel, libwmf, libxine1, net-snmp, ntp, openssl 2009-06-09
Mandriva MDVSA-2009:120 openssl 2009-05-21

Comments (none posted)

pidgin: buffer/integer overflows

Package(s):pidgin CVE #(s):CVE-2009-1373 CVE-2009-1376
Created:May 22, 2009 Updated:January 18, 2010
Description: From the Red Hat advisory:

A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373)

It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376)

Alerts:
Ubuntu USN-886-1 pidgin 2010-01-18
Mandriva MDVSA-2009:321 pidgin 2009-12-06
Mandriva MDVSA-2009:230 pidgin 2009-09-11
Debian DSA-1870-1 pidgin 2009-08-19
SuSE SUSE-SR:2009:013 memcached, libtiff/libtiff3, nagios, libsndfile, gaim/finch, open-, strong, freeswan, libapr-util1, websphere-as_ce, libxml2 2009-08-11
Mandriva MDVSA-2009:173 pidgin 2009-07-29
Gentoo 200910-02 pidgin 2009-10-22
Mandriva MDVSA-2009:147 pidgin 2009-06-30
Mandriva MDVSA-2009:140 gaim 2009-06-25
Ubuntu USN-781-2 gaim 2009-06-03
Ubuntu USN-781-1 pidgin 2009-06-03
Fedora FEDORA-2009-5583 pidgin 2009-05-28
Fedora FEDORA-2009-5597 pidgin 2009-05-28
Fedora FEDORA-2009-5552 pidgin 2009-05-28
Slackware SSA:2009-146-01 pidgin 2009-05-27
Gentoo 200905-07 pidgin 2009-05-25
Debian DSA-1805-1 pidgin 2009-05-22
CentOS CESA-2009:1060 pidgin 2009-05-22
CentOS CESA-2009:1059 pidgin 2009-05-22
Red Hat RHSA-2009:1060-02 pidgin 2009-05-22
Red Hat RHSA-2009:1059-02 pidgin 2009-05-22

Comments (none posted)

pidgin: data corruption

Package(s):pidgin CVE #(s):CVE-2009-1374 CVE-2009-1375
Created:May 22, 2009 Updated:December 7, 2009
Description: From the Red Hat advisory:

A denial of service flaw was found in Pidgin's QQ protocol decryption handler. When the QQ protocol decrypts packet information, heap data can be overwritten, possibly causing Pidgin to crash. (CVE-2009-1374)

A flaw was found in the way Pidgin's PurpleCircBuffer object is expanded. If the buffer is full when more data arrives, the data stored in this buffer becomes corrupted. This corrupted data could result in confusing or misleading data being presented to the user, or possibly crash Pidgin. (CVE-2009-1375)

Alerts:
Mandriva MDVSA-2009:321 pidgin 2009-12-06
SuSE SUSE-SR:2009:013 memcached, libtiff/libtiff3, nagios, libsndfile, gaim/finch, open-, strong, freeswan, libapr-util1, websphere-as_ce, libxml2 2009-08-11
Mandriva MDVSA-2009:173 pidgin 2009-07-29
Mandriva MDVSA-2009:147 pidgin 2009-06-30
Ubuntu USN-781-1 pidgin 2009-06-03
Fedora FEDORA-2009-5583 pidgin 2009-05-28
Fedora FEDORA-2009-5597 pidgin 2009-05-28
Fedora FEDORA-2009-5552 pidgin 2009-05-28
Slackware SSA:2009-146-01 pidgin 2009-05-27
Gentoo 200905-07 pidgin 2009-05-25
Debian DSA-1805-1 pidgin 2009-05-22
CentOS CESA-2009:1060 pidgin 2009-05-22
Red Hat RHSA-2009:1060-02 pidgin 2009-05-22

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds