LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Reactive vs. pro-active kernel security

By Jake Edge
July 13, 2011

Security patches are almost always a question of tradeoffs. Sometimes the protection offered outweighs the negative effects that a security-oriented fix brings—and sometimes it doesn't. In addition, pro-active security fixes often face an uphill battle to get into the kernel, especially if they cause performance or other problems, because many kernel developers are skeptical of "solutions" for theoretical problems. In many cases, these changes come under the heading of "kernel hardening", and don't correspond to a particular known security hole; instead they address a class of potential problems, which can be much harder to sell.

A good example of this can be found in Vasiliy Kulikov's recent RFC patch to implement some checks in the functions that copy data to and from user space. Copying the wrong amount of data to or from user space can lead to security problems, like code execution or disclosing the contents of kernel memory, so checking to ensure that copies are not larger than the expected data structure is certainly beneficial. But the copy_to/from_user() functions are performance-critical. In typical fashion, Linus Torvalds doesn't mince words in his reply to Kulikov:

That patch is entirely insane. No way in hell will that ever get merged.

copy_to/from_user() is some of the most performance-critical code, and runs a *lot*, often for fairly small structures (ie 'fstat()' etc).

Adding random ad-hoc tests to it is entirely inappropriate. Doing so unconditionally is insane.

He does go on to suggest that a cleaned up version which is configurable so that only those distributions or users who want the extra checking will pay the price for it might be acceptable. To Torvalds, the patch is more evidence of the "craziness" of the security community: "It's exactly the kind of 'crazy security people who don't care about anything BUT security' crap that I refuse to see." That, of course, is something of a recurring theme in terms of Torvalds and other kernel hackers' reactions to pro-active security fixes.

Ingo Molnar had a similar concern in the discussion of another of Kulikov's patches: an effort to remove control characters from log file output. Molnar is skeptical of the patch, partly because there are no specific threats that it addresses:

Yes, but there's a world of a difference between alleged harm and actual demonstrated harm.

That is a not so fine distinction that is often missed in security circles! :-)

When an actual flaw is found in the kernel, especially if there are exploits for it in the wild, fixes are made quickly—no surprise. But theoretical flaws, or fixes that protect badly written user-space programs often have a tougher path into the kernel. Over the years, we have seen numerous examples of these kinds of patches, often coming from hardened kernel projects like grsecurity/PaX and Openwall. But, to some extent anyway, those projects are more concerned with security than they are with things like performance, and are willing to sacrifice performance to reduce or eliminate entire classes of security threats.

There is clearly a kernel (so to speak) of truth to Torvalds's complaint about "security crap", but there is also room for different kinds of kernels. It is reminiscent of the situation with SELinux in some ways. SELinux offers protections that can sometimes mitigate security problems before they come to light—exactly what pro-active security measures are meant to do—but SELinux is disabled by numerous administrators and by most distributions other than Red Hat's. For some, the extra protection that SELinux provides is not worth the overhead and problems that it can cause. Others may be more concerned about zero-day exploits and enable SELinux or run hardened kernels.

Another example of a fix that didn't make it into the kernel, though it would have eliminated a common security problem, is Kees Cook's attempt to disallow symbolic links in "sticky" directories—to stop /tmp symlink bugs (like this one from July 12). That particular fix was controversial, as some kernel hackers didn't think it appropriate to change core VFS code to fix buggy user-space programs. But moving the fix into a Linux Security Module (LSM)—along with a handful of other unrelated security fixes—didn't pass muster either.

There have also been various efforts to remove sources of information in /proc and elsewhere that can make it easier for exploits to function. Things like hiding kernel addresses from unprivileged processes, restricting page access to read-only and no-execute, protecting /proc/slabinfo, and lots of others have been proposed—sometimes adopted—over the last year or two. These kinds of fixes are often greeted with a level of skepticism (which is not so different from other kinds of patches really), and sometimes find their path into the mainline to be fairly difficult—sometimes impossible. That's not to say that any of those that were rejected should be in the kernel, but in most cases they do add some level of protection that very security-conscious users might be very happy to have.

The risk of keeping many of these pro-active hardening features out of the mainline is probably small, but it certainly isn't non-existent. There is a balance to be found; performance, maintainability, and less intrusiveness of patches are often more important to Torvalds and the kernel community than fixes that could, but might not, catch security exploits that aren't yet known. Essentially, making most users pay a performance penalty over and over again, potentially untold trillions of times, is too high a price. Fixing the problems that are found, when they are found, is the course that the mainline has (largely) chosen.

It is probably somewhat disheartening for Kulikov, Cook, and others to continually have their patches rejected for the mainline, but they do tend to be used elsewhere. Many of Cook's patches have been picked up in Ubuntu, where he is a member of the security team, and Kulikov is a student in the Google Summer of Code for Openwall specifically tasked with hardening both the Openwall kernel and upstream (to the extent he can anyway). Their efforts are certainly not being wasted, and security-conscious administrators may want to choose their distribution or kernel carefully to find the one that best matches their needs.

Comments (31 posted)

Brief items

Security quotes of the week

So, with this increasing proliferation of eavesdrop-thwarting encryption built in to our infrastructure, we might expect law enforcement wiretap rooms to have become quiet, lonely places.

But maybe not: the latest wiretap report identifies a total of just six (out of 3194) cases in which encryption was encountered, and that prevented recovery of evidence a grand total of ... (drumroll) ... zero times. Not once. Previous wiretap reports have indicated similarly minuscule numbers.

-- Matt Blaze

The FBI got a search warrant for Ardolf's house and computer, and found reams of evidence, including copies of data swiped from the Kostolniks' computer, and hacking manuals with titles such as "Cracking WEP Using Backtrack: A Beginner's Guide;" "Tutorial: Simple WEP Crack Aircrack-ng" and "Cracking WEP with BackTrack 3 - Step by Step instructions." They also found handwritten notes laying out Ardolf's revenge plans, and a cache of snail mail that Ardolf had apparently stolen from the Kostolniks' mail box and stashed under his bed.
-- Wired on the "WiFi-Hacking Neighbor From Hell"

Israeli intelligence unfortunately doesn't send us any reports. There was a lot of talk -- on the Internet and in the media -- that Stuxnet was a joint US-Israeli project. I think that's probably the most likely scenario. It was highly professional work, by the way, and one that commands a lot of respect from me. It cost several million dollars and had to be orchestrated by a team of highly trained engineers over several months. These were no amateurs; these were total professionals who have to be taken very seriously. You don't get in a fight with them; they don't mess around.
-- Evgeny Kaspersky in an interview in Der Spiegel

The whole post was about whether or not anyone had a legitimate copyright claim on the photos, noting that the photographer, David Slater, almost certainly did not have a claim, seeing as he did not take the photos, and even admits that the images were an accident from monkeys who found the camera (i.e., he has stated publicly that he did not "set up" the shot and let the monkeys take it). And yet, Caters News Agency has a copyright notice on two of the images, claiming to hold the rights to them. We doubted that the monkeys -- who might have the best "claim" to copyright on these photos, if there is one, had licensed the images.
-- Mike Masnick on a DMCA claim takedown notice

Comments (4 posted)

New vulnerabilities

apt: incorrect signature validation

Package(s):apt CVE #(s):CVE-2011-1829
Created:July 13, 2011 Updated:July 13, 2011
Description: The apt utility does not correctly check GPG signatures, enabling a man-in-the-middle attacker to force the installation of malicious packages.
Alerts:
Ubuntu USN-1169-1 2011-07-13

Comments (none posted)

asterisk: multiple vulnerabilities

Package(s):asterisk CVE #(s):CVE-2011-2529 CVE-2011-2535
Created:July 11, 2011 Updated:July 13, 2011
Description: From the Debian advisory:

Paul Belanger reported a vulnerability in Asterisk identified as AST-2011-008 (CVE-2011-2529) through which an unauthenticated attacker may crash an Asterisk server remotely. A package containing a null char causes the SIP header parser to alter unrelated memory structures.

Jared Mauch reported a vulnerability in Asterisk identified as AST-2011-009 through which an unauthenticated attacker may crash an Asterisk server remotely. If a user sends a package with a Contact header with a missing left angle bracket (<) the server will crash. A possible workaround is to disable chan_sip.

The vulnerability identified as AST-2011-010 (CVE-2011-2535) reported about an input validation error in the IAX2 channel driver. An unauthenticated attacker may crash an Asterisk server remotely by sending a crafted option control frame.

Alerts:
Gentoo 201110-21 2011-10-24
Fedora FEDORA-2011-8983 2011-07-02
Fedora FEDORA-2011-8914 2011-06-30
Debian DSA-2276-2 2011-07-11
Debian DSA-2276-1 2011-07-10

Comments (none posted)

blender: embedded code execution

Package(s):blender CVE #(s):CVE-2009-3850
Created:July 13, 2011 Updated:October 31, 2012
Description: Back in 2009, it was reported that arbitrary Python code could be embedded in .blend files; that code would then be executed by the blender application. It is, thus, a remote code execution bug exploitable by a malicious .blend file. As of this writing, the vulnerability is still not fully fixed upstream; see this analysis by Sebastian Pipping for lots of details.
Alerts:
Fedora FEDORA-2011-8424 2011-06-21
Fedora FEDORA-2011-8474 2011-06-21
Mageia MGASA-2012-0319 2012-10-30

Comments (none posted)

dbus: denial of service

Package(s):dbus CVE #(s):CVE-2011-2200
Created:July 12, 2011 Updated:August 23, 2012
Description: From the Pardus advisory:

It was found that D-BUS message bus service / messaging facility did not update the byte-order flag of the message properly by swapping the byte order of incoming messages into their native endiannes. A local, authenticated user could use this flaw to send a specially-crafted message to a system service (like Avahi or NetworkManager), using the system bus, potentially leading to disconnect of such a service from system bus (denial of service).

Alerts:
Gentoo 201110-14 2011-10-21
CentOS CESA-2011:1132 2011-09-22
Scientific Linux SL-dbus-20110809 2011-08-09
Fedora FEDORA-2011-9817 2011-07-31
Red Hat RHSA-2011:1132-01 2011-08-09
openSUSE openSUSE-SU-2011:0880-1 2011-08-08
Fedora FEDORA-2011-9891 2011-07-31
Ubuntu USN-1176-1 2011-07-26
Pardus 2011-93 2011-07-11
Mageia MGASA-2012-0233 2012-08-23
Oracle ELSA-2012-1261 2012-09-14

Comments (none posted)

fabric: symlink attack

Package(s):fabric CVE #(s):CVE-2011-2185
Created:July 12, 2011 Updated:July 13, 2011
Description: From the Red Hat bugzilla:

It was found that fabric, a simple Pythonic remote deployment tool, used insecure way for creation of temporary files, when uploading template text files and project files to a remote system. A local attacker could use this flaw to conduct symlink attacks to upload sensitive information to remote host or to overwrite certain local system files.

Alerts:
Fedora FEDORA-2011-8964 2011-07-01

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2011-2497 CVE-2011-2517
Created:July 12, 2011 Updated:September 13, 2011
Description: From the kernel patch by Dan Rosenberg:

A remote user can provide a small value for the command size field in the command header of an l2cap configuration request, resulting in an integer underflow when subtracting the size of the configuration request header. This results in copying a very large amount of data via memcpy() and destroying the kernel heap. Check for underflow. (CVE-2011-2497)

From the Red Hat bugzilla:

In both trigger_scan and sched_scan operations, we were checking for the SSID length before assigning the value correctly. Since the memory was just kzalloc'ed, the check was always failing and SSID with over 32 characters were allowed to go through. (CVE-2011-2517)

Alerts:
Red Hat RHSA-2011:1813-01 2011-12-13
Ubuntu USN-1286-1 2011-12-03
Ubuntu USN-1285-1 2011-11-29
Ubuntu USN-1281-1 2011-11-24
Ubuntu USN-1279-1 2011-11-24
Ubuntu USN-1278-1 2011-11-24
Ubuntu USN-1269-1 2011-11-21
Ubuntu USN-1274-1 2011-11-21
Ubuntu USN-1272-1 2011-11-21
Ubuntu USN-1256-1 2011-11-09
Ubuntu USN-1246-1 2011-10-25
Ubuntu USN-1245-1 2011-10-25
Ubuntu USN-1244-1 2011-10-25
Ubuntu USN-1241-1 2011-10-25
Ubuntu USN-1240-1 2011-10-25
Ubuntu USN-1239-1 2011-10-25
Ubuntu USN-1228-1 2011-10-12
Ubuntu USN-1227-1 2011-10-11
Ubuntu USN-1225-1 2011-10-04
Ubuntu USN-1220-1 2011-09-29
Ubuntu USN-1219-1 2011-09-29
CentOS CESA-2011:1212 2011-09-22
Debian DSA-2310-1 2011-09-22
Ubuntu USN-1253-1 2011-11-08
Red Hat RHSA-2011:1253-01 2011-09-12
Debian DSA-2303-2 2011-09-10
Scientific Linux SL-kern-20110906 2011-09-06
Debian DSA-2303-1 2011-09-08
Red Hat RHSA-2011:1212-01 2011-09-06
Scientific Linux SL-kern-20110823 2011-08-23
Red Hat RHSA-2011:1189-01 2011-08-23
Fedora FEDORA-2011-11103 2011-08-18
SUSE SUSE-SU-2011:0832-1 2011-07-25
SUSE SUSE-SA:2011:031 2011-07-25
Fedora FEDORA-2011-9130 2011-07-08
Oracle ELSA-2012-0150 2012-03-07
openSUSE openSUSE-SU-2012:0799-1 2012-06-28
openSUSE openSUSE-SU-2012:1439-1 2012-11-05

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2011-2501
Created:July 12, 2011 Updated:October 17, 2011
Description: From the Pardus advisory:

The fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle. The original flaw could be used to cause a denial of service via a carefully-crafted PNG image.

Alerts:
Mandriva MDVSA-2011:151 2011-10-17
Fedora FEDORA-2011-10954 2011-08-17
Fedora FEDORA-2011-10928 2011-08-17
openSUSE openSUSE-SU-2011:0915-1 2011-08-17
Fedora FEDORA-2011-9336 2011-07-15
Scientific Linux SL-libp-20110728 2011-07-28
Red Hat RHSA-2011:1105-01 2011-07-28
Debian DSA-2287-1 2011-07-28
Ubuntu USN-1175-1 2011-07-26
Fedora FEDORA-2011-8867 2011-06-29
Fedora FEDORA-2011-8844 2011-06-29
Fedora FEDORA-2011-9343 2011-07-15
Fedora FEDORA-2011-8868 2011-06-29
Fedora FEDORA-2011-8874 2011-06-29
Pardus 2011-96 2011-07-11
Oracle ELSA-2012-0317 2012-02-21
Gentoo 201206-15 2012-06-22

Comments (none posted)

libvirt: denial of service

Package(s):libvirt CVE #(s):CVE-2011-2511
Created:July 12, 2011 Updated:September 23, 2011
Description: From the Red Hat bugzilla:

It has been found that calling VirDomainGetVcpus with bogus parameters can lead to integer overflow and subsequent heap corruption. A remote attacker could use this flaw to crash libvirtd (DoS).

Alerts:
CentOS CESA-2011:1019 2011-09-22
Scientific Linux SL-libv-20110823 2011-08-23
Scientific Linux SL-libv-20110721 2011-07-21
Red Hat RHSA-2011:1197-01 2011-08-23
openSUSE openSUSE-SU-2011:0900-1 2011-08-15
Ubuntu USN-1180-1 2011-07-28
Fedora FEDORA-2011-9062 2011-07-06
Red Hat RHSA-2011:1019-01 2011-07-21
Debian DSA-2280-1 2011-07-19
Fedora FEDORA-2011-9091 2011-07-06
Gentoo 201202-07 2012-02-27

Comments (none posted)

openoffice.org: code execution

Package(s):openoffice.org CVE #(s):
Created:July 8, 2011 Updated:July 13, 2011
Description:

From the Debian advisory:

Will Dormann and Jared Allar discovered that the Lotus Word Pro import filter of OpenOffice.org, a full-featured office productivity suite that provides a near drop-in replacement for Microsoft(R) Office, is not properly handling object ids in the ".lwp" file format. An attacker can exploit this with a specially crafted file and execute arbitrary code with the rights of the victim importing the file.

Alerts:
Debian DSA-2275-1 2011-07-07

Comments (none posted)

oprofile: privilege escalation/file overwrite

Package(s):oprofile CVE #(s):CVE-2011-2471 CVE-2011-2472
Created:July 11, 2011 Updated:July 13, 2011
Description: From the CVE entries:

utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to gain privileges via shell metacharacters in the (1) --vmlinux, (2) --session-dir, or (3) --xen argument, related to the daemonrc file and the do_save_setup and do_load_setup functions, a different vulnerability than CVE-2011-1760. (CVE-2011-2471)

Directory traversal vulnerability in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to overwrite arbitrary files via a .. (dot dot) in the --save argument, related to the --session-dir argument, a different vulnerability than CVE-2011-1760. (CVE-2011-2472)

Alerts:
Ubuntu USN-1166-1 2011-07-11

Comments (none posted)

vte: memory exhaustion

Package(s):vte CVE #(s):CVE-2011-2198
Created:July 12, 2011 Updated:July 25, 2011
Description: From the Pardus advisory:

An memory exhaustion flaw was found in the way VTE, a terminal emulator widget, processed certain character sequences. A remote attacker could provide a specially-crafted file, which once opened in a terminal using the VTE terminal emulator could lead to excessive memory and CPU consumption.

Alerts:
Fedora FEDORA-2011-9330 2011-07-15
Fedora FEDORA-2011-9330 2011-07-15
Pardus 2011-94 2011-07-11
openSUSE openSUSE-SU-2012:0931-1 2012-08-01

Comments (none posted)

xml-security-c: arbitrary code execution

Package(s):xml-security-c CVE #(s):CVE-2011-2516
Created:July 11, 2011 Updated:August 1, 2011
Description: From the Debian advisory:

It has been discovered that xml-security-c, an implementation of the XML Digital Signature and Encryption specifications, is not properly handling RSA keys of sizes on the order of 8192 or more bits. This allows an attacker to crash applications using this functionality or potentially execute arbitrary code by tricking an application into verifying a signature created with a sufficiently long RSA key.

Alerts:
Fedora FEDORA-2011-9501 2011-07-18
Fedora FEDORA-2011-9494 2011-07-18
Debian DSA-2277-1 2011-07-10

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds