LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Calibre and setuid "works on every single linux distro"

Calibre and setuid "works on every single linux distro"

Posted Nov 7, 2011 19:18 UTC (Mon) by mpr22 (subscriber, #60784)
In reply to: Calibre and setuid "works on every single linux distro" by RogerOdle
Parent article: Calibre and setuid

If Malice's program has managed to get root on Bob's Linux environment, and part of that Linux environment (whether a driver built into the kernel, or a userspace program) is responsible for controlling the USB peripherals and authorizing requests for data from them, then she can just invoke the appropriate APIs for accessing the USB camera through "proper channels"; she doesn't need to access the USB host controller's registers. (And why would she want to? Dinking about with the USB host controller's registers would be a good way to make the system glitch in ways that induce Bob to do a clean install, at least temporarily cleansing Malice's program from the system.)

Now, if Bob is running a partitioning hypervisor (so that the Linux kernel is not absolute lord and master of his computer's MMU) with no software-based privesc bugs, and there are no privesc bugs in the underlying silicon, and the Linux partition doesn't have access to the USB host controller, then the partitioning-enhanced MMU has secured Bob's camera from Malice's programs. (Unless there's a channel for the Linux partition to send read and write requests to the partition that owns the USB host controller, in which case you're back to square one unless that partition can somehow detect that the Linux partition has been compromised - which seems likely to be a halting-complete task.)

So, unless there's something I've missed, I stand by my assertion: This is a software and wetware problem, and a fancier MMU is not really the hardware solution. (The sensible hardware solution is a physically-operable killswitch for the camera and microphone which can't be bypassed by software.)

(Log in to post comments)

Calibre and setuid "works on every single linux distro"

Posted Nov 7, 2011 19:53 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

or at the very least the OLPC solution, a LED physically wired to the camera and microphone so that when they get power the LED lights.

Calibre and setuid "works on every single linux distro"

Posted Nov 10, 2011 19:27 UTC (Thu) by jengelh (subscriber, #33263) [Link]

And then falls short because the manufacturer happened to allow changing the LED state from the kernel, or there's some other kind of hardware bug that could be exploited to not light the diode.

Calibre and setuid "works on every single linux distro"

Posted Nov 10, 2011 21:09 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

that is why I said a LED wired directly to the device in question. not something controlled by a processor.

the camera needs power to run, if you wire the LED to the power lead of the camera it will light up when the camera gets power.

yes you can have the LED fail, or a bad solder joint, but other than that there really isn't much that can go wrong with this (and there is no way that this could fail in a way where it lights for the user using the camera, but not for the attacker.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds