KASLR: An Exercise in Cargo Cult Security (grsecurity blog)
[Posted March 27, 2013 by jake]
Over at the grsecurity blog, Brad Spengler and the PaX Team have co-written a lengthy look at kernel address space layout randomization (KASLR) and its failures. "KASLR is an easy to understand metaphor. Even non-technical users can make sense of the concept of a moving target being harder to attack. But in this obsession with an acronym outside of any context and consideration of its limitations, we lose sight of the fact that this moving target only moves once and is pretty easy to spot. We forget that the appeal of ASLR was in its cost/benefit ratio, not because of its high benefit, but because of its low cost."
Making distribution files readable only by root is pointless
Posted Mar 27, 2013 17:08 UTC (Wed) by epa (subscriber, #39769)
I particularly liked the part towards the end of the article where the author notes that Ubuntu has made /boot/vmlinuz* and /boot/System.map* readable only by root, to make it harder to find addresses for an exploit, but this is completely pointless - since all the Ubuntu kernel images are freely downloadable. It would seem to be a general principle that standard system files should be readable to all users, and if you think that making them root-readable only will help security, you need to reconsider what exactly you are trying to do.
Making distribution files readable only by root is pointless
Posted Mar 27, 2013 17:28 UTC (Wed) by arjan (subscriber, #36785)
Well, it kind of goes both ways.
Why WOULD they need to be readable?
The paradigm of "least privilege" as a general guiding principle has been around for a long time.
I am not going to argue that there is a huge value in making these things non-root, but at the same time, you can't really argue the other way.
While it's relatively easy to get the data from other sources... it's not zero difference in effort (esp. forward looking). Barring any need for these files to be world readable... they're better off not.
Again not for the huge gain, but because there is no reason for them to be.
Making distribution files readable only by root is pointless
Posted Mar 28, 2013 0:04 UTC (Thu) by nix (subscriber, #2304)
It's zero difference in effort. Effective exploit authors will either be writing attack tools, in which case they *have* to download various distros to customize their attacks for those distros -- they're not going to be looking at files on the target system at all except under automation -- or they'll be targeting it at a particular target, in which case the 'extra' effort spent to customize for the distro the target uses is required anyway, and is drowned in the effort spent on the rest of the targeted attack.
Making distribution files readable only by root is pointless
Posted Mar 27, 2013 20:32 UTC (Wed) by NAR (subscriber, #1313)
The user can install his/her own kernel, in which case it makes sense to make these files readable only for root. As the system should work in this case too, by setting the access mode of the default files to 600 the rest of the system is tested that nothing is broken if these files are only readable by the user. So while it might be pointless from a strict security point of view, it is useful from a software testing point of view.
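The comments above argue over whether restricting /boot/vmlinuz* and /boot/System.map* to mode 600 is worth anything, and NAR's point is that whatever the security value, a system should keep working with those files unreadable to ordinary users. A defender who wants to know where a fleet actually stands needs a check for it. The script below is an added example for this page, not code from grsecurity, Ubuntu or any commenter: it lists the kernel images and symbol maps under a directory that are readable by anyone other than the owner (group or other read bit set), and builds a constructed /boot look-alike in a temporary directory so the check can be exercised without touching the real one. The file names in that sample directory are made up.

```shell
#!/bin/sh
# Audit kernel image / symbol-map permissions under a boot directory.
# Flags vmlinuz* and System.map* files readable by group or other
# (mode bits 0040 or 0004), i.e. not restricted to the owner as the
# Ubuntu change discussed above intends. Added example; not from the
# grsecurity post, Ubuntu or LWN.

# Print every kernel image / symbol map directly under $1 that is
# readable by someone other than its owner. Output is sorted so callers
# can compare it reliably.
readable_by_others_kernel_files() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \
        \( -name 'vmlinuz*' -o -name 'System.map*' \) \
        \( -perm -040 -o -perm -004 \) | sort
}

# Return 0 when every kernel image / symbol map under $1 is owner-only
# readable, 1 when at least one is exposed to group or other.
audit_kernel_files() {
    n=$(readable_by_others_kernel_files "$1" | wc -l)
    [ "$n" -eq 0 ]
}

# Build a constructed /boot look-alike in a temp dir. File names and
# version strings are invented for the example. Prints the directory.
make_sample_boot() {
    d=$(mktemp -d)
    : > "$d/vmlinuz-3.8.0-sample"       # constructed: owner-only (good)
    : > "$d/System.map-3.8.0-sample"    # constructed: world-readable (flagged)
    : > "$d/initrd.img-3.8.0-sample"    # constructed: not a target of the check
    chmod 0600 "$d/vmlinuz-3.8.0-sample"
    chmod 0644 "$d/System.map-3.8.0-sample"
    chmod 0644 "$d/initrd.img-3.8.0-sample"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the constructed directory, then the real /boot
# if this machine has one.
sample=$(make_sample_boot)
echo "sample dir: kernel files readable by non-owners:"
readable_by_others_kernel_files "$sample"
audit_kernel_files "$sample" || echo "sample: exposed kernel files present"
rm -rf "$sample"
if [ -d /boot ]; then
    if audit_kernel_files /boot; then
        echo "/boot: kernel images and symbol maps are owner-only"
    else
        echo "/boot: some kernel images or symbol maps are readable by non-owners"
    fi
fi
```

The check deliberately ignores initrd images, which the thread does not discuss, and it looks only one level deep because distribution packages place these files directly under /boot. Group-read is treated the same as world-read since the goal stated in the post is root-only readability, not merely hiding the files from "other".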
Making distribution files readable only by root is pointless
Posted Apr 5, 2013 10:03 UTC (Fri) by dsommers (subscriber, #55274)
> The user can install his/her own kernel, in that case it makes sense to make these files readable only for root.
In bigger data centres this will most likely be a no-go. The reason is that these environments heavily depend on automated update routines. If you need to recompile the kernel to ensure the address space is unpredictable, that will just add more maintenance complexity and also add another possible place where things can go wrong. Which again will make most sys-admins ignore this threat.
In addition, with commercial Linux distros it might even make it more difficult to use their support services, as they most likely won't support "home brewed" software packages, even if they're based on their sources.
Making distribution files readable only by root is pointless
Posted Mar 27, 2013 21:23 UTC (Wed) by dvdeug (subscriber, #10998)
It's not completely pointless. If you're dealing with a dedicated attacker, that won't slow them down. If you're dealing with a bot, reading those files from disk was trivial, but downloading the kernel is quite a bit louder, and figuring out where to download it from would get pretty complex; how many download systems would you need to figure out to get a bot to download the kernel image for most systems?
Making distribution files readable only by root is pointless
Posted Mar 28, 2013 0:04 UTC (Thu) by nix (subscriber, #2304)
The bot wouldn't do it. The author of the bot would do it, and embed the appropriate offsets in the bot.
Making distribution files readable only by root is pointless
Posted Mar 29, 2013 11:06 UTC (Fri) by madscientist (subscriber, #16861)
If the offsets are embedded in the bot rather than dynamically discovered then the bot begins to go obsolete the minute a new kernel update is released... which happens pretty often. Changing permissions might not be a huge benefit but it is SOME benefit, and with virtually zero cost. I'm not sure this particular change warrants being called out as an example of useless security gestures.
Making distribution files readable only by root is pointless
Posted Mar 29, 2013 12:02 UTC (Fri) by spender (subscriber, #23067)
If everyone's done with their armchair theorizing about why the feature isn't just pointless obfuscation for distributions and doesn't provide a false sense of security due to its complete lack of qualifications for efficacy, I'd like to point out the existence of https://github.com/jonoberheide/ksymhunter since 2011. The thing about techniques like these is they only have to be written once.
-Brad
Making distribution files readable only by root is pointless
Posted Mar 29, 2013 23:07 UTC (Fri) by etienne (subscriber, #25256)
Are you saying that, for security reasons, we shall all have *another* kernel with that name in that directory?
Making distribution files readable only by root is pointless
Posted Mar 28, 2013 1:11 UTC (Thu) by xanni (subscriber, #361)
The malware author could just include the offsets for the commonly used kernels right in the bot code.
Making distribution files readable only by root is pointless
Posted Mar 28, 2013 1:13 UTC (Thu) by xanni (subscriber, #361)
Whoops, nix beat me to it. Now I'm sorry LWN doesn't have the ability to delete your own comments like Google+. :)
Making distribution files readable only by root is pointless
Posted Mar 28, 2013 16:12 UTC (Thu) by nix (subscriber, #2304)
It just goes to show, always hit refresh before commenting if you've had the page open for a while.
Making distribution files readable only by root is pointless
Posted Mar 29, 2013 0:17 UTC (Fri) by xanni (subscriber, #361)