Garrett: Subverting security with kexec
Matthew Garrett demonstrates how to use the kexec_load() system call to run
arbitrary code in ring 0 and change parameters in a running kernel, which makes
the protection of signed modules moot on any system that still allows kexec.
"The beauty of this approach is that it doesn't rely on any kernel bugs - it's using kernel functionality that was explicitly designed to let you do this kind of thing (i.e., run arbitrary code in ring 0). There's not really any way to fix it beyond adding a new system call that has rather tighter restrictions on the binaries that can be loaded. If you're using signed modules but still permit kexec, you're not really adding any additional security."
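The practical question Garrett's argument leaves for an administrator is whether module signing on a given host is actually a boundary or just decoration. The mitigations he anticipated did land later: the kernel.kexec_load_disabled sysctl (Linux 3.14, a one-way switch that refuses kexec_load() until reboot) and the kexec_file_load() system call (Linux 3.17), whose image signature check is only mandatory when the kernel is built with CONFIG_KEXEC_VERIFY_SIG (older kernels) or CONFIG_KEXEC_SIG_FORCE (newer ones). The POSIX shell audit below is an added example, not code from Garrett's post or from any kernel tool; the script name kexec_audit.sh and the function names are assumptions, and the three file paths are parameters so the checks can be exercised on constructed input.

```shell
#!/bin/sh
# kexec_audit.sh: does module signing on this host actually buy anything?
# Added example, not code from Garrett's post. Script name is hypothetical.
# It reads three things and checks them against what the post argues:
#   - /sys/module/module/parameters/sig_enforce   (module signatures enforced?)
#   - /proc/sys/kernel/kexec_load_disabled         (old kexec_load() shut off?)
#   - the kernel config                            (kexec_file_load() verifies?)
# All three paths are parameters so the checks can run on constructed files.

# read_flag FILE: print the file's contents without whitespace, or "absent".
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo absent
    fi
}

# kexec_audit [SYSCTL_FILE] [CONFIG_FILE] [SIG_ENFORCE_FILE]
# Returns 0 when signed modules are a real boundary, 1 when kexec (or an
# unenforced policy) lets root into ring 0 anyway.
kexec_audit() {
    sysctl_file=${1:-/proc/sys/kernel/kexec_load_disabled}
    config_file=${2:-/boot/config-$(uname -r)}
    sig_file=${3:-/sys/module/module/parameters/sig_enforce}

    sig_enforce=$(read_flag "$sig_file")
    load_disabled=$(read_flag "$sysctl_file")

    # Is any kexec path compiled in at all? No kexec, nothing to subvert.
    # An unreadable config is "unknown", never "no", so the audit stays conservative.
    if [ ! -r "$config_file" ]; then
        kexec_built=unknown
    elif grep -qE '^CONFIG_KEXEC(_FILE)?=y' "$config_file"; then
        kexec_built=y
    else
        kexec_built=n
    fi
    # kexec_file_load() only refuses unsigned images when verification is
    # forced: CONFIG_KEXEC_VERIFY_SIG (older kernels) or CONFIG_KEXEC_SIG_FORCE.
    # CONFIG_KEXEC_SIG=y alone merely logs a failed check outside lockdown.
    if grep -qE '^CONFIG_KEXEC_(VERIFY_SIG|SIG_FORCE)=y' "$config_file" 2>/dev/null; then
        file_load_sig=forced
    else
        file_load_sig=unforced
    fi

    echo "sig_enforce=$sig_enforce kexec_load_disabled=$load_disabled" \
         "kexec_built=$kexec_built kexec_file_load_sig=$file_load_sig"

    if [ "$sig_enforce" != Y ]; then
        echo "FAIL: module signatures are not enforced; kexec is not even needed"
        return 1
    fi
    if [ "$kexec_built" = n ] && [ "$load_disabled" = absent ]; then
        echo "OK: kernel has no kexec support, module signing stands on its own"
        return 0
    fi
    if [ "$load_disabled" != 1 ]; then
        echo "FAIL: kexec_load() is not disabled (kernel.kexec_load_disabled=$load_disabled); root can load any image"
        return 1
    fi
    if [ "$file_load_sig" != forced ]; then
        echo "FAIL: kexec_file_load() does not force signature checks; build with CONFIG_KEXEC_SIG_FORCE=y"
        return 1
    fi
    echo "OK: only signed kernels can be kexec'd, so module signing holds"
    return 0
}

# Run against the live host when executed directly under this file name.
case "${0##*/}" in
    kexec_audit.sh) kexec_audit "$@" ;;
esac
```

Save it as kexec_audit.sh and run it as root to read the live paths; the exit status is the verdict. One thing it does not read is /sys/kernel/security/lockdown: on kernels that support lockdown, integrity mode refuses kexec_load() and makes the kexec_file_load() signature check mandatory even without CONFIG_KEXEC_SIG_FORCE, so a host reporting FAIL here may still be covered by that mechanism.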