|
|
Subscribe / Log in / New account

Security

The OLPC and BIOS upgrades

The One Laptop Per Child project will, if successful, place special laptop computers into the hands of millions of children all over the world. Most of these children will have never worked with a computer before. The consequences of providing Linux-based systems to this many children are likely to be huge. If this project is done right, these kids will grow up seeing free software as the preferred thing to use. Done wrong, it could turn them (and the adults around them) against Linux in a big way.

Many aspects of the OLPC systems are interesting; one of those is that they will use LinuxBIOS as their onboard, boot-time firmware. LinuxBIOS will bring a high degree of flexibility to the system, and some complexity as well. There is a real possibility that, as the result of some late bug or security problem, an in-field upgrade to LinuxBIOS will be called for. In addition, some users may want to hack on the firmware and install their own version - after all, the source is available. For both reasons, the OLPC systems will be able to rewrite their BIOS on demand.

There is a potential problem there, however. If it is too easy to rewrite the BIOS, no end of unpleasant things could happen. In the worst case, some sort of OLPC-based worm could, over a brief period, turn all online systems into expensive bricks. Or, perhaps even worse, the mass implantation of a low-level back door could be performed. For this reason, the OLPC design requires the user to give explicit permission before the BIOS can be rewritten. In particular, a specific sequence of keys on the keyboard must be held down before rewriting the BIOS will be possible.

Ivan Krstić has recently been thinking about the BIOS issue; in particular, he is worried that the keyboard-based interlock still leaves the system open to phishing attacks. The target user base for the OLPC, remember, will be very young. If something pops up on their screen telling them to push a certain set of keys, some of them may well do it. Adults may be immune to this sort of attack, but children need to be treated with more care.

So Ivan floated a proposal for a different way of doing things. It does away with the keyboard interlock; instead, the operating system is always forbidden to rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so upon finding a new BIOS image in a specific place in the filesystem. That image would have to be cryptographically signed, however, so attackers would, presumably, be unable to get a new BIOS image written. Ivan says:

Voila. This is now a completely secure BIOS solution which requires no TPM, allows fully automatic upgrades without the user's cooperation (such as pressing keys), and fully protects both against phishing and automated attacks -- in fact, it's vector-independent.

Some who responded were not entirely happy with this approach, however. The potential for performing BIOS upgrades (even if properly signed) without the user's knowledge or consent is troubling. If a bug is found in the signature verification code, the fully automated mass bricking scenario becomes real again. Users who want to put in their own version of the BIOS will be frustrated - they cannot be given the signing key without compromising the entire mechanism (though this problem can be mitigated through the addition of a unique key for each system). Some countries may be unwilling to buy and distribute the OLPC systems without the ability to create and install their own BIOS images. And so on; see the list archive for the full discussion thread.

There was no obvious consensus reached on the list - and no immediate decision to change the OLPC hardware design. It is an issue requiring some additional thought, however. The OLPC systems are designed, in general, to be easy to fix when a user breaks things - they are meant to be experimented with. A BIOS-level bricking, however, is decidedly not easy to fix; it is not a scenario which can be allowed to come about. So it will be interesting to see what solution the OLPC designers arrive at in the end.

(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).

Comments (18 posted)

New vulnerabilities

AlsaPlayer: multiple buffer overflows

Package(s):alsaplayer CVE #(s):CVE-2006-4089
Created:August 28, 2006 Updated:September 19, 2006
Description: AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer.
Alerts:
Debian DSA-1179-1 alsaplayer 2006-09-19
Gentoo 200608-24 alsaplayer 2006-08-26

Comments (none posted)

gtetrinet: buffer overflows

Package(s):gtetrinet CVE #(s):CVE-2006-3125
Created:August 30, 2006 Updated:September 6, 2006
Description: A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
Alerts:
Gentoo 200609-02 gtetrinet 2006-09-06
Debian DSA-1163-1 gtetrinet 2006-08-30

Comments (none posted)

lesstif: libXm library privilege escalation

Package(s):lesstif CVE #(s):CVE-2006-4124
Created:August 29, 2006 Updated:August 30, 2006
Description: The libXm library in LessTif 0.95.0 and earlier allows local users to gain privileges via the DEBUG_FILE environment variable, which is used to create world-writable files when libXm is run from a setuid program.
Alerts:
Mandriva MDKSA-2006:154 lesstif 2006-08-28

Comments (none posted)

libmusicbrainz: buffer overflows

Package(s):libmusicbrainz-2.0 CVE #(s):CVE-2006-4197
Created:August 30, 2006 Updated:October 23, 2006
Description: Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
Gentoo 200610-09 musicbrainz 2006-10-22
Ubuntu USN-363-1 libmusicbrainz 2006-10-11
Mandriva MDKSA-2006:157-1 musicbrainz 2006-09-28
rPath rPSA-2006-0161-1 libmusicbrainz 2006-08-30
Mandriva MDKSA-2006:157 musicbrainz 2006-08-30
Debian DSA-1162-1 libmusicbrainz-2.0 2006-08-30

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 mysql 2008-07-24
Red Hat RHSA-2008:0364-01 mysql 2008-05-21
Red Hat RHSA-2007:0152-01 mysql 2007-04-03
Red Hat RHSA-2007:0083-01 MySQL 2007-02-19
Fedora FEDORA-2006-1298 mysql 2006-11-27
Fedora FEDORA-2006-1297 mysql 2006-11-27
Ubuntu USN-338-1 mysql-dfsg-5.0 2006-09-05
Mandriva MDKSA-2006:149 MySQL 2006-08-24

Comments (none posted)

streamripper: buffer overflow

Package(s):streamripper CVE #(s):CVE-2006-3124
Created:August 28, 2006 Updated:September 6, 2006
Description: Ulf Harnhammer from the Debian Security Audit Project discovered that streamripper, a utility to record online radio-streams, performs insufficient sanitizing of data received from the streaming server, which might lead to buffer overflows and the execution of arbitrary code.
Alerts:
Gentoo 200609-01 streamripper 2006-09-06
Debian DSA-1158-1 streamripper 2006-08-25

Comments (none posted)

wireshark: several vulnerabilities

Package(s):wireshark CVE #(s):CVE-2006-4330 CVE-2006-4331 CVE-2006-4332 CVE-2006-4333
Created:August 25, 2006 Updated:November 2, 2006
Description: There are multiple problems in Wireshark, versions 0.7.9 to 0.99.2.
Alerts:
Red Hat RHSA-2006:0658-01 wireshark 2006-09-12
Debian DSA-1171-1 ethereal 2006-09-07
Gentoo 200608-26 wireshark 2006-08-29
Fedora FEDORA-2006-936 wireshark 2006-08-25
Mandriva MDKSA-2006:152 wireshark 2006-08-25
rPath rPSA-2006-0158-1 wireshark 2006-08-25

Comments (none posted)

X.org: local privilege escalations

Package(s):xorg-x11 CVE #(s):CVE-2006-4447
Created:August 28, 2006 Updated:April 30, 2007
Description: Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 beast 2007-04-27
Mandriva MDKSA-2006:160 xorg-x11 2006-08-31
Gentoo 200608-25 xdm 2006-08-28

Comments (none posted)

Resources

Ross Anderson's Security Engineering book downloadable

Ross Anderson's well regarded book Security Engineering is now available online. From Bruce Schneier's introduction:

Security engineering is different from any other kind of programming. It's a point I made over and over again: in my own book, Secrets and Lies, in my monthly newsletter Crypto-Gram, and in my other writings. And it's a point Ross makes in every chapter of this book. This is why, if you're doing any security engineering ... if you're even thinking of doing any security engineering, you need to read this book. It's the first, and only, end-to-end modern security design and engineering book ever written.

Comments (6 posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds