
Attacking hardened Linux systems with kernel JIT spraying


Posted Nov 18, 2012 18:19 UTC (Sun) by patrick_g (subscriber, #44470)
Parent article: Attacking hardened Linux systems with kernel JIT spraying

> PaX's KERNEXEC feature implements in software a policy very similar to SMEP. And indeed, the JIT spray exploit succeeds where a traditional jump-to-userspace fails. (grsecurity has other features that would mitigate this attack, like the ability to lock out users who oops the kernel.)

Does it mean a PaX hardened kernel is **more** vulnerable than a mainline kernel (with BPF JIT disabled)?



Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 18:36 UTC (Sun) by spender (subscriber, #23067) [Link]

That's not what it means. For more information, please see:
http://en.wikipedia.org/wiki/Reading_comprehension

PS: at the risk of making the kernel even more vulnerable, please see the following:
http://grsecurity.net/~spender/jit_prot.diff

-Brad

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 19:44 UTC (Sun) by patrick_g (subscriber, #44470) [Link]

> That's not what it means. For more information, please see:
> http://en.wikipedia.org/wiki/Reading_comprehension

Thanks. Your usual condescending tone.
I'm not a native English speaker, so perhaps you could explain more thoroughly why I'm wrong? According to the article, BPF JIT is disabled by distributions, so the JIT spraying attack cannot work. Concerning PaX's KERNEXEC, the author wrote "JIT spray exploit succeeds", so I wrongly thought it was a weakness in PaX.

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 19, 2012 18:40 UTC (Mon) by iabervon (subscriber, #722) [Link]

This attack succeeds on PaX "where a traditional jump-to-userspace fails"; on mainline, the traditional jump-to-userspace succeeds, so JIT spraying is unnecessary.

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 23:08 UTC (Sun) by NightMonkey (subscriber, #23051) [Link]

spender/Brad, you might be right, but let's keep LWN free of lame put-downs. Keep it civil, please. Thanks.

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 19:02 UTC (Sun) by robert_s (subscriber, #42402) [Link]

No - that's not what it means at all. This article is _not_ saying SMEP makes anyone any less secure, it's just saying it's quite easy to work around in certain circumstances.

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 18, 2012 23:45 UTC (Sun) by yann.morin.1998 (subscriber, #54333) [Link]

> > PaX's KERNEXEC feature implements in software a policy very similar to SMEP. And indeed, the JIT spray exploit succeeds where a traditional jump-to-userspace fails. (grsecurity has other features that would mitigate this attack, like the ability to lock out users who oops the kernel.)

> Does it mean a PaX hardened kernel is **more** vulnerable than a mainline kernel (with BPF JIT disabled)?

What I understood (not being a native English speaker either, as you know ;-) ) is:

- JIT disabled: no issue, as it's not even possible to attack the JIT, it being disabled
- JIT enabled, with PaX' KERNEXEC: JIT was successfully subverted
- JIT enabled, with SMEP: unknown, but probably similar to PaX' KERNEXEC, as the technique is the same

Hop,
Me.

Attacking hardened Linux systems with kernel JIT spraying

Posted Nov 19, 2012 16:56 UTC (Mon) by randomguy3 (subscriber, #71063) [Link]

A PaX hardened kernel with JIT disabled is (probably) more secure than mainline (in this regard).

A PaX hardened kernel with JIT enabled is (probably) just as insecure as mainline (in this regard). This is because the JIT can be used to work around the extra security that PaX provides.

A PaX hardened kernel is (probably) never less secure than mainline (in this regard).


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds