Date: Sun, 19 Sep 2004 03:18:14 +0800 From: Xin LI <delphij@frontfree.net> To: gerarra@tin.it Cc: freebsd-hackers@freebsd.org Subject: Re: FreeBSD Kernel buffer overflow Message-ID: <20040918191814.GA3716@frontfree.net> In-Reply-To: <4146316C0000A1A7@ims3a.cp.tin.it> References: <006201c49d42$0c751aa0$1200a8c0@gsicomp.on.ca> <4146316C0000A1A7@ims3a.cp.tin.it>
next in thread | previous in thread | raw e-mail | index | archive | help
--qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Sep 18, 2004 at 12:10:14PM +0200, gerarra@tin.it wrote: >=20 > In my post I told that this is *NOT* exploitable but if somebody finds a > method? what you can say? In underground comunities it's not so rare, pat= ching > is better than having a new exploits for freebsd. I was very deluded by > this approach to potential security problem... > (I repeat: *POTENTIAL*). You have some different idea from ours. However, I think it might be useful to clarify our idea. 1. A kernel must trust itself in order for it to be efficient. It is not bad to have sanity checks, but checking it repeatly will pose a performance pain. With this in mind, the correct approach might be to have sanity check in the entry point, rather than having it everywhere. This is say, a input procedure must have everything in a sanity state in its early stage and, in addition, same check should not be done in elsewhere because it just repeatly check what is guaranteed to be true, in a production kernel this is not quite useful and even in a debug kernel it is not perferred approach because we don't have to explicitly have if(1=3D=3D1) or something like this. 2. As many people in this discussion has pointed out, it is necessary to have root access in order to alter a system call. That is say, that in order to successfully exploit this "vulnerablity" you have to be root first, and we have infinite "exploits" in this situation, because the attacker already got the ultimate power. We don't need to fear someone who already killed us, right? 3. Security is determined by the weakest tach. With this in concern, let's think about the following scenario: Every system calls have correct sanity check in their entry point while foo() have not. Someone has injected foo() with another way to have some code in kernel. The kernel code exploited the issue you mentioned. But is it actually wrong with the issue? Isn't it the weakest tach within the foo() system call? Shouldn't it be fixed? Hope this is helpful for the debate, and hope I have expressed my idea correctly. With these consideration, I think it is not very necessary to have the sanity check of parameter numbers for a system call entry because it need root access already and if the gain of root is considered harmful, then it's not the sanity of parameter numbers check but the actual problem should be fixed.=20 Cheers, --=20 Xin LI <delphij frontfree net> http://www.delphij.net/ See complete headers for GPG key and other information. --qMm9M+Fa2AknHoGS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBTIn2/cVsHxFZiIoRAo5OAJ9B/m04M0U0yNniCySmfFX623HpygCdE0Gl z4l9EdaFv56bvGSN3mGIoHo= =fP2n -----END PGP SIGNATURE----- --qMm9M+Fa2AknHoGS--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040918191814.GA3716>