Comment 10 for bug 759725
Revision history for this message
| Richard W.M. Jones (rich-annexia) wrote Re: [Bug 759725] Re: The kernel is no longer readable by non-root users | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
On Tue, Apr 26, 2011 at 09:49:25PM -0000, Kees Cook wrote:
> But because the symbols can be extracted in the way you point out is
> why the kernel image itself needs to be unreadable. This change is
> to block the class of attacks carried out by script kiddies and
> automated systems that expect to be able to look up symbols locally
> and make exploits totally portable to all kernel versions.
You didn't appear to understand the code that I wrote: it gets out the
symbols from any version of the kernel by simply reading the kernel
*runtime memory*.
So the attacker now has two alternative methods: (a) fire up a web
browser or (b) inject shell code into the kernel which greps through
physical memory to find the symbol tables, and note method (b) works
with any kernel version without reference to the original vmlinuz
file.
> It changes the nature of future attacks, at least forcing attackers
> to take additional steps.
Yes, firing up a web browser or injecting an extra small piece of
shell code into the kernel.