|
Message-ID: <CAFUG7CcDA+NzqmhFhP5O4fpbzU-rYRqc9U1ssLx3ELS1r+WCAw@mail.gmail.com> Date: Wed, 14 Jun 2017 16:37:25 -0400 From: Boris Lukashev <blukashev@...pervictus.com> To: Alan Cox <gnomes@...rguk.ukuu.org.uk> Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>, Mickaël Salaün <mic@...ikod.net>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Kees Cook <keescook@...omium.org>, Matt Brown <matt@...tt.com>, jason@...finion.com, linux-security-module <linux-security-module@...r.kernel.org>, Daniel Micay <danielmicay@...il.com>, kernel-hardening <kernel-hardening@...ts.openwall.com>, LKML <linux-kernel@...r.kernel.org> Subject: Re: Re: [PATCH v1] shebang: restrict python interactive prompt/interpreter On Wed, Jun 14, 2017 at 10:10 AM, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote: > > On Mon, 12 Jun 2017 10:27:24 -0400 > Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > > > On Sun, 2017-06-11 at 22:32 -0400, Mimi Zohar wrote: > > > On Sun, 2017-06-11 at 13:44 +0200, Mickaël Salaün wrote: > > > > > > Using filesystem xattr seems like a good idea for this kind of > > > > exceptions and instead of a hardcoded interpreter path. Something like > > > > "security.tpe.interpreter=1|2" (bitmask for interpreter-only and/or CLI) > > > > and "security.tpe.environment=HOME,LOGNAME" would be quite flexible to > > > > configure a security policy for some binaries. This could also be > > > > protected by IMA/EVM, if needed. > > > > > > Checking for the existence of an xattr without caching is relatively > > > slow. I'm not sure that we would want to go this route. > > > > For identifying interpreters, xattrs would be too slow (without > > caching results), but once identified, using xattrs as you suggested, > > for specifying how interpreters can be invoked and limiting > > environment variables, is a good idea. Perhaps the two xattrs could > > be combined? > > It's not just #! you need to cover. If I can run ld.so for my arch format > then ld.so will helpfully let me load any ELF binary I like and run it. > > Alan That depends on the threat model. Interpreted payloads are beneficial to attackers for their light forensic footprint along with implicit code-gen needs/powers - they dont require writing files to disk in order to affect their goals (staging is implicitly handled by the runtime, and behavior is tough to track). Anything going to disk is subject to forensic recovery, malware analysis, and a host of other concerns nobody wants to deal with when trying to compromise things quietly. While attackers can abuse the linker to their heart's content under certain contexts, they generally need to write files to disk in a place where the linker can get to them, leaving more footprints or being deterred altogether. At the payload delivery stage, remote attackers are effectively blind and unlikely to know if their exploit failed or the payload execution was mitigated. It has real world value. To go along with the notion of "perfect can be the enemy of good" (please pardon the likely incorrect paraphrasing, second language and all), rejecting a protection which offers coverage for a subset of potential vectors, because it does not provide coverage for others, leads to dead code and open holes. Is it feasible to adopt protections which cover specific threat models with annotations on what they may leave open such as to cover those areas in later commits? This would also allow common work to be converged, such as LSM code dealing with mprotect issues, path resolution as a security validator, etc. -Boris
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.