Anatomy of a kernel attack
Take Away
I have described only two of many possible security issues. Other problems could include format strings, off-by-ones, out-of-bound reads, and more – all of which have affected past versions of Linux. Often preventing the attack is easy if the mechanics of the security issue are known – except if the compiler plays tricks on the programmer. Some issues can easily be found with static code analysis; other problems might require thorough testing. As a rule of thumb, automated tests should always include "critical" values, such as 128 for 8-bit values. Test cases should also include known older issues, to prevent them from being reintroduced (such as the Ping of Death in Windows IPv6). Surprisingly, static code analysis and automated testing are rare in many projects. OpenBSD is an example to the contrary, which is one reason for its secure reputation. Linux adopted static code analysis recently, and it has helped with finding and fixing many security issues.
Infos
- Buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
- "Smashing the Stack for Fun and Profit" by Aleph One, Phrack, issue 49, November 8, 1996, http://phrack.org/issues/49/14.html
- A Space Error: $370 Million for an Integer Overflow: https://hownot2code.com/2016/09/02/a-space-error-370-million-for-an-integer-overflow/
- "Static Code Analysis Finds Avoidable Errors" by Tobias Eggendorfer, ADMIN, issue 53, 2019, pp. 88-92, https://www.admin-magazine.com/Archive/2019/53/Static-code-analysis-finds-avoidable-errors
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes 2nd Edition; By Anley, Heasman, Linder, and Richarte; Wiley 2007
- CVE-2019-17133: https://nvd.nist.gov/vuln/detail/CVE-2019-17133
- CVE-2006-3459: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
- cfg80211: wext: Reject Malformed SSID Elements: https://marc.info/?l=linux-wireless&m=157018270915487&w=2
- CVE-2019-16746: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16746
- BootHole: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- Stagefright: Scary Code in the Heart of Android: https://www.youtube.com/watch?v=71YP65UANP0
- io_uring: Truncate Lengths Larger than MAX_RW_COUNT on Provide Buffers: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)