Anatomy of a kernel attack

Take Away

I have described only two of many possible security issues. Other problems include format string bugs, off-by-one errors, out-of-bounds reads, and more – all of which have affected past versions of Linux. Preventing an attack is often easy once the mechanics of the security issue are known – unless the compiler plays tricks on the programmer. Some issues are easily found with static code analysis; others require thorough testing. As a rule of thumb, automated tests should always include "critical" boundary values, such as 128 for 8-bit values. Test cases should also cover known older issues, to prevent them from being reintroduced (such as the Ping of Death in Windows IPv6). Surprisingly, static code analysis and automated testing are rare in many projects. OpenBSD is a notable exception, which is one reason for its reputation for security. Linux adopted static code analysis recently, and it has helped find and fix many security issues.


The Author

Tobias Eggendorfer is a professor for IT security in Ravensburg in the far south of Germany. He is also a freelance IT security consultant and data protection officer (http://www.eggendorfer.info). He is constantly surprised by data processors claiming they cannot be hacked because they use TLS. Such reports do not exactly match his experience.
