undefined | Better HN

0 pointsJoel_Mckay2mo ago0 comments

Most production OS I saw would do this on boot-up completion:

echo 1 > /proc/sys/kernel/modules_disabled

Which is supposed to block dynamic loading modules until a reboot.

It would be interesting if the PoC can get around that trick too. =3

0 comments

worthless-trash2mo ago

Once you have memory write as ring0, all protections are dubious at best.

Why bother loading a module when you can inject code into any function you want.

Joel_MckayOP2mo ago

The encrypted page memory manager hardware in some ancient Sun systems prevented a lot of these context isolation problems. However, the modern IT landscape chose consumer grade processor architecture and bodged GPUs as the cloud infrastructure foundation.

Thus, there currently is economic inertia entrenching vulnerable system design. I don't think there is a company large enough to change the situation anytime soon, as the market has spoken. =3

Rule #3: popularity is not an indication of utility.

lima2mo ago

If Kernel Lockdown is enabled, a zero-day exploit is required to bypass module restrictions without a reboot.

Unfortunately, threat actors tend to have a stash of them and the initial entry vector often involves one (container or browser sandbox escape), and once you have that, you are in ring 0 already and one flipped bit away from loading the module.

The Linux kernel is not really an effective privilege boundary.

Imustaskforhelp2mo ago

So what would you recommend instead? To run workflows in VMs?

Joel_MckayOP2mo ago

A kvm hypervisor is not perfect, as sandbox escape was demonstrated even with https://qubes-os.org/ . On modern AMD/Intel/ARM64 consumer processors it is not possible to completely prevent bleeding keys across regions.

Only the old Sun systems with hardware encrypted mmu pages could actually enforce context isolation.

If performance is not important, and people are dealing with something particularly nasty... than running an emulator on another architecture is a better solution. For example, MacOS M4 with a read-only windows amd64 backing-image guest OS is a common configuration.

https://github.com/86Box/86Box/releases

https://github.com/Moonif/MacBox/releases

Best of luck =3

1 more reply

worthless-trash2mo ago

Or only allow signed kernel modules. Aka secure boot.

This doesn't solve all vectors but afaics this will prevent non signed modules from loading.

j / k navigate · click thread line to collapse

0 comments

worthless-trash2mo ago

Once you have memory write as ring0, all protections are dubious at best.

Why bother loading a module when you can inject code into any function you want.

Joel_MckayOP2mo ago

Thus, there currently is economic inertia entrenching vulnerable system design. I don't think there is a company large enough to change the situation anytime soon, as the market has spoken. =3

Rule #3: popularity is not an indication of utility.

lima2mo ago

If Kernel Lockdown is enabled, a zero-day exploit is required to bypass module restrictions without a reboot.

The Linux kernel is not really an effective privilege boundary.

Imustaskforhelp2mo ago

So what would you recommend instead? To run workflows in VMs?

Joel_MckayOP2mo ago

Only the old Sun systems with hardware encrypted mmu pages could actually enforce context isolation.

https://github.com/86Box/86Box/releases

https://github.com/Moonif/MacBox/releases

Best of luck =3

1 more reply

worthless-trash2mo ago

Or only allow signed kernel modules. Aka secure boot.

This doesn't solve all vectors but afaics this will prevent non signed modules from loading.

j / k navigate · click thread line to collapse