Memory security on grsec with ACL mode enabled

Postby cmouse » Mon Jan 12, 2004 2:17 pm

How secure is this, like can I access arbitrary memory regions as root? Memory can be accessed by other means than /dev/mem or /dev/kmem.

An example of this is rebooting the machine. Afaik it can be done by simply altering a byte in memory.
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby axehind » Tue Jan 13, 2004 11:05 pm

It's pretty secure if you use the memory protection enabled in the kernel in addition to the protection the acl provides.
axehind
 
Posts: 13
Joined: Mon Jul 01, 2002 1:32 pm

Postby cmouse » Fri Jan 16, 2004 2:32 pm

Can this be proven? I don't know the kernel source very well, but what is the protection that is provided by grsecurity against BIOS/APIC/ACPI access as root?
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby cmouse » Tue Jan 20, 2004 8:38 am

Either my question is trivial or wrongly put, but I would still appreciate a comment from f.ex. spender to prove that, since /dev/?mem is not the only way into the machine's memory, the security exists. There are several different methods which could be used to point into kernel / device memory regions. Is there anything to stop these other ways, such as directly accessing the memory? If my question is trivial or somehow stupid please let me know as well.
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby PaX Team » Mon Feb 02, 2004 12:58 pm

cmouse wrote: Either my question is trivial or wrongly put, but I would still appreciate a comment from f.ex. spender to prove that, since /dev/?mem is not the only way into the machine's memory, the security exists. There are several different methods which could be used to point into kernel / device memory regions. Is there anything to stop these other ways, such as directly accessing the memory? If my question is trivial or somehow stupid please let me know as well.

can you be more specific as to what methods (and the context in which they're to be used) you're talking about?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby cmouse » Sat Feb 07, 2004 6:36 pm

Sorry for the delay...

Anyway, there are several ways you can access memory:
1. Just point a ptr at it and attempt to read, since root has access to all memory. Perhaps you can even write to it then?
2. Dig through the swap region.
3. Use some device as a point of entry.

I am not an expert in this field, but people far more advanced in this area told me that there are several methods by which root can access memory. I just wonder which ways are covered by grsecurity...
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby siti » Sat Feb 07, 2004 9:48 pm

I think every process can only access its own memory, even if it is root. I think it's only the kernel that can access all memory, except through the special devices that grsecurity disables (/dev/kmem etc.).
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm

Postby torne » Sun Feb 08, 2004 7:12 am

cmouse wrote: 1. Just point it to ptr and attempt to read since root has access to all memory. Perhaps you can even write to it then?

This doesn't work, because pointers point to virtual address space, not physical address space. Memory protection is implemented in hardware and does not know or care whether the accessing process runs as root; only the kernel can make arbitrary mappings of physical memory. Userspace programs can only read/write memory that is not theirs via the kernel. Root does not have access to all memory, except through /dev/[k]mem.
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby cmouse » Sun Feb 08, 2004 1:47 pm

Oh, and then there is the question about BIOS/ACPI regions. Are they protected as well from read/write by root?
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Postby torne » Sun Feb 08, 2004 3:15 pm

You can't point at the BIOS or ACPI regions either, whether you are root or not; they are just memory, the same as all other memory, and thus my above comment still applies. If any write access is granted to those regions via a proc/sysfs entry or via any kernel driver, then they'll be writable by whoever has permission to write to those entries (i.e. root); but I'm not aware of any such entries/drivers.
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm
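
Added example, not part of any post in this thread: a small C program illustrating torne's two replies above, that a pointer is a virtual address and the hardware rejects an unmapped access whatever the UID. The helper `probe_read` and the sample address 0xF0000 (start of the legacy PC BIOS ROM window in physical memory) are assumptions chosen for illustration.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample value: physical address of the legacy BIOS ROM window.
 * Stored in a pointer it is only a virtual address in this process. */
#define BIOS_PHYS_ADDR ((uintptr_t)0xF0000)

/* A byte that really is mapped into this process, for comparison. */
static volatile unsigned char own_byte = 0x5a;

/* Hypothetical helper: read one byte at addr in a forked child, so a fault
 * kills only the child. Returns 0 if the read succeeded, the fatal signal
 * number if the MMU rejected it, or -1 if fork/waitpid failed. */
int probe_read(uintptr_t addr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v = *p;   /* faults here if addr is not mapped */
        (void)v;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    /* Run as root and as an ordinary user: the results are the same. */
    int own = probe_read((uintptr_t)&own_byte);
    int bios = probe_read(BIOS_PHYS_ADDR);
    printf("euid=%d\n", (int)geteuid());
    printf("own variable      -> signal %d\n", own);
    printf("0xF0000 (virtual) -> signal %d (SIGSEGV is %d)\n", bios, SIGSEGV);
    return 0;
}
```

The second probe ends in SIGSEGV because nothing is mapped at virtual address 0xF0000 in an ordinary process; reaching the physical BIOS window would take a kernel-provided mapping such as /dev/mem.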

Postby einsteinmg » Mon Mar 01, 2004 3:27 pm

What about computers with Firewire?

Firewire has direct memory access, without involving the CPU.

Is there a possibility to restrict this access? Maybe in the Firewire driver?
einsteinmg
 
Posts: 4
Joined: Fri Feb 06, 2004 4:52 am

