[lug] Steganography (was: newbie question - rc.sysinit)

rm at mamma.varadinet.de rm at mamma.varadinet.de
Sat Jul 14 06:45:22 MDT 2001 

On Sat, Jul 14, 2001 at 12:09:14AM -0600, Chris Riddoch wrote:
> > The main concern I'd have is getting the private signature. If you
> > manage some means to defeat actual overwrite of the kernel on the
> > drive and the boot sector, then any crack would be successful only
> > until the next reboot.
> 
> Not necessarily. If you manage to track down what the kernel is doing
> when it loads the module, through each and every step, then the hacker
> grabs the signature (which has been revealed by examining the running
> kernel) and simply signs her module with the same key you took such
> pains to protect.  Puts it in the appropriate place, changes some
> files, and now the module looks just as secure as all the rest because
> it was signed with the very same signature.  No reboots necessary.

That reminds me of a crack of some commercial cryptography program:
They had a very clever cryptographic function that would return 0 on
success and -1 on failure. To crack the program just meant that one
would need to change the one (!) assembler instruction after the call
to the key checking function (jump on zero -> jump on non-zero). If
you have access to the kernels address space you only need top patch
the functions that _call_ the signature checking functions.

> > Interesting to me is that there has been recent kernel devel list
> > talk about what would be required to install new kernels without
> > rebooting...nobody really wants to go through the pain of making
> > that possible, so I doubt it would ever happen, but it would make
> > for interesting security problems.

There actually are good reasons for having this feature (at least for
high availability servers).

[...]

> 
> > To flash the bios, you have to sit at the console. You can't do it with
> > root privilege from a remote login. Very very few of all cracked
> > machines (that I've heard about) in the news (or just in security group
> > postings) involve someone physically entering the room and flashing your
> > bios (which is no longer a software issue).
> 
> Don't be so sure that physical access is necessary. Most bioses are
> software-updatable, these days. Mine is, I bet yours is, too. No
> hardware twidling. A quick google search found this:
> 
> http://www.firmware.com/support/bios/flashchp.htm
>    "Flash chips are a relatively new type of non-volatile memory chip
>    that can be erased and reprogrammed without being removed from the
>    system they are used in....This allows motherboard manufacturers to
>    make BIOS updates available electronically (such as through FTP
>    sites...)  instead of requiring chips to be removed and replaced."

Yup. A really nasty cracker could actually replace the bios ith Linux!
(given that the hardware is supported by the Linux Bios Project ;-)


[...]

> 
> And here's my proposal: have a look at the "capabilities" attribute in
> the kernel.  It's rather Un-Unix-like, 

really? I thought BSD supports  capabilities since quite a while (same
with AIX if memory serves me right).

> but it does away with the idea
> of "Root can do everything, some programs can be granted root
> abilities while still letting users run them safely".  The Unix Way
> is, in principle, not so bad, but the whole idea could be changed...
> 
> User A is allowed to tweak with modules.  No other users are.  User B
> is allowed to listen on sockets on ports below 1024.  Your network
> daemons run as user B.  Cracker gets in on a buffer overflow, ends up
> as user B, and can't tweak with modules because user B can't do that.
> Only user A can do that.  All the hacker can do is, well, listen on
> sockets.  (And whatever is allowed by all users)
> 
> The idea is, you assign more specific labels to the privileges of the
> users on the system in order to minimize the scope of access provided
> by a breach, and to grant some access to normal users without letting
> them take over the server.  At least, that's my understanding of it.
> Someone correct me if I'm misrepresenting it.  I haven't actually
> taken the Operating Systems class yet.
> 

 Ralf

More information about the LUG mailing list