Why Linux security has failed (for the past 10 years)

An honest look at the present (2009) situation and state of the art of Linux kernel security, and at what has failed for almost a decade.


October 24, 2009 | 9 minutes

Runtime binary loading via the dynamic loader on Apple Mac OS X

An article by Dan Goodin of The Register was recently published; it mentions a forthcoming presentation by Vincenzo Iozzo on a method to load a binary at runtime, directly from memory, on Mac OS X systems.

Here we like to stick to the technical side of things… so let’s get started on explaining how this can be done, in case you aren’t planning to attend Black Hat or just feel particularly curious about the topic!

Apple Mac OS X 10.4 temp_patch_ptrace(): Nonsense in kernel-land

Several software vendors realized, sometime during the 1990-2000 time-frame, that exporting system call tables within kernel address space was a bad idea. This obviously doesn’t mean anything to Red Hat and other GNU/Linux vendors, who happily ship world-readable System.map files. Not like anybody needs them, though.

Then again, contradictory measures have a comic side of their own, as Apple’s own mistakes show. This article won’t talk about yet another bug introduced by a Linux developer working at Red Hat (and later silently fixed by another employee of the very same company), but about an interesting issue in Mac OS X 10.4 systems on PowerPC.

Linux Kernel Silent Patching: VMI write_ldt_entry() local privilege escalation

Once again, the Linux kernel developers delight us with their ever discreet (meaning: silent, no-advisory, no-warning) and wonderful patching practices. Sometime between 2.6.24 and 2.6.25, a patch from a Red Hat developer was committed to the Linux kernel git tree, implementing changes to the VMI interface hooks for the functions dealing with the GDT and LDT.

diff --git a/arch/x86/kernel/vmi_32.c b/arch/x86/kernel/vmi_32.c
index 6ca515d..edfb09f 100644
--- a/arch/x86/kernel/vmi_32.c
+++ b/arch/x86/kernel/vmi_32.c
@@ -235,7 +235,7 @@ static void vmi_write_ldt_entry(struct desc_struct *dt, int entry,
        const void *desc)
 {
  u32 *ldt_entry = (u32 *)desc;
- vmi_ops.write_idt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
+ vmi_ops.write_ldt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
 }
 
 static void vmi_load_sp0(struct tss_struct *tss,
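Review bot: the one-token fix from write_idt_entry to write_ldt_entry carries no statement of what the wrong callback did, and it should: vmi_write_ldt_entry() receives a descriptor whose contents come from user space through modify_ldt(2), and before this change it passed ldt_entry[0] and ldt_entry[1], together with the LDT pointer and the LDT slot index, to the hypervisor's IDT write hook. The commit message should name that as a user-triggerable corruption of IDT state so it can be picked up for stable, and a short comment above the vmi_ops call noting that the two hooks take the same argument list (which is why the typo compiled) would help the next reader; the `u32 *ldt_entry = (u32 *)desc;` split itself is fine.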

The original commit mentions that the bug was discovered when the JRE caused failures, which confirms that it can be triggered by unprivileged user-land processes. It affects only 32-bit x86 VMI guests (the code lives in arch/x86/kernel/vmi_32.c).
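To show what the wrong callback hands the hypervisor, the added example below (not code from the kernel or from this site) packs a modify_ldt(2)-style request into the 8-byte segment descriptor the way the kernel's fill_ldt() does, then reads the same two 32-bit words (the ldt_entry[0] and ldt_entry[1] of the hunk above) as a 32-bit IDT gate descriptor. The segment and gate layouts are the architectural IA-32 ones; forcing DPL=3 and S=1 is assumed to match the 2.6.24-era fill_ldt(), and the base/limit values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Pack a modify_ldt(2)-style request into a 64-bit segment descriptor.
 * Field placement follows the IA-32 segment descriptor layout. Forcing
 * DPL=3 and S=1 mirrors what the kernel's fill_ldt() does for LDT slots
 * (assumption: exact match with the helper of that era). Everything
 * else (base, limit, type bits, P, AVL, D/B, G) is chosen by the
 * unprivileged caller.
 */
static uint64_t pack_ldt_descriptor(uint32_t base, uint32_t limit,
                                    int seg_32bit, int contents,
                                    int read_exec_only, int limit_in_pages,
                                    int seg_not_present, int useable)
{
    uint64_t d = 0;
    uint64_t type = (uint64_t)((read_exec_only ^ 1) << 1) | (uint64_t)(contents << 2);

    d |= (uint64_t)(limit & 0xffffu);                  /* bits  0-15: limit[15:0]     */
    d |= (uint64_t)(base & 0xffffu) << 16;             /* bits 16-31: base[15:0]      */
    d |= (uint64_t)((base >> 16) & 0xffu) << 32;       /* bits 32-39: base[23:16]     */
    d |= (type & 0xf) << 40;                           /* bits 40-43: type            */
    d |= (uint64_t)1 << 44;                            /* bit  44:    S=1 (code/data) */
    d |= (uint64_t)3 << 45;                            /* bits 45-46: DPL=3 forced    */
    d |= (uint64_t)(seg_not_present ^ 1) << 47;        /* bit  47:    P               */
    d |= (uint64_t)((limit >> 16) & 0xfu) << 48;       /* bits 48-51: limit[19:16]    */
    d |= (uint64_t)(useable & 1) << 52;                /* bit  52:    AVL             */
    d |= (uint64_t)(seg_32bit & 1) << 54;              /* bit  54:    D/B             */
    d |= (uint64_t)(limit_in_pages & 1) << 55;         /* bit  55:    G               */
    d |= (uint64_t)((base >> 24) & 0xffu) << 56;       /* bits 56-63: base[31:24]     */
    return d;
}

/* The two words vmi_write_ldt_entry() splits the descriptor into. */
static uint32_t desc_low(uint64_t d)  { return (uint32_t)d; }
static uint32_t desc_high(uint64_t d) { return (uint32_t)(d >> 32); }

/*
 * Read the same 8 bytes as a 32-bit IDT gate: offset[15:0] in bits 0-15,
 * selector in 16-31, type in 40-43, S in 44 (0 = system descriptor),
 * DPL in 45-46, P in 47, offset[31:16] in 48-63.
 */
static uint32_t gate_offset(uint64_t d)
{
    return (uint32_t)((d >> 32) & 0xffff0000u) | (uint32_t)(d & 0xffffu);
}
static uint16_t gate_selector(uint64_t d)  { return (uint16_t)(d >> 16); }
static unsigned gate_type(uint64_t d)      { return (unsigned)((d >> 40) & 0xf); }
static unsigned gate_is_system(uint64_t d) { return (unsigned)(((d >> 44) & 1) == 0); }
static unsigned gate_dpl(uint64_t d)       { return (unsigned)((d >> 45) & 3); }
static unsigned gate_present(uint64_t d)   { return (unsigned)((d >> 47) & 1); }

int main(void)
{
    /* Constructed request: a flat 32-bit data segment at a caller-chosen base. */
    uint64_t d = pack_ldt_descriptor(0x08048000u, 0xfffffu, 1, 0, 0, 1, 0, 0);

    printf("LDT words: low=0x%08x high=0x%08x\n", desc_low(d), desc_high(d));
    printf("Seen as an IDT gate: offset=0x%08x selector=0x%04x type=0x%x "
           "system=%u dpl=%u present=%u\n",
           gate_offset(d), gate_selector(d), gate_type(d),
           gate_is_system(d), gate_dpl(d), gate_present(d));
    return 0;
}
```

The interesting part is where the caller-controlled bits land: the gate's 32-bit offset is assembled from the segment limit, the G/D/AVL flags and the top byte of the base, and the gate's selector is the low 16 bits of the base, so a process choosing base and limit in modify_ldt(2) chooses what the hypervisor is asked to write into an IDT slot, with the slot index taken from the LDT entry number. Whether the hypervisor validated that write, and what a gate with S=1 does when the vector fires, is not something this page establishes, so the example stops at showing the shape of the data.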