[nycbug-talk] kernels

Bob Ippolito bob
Thu Jun 3 19:24:19 EDT 2004


On Jun 3, 2004, at 7:02 PM, Roland C. Dowdeswell wrote:

> On 1086302515 seconds since the Beginning of the UNIX epoch
> Bob Ippolito wrote:
>>
>
>> Well, I know that root isn't ring 0, but you can do a whole lot of
>> nasty stuff like rewrite the boot loader and reboot, or read/write
>> memory in other processes, shutdown the machine, wipe the partition
>> table, etc.  I'm not familiar enough with the implementation of the
>> *BSDs to know whether or not they try and disable any of these things
>> given an appropriate security setting.
>
> They do.  In high enough secure level, you cannot write to disks
> except through the file-system code, and cannot upgrade read-only
> mounts to read-write mounts, etc., etc.  You can still do a reasonable
> amount of damage, but if the system with some level of care it can
> be difficult to compromise---that is either by careful use of
> immutable flags, or by simply mounting most of the file-systems
> read-only.
>
> Of course you can shutdown the machine, but that's not much of a
> problem.

Sounds like a lot of work for a little real benefit.  Let's imagine for 
a second that I'm running an email server that I would like to be 
highly secure.  By some hook or crook, an attacker gets uid 0 on my 
highly secure machine.  They decide it would be funny to wipe out all 
of my mail spools and start sending spam.  Everything I wanted that 
machine to do is now ruined, and I need to wipe the disk and restore 
from tape or start over.  What's really left to protect if userspace is 
hosed?  I'm not sure if I should care whether or not they can talk on 
the PCI bus.

If my application *was* the kernel, maybe I'd care, but a kernel really 
isn't very useful on its own :)

-bob
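As an added example (not part of the thread, and not anyone's posted code): a small POSIX shell audit of the hardening Roland describes, checking that securelevel is raised, that given filesystems are mounted read-only, and that files carry the schg immutable flag. The mount(8) and ls -lo sample output is constructed so the checks run anywhere; the live run at the end assumes a *BSD host with sysctl(8) and mount(8) and is skipped elsewhere.

```shell
#!/bin/sh
# Audit the securelevel/immutable-flag/read-only-mount posture discussed above.

# Print 1 if the securelevel given as $1 is at least 1 (the level at which the
# BSDs stop raw disk writes and flag downgrades), else 0. Non-numeric -> 0.
securelevel_ok() {
    [ "$1" -ge 1 ] 2>/dev/null && echo 1 || echo 0
}

# Read mount(8)-style lines on stdin; for the mount point $1 print "ro" if it
# is mounted read-only, "rw" otherwise, or "absent" if it is not mounted.
mount_mode() {
    awk -v fs="$1" '
        $3 == fs { print (index($0, "read-only") ? "ro" : "rw"); found = 1 }
        END      { if (!found) print "absent" }'
}

# Read ls -lo style lines on stdin (flags in column 5) and print the names of
# entries that lack the schg flag, i.e. files root could still modify.
missing_schg() {
    awk 'NF >= 10 && $5 !~ /schg/ { print $NF }'
}

# Constructed sample output, so the checks can be exercised on any system.
SAMPLE_MOUNT='/dev/wd0a on / (ffs, local, read-only)
/dev/wd0e on /var (ffs, local)'
SAMPLE_LS='-r--r--r--  1 root  wheel  schg  1234 Jun  3 19:24 /etc/rc
-rw-r--r--  1 root  wheel  -     2048 Jun  3 19:24 /etc/rc.conf'

echo "sample: securelevel 2 ok? $(securelevel_ok 2)"          # 1
echo "sample: / is $(printf '%s\n' "$SAMPLE_MOUNT" | mount_mode /)"       # ro
echo "sample: /var is $(printf '%s\n' "$SAMPLE_MOUNT" | mount_mode /var)" # rw
echo "sample: not immutable: $(printf '%s\n' "$SAMPLE_LS" | missing_schg)" # /etc/rc.conf

# Live audit, only where kern.securelevel exists (i.e. on a BSD host).
if command -v sysctl >/dev/null 2>&1 && sysctl -n kern.securelevel >/dev/null 2>&1; then
    echo "live: securelevel ok? $(securelevel_ok "$(sysctl -n kern.securelevel)")"
    echo "live: /usr is $(mount | mount_mode /usr)"
    ls -lo /etc/rc /etc/rc.conf 2>/dev/null | missing_schg
fi
```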