Difference between revisions of "Inactive Projects"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
m
Line 21: Line 21:


This could include approaches such as manual audits, static analysis, fuzzing testing, etc.
This could include approaches such as manual audits, static analysis, fuzzing testing, etc.
= Development =
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. They have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations.
== Symlink Protection ==
A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user).
The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless who is following them).
Some links to the history of its discussion:
* 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
* 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
* 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
* 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html
Past objections and rebuttals could be summarized as:
* Violates POSIX.
** POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
* Might break unknown applications that use this feature.
** Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
* Applications should just use mkstemp() or O_CREATE|O_EXCL.
** True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.
[http://kernel.ubuntu.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/symlink proposed upstream patch]

Revision as of 22:11, 12 November 2012

There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at kernel-hardening@lists.openwall.com and mention what you're covering.

Process Improvements

Security Code Review Guidelines

This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys laying around.

Patch Signing

This project would provide support to determine if patches have been modified or tampered since they were signed.

Verification of Critical Subsystems

This project would provide verification of critical subsystems such as:

  • Networking
  • Network file systems
  • KVM
  • Cryptographic library
  • Kernel build infrastructure

This could include approaches such as manual audits, static analysis, fuzzing testing, etc.

Development

There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. They have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations.

Symlink Protection

A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user).

The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless who is following them).

Some links to the history of its discussion:

Past objections and rebuttals could be summarized as:

  • Violates POSIX.
    • POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
  • Might break unknown applications that use this feature.
    • Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
  • Applications should just use mkstemp() or O_CREATE|O_EXCL.
    • True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.

proposed upstream patch