|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2019-11-15 13:10:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
Cook: Security things in Linux v5.3
Kees Cook catches
up with the security improvements in the 5.3 kernel.
"In recent exploits, one of the steps for making the attacker’s life
easier is to disable CPU protections like Supervisor Mode Access (and
Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU
control registers to disable these features. For example, CR4 controls SMAP
and SMEP, where disabling those would let an attacker access and execute
userspace memory from kernel code again, opening up the attack to much
greater flexibility. CR0 controls Write Protect (WP), which when disabled
would allow an attacker to write to read-only memory like the kernel code
itself. Attacks have been using the kernel’s CR4 and CR0 writing functions
to make these changes (since it’s easier to gain that level of execute
control), but now the kernel will attempt to 'pin' sensitive bits in CR4
and CR0 to avoid them getting disabled. This forces attacks to do more work
to enact such register changes going forward."
Kees Cook catches
up with the security improvements in the 5.3 kernel.
"In recent exploits, one of the steps for making the attacker’s life
easier is to disable CPU protections like Supervisor Mode Access (and
Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU
control registers to disable these features. For example, CR4 controls SMAP
and SMEP, where disabling those would let an attacker access and execute
userspace memory from kernel code again, opening up the attack to much
greater flexibility. CR0 controls Write Protect (WP), which when disabled
would allow an attacker to write to read-only memory like the kernel code
itself. Attacks have been using the kernel’s CR4 and CR0 writing functions
to make these changes (since it’s easier to gain that level of execute
control), but now the kernel will attempt to 'pin' sensitive bits in CR4
and CR0 to avoid them getting disabled. This forces attacks to do more work
to enact such register changes going forward."
