Hi all,
After reading the recent CORE advisory about the mbuf handling bug, I
was wondering if some of OpenBSD's exploit mitigation strategies could
also be applied to the kernel in order to prevent exploitation of kernel
bugs. Theo's presentation about exploit mitigation (
http://openbsd.org/papers/ven05-deraadt/index.html ) mentions Stackgap,
ProPolice/SSP, W^X/NX bit, ld.so randomization, randomized malloc,
.rodata segment, StackGhost (on Sparc/Sparc64), privilege
revocation/separation, which all seem to have been introduced in order
to protect buggy userland code from being exploited (please correct me
if I'm wrong).
Are there any known techniques for also protecting kernel code, which
could be implemented in OpenBSD, i.e., would it be technically feasible
(or would it make any sense) to implement some address randomization to
a kernel image after it has been initially loaded into memory? Does W^X
also apply to kernel code, i.e., could it be applied in order to prevent
maliciously introduced code from execution inside the kernel? In other
words: is a bug-free kernel the only way to eventually render a system
secure against such attacks? And if this is so, does this mean that
microkernel designs are in fact inherently more secure than monolithic
kernels, because they allow for a better reduction of the attack surface
which can't be achieved with alternative strategies? In other words:
regarding security, is Prof. Tanenbaum actually right with his
preference for microkernels in his books about operating systems?
I'm aware that my questions must look quite silly to you kernel
developers, but I have been wondering about these things for quite some
time now -- it would be great if someone could shed some light on this, or
just point me to some relevant literature.
Regards,
Andreas
Subject: Exploit mitigation techniques and kernel code (Andreas Bartelt)