
List:       kde-devel
Subject:    It's Official: NO security when you're running X Windows
From:       Dave Feustel <dfeustel () mindspring ! com>
Date:       2006-05-01 4:40:05
Message-ID: 200604302340.05504.dfeustel () mindspring ! com


[from ONLamp.com: OpenBSD 3.9: Blob-Busters Interviewed
at http://www.onlamp.com/lpt/a/6557]

Federico: The default value for the X Aperture sysctl is now off. 
What's so evil in modern video cards?

Matthieu Herrb: Loic Duflot demonstrated in an excellent paper [PPT slides] 
(slides at http://www.cansecwest.com/slides06/csw06-duflot.ppt) at 
CanSecWest that the hardware access privileges that the X server is granted 
by the aperture driver can be abused to gain access to kernel privileges 
(allowing to bypass the security level settings for example). The X server 
paradigm of "userland drivers" exposes all hardware features to userland. 
Some of these features (Loic used the Pentium System Management Mode, 
but there are probably dozens of other similar features for this purpose) can 
be used to bypass the memory protection and thus provide the X server 
with full control of the kernel. OpenBSD developers went through the effort 
of privilege separating the X server as its own user, but it doesn't help at all 
for this issue. We've also tried to design a better protection scheme with the 
current X design, but it appears to be almost impossible. The X server needs 
to be redesigned to not require direct access to hardware. We think it is a very 
urgent matter for true security will never be achieved otherwise. For the time 
being the only advice we could give to OpenBSD users who want their system 
to be secure is to keep allowaperture=0 and not use the X server on those 
systems. Also note that other systems have no protection at all against this attack.

Dave Feustel
-- 
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
 