List: kde-devel
Subject: It's Official: NO security when you're running X Windows
From: Dave Feustel <dfeustel () mindspring ! com>
Date: 2006-05-01 4:40:05
Message-ID: 200604302340.05504.dfeustel () mindspring ! com
[from ONLamp.com: OpenBSD 3.9: Blob-Busters Interviewed
at http://www.onlamp.com/lpt/a/6557]
Federico: The default value for the X Aperture sysctl is now off.
What's so evil in modern video cards?
Matthieu Herrb: Loic Duflot demonstrated in an excellent paper [PPT slides]
(slides at http://www.cansecwest.com/slides06/csw06-duflot.ppt) at
CanSecWest that the hardware access privileges that the X server is granted
by the aperture driver can be abused to gain access to kernel privileges
(allowing to bypass the security level settings for example). The X server
paradigm of "userland drivers" exposes all hardware features to userland.
Some of these features (Loic used the Pentium System Management Mode,
but there are probably dozens of other similar features for this purpose) can
be used to bypass the memory protection and thus provide the X server
with full control of the kernel. OpenBSD developers went through the effort
of privilege separating the X server as its own user, but it doesn't help at all
for this issue. We've also tried to design a better protection scheme with the
current X design, but it appears to be almost impossible. The X server needs
to be redesigned to not require direct access to hardware. We think it is a very
urgent matter for true security will never be achieved otherwise. For the time
being the only advice we could give to OpenBSD users who want their system
to be secure is to keep allowaperture=0 and not use the X server on those
systems. Also note that other systems have no protection at all against this attack.
Dave Feustel
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
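
The advice quoted above, keeping allowaperture=0, can be checked against a boot-time configuration file. The following is an added example, not part of the original message or of OpenBSD; it assumes the full sysctl name is machdep.allowaperture as set in a sysctl.conf-style file, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the X aperture setting.
# Assumption: the full sysctl name is machdep.allowaperture (the message
# itself only says "allowaperture=0").

# Print the value the file assigns, or "unset" if it assigns none.
# Comments are stripped; lines are applied in order, so the last one wins.
aperture_from_conf() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*machdep\.allowaperture[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            val = kv[2]
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Return 0 if the file leaves the aperture closed, 1 if it opens it.
# "unset" counts as closed because the interview says the default is now off.
aperture_is_closed() {
    case "$(aperture_from_conf "$1")" in
        unset|0) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample input, not taken from a real system.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# machdep.allowaperture=2    (commented out, ignored)
machdep.allowaperture=0
machdep.allowaperture = 2    # later line re-opens the aperture
EOF
if aperture_is_closed "$demo_conf"; then
    echo "aperture closed"
else
    echo "aperture OPEN: machdep.allowaperture=$(aperture_from_conf "$demo_conf")"
fi
rm -f "$demo_conf"
```

On a running OpenBSD system the live value is reported by `sysctl machdep.allowaperture`; the file check catches a setting that would take effect at the next boot.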