[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?

Gordan Bobic gordan at bobich.net
Fri Jul 6 11:14:28 BST 2012


On 07/06/2012 10:50 AM, Lauri Kasanen wrote:
> On Thu, 05 Jul 2012 09:21:47 -0700
> freebirds at fastmail.fm wrote:
>
>> Gordon Bobic asked: "If you are running a Linux kernel that will only
>> load signed modules, how do you propose the perpetrator would
>> inject a custom, unsigned virtualization module into your running kernel
>> to leverage virtualization extensions to do something nasty to the
>> running OS?" I do not know.
>
> http://lwn.net/Articles/472651/
>
> I don't claim to be an expert on this topic, but I trust the grsec people, and they have repeatedly claimed that even disabling modules entirely does not prevent someone determined from loading code to the vanilla kernel.
>
> If disabled modules still allow that, then surely signed modules are no better.

Sure, but that still doesn't explain how they got into the machine and 
gained root access. If they managed to gain root access to your machine 
they already have full control. You need to establish the initial attack 
vector and plug that.

Bottom line - you need to stop the perp from gaining shell access in the 
first place. After that you are just fighting an increasingly losing battle.

Gordan


