28

When most Linux users hear "root", they think of the maximum possible privilege on a computer. Some even think that root runs in ring 0. But in reality, root is just a regular user running in ring 3, albeit one which the kernel trusts (many sensitive kernel operations are guarded with checks along the lines of if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) return -EPERM; to prevent abuse, which simply returns an error if uid != 0).

On most Linux systems, the kernel trusts root so much that it can easily exploit the kernel and gain access to ring 0 at will. However, it is often possible with security tools such as grsecurity, SELinux, etc, to prevent this by reducing root's dangerous abilities, and enforcing these restrictions on the kernel level.

I would like to enumerate a list of methods by which root could exploit the kernel to gain access to kernel mode and ring 0. So far, these are the methods I have thought or learned of by which this could happen, along with potential mitigations:

  • ioperm() and iopl() can set I/O port permissions and can be abused to write to arbitrary regions of memory, including memory where the kernel resides. These syscalls can be disabled by removing them from the syscall table or with grsecurity.
  • Root can just modify the kernel image in /boot or through the block device. A MAC can restrict root's access to both of these.
  • /dev/{k,}mem are designed to allow rw access to arbitrary memory. These can be disabled completely in the kernel config, by using grsecurity, or with a MAC.
  • Some MSRs can be used to write to arbitrary memory. Denying writing to MSRs either by disabling them in the kernel config or with grsecurity mitigates this issue.
  • kexec allows root to select an alternate kernel to boot into. This is an optional kernel feature, so simply compiling the kernel without kexec support is enough to make this a non-issue.
  • sysfs provides low level access to much of the hardware, which can hijack a poorly locked-down BIOS/UEFI on many vulnerable systems to gain ring 0, or even ring -2 access. A MAC can restrict access to /sys, and various tools can detect vulnerabilities in UEFI/BIOS.
  • If root is allowed to load ACPI tables at runtime (DSDT, SSDT, etc), it can cause the kernel to execute AML, which is ACPI bytecode, and change how the kernel behaves and reacts to the hardware it runs on. I know little about ACPI and AML, but this sounds like an absolute recipe for disaster. Disabling loadable ACPI table support in the kernel should mitigate this.
  • Loading malicious kernel modules can directly hijack the kernel. This can be trivially defeated by requiring module signing, or by building a kernel without module support.

Obviously, I will be using principal of least privilege for root, rather than trying to blacklist all the possible ways it can break out of its chains. That doesn't change the fact that it is still extremely useful, and interesting, to understand all the ways it can abuse the kernel's trust.

And so that brings me to my question: Are there any other methods which root can use to gain access to ring 0, without using 0days and without exploiting opsec mistakes, which I have not covered here?

forest
  • 64,616
  • 20
  • 206
  • 257
  • What is your goal with this? – Neil Smithline Apr 07 '16 at 04:49
  • 6
    The goal is simply to understand in what ways root can compromise a system. On my own system, I have root limited quite strictly, but instead of assuming that my own whitelist approach is tight enough, I set out to learn more about the entire topic. – forest Apr 07 '16 at 06:42
  • Just to ask you, who will configure SELinux? Who will perform kernel update if necessary? And how he will do so if he is prevented? – Fis Sep 14 '19 at 08:57
  • @Fis Pre-isolated root can configure SELinux but, once it is enabled, even root cannot disable it (depending on configuration). For an LSM like SELinux, I believe that's CAP_MAC_OVERRIDE and CAP_MAC_ADMIN. – forest Sep 14 '19 at 09:01

2 Answers2

3

I can think of these:

  • Indirectly modifying kernel image or signed modules by changing update or other system configurations (point update server to yours, add your keys). Or by compromising infrastructure where the updates come from.
  • n-days. syzkaller reports quite a few bugs and some remain unfixed for a while. https://syzkaller.appspot.com/
  • Loading firmware onto a device that can directly interact with RAM (e.g. PCIe, firewire devices).
domen
  • 1,040
  • 10
  • 21
  • I think that n-days are out-of-scope because the question is about an up-to-date system. And loading firmware onto a DMA-capable device requires IO permissions which are explicitly disabled. – forest Sep 07 '19 at 06:35
  • Unfixed n-days. Firmware can be loaded through "normal" means by using kernel interfaces, replacing file on storage, changing update configuration. – domen Sep 08 '19 at 08:21
  • The assumption is that the kernel is up-to-date. If 0days are excluded, _a fortiori_, so are n-days. – forest Sep 08 '19 at 08:25
  • 1
    Maybe it's the terminology or maybe I'm misunderstanding you. I am talking about publicly known vulnerabilities for which there is no fix yet, so having an up to date system doesn't help. If you look at syzkaller url, I'm confident you could find an interesting use-after-free. – domen Sep 08 '19 at 08:55
  • 1
    It could be that you want to enumerate escallations that are there by design. – domen Sep 08 '19 at 08:56
  • 2
    Escalations by design is exactly it. – forest Sep 08 '19 at 08:57
  • Do you have any other examples? All of the ones you've provided in here were mentioned in the question, with the exception of n-days which I guess I didn't explicitly mention (I guess by 0days I just meant "unfixed security bugs" in general). The third idea you write is prevented by restricting `ioperm()` and the like. – forest Sep 17 '19 at 05:36
  • Oh, with #3 I actually mean `/lib/firmware` (or another location, if `/sys/module/firmware_class/parameters/path` is set) and other abstracted firmware loading mechanisms. But, yes, restricting `sysfs` access should do it. I'm struggling to come up with other examples. Btw, I guess you know that for some systems (some versions of Android at least) root/kernel is a security boundary. – domen Sep 17 '19 at 10:39
-7

Root is designed to do whatever he wants on the system! He is the system administrator. He is the boss there. There is no reason to limit him in any way! As there will always be a method to go in somehow - i.e. compile kernel space module, properly sign it and force kernel to load it on next reboot or modify some system files, certificates, whatever I can't see any reason to prevent him to do something.

I would rather recommend you to use less privileged accounts with assigning only necessary privileges and disable direct logins to the root account completely!

Fis
  • 1,200
  • 7
  • 10
  • 4
    **-1 This is incorrect.** Root can be restricted, and regularly is. This doesn't answer the question. – forest Sep 14 '19 at 02:54
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/98654/discussion-between-forest-and-fis). – forest Sep 14 '19 at 09:06
  • Maybe regulrly is but it is completely wrong way. – Fis Nov 14 '19 at 05:09
  • What is the wrong way? – forest Nov 17 '19 at 22:36
  • Preventing somebody to so something. Better to prevent him anything and allow just things we want allow him. – Fis Nov 18 '19 at 01:37
  • Well that's kind of how restrictions on root are done (whitelist, not blacklist). – forest Nov 18 '19 at 01:38
  • As I said, its bad. Root is root, it is supposed to do anything on the system, thats it. – Fis Nov 18 '19 at 01:39
  • That's not the consensus among infosec professionals who regularly deal with root restrictions, capabilities ("caps"), etc. Root is UID 0, but it need not be god. – forest Nov 18 '19 at 01:40
  • From my experience, if blacklisting method is in use usually something is forgotten. Its hard to control what is blacklisted and what is not without complete knowledge of the system. Also, any update can bring another features which are not... blackisted. – Fis Nov 18 '19 at 01:42
  • Changes in abilities to UID 0 are rare. Any good sysadmin will keep track of such changes before they are put in mainline. – forest Nov 18 '19 at 01:43
  • we can't trust that our system is maintained by good sysadmin, right? or he didnt get drunk yesterday. Or trust he will never make mistakes and will be in 100% form all the time... – Fis Nov 18 '19 at 01:45
  • If your system doesn't have a good sysadmin, they won't know how to restrict root correctly. It requires more than basic system knowledge to do it. – forest Nov 18 '19 at 01:47
  • sure. can you be 100% sure your employee are always good enough? also, please keep in mind they are focused on business rather on security... – Fis Nov 18 '19 at 01:48
  • Of course not. But that wasn't the question. – forest Nov 18 '19 at 01:49
  • Also, please note there will land a LSM or "lockdown" module in 5.4 kernel (already RC) so it may help to solve your problem. Seems to me finally good way to go. – Fis Nov 18 '19 at 01:52
  • Lockdown makes it simpler to do this so you don't have to trust that your sysadmin is always sober, but it has been possible for long before that LSM. – forest Nov 18 '19 at 01:53
  • But the approach seems to me opposite than before. – Fis Nov 18 '19 at 01:57
  • What do you mean? – forest Nov 18 '19 at 01:58
  • Just prevent anything rather than blacklist something and forget something else. – Fis Nov 18 '19 at 01:59
  • Again, if a sysadmin is liable to simply forget something or not keep up with changes for the kernel he's using, he's not fit to manage a system with high enough security requirements that root restrictions are necessary. – forest Nov 18 '19 at 02:07
  • Seems to me you live in another world than I do. There is not enough deeply experienced people in the market and quality of admins differ dramatically. – Fis Nov 18 '19 at 07:02
  • No one ever claimed that most sysadmins are capable of restricting root effectively. – forest Nov 18 '19 at 08:36
  • Did you already find how to limit root? And especially how to prevent root to change policies in order to do malicious actions again? – Fis May 23 '20 at 19:27
  • If the policy prevents root from changing key policy files, it'll do that. – forest Oct 12 '20 at 23:10