Hello Linux Gurus,
I am seeking divine inspiration.
I don’t understand the apparent lack of hypervisor-based kernel protections in desktop Linux. It seems there is a significant opportunity for improvement beyond the basics of KASLR, stack canaries, and shadow stacks. However, I don’t see much work in this area on Linux desktop, and people who are much smarter than me develop for the kernel every day yet have not seen fit to produce some specific advanced protections at this time that I get into below. Where is the gap in my understanding? Is this task so difficult or costly that the open source community cannot afford it?
Windows PCs, recent Macs, iPhones, and a few Android vendors such as Samsung run their kernels atop a hypervisor. This design permits introspection and enforcement of security invariants from outside or underneath the kernel. Common mitigations include protection of critical data structures such as page table entries, function pointers, or SELinux decisions to raise the bar on injecting kernel code. Hypervisor-enforced kernel integrity appears to be a popular and at least somewhat effective mitigation although it doesn’t appear to be common on desktop Linux despite its popularity with other OSs.
Meanwhile, in the desktop Linux world, users are lucky if a distribution even implements secure boot and offers signed kernels. Popular software packages often require short-circuiting this mechanism so the user can build and install kernel modules, such as NVidia and VirtualBox drivers. SELinux is uncommon, ergo root access is more or less equivalent to the kernel privileges including introduction of arbitrary code into the kernel on most installations. TPM-based disk encryption is only officially supported experimentally by Ubuntu and is usually linked to secure boot, while users are largely on their own elsewhere. Taken together, this feels like a missed opportunity to implement additional defense-in-depth.
It’s easy to put code in the kernel. I can do it in a couple of minutes for a “hello world” module. It’s really cool that I can do this, but is it a good idea? Shouldn’t somebody try and stop me?
Please insert your unsigned modules into my brain-kernel. What have I failed to understand, or why is this the design of the kernel today? Is it an intentional omission? Is it somehow contrary to the desktop Linux ethos?
What is your threat model? If someone gains root they can do whatever they want. No security will protect you from that.
If a browserjack malware does a complicated zero-click attack to gain root when you accidently typo a website, unfettered access to the system by root is a big problem. This is why SELinux exists. This is why browser sandboxing exists. This is why virtualization of modules and drivers and so on exists. This “security theatre” as you call it is to provide protection. Is protection guaranteed? No, but it’s the difference between locking your door at night and leaving it wide open.
Jesus H Christ youre running your browser as root?
Unless you mean an oceans 11-esque double zero-day exploit that jacks the userspace browser, stacked on a root-level privilege escalation zero-day on arguably the most secure OS in the world.
I think we have insanely different threat models
And yet, state actors have done exactly what you’ve laid out. This is challenge accepted to a hacker.
So your threat model is state level hackers?
On desktop PC’s?
Any malicious actor in the universe would love to be able to make a bot net out of 90% of the worlds computers, doesn’t make it any less plausible out of movies
There are no zero click root on any platform. That’s not how it works.
Browsers don’t run as root and all of the browser processes are sandboxed with least privilege being enforced. So many things would need to go wrong.
Precisely! It’s about making compromise expensive, multi-layered, driving up the cost so it becomes fiscally unattractive for the attacker.
The threat model is that root shouldn’t have to be a lose condition. It is certainly very bad, but there should be some things root cannot do, like modify the kernel, while still being the highest privilege level designed into the system. SELinux rules severely constrain the root user on Android for example to frustrate a total system compromise even if an attacker gains root.
The attacker must then find a way to patch the kernel to get the unconstrained root that we have today on Linux desktops.
A root use can modify the kernel on disk and then trigger a reboot. You need either containers or full virtualization to protect against that.
This cannot be done on most consumer OSs like Macs or Windows, or Android smartphones, because secure boot would refuse to load a modified kernel from the disk. It is possible on typical desktop Linux installations if they don’t implement secure boot.
Root access on any of these platforms would still result in persistent low level system access
On Android, secure boot causes boot loader validation, kernel validation, and subsequent validation by the kernel of all application code that is loaded into the system. You need an additional bug to obtain persistent access if the code has not been signed by an authorized party.
This is why iPhone jailbreaks are bifurcated into teathered and unteathered — many modern OSs require a second bug to survive a reboot and achieve persistence. The introduced code won’t pass signature check.
Secure boot is build on a model of proprietary software and antiuser freedom. For secure boot to do anything you first have to restrict what software the user can run which is already a no no. If you ignore that secure boot is often riddle with security problems and many companies use default keys. Your average device has multiple exploits.
Also, why would it matter if an adversary gain root vs kernel level access? Root can do anything so it wouldn’t matter much.