On Tuesday 02 May 2006 10:46, Mark Williamson wrote:
> > Thanks for the responses.
> > For those interested in the gory details of a proof-of-concept exploit,
> > it's all laid out in the 16-page pdf by Loic Duflot:
> > http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper
> Ah, interesting.
> It turns out this exploit is something new, in that it's not something I'd
> heard of before. But it looks mostly interesting to OpenBSD. Why? Because
> OpenBSD has more sane controls on the X Server than Linux, and so the fact
> that it can elevate privileges is worrisome. Since on Linux it (often) runs
> with superuser privileges anyhow, this attack isn't the main problem...
> Their exploit *does* show that mmap of the video ram, combined with the
> ability to access IO port 0xB2 is enough for a root exploit... I don't know
> if fbdev is restrictive enough to prevent this - OBSD have obviously tried to
> minimise X11's privileges and still found it circumventable.
> Nevertheless, Xen offers confinement. Also, as Keir pointed out, there are
> stricter restrictions on what even dom0 can do (and these can be made even
> more strict).
If it turns out that Xen has the capability to prevent this exploit in
virtualized operating systems, that capability could become a big inducement
to use Xen all the time - certainly in my case.
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"
Xen-devel mailing list