From owner-freebsd-hackers Thu Feb 14 15:39:23 2002
Date: Thu, 14 Feb 2002 15:39:18 -0800
From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: "PSI, Mike Smith" <mlsmith@mitre.org>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Kernel after halt issued
Message-ID: <20020214153918.D36782@blossom.cjclark.org>
References: <3C6C0965.206509B4@mitre.org>
In-Reply-To: <3C6C0965.206509B4@mitre.org>; from mlsmith@mitre.org on Thu, Feb 14, 2002 at 02:00:53PM -0500
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Thu, Feb 14, 2002 at 02:00:53PM -0500, PSI, Mike Smith wrote:
> I just heard someone say that they believed that the kernel was still
> running after a halt is issued, but just cannot (won't?) create any
> processes. So while I realize this person may not know what they are
> talking about (and am showing my own ignorance for even listening), the
> question is...
>
> Is the kernel still running after a halt?

I don't think it will work. As a simple test, I pinged the box when it
was up. It ponged fine. I shut it down (shutdown -h now) to the

  The operating system has halted.
  Please press any key to reboot.

prompt and pinged again. Silence.

Since the ICMP responses all live in the kernel's IP stack, I don't
think there is an IP stack running.

> If it is, then there are very interesting possibilities for building in
> very specific capabilities in the kernel, then under "halt" condition
> have those capabilities available. AND NOTHING ELSE! Interesting from a
> security standpoint. Plus it would not require you to strip your system
> down to bare bones to eliminate holes. You could bring it up to a fully
> capable system at any time it was necessary.

It sounds like a bad trade to me anyway. Compare a box in the shutdown
state, a kernel running with no userspace, to a box up and running
with absolutely no userland processes listening. In either case, the
only way someone can break the box remotely is with an exploitable,
remote vulnerability in the kernel. A DoS attack on the kernel has
identical results in either case. In both cases, the attacker owNz yr
b0>< if they find an exploitable bug. There is the slight advantage
with no userland that the attacker may have a harder time doing
something they consider useful with the owned box and establishing
themselves so that they retain control (but neither is impossible).

The kernel-only box also has a HUGE security disadvantage that pretty
much makes it a non-starter IMHO: no logging.
--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org