-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Many kernel task handle function lack of permission check when calling it #5794
Comments
@peanuts62 TizenRT has no permission on task management. I don't know what issue is with the attack cases above. |
The issue was that there is no permission control method or task in TizenRT. If the developer uses this framework to create several tasks, and one of the tasks has an exploitable vulnerability in the user mode, the attacker can use ROP or It is the way of shellcode execution to call these syscalls to create a high-priority task and to modify or close the task of key services, in which the kernel does not do any isolation and inspection. The correct way should be to properly isolate the operations between tasks. In addition, I want to report another issue here. There is an MPU design under the arm architecture. The documentation is here https://github.com/Samsung/TizenRT/blob/master/docs/HowToUseMPU.md , the mpu design book It is to isolate the kernel and user mode, so as to ensure that the problem of user mode will not affect the kernel, but the same as the above situation, if there is a vulnerability in user mode that can ROP or execute shellcode, then the attacker can easily call mpu_control(false) invalidates the settings of the mpu to obtain user data protected by the mpu or change the mpu protect memory. Those functions didn’t any protect when the attacker call them. we are working on the protection architecture for those vulnerability, if you want to know more detail about protection architecture can connect [email protected] |
I want to follow up on the discussion by clarifying the security issues described at the very beginning. |
In the
os/kernel/task/
have many task or kernel thread handle function. But all of them were lack of checking for calling task.So if a normal task calltask_delete
with a high level task pid or calltask_create
set a high priority or a large stack it will keeps taking up other tasks and eventually becomes Dos.attack case 1:
attack case 2:
List of kernel task function which lack of permission check when the task call it
The text was updated successfully, but these errors were encountered: