Recently @Dje4321 pointed out the various security improvements of Android due to SELinux and I was wondering, if SELinux shouldn't prevent DRAMMER - Rowhammer on Android - or if I did get something wrong? I mean sure, hammering and getting root still works, but there isn't much the attacker should be able to do, is there?
Drammer is a memory exploit but selinux is a filesystem thing, so yeah with hammering one can escelate privileges but if selinux is configured properly, there's nothing root can do, since selinux doesn't care about user discretion.
Dunno what the situation about seandroid in general is, as in implementation by manufacturers, but samsung at least has it configured well; no undefined policies and every app runs in their own domains (mcs)
This will be very layman about how Rowhammer actually works but stick with me
Rowhammer exploits a problem with DDR ram called bit flipping. Bit flipping works by writing to ram faster than it can handle. This will cause adject bits next to the area too be flipped. Now a attacker could leverage this by flipping bits in a very specific way to change the memory in a different process.
So if you had 2 bytes of right next to each other and you started writing to the first byte extremely fast then the adjacent byte might change ever so slightly.
Before bit flipping
After bit flipping
Now imagine that secord byte being a pointer to some ram where the process executes code. So you can flip the bits in a correct way where the process will start executing from ram you control.
So what can SELinux do about this? SElinux could monitor the processs and catch it jumping to ram it does not control but there is nothing stopping you from just bit flipping the execute part of ram that the process uses. Now you enter a cat and mouse game where you just keep one step ahead of the curve. So how do you actually stop this? Short answer. Wait for the hardware to get features to prevent this level of attack. Long answer. Add features to parts of the system like the kernel that check to see if parts of ram were unexpectedly moddifed and kills the process before something happens. You still do standard hacker things like just bitflip out the part that checks for bit flips. All your doing is moving the problem back one step
Thanks for the answer
Afaik SELinux can't prevent the bit flipping stuff, but even if the process gains
root privilegies, an attacker should be unable to leverage them, since SELinux will prevent malicious activity.
On the other hand, shouldn't
root user be able to simply deactivate SELinux and then exploit the system?
This paper shows in section 4 how different kind of
root exploits don't work properly anymore - or at least how an attacker is still crippled by SELinux.
But in the DRAMMER paper mentioned above, there is no mention of SELinux even though it has become standard on Android. Which is why, I'm unsure if I have missed something?
If disabling SELinux as
root is as simple as typing
setenforce 0 then there is not much to be gained from SELinux from a security standpoint, if SELinux does indeed prevent that, than uninstalling SELinux might turn into a nightmare.
setenforce 0 doesn't work if the root user is confined, the root user would need to change to for example selinux sysadmin user & role which can set the sestatus, which again, should be set to a different password than root has.
Ootb in linux selinux doesn't confine users at all, everyone is unconfined, and it's the unconfined rule that is the biggest weakness regarding security, since it means users can do whatever they want.
It's up to the admin to confine the users, but there's preconfigured selinux user roles that can easily be set, like user_u for normal users and sysadm_u for root.
Speaking of which;
Gonna do another more in depth vid sometime during weeks 29-31 when I'm on holiday, super busy with life atm
root is the end all of users. once ypu get root that is it. there is nothing you can't do to a aystem. SElinux will and should not touch root. you can run into the risk of bricking a system by limiting the powers of root
Need more beer?
whoops. was typed on my phone
Well according to the above paper and according to @Baz it isn't. That being said, shouldn't the
root user be able to switch to
selinux sysadim via
su selinux for instance?
Yes. Root is the highest user in any standard linux system with or without SElinux. Root is by default UID 0. Atleast on my android device going "su selinux" just links me back to the root account.
Root is a user as any other as far as SELinux is concerned, you can even make root a guest user with no privs at all lol
Ok so if i create a new user, let's call him
poweruser and give him admin rights from SELinux perspective, an attacker might be able to use Drammer to get
root access (uid=0,gid=0), but since he is still unable to deactivate/interfere with SELinux. But, if he modifes his own page table accordingly and becomes
poweruser he is free to turn it off, right?
Yup, exactly this.
Still, if the > poweruser would be for example mapped to selinux user sysadm_u, it would stil be confined, meaning while sysadm_u is basically the 'new root', there's still some stuff it can't do. Which is still better than allowing a single user full unrestricted access (traditional root).