Full Disclosure mailing list archives

Re: OpenBSD kernel relinking is not transactional and a local exploit exists


From: jvoisin via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 20 Jun 2023 20:32:29 +0200

On 6/17/23 11:40, Schech, C. W. ("Connor") wrote:
> The automatic and mandatory-by-default reordering of OpenBSD kernels
> is NOT transactional and as a result, a local unpatched exploit exists
> which allows tampering or replacement of the kernel. Arbitrary build
> artifacts are cyclically relinked with no data integrity or provenance
> being maintained or verified for the objects being consumed with
> respect to the running kernel before and during the execution of the
> mandatory kernel_reorder process in the supplied /etc/rc and
> /usr/libexec scripts. The reordering occurs at the end of installation
> process and also automatically every reboot cycle thereafter unless
> manually bypassed by a knowledgeable party.

I'm unsure I understand the threat model here: an attacker with root
privileges is able to modify the kernel data about to be relinked?

You're also mentioning SLSA, but as you also said, OpenBSD doesn't have
reproducible builds and all the cool build hardening things(tm). So
having a cryptographic path to the resulting relinked kernel won't
really improve anything, given the current state of affairs.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
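Added example, not code from either message in this thread and not OpenBSD's own /usr/libexec/reorder_kernel: a hypothetical POSIX sh wrapper sketching what a "transactional" relink with input integrity checks would look like, which is the property the report says the stock process lacks. It assumes a manifest of pinned SHA-256 digests for the object files (a format chosen here, not one OpenBSD ships), stands in for ld(1) with a plain concatenation so it runs anywhere, re-verifies the inputs after linking, and installs the result with a single rename(2) so the target is always either the old image or the new one. The objects and manifest built in demo() are constructed; the function names (transactional_relink, verify_manifest, link_objects) are this example's own.

```shell
#!/bin/sh
# Hypothetical transactional relink wrapper (added example; NOT OpenBSD's
# /usr/libexec/reorder_kernel). Properties it enforces:
#   1. every input object must match a pinned SHA-256 manifest before linking,
#   2. link output goes to a temp file in the target's directory, never in place,
#   3. inputs are re-verified after linking to close the verify/link TOCTOU window,
#   4. the target is replaced by one rename(2): always old-or-new, never partial.
set -u

# Portable SHA-256 of one file: prints only the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"            # OpenBSD's sha256(1)
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST OBJDIR: each manifest line is "<sha256>  <relative path>"
# (assumed format). Returns 1 if any object is missing or mismatched; reports all.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r want path; do
        [ -n "$want" ] || continue
        if [ -f "$dir/$path" ]; then got=$(hash_file "$dir/$path"); else got=missing; fi
        if [ "$got" != "$want" ]; then
            echo "integrity failure: $path ($got)" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# link_objects MANIFEST OBJDIR OUT: stand-in for ld(1). It only concatenates the
# objects in manifest order; what matters here is that OUT is a fresh file.
link_objects() {
    manifest=$1; dir=$2; out=$3
    : > "$out"
    while read -r sum path; do
        [ -n "$path" ] || continue
        cat "$dir/$path" >> "$out"
    done < "$manifest"
}

# transactional_relink MANIFEST OBJDIR TARGET
#   returns 0: new image installed atomically
#           1: integrity check failed (TARGET untouched)
#           2: temp-file or link error (TARGET untouched)
transactional_relink() {
    manifest=$1; dir=$2; target=$3
    verify_manifest "$manifest" "$dir" || return 1
    tmp=$(mktemp "$(dirname "$target")/.relink.XXXXXX") || return 2
    if ! link_objects "$manifest" "$dir" "$tmp"; then rm -f "$tmp"; return 2; fi
    # Inputs changed between the first check and the link: output is untrusted.
    if ! verify_manifest "$manifest" "$dir"; then rm -f "$tmp"; return 1; fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"    # same filesystem, so this is a single rename(2)
}

# demo: constructed objects and manifest in a scratch directory; a clean relink,
# then a tampered object being rejected while the installed image stays intact.
demo() {
    t=$(mktemp -d)
    printf 'AAA' > "$t/a.o"; printf 'BBB' > "$t/b.o"
    { echo "$(hash_file "$t/a.o")  a.o"; echo "$(hash_file "$t/b.o")  b.o"; } > "$t/manifest"
    printf 'OLD' > "$t/bsd"
    transactional_relink "$t/manifest" "$t" "$t/bsd" && echo "installed: $(cat "$t/bsd")"
    printf 'EVIL' > "$t/b.o"                          # attacker edits one object
    transactional_relink "$t/manifest" "$t" "$t/bsd" || echo "rejected; still: $(cat "$t/bsd")"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh relink.sh demo`. The point of the shape is the order of operations: verify, link to a temp file, verify again, then rename, so a tampered or partially written object can at worst abort the relink, never leave a half-linked image in place of the kernel. Note that this only pins the objects to a manifest; it says nothing about where the manifest itself came from, which is the provenance half of the original complaint.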