undefined | Better HN

0 pointslima4mo ago0 comments

If Kernel Lockdown is enabled, a zero-day exploit is required to bypass module restrictions without a reboot.

Unfortunately, threat actors tend to have a stash of them and the initial entry vector often involves one (container or browser sandbox escape), and once you have that, you are in ring 0 already and one flipped bit away from loading the module.

The Linux kernel is not really an effective privilege boundary.

0 comments

Imustaskforhelp3mo ago

So what would you recommend instead? To run workflows in VMs?

Joel_Mckay3mo ago

A kvm hypervisor is not perfect, as sandbox escape was demonstrated even with https://qubes-os.org/ . On modern AMD/Intel/ARM64 consumer processors it is not possible to completely prevent bleeding keys across regions.

Only the old Sun systems with hardware encrypted mmu pages could actually enforce context isolation.

If performance is not important, and people are dealing with something particularly nasty... than running an emulator on another architecture is a better solution. For example, MacOS M4 with a read-only windows amd64 backing-image guest OS is a common configuration.

https://github.com/86Box/86Box/releases

https://github.com/Moonif/MacBox/releases

Best of luck =3

flipped3mo ago

I am hearing first time of a sandbox escape in QubesOS. Can you link the source?

Joel_Mckay3mo ago

It was a POC from shortly after Spectre CVE dropped, and I'm not sure if the source code made it into the public. I heard about the exploit in a talk by Joanna Rutkowska, where she admitted the OS could no longer completely span TCSEC standards on consumer Intel CPUs. YMMV

The modern slop-web is harder to find things now, and I can't recall specifically if it was something more than just common hypervisor guest escape. =3

j / k navigate · click thread line to collapse

0 comments

Imustaskforhelp3mo ago

So what would you recommend instead? To run workflows in VMs?

Joel_Mckay3mo ago

Only the old Sun systems with hardware encrypted mmu pages could actually enforce context isolation.

https://github.com/86Box/86Box/releases

https://github.com/Moonif/MacBox/releases

Best of luck =3

flipped3mo ago

I am hearing first time of a sandbox escape in QubesOS. Can you link the source?

Joel_Mckay3mo ago

The modern slop-web is harder to find things now, and I can't recall specifically if it was something more than just common hypervisor guest escape. =3

j / k navigate · click thread line to collapse