Just another geek

What Is Really the Attack Surface of the Kernel Running a SECCOMP Process?

In a previous post, I said that the kernel's attack surface for a process running under SECCOMP was really low. To check this assumption, I reviewed every vulnerability affecting the 2.6 kernel.

Only those triggerable from a SECCOMPed process were kept. Out of 440 vulnerabilities, 13 qualified:

| Impact | Description | Architecture | Reference |
|--------|-------------|--------------|-----------|
| HIGH | Infinite loop triggering signal handler | i386 | CVE-2004-0554 |
| MEDIUM | audit_syscall_entry bypass | amd64 | CVE-2009-0834 |
| MEDIUM | SECCOMP bypass | amd64 | CVE-2009-0835 |
| MEDIUM | Non-sign extension of syscall arguments | s390 | CVE-2009-0029 |
| MEDIUM | EFLAGS leak on context switch | amd64/i386 | CVE-2006-5755 |
| MEDIUM | Nested faults | amd64 | CVE-2005-1767 |
| MEDIUM | Not handling properly certain privileged instructions | s390 | CVE-2004-0887 |
| LOW | Fix register leak in 32-bit syscall auditing | amd64 | 81766741f |
| LOW | 64-bit kernel register leak to 32-bit processes | amd64 | 24e35800c |
| LOW | Register leak | amd64 | CVE-2009-2910 |
| LOW | DoS by using malformed LDT | amd64 | CVE-2008-3247 |
| LOW | DoS on floating point exceptions | powerpc HTX | CVE-2007-3107 |
| LOW | DoS on 32-bit compatibility mode | amd64 | CVE-2005-1765 |

In other words, if you are running a pure 32-bit environment, our initial intuition was almost right: only two bugs so far (in 2004 and 2006). On AMD64, however, I wouldn't bet on it.
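To make concrete why the surface is so small, here is an added example (my own code, not from the post) showing what a SECCOMPed process can still do. On the 2.6 kernels reviewed above, SECCOMP meant strict mode only (the BPF filter mode arrived later, in 3.5): after `prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)` the kernel accepts only `read`, `write`, `exit` and `sigreturn` and delivers SIGKILL on anything else. The program forks a child, enables strict mode in it, shows that `write()` still works, then issues one other syscall (`getpid`) and lets the parent observe the SIGKILL. It assumes a Linux kernel with seccomp built in and that no seccomp filter is already installed on the process; if `prctl` fails with EINVAL or EACCES, the function reports `DEMO_UNSUPPORTED` instead. The return codes and the `DEMO_*` names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/seccomp.h>
#endif
/* Fallbacks in case the headers predate these constants (values are stable). */
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1
#endif

/* Outcome of the demo (names are mine, not a kernel API). */
enum { DEMO_OTHER = 0, DEMO_KILLED = 1, DEMO_UNSUPPORTED = 2 };

/* Strict mode only allows the plain exit syscall; glibc's _exit() uses
 * exit_group, which would itself be killed, so leave via the raw syscall. */
static void raw_exit(int code)
{
    syscall(SYS_exit, code);
    for (;;) ;
}

/* Returns DEMO_KILLED when the child, after entering strict mode, could still
 * write() to a pipe but was killed by SIGKILL on its first other syscall.
 * Returns DEMO_UNSUPPORTED when the kernel refuses strict mode (EINVAL/EACCES). */
int strict_seccomp_demo(void)
{
    int status_pipe[2];   /* child -> parent: errno from prctl (0 on success) */
    int data_pipe[2];     /* child -> parent: payload written after strict mode */
    if (pipe(status_pipe) < 0 || pipe(data_pipe) < 0)
        return DEMO_OTHER;

    pid_t pid = fork();
    if (pid < 0)
        return DEMO_OTHER;

    if (pid == 0) {
        close(status_pipe[0]);
        close(data_pipe[0]);
        int err = 0;
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            err = errno;
        /* write() is one of the four allowed syscalls, so this works either way. */
        if (write(status_pipe[1], &err, sizeof err) != (ssize_t)sizeof err)
            raw_exit(2);
        if (err != 0)
            raw_exit(1);
        if (write(data_pipe[1], "ok", 2) != 2)
            raw_exit(2);
        /* Any syscall outside {read, write, exit, sigreturn} ends the process
         * with SIGKILL; getpid is a harmless one to demonstrate it. */
        syscall(SYS_getpid);
        raw_exit(3);  /* reached only if strict mode is not enforced */
    }

    close(status_pipe[1]);
    close(data_pipe[1]);
    int err = -1;
    if (read(status_pipe[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = -1;
    char buf[2] = {0, 0};
    ssize_t n = read(data_pipe[0], buf, sizeof buf);
    close(status_pipe[0]);
    close(data_pipe[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return DEMO_OTHER;

    if (err == EINVAL || err == EACCES)
        return DEMO_UNSUPPORTED;
    if (err != 0)
        return DEMO_OTHER;
    if (n == 2 && memcmp(buf, "ok", 2) == 0 &&
        WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return DEMO_KILLED;
    return DEMO_OTHER;
}

int main(void)
{
    int r = strict_seccomp_demo();
    if (r == DEMO_KILLED)
        puts("child wrote to the pipe, then got SIGKILL on getpid(): strict mode enforced");
    else if (r == DEMO_UNSUPPORTED)
        puts("kernel refused SECCOMP_MODE_STRICT (no seccomp, or a filter is already installed)");
    else
        puts("unexpected outcome");
    return r == DEMO_OTHER;
}
```

The point for the review above: every kernel bug in the table had to be reachable through those four syscalls, the signal return path, or the CPU state the kernel saves and restores around them (registers, EFLAGS, the LDT, floating point), which is exactly the pattern the listed entries show.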

Disclaimer: Of course, these numbers are meaningless because of the non-disclosure policy of the kernel's developers.