Support systems without /proc/kallsyms and unmounted /boot
Opened this issue · 3 comments
My box runs a custom-built Gentoo hardened monolithic kernel with most GRSEC protections enabled (so root doesn't see /proc/kallsyms), but no SELinux or other MAC. It also does not have /boot mounted while running (because I have KASLR enabled).
I already know from Intel's list of affected CPUs that my Ivybridge i7 exhibits the behaviour that is exploited by Meltdown.
But it would be nice to know, whether exploiting the bug on my system would need a tailored exploit in practice or if a further improved generic exploit could do it.
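The issue turns on how much a hardened host reveals about kernel symbol addresses, which is exactly what a generic PoC depends on. The script below is an added example, not code from this issue or from the project, and shows a defender-side check of the three usual sources: /proc/kallsyms (absent, address-zeroed, or exposed), the kptr_restrict sysctl, and a readable System.map for the running kernel. The function names, the "absent/hidden/exposed" verdicts and the optional FILE arguments are assumptions made for this example so each check can be exercised on constructed input; the defaults point at the real kernel interfaces.

```shell
#!/bin/sh
# Added example, not code from the issue or this project. It classifies how
# much a host reveals about kernel symbol addresses. Every check takes an
# explicit file path so it can be run against constructed input; the defaults
# are the live kernel interfaces.

# kallsyms_state [FILE]  (default /proc/kallsyms)
#   absent  - not present or not readable for this user (e.g. GRSEC hidesym)
#   hidden  - readable, but every address is zeroed out by kptr_restrict
#   exposed - at least one real (non-zero) symbol address is visible
kallsyms_state() {
    f="${1:-/proc/kallsyms}"
    [ -r "$f" ] || { echo absent; return 0; }
    # match a line whose leading address column is not all zeros
    if grep -q -E '^0*[1-9a-f][0-9a-f]* ' "$f"; then
        echo exposed
    else
        echo hidden
    fi
}

# kptr_restrict_state [FILE]  (default /proc/sys/kernel/kptr_restrict)
#   0 - %pK addresses are printed for everyone
#   1 - printed only to readers holding CAP_SYSLOG
#   2 - never printed
# Prints "unknown" when the sysctl cannot be read or holds an unexpected value.
kptr_restrict_state() {
    f="${1:-/proc/sys/kernel/kptr_restrict}"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo 0 ;;
        1) echo 1 ;;
        2) echo 2 ;;
        *) echo unknown ;;
    esac
}

# system_map_state [FILE]  (default /boot/System.map-<running kernel>)
#   exposed - a readable symbol map for the running kernel exists
#   absent  - not found or not readable (unmounted /boot, restricted perms)
system_map_state() {
    f="${1:-/boot/System.map-$(uname -r)}"
    if [ -r "$f" ]; then echo exposed; else echo absent; fi
}

# report: one line per check, run against the live system
report() {
    printf '/proc/kallsyms:  %s\n' "$(kallsyms_state)"
    printf 'kptr_restrict:   %s\n' "$(kptr_restrict_state)"
    printf 'System.map:      %s\n' "$(system_map_state)"
}

# Only touch the live system when invoked as:  sh symcheck.sh run
if [ "${1:-}" = "run" ]; then
    report
fi
```

On the configuration described in the issue (GRSEC hiding /proc/kallsyms even from root, /boot unmounted) the report prints "absent" for both files, which is the case where a PoC has no symbol source to fall back on; on a stock distribution kernel run as an unprivileged user the typical result is "hidden" with kptr_restrict at 1 and an "absent" or "exposed" System.map depending on file permissions.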
I think we'll need to implement ideas presented here: https://gruss.cc/files/kaiser.pdf
It's said that Meltdown can be used to bypass KASLR, and from there we could figure out some places in the kernel which would allow us to check it. Removing the dependency on /proc/kallsyms would be a great achievement for this project.
Why rely on external information / bypass KASLR? We could inject a small module which either provides some "strings" to find or dumps the current address of the syscall table.
Injecting some strings is probably easier than the second idea. I implemented the extraction of the address of the syscall table for a PoC/training rootkit some years ago. Unfortunately the pattern I used to match within the syscall handler is not valid any more. The old code is uploaded here.