VANCOUVER, BC -- Two security researchers at search engine giant Google have discovered 20 kernel bugs, about half remaining unpatched, affecting Windows, Linux and the popular VMware virtualization software over the last several years.
The complexity of the kernel makes for more diverse and interesting logical bugs."
- Julien Tinnes
Google engineers, Julien Tinnes and Tavis Ormandy said kernel security must improve. They shared their kernel security research recently at the CanSecWest Applied Security Conference. They say they hope their data motivates operating system developers to reduce the kernel attack surface.
The kernel is the underlying code base of an operating system where processes, resources and memory allocation is handled. While attacks against kernel flaws are few in number because they take an increased sophistication to pull off, they can be serious because a successful attack could give cybercriminals complete access to a system and all its resources.
Researcher behind Linux Kernel flaw explains motives: When a vulnerability researcher discloses a flaw in a widely-used operating system or application, some IT professionals question the motive.
What are Google Chrome's security features? In this expert response, Michael Cobb reviews the security features of Google Chrome.
"The complexity of the kernel makes for more diverse and interesting logical bugs," Tinnes said."It may be more complex, but it's much more interesting because you can do whatever you want."
Kernel bugs in Linux are more populous, but less targeted by attackers since the operating system has fewer users and therefore attacking it is less lucrative for cybercriminals. But Windows-based kernel flaws are growing, the researchers said, with six remotely executable errors surfacing in the last seven years. Attackers can use Web browsers and video drivers as entry points into the kernel.
While the researchers couldn't provide specifics on all the vulnerabilities -- half of them have not been patched -- Tinnes said several memory corruption errors are contained in the Linux kernel as well as up to six classic buffer overflows and a number of null pointer references, which is buggy code that points to data stored in a machine's memory. Getting the errors patched has been difficult until recently, Tinnes said. For a certain time, every major Linux version (2.4 and 2.6) shipped with a vulnerable kernel, he said.
"Linux kernel developers didn't understand the security consequences," Tinnes said. "Nowadays people understand that it's a problem."
Ormandy focused on Windows Server 2003, where a page fault exception occurs when code has insufficient privilege to access a page. The researchers were able to exploit the bug to gain access to the kernel in VMware guests.
"We found a way to cause VMware to set the supervisor bit for user page faults," Ormandy said.
Techniques that reduce the attack surface are getting better. Trusted path executables, a Linux kernel configuration that limits the number of executables that can run to mitigate the threat of malicious code executing within the kernel, is gaining popularity on the Windows platform. Application sandboxing, which limits the number of processes an application can run, also reduces the attack surface.
"The attack surface is getting easier to reach remotely," Tinnes said. "It goes from something very easy to some very challenging stuff. It's hard to get rid of the kernel's attack surface. Even if you sandbox, which Microsoft did with Office and we did with Chrome."