Re: Write protection on SD cards

From Günther Schwarz <strap@gmx.de>
Newsgroups comp.os.linux.security
Subject Re: Write protection on SD cards
Date 2011-12-17 16:32 +0000
Message-ID <9l3ugmFc2sU1@mid.individual.net> (permalink)
References <9hb396F3fcU1@mid.individual.net> <j8rfg7$6n8$1@dont-email.me> <9hkma2Fcu3U1@mid.individual.net> <7tobv7pu6a.fsf@leeloo.local.mcanswer.pl>


mcanswer wrote:

> Günther Schwarz <strap@gmx.de> writes:
> 
>> Tobias Blass wrote:
>>
>>> On 2011-11-01, Günther Schwarz <strap@gmx.de> wrote:
>>> the attacker could (root access provided) e.g. load a kernel
>>> module or install another kernel that does not check the write
>>> protection switch.
>>
>> You understood that correctly. The device is supposed to survive in a
>> clean state in case the system gets compromised and thus allow for a
>> fresh installation without having to insert a CD or doing a PXE boot.
>> It should be better in this respect than an extra partition on the main
>> hard disk. But still the security needs are moderate.
> 
> You can always use some mandatory access control preventing the attacker
> from accessing this device and/or from loading kernel modules. The first
> one could be done by SELinux or RBAC, the second one by, for example, grsecurity

These are all very useful in protecting a running system. But then my
question was if an SD might be considered as reasonably safe in a scenario
where an uncontrolled system and kernel are running. Just think of a bug
or a misconfiguration in the BIOS setup which allows for booting from a
CD or USB device instead of from the hard disk.

Günther


Thread

Write protection on SD cards Günther Schwarz <strap@gmx.de> - 2011-11-01 20:31 +0000
  Re: Write protection on SD cards Lusotec <nomail@nomail.not> - 2011-11-01 21:48 +0000
  Re: Write protection on SD cards Tobias Blass <tobiasblass@gmx.net> - 2011-11-02 13:10 +0000
    Re: Write protection on SD cards Günther Schwarz <strap@gmx.de> - 2011-11-05 11:51 +0000
      Re: Write protection on SD cards mcanswer@mcanswer.pl - 2011-12-17 07:51 +0100
        Re: Write protection on SD cards Günther Schwarz <strap@gmx.de> - 2011-12-17 16:32 +0000
