Open Source and information security mailing list archives
From: spender at grsecurity.net (Brad Spengler)
Subject: "Advances in Security" in the Linux Kernel and RedHat idiocy

On Thu, Jan 27, 2005 at 08:37:19PM +0100, Michal Zalewski wrote:
> On Thu, 27 Jan 2005, Brad Spengler wrote:
> 
> > I guess anyone who thinks that taking a hardcoded exploit and running it
> > 256 times would always result in a successful exploit is stupid.
> 
> It would not always result in a successful exploitation; just as flipping
> the coin twice is not a guarantee of getting tails once.

Of course, but you get the idea.  Your chances of succeeding after 256 
tries are such that it is highly probable you wouldn't fail (and in 
fact, if the process you're attacking is a forking daemon like apache, 
if you iterate through all the possibilities, you do indeed have a 100% 
chance of succeeding after 256 tries).

> Other than that, the amount of randomization is indeed puny; but then,
> even 32-bit randomization is a good defense only in certain situations,
> and often, can be defeated with some time, aided by luck or a decent
> NOP-equivalent sled.

Indeed, and only PaX/grsecurity handles these things, which is why it is 
useful in our case.  However, attempting to use weak randomization as 
RedHat is trying is nothing more than trivial obfuscation, which should 
have no place in the kernel.  All it does is give people a false sense 
of security, and allow RedHat to make claims that they're preventing 
75% of exploits with Exec-shield (of course ignoring that all such 
exploits that failed could be easily rewritten to succeed).  Things 
have really taken a turn for the worse: Linus used to be against having 
only a non-executable stack because it's trivially evaded.  Now he's 
all for something that is even more obfuscation than having only a 
non-executable stack: the exploits don't even have to be rewritten in 
this case.  This all reeks of security ignorance and politics.

-Brad
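The disagreement above is about how much protection a small amount of address randomization actually buys. The following is an added illustration, not code from the mail or from PaX, grsecurity or Exec-shield: it works the two attacker models the thread names through for a given number of randomization bits. In the "random" model every attempt faces a freshly randomized layout (independent 1-in-2^k draws, Zalewski's coin flip); in the "enumerate" model the layout stays fixed across attempts, as with a forking daemon whose children inherit the parent's mappings, so distinct guesses exhaust the space. The function names and the 8/16/24/32-bit table are this example's own choices.

```python
"""How much does k bits of address-space randomization buy against repeated
guessing?  Added illustration for the Spengler/Zalewski exchange; not part
of the original mail or of any of the projects it mentions.

Two models, following the thread:
  * "random":    every attempt sees a freshly randomized layout, so attempts
                 are independent draws with success probability 1/2**k.
  * "enumerate": the layout is fixed across attempts (e.g. a forking daemon
                 whose children inherit the parent's mappings), so each
                 distinct guess eliminates one candidate and 2**k guesses
                 cover the whole space.
"""
from math import ceil, log


def _check(bits: int, attempts: int) -> int:
    """Validate inputs and return the size of the randomization space."""
    if bits < 0 or attempts < 0:
        raise ValueError("bits and attempts must be non-negative")
    return 2 ** bits


def p_random(bits: int, attempts: int) -> float:
    """P(at least one hit in `attempts` independent tries at 1/2**bits each).

    This is the coin-flip case: 256 tries against 8 bits is NOT a
    guarantee, it is 1 - (255/256)**256, roughly 63%.
    """
    space = _check(bits, attempts)
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def p_enumerate(bits: int, attempts: int) -> float:
    """P(hit within `attempts` distinct guesses against a fixed layout).

    Guessing without replacement: after 2**bits guesses success is certain,
    which is the forking-daemon point made in the mail.
    """
    space = _check(bits, attempts)
    return min(attempts / space, 1.0)


def expected_attempts(bits: int, model: str) -> float:
    """Mean number of attempts until the first hit under each model."""
    space = _check(bits, 0)
    if model == "random":
        return float(space)           # geometric distribution, mean 1/p
    if model == "enumerate":
        return (space + 1) / 2.0      # hit position is uniform over 1..space
    raise ValueError(f"unknown model {model!r}")


def attempts_for_confidence(bits: int, confidence: float) -> int:
    """Smallest n such that p_random(bits, n) >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    space = _check(bits, 0)
    # Solve 1 - (1 - 1/space)**n >= confidence for n; both logs are negative.
    return ceil(log(1.0 - confidence) / log(1.0 - 1.0 / space))


def risk_table(bit_counts=(8, 16, 24, 32), attempts=256):
    """Rows of (bits, attempts, P[random], P[enumerate], n for 99% [random])."""
    return [
        (k, attempts, p_random(k, attempts), p_enumerate(k, attempts),
         attempts_for_confidence(k, 0.99))
        for k in bit_counts
    ]


if __name__ == "__main__":
    print(f"{'bits':>4} {'tries':>6} {'P(random)':>11} {'P(enumerate)':>13} {'n@99%':>12}")
    for k, n, pr, pe, n99 in risk_table():
        print(f"{k:>4} {n:>6} {pr:>11.6f} {pe:>13.6f} {n99:>12}")
```

Running the table shows the gap both correspondents are pointing at: against 8 bits, 256 blind tries succeed about 63% of the time and 256 enumerated tries always do, while 32 bits pushes the blind-guess success for 256 tries to about 6e-8 and the expected number of attempts into the billions. That is the difference between a mitigation that an attacker simply retries and one that has to be defeated some other way, which is the substance of the "obfuscation versus defense" argument in the mail.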
