| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Nov 2010 13:32:32 +0100 From: Ingo Molnar <mingo@...e.hu> To: Willy Tarreau <w@....eu> Cc: Marcus Meissner <meissner@...e.de>, security@...nel.org, mort@....com, Peter Zijlstra <a.p.zijlstra@...llo.nl>, fweisbec@...il.com, "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org, jason.wessel@...driver.com, tj@...nel.org, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking * Willy Tarreau <w@....eu> wrote: > On Sun, Nov 07, 2010 at 01:12:35PM +0100, Ingo Molnar wrote: > > > > * Willy Tarreau <w@....eu> wrote: > > > > > [...] > > > > > > It's precisely because you're making a special case of the security bug that you > > > want to hide bugs from user-space by cheating on version. > > > > You claimed this for the second time and i'm denying it for the second time. > > > > The goal of fuzzing the version inforation is _not_ to 'hide bugs from user-space by > > cheating on version'. The goal is to introduce uncertainty to attackers, so that a > > honeypot silent alarm can warn the admin. > > My interpretation of this mechanism is what I explained above. [...] ( Well, if it's "your interpretation" only then stop claiming that i said it. ) > [...] "Introducing uncertainty" means hiding a version so that the attacker > doesn't precisely know which one it is and has to send a few probes to guess it. No. The 'exploit honeypot' mechanism i outlined is really simple, and it means what i explained already: - attacker breaks into unprivileged user-space - attacker runs exploit - exploit attempt gets detected by the 'exploit honeypot' kernel code and a (silent) warning goes to the admin (via a syslog message for example) - attacker only sees that the attack did not succeed This makes it _unsafe_ (for many types of attackers) to run an exploit locally. > That's not much different than trying to fire the exploit itself. [...] Erm, the difference is possible _detection_ via a silent alarm. There's a huge difference between 'attempting an exploit and being caught' and 'not even trying the exploit because based on the kernel version the attacker knows it wont work'. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists