| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Dec 2013 14:06:48 +0100 From: Ingo Molnar <mingo@...nel.org> To: Ryan Mallon <rmallon@...il.com> Cc: Kees Cook <keescook@...omium.org>, Theodore Ts'o <tytso@....edu>, vegard.nossum@...cle.com, LKML <linux-kernel@...r.kernel.org>, Tommi Rantala <tt.rantala@...il.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Daniel Vetter <daniel.vetter@...ll.ch>, Alan Cox <alan@...ux.intel.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jason Wang <jasowang@...hat.com>, "David S. Miller" <davem@...emloft.net>, Dan Carpenter <dan.carpenter@...cle.com>, James Morris <james.l.morris@...cle.com> Subject: Re: [PATCH 1/9] Known exploit detection * Ryan Mallon <rmallon@...il.com> wrote: > On 13/12/13 08:13, Kees Cook wrote: > > On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <tytso@....edu> wrote: > >> On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@...cle.com wrote: > >>> From: Vegard Nossum <vegard.nossum@...cle.com> > >>> > >>> The idea is simple -- since different kernel versions are vulnerable to > >>> different root exploits, hackers most likely try multiple exploits before > >>> they actually succeed. > > > > I like this idea. It serves a few purposes, not the least of which is > > very clearly marking in code where we've had problems, regardless of > > the fact that it reports badness to the system owner. And I think > > getting any additional notifications about bad behavior is a nice idea > > too. > > Though, if an attacker is running through a series of exploits, and > one eventually succeeds then the first thing to do would be to clean > traces of the _exploit() notifications from the syslog. [...] There are several solutions to that: 1) Critical sites use remote logging over a fast LAN, so a successful exploit would have to zap the remote logging daemon pretty quickly before the log message goes out over the network. 2) Some sites also log to append-only media [such as a printer] or other append-only storage interfaces - which cannot be manipulated from the attacked system alone after a successful break-in. 3) In future the exploit() code could trigger actual active defensive measures, such as immediately freezing all tasks of that UID and blocking further fork()s/exec()s of that UID. Depending on how critical the security of the system is, such active measures might still be a preferable outcome even if there's a chance of false positives. (Such active measures that freeze the UID will also help with forensics, if the attack is indeed real.) > [...] Since running through a series of exploits is pretty quick, > this can probably all be done before the sysadmin ever notices. It's not necessarily the sysadmin the attacker is racing against, but against append-only logging and other defensive measures - which too are programs. > The _exploit() notifications could also be used to spam the syslogs. > Although they are individually ratelimited, if there are enough > _exploit() markers in the kernel then an annoying person can cycle > through them all to generate large amounts of useless syslog. AFAICS they are globally rate-limited, just like many other attacker-triggerable printk()s the kernel may generate. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists