Date:	Wed, 6 Apr 2016 11:31:50 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Emrah Demir <ed@...sec.com>
Cc:	Dan Rosenberg <dan.j.rosenberg@...il.com>,
	Dave Jones <davej@...hat.com>,
	Kees Cook <keescook@...omium.org>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

On Wed, Apr 6, 2016 at 11:05 AM,  <ed@...sec.com> wrote:
>
> Most distros don't use KASLR, but they use kptr_restrict. Without KASLR,
> kptr_restrict is most likely useless.

Well, yes, kaslr is effectively useless right now due to the fact that
people still use hibernation in effectively every single distro out
there.

But kptr_restrict was enabled by distro people, and in theory it does
end up possibly helping: it at least hides the exact per-function
addresses.

Of course, with 99.9% of all users then using a distro kernel, you can
just get those remotely anyway by just downloading the distro image,
so it turns out that now there are effectively zero bits that you are
really hiding, because the information is effectively right there in
"uname -a".

End result: kptr_restrict is a wonderful flag if all you want to
disable is a trivial convenience function that is easy for an attacker
to do other ways.

Quite frankly, personally I find a lot of security people and patches
to be disingenuous for exactly this kind of reason. They look at the
small details, and are completely missing the big picture.

I'm at the IoT conference right now. "Security" has been a big word
this week. "45 billion devices, lack of security, the sky is falling".
I don't think we had a lot of people talking about "oh, the cloud
service is getting shut down, so now those devices don't even *work*".

But that's ok. Because "security" is more important than "reality". Groan.

                Linus
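An added audit helper illustrating the posture discussed in this thread (example code, not from the thread or the kernel tree): it checks whether kptr_restrict is actually masking /proc/kallsyms for unprivileged readers, whether KASLR is in effect, and whether the running kernel is a stock distro build whose symbol addresses are public anyway. It assumes an x86-64 host (for the default text base) and uses constructed sample inputs in place of the real /proc files.

```python
import re
from typing import List, Optional

# Default x86-64 kernel text base when KASLR has not shifted the kernel (assumption: x86-64 host).
X86_64_DEFAULT_TEXT = 0xFFFFFFFF81000000
SYM_RE = re.compile(r"^([0-9a-f]{16}) [A-Za-z] (\S+)", re.M)

def kallsyms_addresses_hidden(kallsyms: str) -> bool:
    """True when every address in the listing is zeroed, i.e. kptr_restrict masks them for this reader."""
    addrs = [m.group(1) for m in SYM_RE.finditer(kallsyms)]
    return bool(addrs) and all(set(a) == {"0"} for a in addrs)

def kaslr_active(kallsyms_root: str) -> Optional[bool]:
    """Compare the unmasked _text address with the fixed default base; None if _text is not listed."""
    for m in SYM_RE.finditer(kallsyms_root):
        if m.group(2) == "_text":
            return int(m.group(1), 16) != X86_64_DEFAULT_TEXT
    return None

def stock_distro_kernel(release: str) -> bool:
    """Heuristic on `uname -r`: a distro package suffix means the image and its symbol table are public."""
    return re.search(r"(-generic|-amd64|-arm64|\.el\d|\.fc\d+|-default|-lts)$", release) is not None

def audit(kptr_restrict: int, kallsyms_unpriv: str, kallsyms_root: str,
          cmdline: str, release: str) -> List[str]:
    """Return the findings a defender cares about: what, if anything, these settings still hide."""
    findings = []
    if kptr_restrict == 0 or not kallsyms_addresses_hidden(kallsyms_unpriv):
        findings.append("kptr_restrict is not masking kernel symbol addresses for unprivileged readers")
    if "nokaslr" in cmdline.split():
        findings.append("KASLR disabled by 'nokaslr' on the kernel command line")
    elif kaslr_active(kallsyms_root) is False:
        findings.append("kernel text sits at the default base: KASLR is not active")
    if stock_distro_kernel(release):
        findings.append(f"stock distro kernel {release}: symbol addresses are recoverable "
                        "from the public package, so kptr_restrict hides little")
    return findings

# Constructed sample inputs standing in for /proc/kallsyms (unprivileged and root views).
KALLSYMS_UNPRIV = "0000000000000000 T _text\n0000000000000000 T do_sys_open\n"
KALLSYMS_ROOT_NO_KASLR = "ffffffff81000000 T _text\nffffffff81234560 T do_sys_open\n"
KALLSYMS_ROOT_KASLR = "ffffffff9a200000 T _text\nffffffff9a434560 T do_sys_open\n"

if __name__ == "__main__":
    for finding in audit(1, KALLSYMS_UNPRIV, KALLSYMS_ROOT_NO_KASLR,
                         "BOOT_IMAGE=/vmlinuz root=/dev/sda1", "4.4.0-21-generic"):
        print("finding:", finding)
```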
