| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Nov 2010 12:42:37 +0100 From: Ingo Molnar <mingo@...e.hu> To: Willy Tarreau <w@....eu> Cc: Marcus Meissner <meissner@...e.de>, security@...nel.org, mort@....com, Peter Zijlstra <a.p.zijlstra@...llo.nl>, fweisbec@...il.com, "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org, jason.wessel@...driver.com, tj@...nel.org, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking * Willy Tarreau <w@....eu> wrote: > [...] I was explaining that doing this will not prevent them from guessing the > precise kernel version, [...] Well, which is exactly what i have said to Marcus early on in this discussion: | | What i suggested in later parts of my mail might provide more security: to sandbox | kernel version information from unprivileged user-space - if we decide that we | want to sandbox kernel version information ... | | That is a big if, because it takes a considerable amount of work. Would be worth | trying it - but feel-good non-solutions that do not bring much improvement to the | majority of users IMHO hinder such efforts. | The 'considerable amount of work' refers not to the utsname version fuzzing patch (it's a 10-liner patch, literally), but to controlling the channels of version information you mentioned (uptime, the /boot timestamp), and some other channels you did not mention: dmesg, various /sys and /proc entries that leak version information, etc. All must be closed down for unprivileged user-space, for this to be effective, obviously. ( Note that there will also be some channels of information that cannot realistically be closed down (such as the presence of sys_perf_event_open() indicates a v2.6.32+ kernel - or a backported, patched kernel) - but what matters mostly is to fuzz the _precise_ version information, to inject uncertainty into the equation of attackers. Combined with honeypot silent alarm functionality it turns the equation around and creates an outright risk of detection. ) Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists