[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20131213131926.GA10981@gmail.com>
Date: Fri, 13 Dec 2013 14:19:26 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Theodore Ts'o <tytso@....edu>, James Morris <jmorris@...ei.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Dave Jones <davej@...hat.com>,
Kees Cook <keescook@...omium.org>, vegard.nossum@...cle.com,
LKML <linux-kernel@...r.kernel.org>,
Tommi Rantala <tt.rantala@...il.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andy Lutomirski <luto@...capital.net>,
Daniel Vetter <daniel.vetter@...ll.ch>,
Alan Cox <alan@...ux.intel.com>,
Jason Wang <jasowang@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Dan Carpenter <dan.carpenter@...cle.com>,
James Morris <james.l.morris@...cle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 1/9] Known exploit detection
* Theodore Ts'o <tytso@....edu> wrote:
> On Fri, Dec 13, 2013 at 04:09:06PM +1100, James Morris wrote:
> >
> > I think we'd need to have someone commit to maintaining this long
> > term before seriously considering it as part of mainline. Over
> > time it will become increasingly useless if new triggers aren't
> > added.
> >
> > What happens when code is refactored, who refactors the triggers?
>
> We would definitely need to have test cases which deliberately trips
> the triggers, which would be run regularly (which means they would
> need to be included in the kernel tree), or else it's very likely as
> the code gets refactor or even just modiied, the exploit() calls
> might end up getting moved to the wrong place, or otherwise
> deactivated/denatured.
That looks useful for another reason as well: we had cases where the
same exploit re-appeared because our fix against it regressed.
> [...]
>
> I'm still a little dubious about the size of benefit that trying to
> maintain these exploit() markers would provide, and whether it would
> ultimately be worth the cost.
These items are very easy to remove if any of them breaks or gets out
of sync. So the cost can be reduced to zero, if the experiment fails.
I'd definitely be willing to accept the x86 and perf bits, if all
complaints are fixed and if Vegard (and Kees?) volunteers to maintain
this thing.
I see no real downside - other than giving the security circus a
foothold in the kernel.
OTOH, such defensive measures _do_ have tangible benefits:
- They warn kernel developers about dangerous patterns and past
incidents, in the code itself. There are 'hotspot' areas in the
kernel that tend to attract more bugs than others.
- They give actual real figures to people/organizations: do these
checks ever trigger? Have they triggered in the past 5 years? A
large enough organization might be able to quantify and guesstimate
its attack surface that way.
- We could actually insert such checks against known zero day
exploits out in the wild. Those exploits will eventually be changed
to be more careful, but there is going to be a delay with such
updates: catching some attack attempts. Software update delays
will finally work in favor of the good guys!
so maybe these effects reduce the security circus aspect. Or not :-)
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists