| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 15 Dec 2013 10:59:35 +1100 From: Ryan Mallon <rmallon@...il.com> To: Theodore Ts'o <tytso@....edu>, vegard.nossum@...cle.com, linux-kernel@...r.kernel.org, Tommi Rantala <tt.rantala@...il.com>, Ingo Molnar <mingo@...nel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Andy Lutomirski <luto@...capital.net>, Kees Cook <keescook@...omium.org>, Daniel Vetter <daniel.vetter@...ll.ch>, Alan Cox <alan@...ux.intel.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jason Wang <jasowang@...hat.com>, "David S. Miller" <davem@...emloft.net>, Dan Carpenter <dan.carpenter@...cle.com>, James Morris <james.l.morris@...cle.com> Subject: Re: [PATCH 1/9] Known exploit detection On 13/12/13 06:06, Theodore Ts'o wrote: > On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@...cle.com wrote: >> From: Vegard Nossum <vegard.nossum@...cle.com> >> >> The idea is simple -- since different kernel versions are vulnerable to >> different root exploits, hackers most likely try multiple exploits before >> they actually succeed. > > Suppose we put put this into the mainstream kernel. Wouldn't writers > of root kit adapt by checking for the kernel version to avoid checking > for exploits that are known not work? So the question is whether the > additional complexity in the kernel is going to be worth it, since > once the attackers adapt, the benefits of trying to detect attacks for > mitigated exploits will be minimal. Doesn't the fact that the exploits are already mitigated make it of limited value anyway? In order for this detection to be effective, a system must be fully patched with all the latest CVE tags (and also, obviously all the associated security patches), otherwise the system will be vulnerable to the most recent security bugs, and will be unable to warn about them. If the system is fully patched, and an attacker is only using known attacks, then they aren't getting in anyway. The logging might be of some use in identifying users who are potentially malicious, but then those users are low threat anyway since all the attacks they are trying are fixed. Is it worth all the instrumentation of the kernel for this? So I think for the most serious cases of attack, where the attacker has some knowledge of the system version/patch level (for a system which is not fully patched), or has zero-day vulnerabilities, this protection will do nothing. This doesn't really work as a protection mechanism, the idea that "hackers most likely try multiple exploits before they actually succeed." seems a bit flawed. If they are eventually succeeding using a known vulnerability against an unpatched system, this this patchset is of limited protection. If the attacker is smart about the order of the attacks (e.g. try the new ones first) then they can probably still get in without triggering warnings. Sophisticated attackers who are have unpatched, unknown vulnerabilities, but still want to use known ones where possible are probably smart enough to evade any sort of protection mechanism like this. ~Ryan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists