| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Aug 2021 13:35:08 +0000
From: THOBY Simon <Simon.THOBY@...eris.fr>
To: Igor Zhbanov <izh1979@...il.com>,
linux-integrity <linux-integrity@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 0/1] NAX (No Anonymous Execution) LSM
Hi Igor,
On 8/20/21 12:12 AM, Igor Zhbanov wrote:
> [Overview]
>
> Fileless malware attacks are becoming more and more popular, and even
> ready-to-use frameworks are available [1], [2], [3]. They are based on
> running of the malware code from anonymous executable memory pages (which
> are not backed by an executable file or a library on a filesystem.) This
> allows effectively hiding malware presence in a system, making filesystem
> integrity checking tools unable to detect the intrusion.
>
[snip]
>
> [TODO]
> - Implement xattrs support for marking privileged binaries on a per-file
> basis.
If/when you plan to add that, adding the new xattr to the list of EVM-protected xattrs
may be worth discussing.
> - Store NAX attributes in the per-task LSM blob to implement special
> launchers for the privileged processes, so all of the children processes
> of such a launcher would be allowed to have anonymous executable pages
> (but not to grandchildren).
>
[snip]
Overall I'm pleased to see this patch and I have no more remarks,
outside of the few points Randy Dunlap raised.
Reviewed-by: THOBY Simon <Simon.THOBY@...eris.fr>
Thanks,
Simon
Powered by blists - more mailing lists