| |||||||||||||
The details on loading rootkits via /dev/memThe details on loading rootkits via /dev/memPosted Apr 23, 2009 14:00 UTC (Thu) by nix (subscriber, #2304)In reply to: The details on loading rootkits via /dev/mem by dersteppenwolf Parent article: The details on loading rootkits via /dev/mem
It's also like a time capsule from 1980 in that the comments and responses are generally courteous. You and Brad Spender and a very few others are notable exceptions, alas.
(Log in to post comments)
The details on loading rootkits via /dev/mem Posted Apr 23, 2009 20:11 UTC (Thu) by dersteppenwolf (guest, #58226) [Link]
I'm sorry if I've hurt your feelings, that wasn't my intention. I guess our ability to couple with hypocrisy and ineptitude is greatly diminished.
The details on loading rootkits via /dev/mem Posted Apr 24, 2009 10:52 UTC (Fri) by nix (subscriber, #2304) [Link]
You've not hurt my feelings: you're just being pointlessly unpleasant. I
hope you don't think that being pleasant to people where possible is equivalent to hypocrisy or ineptitude!
(shades of the Great Misogynism Comment Thread, yet again)
The details on loading rootkits via /dev/mem Posted Apr 27, 2009 14:00 UTC (Mon) by Randakar (guest, #27808) [Link]
I find it interesting how PAX, spengler, and dersteppenwolf prove Linus's point for him. Every single sentence of theirs seems to be dripping with a mixture of arrogance and self-righteousness to the point where I have to check the author lines to see if it's not secretly one and the same person.
Want to know why the PAX patches don't go in and the useful bits are getting 'plagiarized'? Look no further. Linus has no interest in maintainers with an attitude like that and I don't blame him.
People have tried to tell them their narrow minded view of the world and their little security corner is not even nearly as important in comparison to the larger picture as they seem to think it is. Unfortunately the replies seem to demonstrate again and again that these people have made up their minds and are simply incapable of changing their views. The above discussion is a perfect example where the whole point of every reply made by spengler seems to be "I am smarter than you neener neener".
I don't know who's correct or who isn't. I don't care. What I do care about is "are people capable of working with others?". Being unable or unwilling to understand someone elses's point of view, being unable to refrain from calling discussion a "waste of time", purposely misquoting someone because "that's what I think he really said" - all of that evidence points to one answer: "No".
So you guys want to improve Linux kernel security? Good luck. You won't achieve anything with that attitude.
The details on loading rootkits via /dev/mem Posted Apr 27, 2009 14:21 UTC (Mon) by const-g (subscriber, #5006) [Link]
Amen.
My thoughts exactly.
The details on loading rootkits via /dev/mem Posted Apr 27, 2009 17:22 UTC (Mon) by dersteppenwolf (guest, #58226) [Link]
I absolutely agree too. Can we all just get along and let the good times roll?
The details on loading rootkits via /dev/mem Posted Apr 27, 2009 23:47 UTC (Mon) by nix (subscriber, #2304) [Link]
It's 'spender', but seconded. If there's one thing a lifetime of
Asperger's has taught me, it's that social oil is completely *not* pointless. Without it, it doesn't matter *how* bright you are: nobody will pay any attention to you. More: if you've got it, many people (though not Linus, thankfully) will pay attention to you *even if you're an idiot*.
So it behooves bright people (like spender) to *learn to be nice*. Then
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 3:22 UTC (Tue) by dersteppenwolf (guest, #58226) [Link] From a fellow aspie survivor here: please stop being such an attention seeking drama queen over here. What the hell are you doing here, Mercedes?BTW, you can use HTML for applying more dramatic effect to your seemingly invaluable contributions to this thread. It's a tad bit too complex to learn, at least for a technically illiterate person like me, but someone as intelectually gifted as you could surely get it working quickly. I really wish we could all just get along, have a nice discussion and finally make you realize that we are trying our best to help. But you guys keep getting angry over a technical issue, bringing all your anger and projecting your flaws and sense of self-worth unto us like if we just delivered a blowing strike of truth against your egos. Who knows, perhaps these fellows got something to say, and maybe they really aren't here to prove how experienced and skilled they are. Maybe they don't need your approval in that sense. Perhaps they are just rather fed up with the fact that the entire community around the kernel has gone stupid about a simple fact: the current approach for security is mistaken and already had horribly laughable consequences. Let me ask you something: if Linux was an actual closed-source product, commercial and backed up by a vendor who profits from its software sales, and not for selling support, bump stickers, hats, t-shirts and thongs with printed penguin logos, would the customers be willing to take the crap which is being done right now? Silent patching of remotely exploitable issues, local privilege escalation bugs, obscure architecture-dependent bugs, etc. Why does Red Hat employ the person who stole the IRIX source code in the early 2000s? Stole as in DCC over EFNet, or so the rumor says. I would bet my earrings that SGI would be glad to talk about 'disclosure policies' with him on these matters...
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 5:04 UTC (Tue) by foom (subscriber, #14868) [Link]
Good job, you managed to fit insult, condescension, bitter contempt, mock helpfulness, and
rumor-mongering into your comment.
Quite an accomplishment. But if you want to continue in that vein, slashdot is over there...
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 6:20 UTC (Tue) by nix (subscriber, #2304) [Link]
Well done for proving my point, you offensive twerp. That's one of the
most gratuitously nasty comments I've read anywhere, ever. I don't know who you are, but whatever code you've worked on I don't want to use: I don't think it's trustworthy if its upstream guardians accept contributions from someone as unpleasant as you.
I really really want an LWN killfile that I can use without switching to
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 2:40 UTC (Wed) by dersteppenwolf (guest, #58226) [Link]
I fear part of my comment might be understandable only to a small subset of the readers here, or, the person itself who has been referred. It wasn't just IRIX by the way, although that's likely the least useful of his "achievements". Whether you believe this or not, sir, is moot.
Regarding your "I don't want to use your code" claim, I'll start a short run down on other offensive, troubled and criminal twerps that have successfully contributed to the Linux source code in the past decade:
- Hans Reiser (developer of the reiserfs filesystem, among other things), convicted of second degree murder of his wife, Nina Reiser, mother of two. He further argued she was involved in BSDM sexual activities and made the kids aware of them. Also, argued she was an alcoholic, besides having an affair with another man.Not only he murdered the mother of his children, he also tried to tarnish her reputation even after she was dead. One cool dude.
- Jon "maddog" Hall (instrumental on providing hardware and resources for Linus to finish the very first stable milestones of the kernel), with severe anger management issues which got him his nickname.
- The dozens of other political activists in there who could have an agenda of their own.
The list goes on.
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 3:09 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
Hans Reiser's contributions to the kernel were before his criminal actions (or do you claim that everyone should have known what he would do years later?)
but his attitude and actions had a _lot_ to do with the fact that his later work didn't make it into the kernel (sound familiar here?)
Maddog has been very nice and polite in my interactions with him, so whatever anger management issues that he has don't affect his interactions with the community.
as far as political activists, they keep their politics out of their techinical discussions (and when they don't they get slapped down)
of these examples, Hans is the only one who was really bad in his discussions, and that caused significant delays in any of his work getting added.
the examples that you guys are giving are as bad as Hans at his worst, and you think that people don't want to deal with you or your code (which would mean dealing with you as a maintainer) because they want linux to be insecure????? get real, they just don't want to deal with the abuse.
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 7:27 UTC (Wed) by nix (subscriber, #2304) [Link]
Actually dersteppenwolf is substantially worse. I've never seen any kernel
contributor act like dersteppenwolf is (maybe he's drunk?)
Hans's problem (er, contribution-related problem, not murder-related
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 8:17 UTC (Wed) by dersteppenwolf (guest, #58226) [Link]
I'm krunk, not drunk. It's just too good that I've got diarrhea, so I can reply to all your substantially meaningless responses from the comfort of my toilet. Otherwise I wouldn't even bother replying.
Thanks sir, for proving yourself to be such an useless entertainment in my days of stomach infection solitude.
Meanwhile, could we get back to the topic at issue? Or choose some other one equally entertaining. How about talking about why kernel developers obscure vulnerabilities as denial of service issues when they are perfectly exploitable?
Regarding splitting up grsecurity and submitting patches to the maintainers, I think it was done in the past with hopeless results, but great attitude.
You know what, I just hope your personal information ends up splattered on some public site someday so we can all look back to this moment and laugh at your utter disregard and arrogance. You read that right. You most likely can't even grasp the nature of PaX or any of its concepts, yet you are here making claims about it. Guess that's why you resort to second guess and criticize the alleged attitude of its maintainer, who has more acumen in this area than any of us, and could possibly papa you about any system internals question.
With all due respect, please go fuck yourself. Now I'm gonna wipe my ass with pages printed from this thread and pray this diarrhea gets sorted out soon or I'll feel too tempted to delve deep into your innuendo. You goddamn pseudo grown up with the maturity and self stem of a 12 year old baboon.
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 9:01 UTC (Wed) by hppnq (guest, #14462) [Link] How about talking about why kernel developers obscure vulnerabilities as denial of service issues when they are perfectly exploitable? If you mean the SCTP one referenced on this page, it looks serious, but it is not "perfectly exploitable" in the real world. You may not (want) to understand this, but in general, people will try to make a realistic assessment of the actual threat -- developers, distributors and also a few serious security researchers. In any case, security should be discussed and handled by people with at least some grasp of reality. Thinking that anyone can be on the right side of the thin line between right and wrong is part of the problem. It is typical that you don't understand this. (The patch for the SCTP vulnerability was available last year, by the way. My distribution was updated some weeks ago.)
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 9:17 UTC (Wed) by nix (subscriber, #2304) [Link]
OK, so as well as being pointlessly insulting you can't read. I never said
that either PaX nor grsecurity were bad. I've used both and think they're excellent pieces of work and that both the anonymous PaXteam and spender are superb at spotting holes. They're just hopeless at the social-oil part which makes it even slightly plausible that anyone else will pick up what they do in any larger project.
(And, well, I had a dig. One comment during the 2.6 freeze, obviously
... sheesh, why am I even responding to someone whose idea of cogent
ENOUGH Posted Apr 29, 2009 12:49 UTC (Wed) by corbet (editor, #1) [Link] OK, this thread has gone well beyond anything useful. Please stop here. Now."dersteppenwolf": this is not the sort of commentary that is welcome on LWN. You are not the only offender here, but you've been pushing the boundaries. Please stop.
ENOUGH Posted Apr 29, 2009 17:44 UTC (Wed) by nix (subscriber, #2304) [Link]
*Thank* you.
(I'll admit I suck at knowing when to stop, too. I'll shut up in this
ENOUGH Posted May 1, 2009 12:45 UTC (Fri) by dersteppenwolf (guest, #58226) [Link]
Corbet, please accept my most sincere apologies. I couldn't help it but defend myself against the obvious libelous and disrespectful attitude of this person and others, and felt morally obliged to comply with my ethical duties and present my personal perspective on these matters.
I did my best to try to get along and have a well mannered discussion here, but these people aren't the least interested on a civilized interaction. They come here with lies and banter, meaningless follow-ups which don't add anything of interest, but project their flaws and personal views in such a fascist way that any attempt to communicate with them ends in failure.
In addition, when they've been left out of arguments to support their claims, they resort to insulting people and calling them out as 'trolls'. I don't even know what they mean by 'troll' in this sense. Are they trying to make jokes about my physical appearance or disabilities?
Sigh, I had a better opinion of the Linux fan base until today.
ENOUGH Posted May 1, 2009 13:26 UTC (Fri) by Los__D (guest, #15263) [Link]
o_O
Hats off. That must be the best "fake hurt"-playing I ever saw.
ENOUGH Posted May 1, 2009 13:28 UTC (Fri) by corbet (editor, #1) [Link] You're still doing it. I'm honestly uninterested in assigning blame for the direction of this discussion. Please let's just stop.
ENOUGH Posted May 1, 2009 14:06 UTC (Fri) by dersteppenwolf (guest, #58226) [Link]
OK, I'm done with it as well. Like I said, I tried my best to get along.
BTW, is there any possibility in the future of allowing images to be included in comments? It would be quite beneficial in threads like this and some time ago It was impossible to put some diagrams on a SELinux related thread. Without those it's quite difficult to give proper explanations about some of the security models implemented (including MLS).
Keep up the great work with the site.
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 2:31 UTC (Wed) by k8to (subscriber, #15413) [Link]
Wow.
This is a new record in lows.
The details on loading rootkits via /dev/mem Posted Apr 29, 2009 7:12 UTC (Wed) by nix (subscriber, #2304) [Link]
It looks kind of libellous to me. If RH were a UK company, or LWN were
hosted in the UK, with its libel laws (so harsh that even UK MPs think they're crazy), I suspect Jon would have ripped the comment down for his own safety. (At least I hope he would have.)
'dersteppenwolf' seems like a very alt.syntax.tactical-style troll name to
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 4:19 UTC (Tue) by spender (subscriber, #23067) [Link]
Have some hashes:
spender@www:~$ md5sum ./devmem
See you in a couple years when someone figures it out. Unfortunately there's no one else involved in Linux kernel development who actually cares about improving security. They enjoy the mere appearance of security (the ability to claim they have ASLR and other protections), but don't bother to follow through. And that's why you end up with:
http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf
These have been public for weeks and are still unfixed. Whoever you think is in charge of the kernel's security is obviously asleep at the wheel.
I hope it's clear to everyone reading that objectivity doesn't matter to you: "I don't know who's correct or who isn't. I don't care." But instead, what's of utmost importance to you is that people "play nice."
Here's a better idea: if you don't have anything technical to offer, don't bother replying. If you know you're out of your element, don't bother replying, or just admit that you don't know what you're talking about. A person who's sitting on an exploit for the subject being discussed is unlikely to change his viewpoint.
-Brad
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 5:40 UTC (Tue) by patrick_g (subscriber, #44470) [Link] >>> Whoever you think is in charge of the kernel's security is obviously asleep at the wheel.Linux development is open. If nobody is in charge of the kernel's security why don't you take in charge this role? Of course you must learn to interact well with other in the community but patchs are very welcome.
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 6:24 UTC (Tue) by nix (subscriber, #2304) [Link]
Um, just checking. This is the person who was castigating the -stable team
for not releasing bugfixes until they could be sure if they were security holes and they had working exploits, no matter how long it took, *and* simultaneously that the holes existed in the first place...
... *posting hashes of descriptions of exploits rather than the fix*?!
Any claim you make henceforward that you're interested in *anything* other
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 12:47 UTC (Tue) by spender (subscriber, #23067) [Link]
You may disagree, but I choose not to contribute in such a way as if the people involved in Linux kernel development acted like other responsible companies who properly handle security. When you have exploits of your own, feel free to share them, but speaking for myself I refuse to support their policy of silently fixing vulnerabilities.
I will continue to do as I have done for the past 8 years and fix these issues within grsecurity. If the kernel developers are as capable as Linus claims to be able to backport silent vulnerability fixes, surely they can spot the fixes in grsecurity as well. The source is available to everyone, after all.
Regarding your summary of my view on how vulnerabilities *known to the developers* in the Linux kernel could better be handled, it's as wrong as it was last year when we corrected you on it. To say that I advocated "not releasing bugfixes until they could be sure if they were security holes and they had working exploits, no matter how long it took" is just pure trolling, and anyone who has read our past posts knows that. If you want to see how it can be handled (a little) better, see Chris Wright's announcement for the latest kernel.
-Brad
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 13:49 UTC (Tue) by hppnq (guest, #14462) [Link] Instead you choose to foam at the mouth on a public news website, like, err, other responsible companies.I am actually interested in your /dev/mem pagetable exploit, by the way. Just curious. Is it a bit like this, or are these people also hopelessly incompetent idiots who need to be taught a lesson?
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 14:27 UTC (Tue) by spender (subscriber, #23067) [Link]
If you're referring to this attack in Section 4.2 of the paper:
void remap_kernel_code() {
This is the same method used by the Phalanx2 rootkit which was already discussed above. It's not the method the PaX team and I referred to, which as I've already mentioned needs only use read/write within the first 1MB of /dev/mem, as is allowed by the mainline protection.
But if you're talking about the one in Section 4.1, you're getting warmer.
Though it sounds like the solution provided in Section 5.1 would do the trick against the attacks in Sections 4.1/4.2 as well as our attack, there's also a much easier way to solve all three problems (since in a way, they're all facets of a single problem).
If you do the work to research it, given the details we've already mentioned, I'm pretty confident you can figure out the problem and how to fix it as well.
Completely unrelated, but somewhat "breaking" news: http://kernelbof.blogspot.com/
-Brad
The details on loading rootkits via /dev/mem Posted Apr 28, 2009 14:39 UTC (Tue) by spender (subscriber, #23067) [Link]
Also, in case it wasn't clear from the previous post, the "much easier way" to solve the problems referred only to this particular scenario we're discussing with /dev/mem. It should be clear that the protection discussed in the paper is useful against kernel exploitation as well and in fact is quite close to the concept of KERNSEAL which the PaX team came up with in 2003. Google reveals a couple results on KERNSEAL, but the PaX team hasn't released a definitive explanation of the implementation, which is likely why it wasn't referenced by the paper you linked to.
-Brad
Checking the attributions ... Posted Apr 29, 2009 0:01 UTC (Wed) by AnswerGuy (guest, #1256) [Link]
Regarding "to the point where I have to check the author lines to see if it's not secretly one and the same person."
... it's possible that they are secretly one person and that this is a case of deliberate astroturfing.
Personally I would think it would be rather crude and ineffective astroturfing --- I think the better techniques involve inserting criticism which superficially seems "helpful" and constructive while providing snippets that can be taken out of context by the front line "analyst" flaks.
But then ... what would I know?
JimD
Checking the attributions ... Posted Apr 29, 2009 6:48 UTC (Wed) by nix (subscriber, #2304) [Link]
They're different people in the real world of the internet, outside of
LWN: and of course as you know you can believe everything you see there.
|
|||||||||||||