| |||||||||||||
A nasty local kernel vulnerabilityA nasty local kernel vulnerabilityPosted Feb 26, 2013 21:39 UTC (Tue) by aggelos (subscriber, #41752)In reply to: A nasty local kernel vulnerability by khim Parent article: A nasty local kernel vulnerability
Two points:
a) Your analogy to the physical world is inapplicable as the potential for exploitation at a massive scale changes the economics considerably.
b) The Average Joe has no clue about the severity of a vulnerability or about the sophistication of the current generation of attacks. It would be good news if your Average (I assume, Professional) Joe did an actual cost/benefit analysis but, at least in my experience, they generally have neither the expertise nor the professionalism to do that.
(Log in to post comments)
A nasty local kernel vulnerability Posted Feb 27, 2013 7:30 UTC (Wed) by paulj (subscriber, #341) [Link]
An individual with 1 computer cannot be exploited at a massive scale. Indeed, even if exploitation of many individuals - at a massive scale - occurs, the risk to any 1 individual may still be minimal.
The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. What khim wrote stands for them.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:27 UTC (Wed) by khim (subscriber, #9252) [Link] The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. It's even worse then that. This discussion was started when it was known that "economies of scale" was broken (automatic exploit didn't work). Now the question becomes extremely technical: yes, we know that you need some offsets for any custom build of kernel, but is it something attacker can automatically guess from System.map or is it something attacker need to painstakingly dig from memory using esoteric debugging techniques? The natural assumption is that you need to use esoteric debugging techniques, but if the situation is different in some cases you'll never hear from PaX && Brad directly about that which turns their messages to classic "cry wolf" messages.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:47 UTC (Wed) by paulj (subscriber, #341) [Link]
If I understand the earlier discussion correctly, the PoC exploit doesn't automatically determine the offsets, but other code exists to do that. All you that needs to be done is combine the two - PaXTeam and Spender just havn't done so (perhaps deliberately). In which case, the attack can work perfectly well at scale.
As per your comment earlier, it's still not a massive problem for many specific entities, even if it's still a significant problem for the general internet eco-system (giving bad people control of things to use as staging posts for further bad stuff, etc.).
A nasty local kernel vulnerability Posted Feb 27, 2013 11:12 UTC (Wed) by khim (subscriber, #9252) [Link] If I understand the earlier discussion correctly, the PoC exploit doesn't automatically determine the offsets, but other code exists to do that. Yes, that's true, but can you glean this information from summarily unhelpful looks like you shouldn't be giving out advices (i thought you'd learned that in the past already ;). reading the actual exploit (never mind the posted output) would help explain why it didn't work on the 3.8 kernel message? Yes, message is 100% correct, but as we now know thread opener already knew just why exploit does not work — but he probably had no idea if there are exist code which can automatically find offsets or not. And instead of giving him the useful information the only thing message contained is sneers. As per your comment earlier, it's still not a massive problem for many specific entities, even if it's still a significant problem for the general internet eco-system (giving bad people control of things to use as staging posts for further bad stuff, etc.). Right, but can you ever find this information (the only information interesting for average LWN reader) in PaX && Brad opuses? Nope. But you'll find plenty of riddles and endless hubris in them. Not a good way to attract people's attention, really.
A nasty local kernel vulnerability Posted Feb 27, 2013 12:57 UTC (Wed) by spender (subscriber, #23067) [Link]
Hi khim,
While you were busy attacking your straw man (if you think our position involves massive security spending or constant patching, you clearly know nothing about us), I was posting exploitation notes in another forum where such information is actually valued instead of squandered on the likes of you. All the information you could want is available -- if you cared about security (which it does not seem that you do) you would be using additional sources to obtain it.
Would you prefer that I publish a weaponized exploit for the vulnerability or something? I can only imagine the kinds of complaints that would generate here and elsewhere. You appear to be whining about it not existing and insinuating that that's because it's impossible. The exploitation notes should clear up that this is trivial on vanilla Linux, not that facts appear to matter to you.
http://www.reddit.com/r/netsec/comments/198g7i/cve_201317...
I much prefer other forums where idiotic comments are downvoted to obscurity where they belong. It makes it much easier for people to see useful content.
-Brad
A nasty local kernel vulnerability Posted Feb 27, 2013 13:12 UTC (Wed) by mpr22 (subscriber, #60784) [Link] It seems to me that the overlap between "community capable of using downvote-to-obscurity systems responsibly" and "communities with any genuine need for a downvote-to-obscurity system in the first place" is likely to be extremely small. Downvote-to-obscurity systems don't directly cause groupthink, but they certainly facilitate its development.
A nasty local kernel vulnerability Posted Feb 27, 2013 14:17 UTC (Wed) by khim (subscriber, #9252) [Link] While you were busy attacking your straw man (if you think our position involves massive security spending or constant patching, you clearly know nothing about us), I was posting exploitation notes in another forum where such information is actually valued instead of squandered on the likes of you. Let me translate from English to English: while people here tried to understand what effect this exploit can have you've only posted snide remarks here and expressly refused to help because audience here does not worship you enough. It's your choice, of course, but then you should not be surprised by the reaction. I mean: you've spent a lot of time and efforts to make sure people on LWN will perceive you as "this asshole who never says anything concrete and just plays some great guru who has right to ridicule everyone else without a substantial reason" — and now you are surprised that people treat you as such asshole? Few people who do know what you actually do are trying to fix this perception but of course they can't do anything: direct words "from horse's mouth" are more potent by far then third-party narrations. Would you prefer that I publish a weaponized exploit for the vulnerability or something? Nope. Sane explanation of what goes on will be enough. Here is the example of sane explanation. Here is the example of snakeoil salesmen pitch (mixed with the deep technical details which are of no interest to most users). People who are sold on grsecurity already don't need it and people who are not sold will start to ignore it after few repeats of "you were owned before the distro even pushed an update" with no observed consequences (that's the "wolf" cry I've talked about).
A nasty local kernel vulnerability Posted Feb 27, 2013 15:19 UTC (Wed) by malor (subscriber, #2973) [Link]
As far as I'm concerned, you're both towering assholes, and all this verbiage is accomplishing precisely nothing.
You'd both do well do stop waving your electronic genitalia.
A nasty local kernel vulnerability Posted Feb 27, 2013 15:46 UTC (Wed) by PaXTeam (subscriber, #24616) [Link]
> while people here tried to understand what effect this exploit can have
first, they did not (provide evidence that they did. no, running the exploit is not evidence of that.) second, as i explained so many times, you don't care about exploits, you care about exploitable bugs, regardless of an exploit that you may very well never get your hands on (but your attackers may/will). please stop spreading this bullshit attitude, this is exactly one of the biggest problems with people who are in charge of security somewhere but are incompetent to the point that without a weaponized exploit or worse, getting completely owned they would never consider fixing the problems.
> you've only posted snide remarks here and expressly refused to help
that help was already in the article, including the linked ones too: there is an exploitable kernel bug, no ifs and buts about it. go fix it yourself if you can, wait for your distro otherwise. no other piece of information is needed if you only care about defense! and forgive me if i refuse to play on the attacker side and help people write weaponized exploits. pretty please? ;)
> I mean: you've spent a lot of time and efforts to make sure people on
do you have evidence that we don't provide 'anything concrete'? spoonfeeding weaponized exploit info doesn't count of course (albeit spender has been quilty of even that but then i don't expect you know, it's so much easier to throw out random shit without evidence, aint't it ;). and yes, we do ridicule idiots such as yourself, but you see biased samples don't statistics make (may i refer you to the same wikipedia article that i suggested nix to read as well? ;).
> and now you are surprised that people treat you as such asshole?
and that statistics is based on what evidence exactly? oh wait, the usual 'i made it up because that is what fits my distorted reality'. second, what does it matter (seemingly to you, but not us) what anyone thinks of us? does that change anything? not us apparently. then why do you care? do *you* change when others think of you as an asshole? yeah, i didn't think so either ;). third time i'm reminded of Einstein. the guy knew something.
Enough? Posted Feb 27, 2013 16:18 UTC (Wed) by corbet (editor, #1) [Link] I get the sense that the few people still following this thread have a fairly good idea of what the participants think of each other at this point. So maybe we could stop here? Seriously, personal attacks don't help the conversation, let's try to do rather less of that, OK?
A nasty local kernel vulnerability Posted Feb 27, 2013 11:00 UTC (Wed) by aggelos (subscriber, #41752) [Link] An individual with 1 computer cannot be exploited at a massive scale. Indeed, even if exploitation of many individuals - at a massive scale - occurs, the risk to any 1 individual may still be minimal. The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. What khim wrote stands for them.Sigh. Being able to attack at a massive scale (and being able to easily monetize exploited systems) makes writing an exploit way more attractive to a group of skilled people with no qualms about how to make money (nevermind the power trip factor). That means that any individual's chance of getting owned is significantly higher than if mass exploitation wasn't possible. Therefore mass exploitation changes the economics of a cost/benefit analysis. QED.
|
|||||||||||||