
Just a small note...

Posted Nov 20, 2011 19:51 UTC (Sun) by khim (subscriber, #9252)
In reply to: Interesting idea, but... by tshow
Parent article: That newfangled Journal thing

> With text-based logging, the attacker would have to replace nearly every binary in the system to prevent you from reading the real log (though they could probably guess and just hit less, vi and tail...), so it's easier to rewrite the log.

Actually, the attacker only needs to inject a small kernel module and that's it. There is plenty of material for script kiddies on the internet.

> If I were attacking a system with this kind of logging, what I would be trying to do is (1) replace the log reader with something that lies, and (2) try to get an overflow attack into the actual log data so that if someone tries uncorrupted tools I can corrupt them from within.

Well, an overflow in the log reader tool is a valid concern at least. I guess feasibility will depend on the size of these tools, but yes, this is a pretty scary thing. Of course there are plenty of sandbox options for you to use (seccomp, NaCl, etc.), but still, this is a valid concern.



Just a small note...

Posted Nov 20, 2011 19:57 UTC (Sun) by tshow (subscriber, #6411)

> Well, overflow in log reader tool is valid concern at least.

It can be (mostly) mitigated by ensuring that the log format is simple and the log reader is paranoid, but it's definitely worth paying attention to. The more self-referential the log format is, the more nightmarish it gets to ensure the reader is bulletproof.
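The "simple format, paranoid reader" approach tshow describes, shown as an added example that is neither a commenter's code nor anything from the journal project. The record format here (a 4-byte little-endian length followed by that many bytes of message text) is an assumption chosen for illustration; the point is that the reader bounds every value it takes from the log before using it, so a record whose length field has been tampered with cannot push the reader past its buffer, and a record carrying control bytes is refused rather than passed to the operator's terminal.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record format, an assumption for this example only:
 *   [u32 little-endian length][length bytes of message text]
 * The length field is attacker-influenced data, so it is checked twice:
 * against a fixed ceiling and against the bytes actually present. */
#define MAX_RECORD_LEN 4096

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_BAD_CHAR };

/* Parses one record from buf[0..len). On success sets *rec/*rec_len to the
 * payload and *consumed to the bytes used. Never reads beyond len. */
enum parse_status read_record(const uint8_t *buf, size_t len, size_t *consumed,
                              const uint8_t **rec, size_t *rec_len)
{
    if (len < 4)
        return PARSE_TRUNCATED;
    uint32_t n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                 ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (n > MAX_RECORD_LEN)            /* cap first: the field is not trusted */
        return PARSE_TOO_LONG;
    if (n > len - 4)                   /* compare to what remains; no 4+n addition that could wrap */
        return PARSE_TRUNCATED;
    for (uint32_t i = 0; i < n; i++) {
        uint8_t c = buf[4 + i];
        /* Refuse NUL, ESC and other control bytes (tab excepted): a log line is
         * shown on a terminal, and the reader should not relay escape sequences. */
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return PARSE_BAD_CHAR;
    }
    *rec = buf + 4;
    *rec_len = n;
    *consumed = 4 + (size_t)n;
    return PARSE_OK;
}

/* Bounded copy of a record into a fixed display buffer. This is the step where a
 * naive reader that memcpy()s the untrusted length would overflow. Returns bytes written. */
int render_record(const uint8_t *rec, size_t rec_len, char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    size_t n = rec_len < out_size - 1 ? rec_len : out_size - 1;
    memcpy(out, rec, n);
    out[n] = '\0';
    return (int)n;
}

/* Walks a buffer of records; stops at the first malformed one and reports why.
 * *count receives the number of well-formed records before the stop. */
enum parse_status scan_log(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        const uint8_t *rec;
        size_t rec_len, consumed;
        enum parse_status st = read_record(buf + off, len - off, &consumed, &rec, &rec_len);
        if (st != PARSE_OK)
            return st;
        (*count)++;
        off += consumed;
    }
    return PARSE_OK;
}

size_t scan_count(const uint8_t *buf, size_t len)
{
    size_t c;
    scan_log(buf, len, &c);
    return c;
}

enum parse_status scan_status(const uint8_t *buf, size_t len)
{
    size_t c;
    return scan_log(buf, len, &c);
}

/* Constructed sample logs (not real journal data). */
static const uint8_t GOOD_LOG[]      = { 5,0,0,0, 'h','e','l','l','o',  3,0,0,0, 'b','y','e' };
static const uint8_t OVERSIZED_LOG[] = { 0xff,0xff,0xff,0xff, 'x' };   /* length field says 4 GiB */
static const uint8_t TRUNCATED_LOG[] = { 10,0,0,0, 'a','b','c' };      /* claims 10, has 3 */
static const uint8_t ESCAPE_LOG[]    = { 4,0,0,0, 0x1b,'x','y','z' };  /* ESC inside the text */

int main(void)
{
    const uint8_t *logs[] = { GOOD_LOG, OVERSIZED_LOG, TRUNCATED_LOG, ESCAPE_LOG };
    size_t sizes[] = { sizeof GOOD_LOG, sizeof OVERSIZED_LOG, sizeof TRUNCATED_LOG, sizeof ESCAPE_LOG };
    const char *names[] = { "PARSE_OK", "PARSE_TRUNCATED", "PARSE_TOO_LONG", "PARSE_BAD_CHAR" };
    for (size_t i = 0; i < 4; i++) {
        size_t count;
        enum parse_status st = scan_log(logs[i], sizes[i], &count);
        printf("log %zu: %zu record(s) ok, stopped with %s\n", i, count, names[st]);
    }
    char out[8];
    render_record(GOOD_LOG + 4, 5, out, sizeof out);   /* bounded even if rec_len were huge */
    printf("first record: %s\n", out);
    return 0;
}
```

The three rejected inputs are exactly the cases an attacker who can write into the log would aim at: a length that overstates the payload, a length that understates the remaining bytes, and raw control bytes. Keeping the format to a length and a byte string (no offsets that point at other records, no nested structures) is what makes those three checks sufficient, which is the sense in which a self-referential format becomes harder to read safely.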


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds