User: Password:
|
|
Subscribe / Log in / New account

Re: [PATCH 1/9] Known exploit detection

From:  Theodore Ts'o <tytso-AT-mit.edu>
To:  vegard.nossum-AT-oracle.com
Subject:  Re: [PATCH 1/9] Known exploit detection
Date:  Thu, 12 Dec 2013 14:06:59 -0500
Message-ID:  <20131212190659.GG13547@thunk.org>
Cc:  linux-kernel-AT-vger.kernel.org, Tommi Rantala <tt.rantala-AT-gmail.com>, Ingo Molnar <mingo-AT-kernel.org>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, Andy Lutomirski <luto-AT-amacapital.net>, Kees Cook <keescook-AT-chromium.org>, Daniel Vetter <daniel.vetter-AT-ffwll.ch>, Alan Cox <alan-AT-linux.intel.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Jason Wang <jasowang-AT-redhat.com>, "David S. Miller" <davem-AT-davemloft.net>, Dan Carpenter <dan.carpenter-AT-oracle.com>, James Morris <james.l.morris-AT-oracle.com>
Archive-link:  Article

On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@oracle.com wrote:
> From: Vegard Nossum <vegard.nossum@oracle.com>
> 
> The idea is simple -- since different kernel versions are vulnerable to
> different root exploits, hackers most likely try multiple exploits before
> they actually succeed.

Suppose we put put this into the mainstream kernel.  Wouldn't writers
of root kit adapt by checking for the kernel version to avoid checking
for exploits that are known not work?  So the question is whether the
additional complexity in the kernel is going to be worth it, since
once the attackers adapt, the benefits of trying to detect attacks for
mitigated exploits will be minimal.

Regards,

							- Ted


(Log in to post comments)


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds