From: Ryan Mallon <rmallon-AT-gmail.com>
To: Kees Cook <keescook-AT-chromium.org>, Theodore Ts'o <tytso-AT-mit.edu>, vegard.nossum-AT-oracle.com, LKML <linux-kernel-AT-vger.kernel.org>, Tommi Rantala <tt.rantala-AT-gmail.com>, Ingo Molnar <mingo-AT-kernel.org>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, Andy Lutomirski <luto-AT-amacapital.net>, Daniel Vetter <daniel.vetter-AT-ffwll.ch>, Alan Cox <alan-AT-linux.intel.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Jason Wang <jasowang-AT-redhat.com>, "David S. Miller" <davem-AT-davemloft.net>, Dan Carpenter <dan.carpenter-AT-oracle.com>, James Morris <james.l.morris-AT-oracle.com>
Subject: Re: [PATCH 1/9] Known exploit detection
Date: Fri, 13 Dec 2013 10:50:32 +1100
On 13/12/13 08:13, Kees Cook wrote:
> On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <firstname.lastname@example.org> wrote:
>> On Thu, Dec 12, 2013 at 05:52:24PM +0100, email@example.com wrote:
>>> From: Vegard Nossum <firstname.lastname@example.org>
>>>
>>> The idea is simple -- since different kernel versions are vulnerable to
>>> different root exploits, hackers most likely try multiple exploits before
>>> they actually succeed.
>
> I like this idea. It serves a few purposes, not the least of which is
> very clearly marking in code where we've had problems, regardless of
> the fact that it reports badness to the system owner. And I think
> getting any additional notifications about bad behavior is a nice idea
> too.

Though, if an attacker is running through a series of exploits, and one
eventually succeeds, then the first thing to do would be to clean traces
of the _exploit() notifications from the syslog. Since running through a
series of exploits is pretty quick, this can probably all be done before
the sysadmin ever notices.

The _exploit() notifications could also be used to spam the syslogs.
Although they are individually ratelimited, if there are enough
_exploit() markers in the kernel then an annoying person can cycle
through them all to generate large amounts of useless syslog.

~Ryan
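An added illustration of the second point above (example code written for this page, not part of the thread or of the patch series): a toy interval/burst rate limiter, modelled on the shape of the kernel's ratelimit state but not its code, used to compare how much reaches syslog when every _exploit() marker carries its own limiter against a single limiter shared by all markers. The marker count, trigger rate and run length are assumed sample values; the interval and burst match the default printk ratelimit of 10 messages per 5 seconds.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy rate limiter: at most `burst` messages per `interval` seconds,
 * with the window restarting on the first message after it expires.
 * Same interval/burst shape as the kernel's ratelimit state; not the
 * kernel's implementation.
 */
struct rl_state {
    long interval;  /* window length in seconds */
    long burst;     /* messages allowed per window */
    long begin;     /* start of the current window, -1 before first use */
    long printed;   /* messages emitted in the current window */
    long missed;    /* messages suppressed in the current window */
};

static void rl_init(struct rl_state *s, long interval, long burst)
{
    s->interval = interval;
    s->burst = burst;
    s->begin = -1;
    s->printed = 0;
    s->missed = 0;
}

/* Returns 1 if a message at time `now` may be emitted, 0 if suppressed. */
static int rl_allow(struct rl_state *s, long now)
{
    if (s->begin < 0 || now - s->begin >= s->interval) {
        s->begin = now;
        s->printed = 0;
        s->missed = 0;
    }
    if (s->printed < s->burst) {
        s->printed++;
        return 1;
    }
    s->missed++;
    return 0;
}

struct sim_result {
    long per_marker;  /* lines emitted with one limiter per marker */
    long global;      /* lines emitted with one limiter shared by all markers */
};

/*
 * Simulate one process cycling through `nmarkers` markers, triggering
 * `rate` of them per second for `seconds` seconds, and count how many
 * log lines each limiting scheme lets through. Sample parameters only.
 */
static struct sim_result simulate(int nmarkers, long rate, long seconds,
                                  long interval, long burst)
{
    struct sim_result r = {0, 0};
    struct rl_state *per = calloc((size_t)nmarkers, sizeof *per);
    struct rl_state shared;
    long t, k, hits = 0;
    int i;

    for (i = 0; i < nmarkers; i++)
        rl_init(&per[i], interval, burst);
    rl_init(&shared, interval, burst);

    for (t = 0; t < seconds; t++) {
        for (k = 0; k < rate; k++) {
            int m = (int)(hits++ % nmarkers);   /* round-robin over markers */
            r.per_marker += rl_allow(&per[m], t);
            r.global += rl_allow(&shared, t);
        }
    }
    free(per);
    return r;
}

static long emitted_per_marker(int n, long rate, long sec, long interval, long burst)
{
    return simulate(n, rate, sec, interval, burst).per_marker;
}

static long emitted_global(int n, long rate, long sec, long interval, long burst)
{
    return simulate(n, rate, sec, interval, burst).global;
}

int main(void)
{
    /* Assumed sample workload: 50 markers, 1000 triggers/s, for one minute. */
    struct sim_result r = simulate(50, 1000, 60, 5, 10);
    printf("per-marker limiters: %ld lines\n", r.per_marker);
    printf("one shared limiter:  %ld lines\n", r.global);
    return 0;
}
```

With per-marker limiting the emitted volume scales with the number of markers (each one gets its own 10-per-5-seconds budget), while a single shared limiter caps the whole family of notifications at the same budget regardless of how many markers exist, which is the property a sysadmin would want from a log source an unprivileged user can trigger at will.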