
Re: [PATCH 1/9] Known exploit detection

From:  Ryan Mallon <>
To:  Kees Cook <>, Theodore Ts'o <>, LKML <>, Tommi Rantala <>, Ingo Molnar <>, "Eric W. Biederman" <>, Andy Lutomirski <>, Daniel Vetter <>, Alan Cox <>, Greg Kroah-Hartman <>, Jason Wang <>, "David S. Miller" <>, Dan Carpenter <>, James Morris <>
Subject:  Re: [PATCH 1/9] Known exploit detection
Date:  Fri, 13 Dec 2013 10:50:32 +1100
Message-ID:  <>
Archive-link:  Article

On 13/12/13 08:13, Kees Cook wrote:
> On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <> wrote:
>> On Thu, Dec 12, 2013 at 05:52:24PM +0100, wrote:
>>> From: Vegard Nossum <>
>>> The idea is simple -- since different kernel versions are vulnerable to
>>> different root exploits, hackers most likely try multiple exploits before
>>> they actually succeed.
> I like this idea. It serves a few purposes, not the least of which is
> very clearly marking in code where we've had problems, regardless of
> the fact that it reports badness to the system owner. And I think
> getting any additional notifications about bad behavior is a nice idea
> too.

Though, if an attacker is running through a series of exploits, and one
eventually succeeds, then the first thing to do would be to clean traces
of the _exploit() notifications from the syslog. Since running through a
series of exploits is pretty quick, this can probably all be done before
the sysadmin ever notices.

The _exploit() notifications could also be used to spam the syslogs.
Although they are individually ratelimited, if there are enough
_exploit() markers in the kernel then an annoying person can cycle
through them all to generate large amounts of useless syslog.
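Both objections above assume the notifications only ever land in the local syslog. An added example, not part of the patch or of this thread: a small collector-side detector that consumes the kernel lines after they have been shipped to a remote log host (so a post-exploit wipe of the local log does not remove them) and alerts when one uid on one host trips several distinct exploit markers inside a short window, which is exactly the "try several exploits until one works" pattern the patch is meant to surface. The line format (`kernel: exploit attempt: <marker> uid=<n> comm=<name>`), the marker names and the sample log lines are all constructed for this example and are not the format the patch actually prints.

```python
"""Correlate kernel exploit-attempt markers per (host, uid) over a time window.

Added illustration, not code from the patch or the thread. Assumes one
syslog line per *_exploit() hit and that the lines are shipped to a remote
collector, so the local cleanup described in the thread does not erase
them. The line format and sample data below are constructed, not the
patch's real output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed format: "<ISO ts> <host> kernel: exploit attempt: <marker> uid=<n> comm=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: exploit attempt: (?P<marker>\S+) "
    r"uid=(?P<uid>\d+) comm=(?P<comm>\S+)$"
)

# Constructed sample: uid 1000 sweeps four markers in three seconds,
# uid 1001 trips two markers ten minutes apart (noise, not a sweep).
SAMPLE_LOG = """\
2013-12-13T10:40:01 host1 kernel: exploit attempt: marker_a uid=1000 comm=a.out
2013-12-13T10:40:01 host1 kernel: exploit attempt: marker_b uid=1000 comm=a.out
2013-12-13T10:40:02 host1 kernel: exploit attempt: marker_c uid=1000 comm=a.out
2013-12-13T10:40:02 host1 kernel: exploit attempt: marker_a uid=1000 comm=a.out
2013-12-13T10:40:03 host1 kernel: exploit attempt: marker_d uid=1000 comm=a.out
2013-12-13T10:45:00 host1 kernel: exploit attempt: marker_a uid=1001 comm=test
2013-12-13T10:55:00 host1 kernel: exploit attempt: marker_b uid=1001 comm=test
"""


def parse_line(line):
    """Return a dict for an exploit-marker line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "marker": m["marker"],
        "uid": int(m["uid"]),
        "comm": m["comm"],
    }


def detect_exploit_sweeps(lines, window_s=60, min_distinct=3):
    """Alert once per (host, uid) burst when >= min_distinct different markers
    fire within window_s seconds. Returns the list of alerts in log order."""
    recent = defaultdict(deque)   # (host, uid) -> deque of (ts, marker)
    last_alert = {}               # (host, uid) -> ts of the last alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["uid"])
        q = recent[key]
        q.append((ev["ts"], ev["marker"]))
        # Drop events that fell out of the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {mk for _, mk in q}
        if len(distinct) < min_distinct:
            continue
        prev = last_alert.get(key)
        if prev is not None and (ev["ts"] - prev).total_seconds() <= window_s:
            continue  # same burst, already alerted
        last_alert[key] = ev["ts"]
        alerts.append({
            "host": ev["host"],
            "uid": ev["uid"],
            "comm": ev["comm"],
            "first_seen": q[0][0],
            "alert_at": ev["ts"],
            "markers": sorted(distinct),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_exploit_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} uid={a['uid']} comm={a['comm']} "
              f"{len(a['markers'])} distinct markers since {a['first_seen']}: "
              f"{', '.join(a['markers'])}")
```

Keying on distinct markers per uid rather than on raw line count also absorbs the second objection: the per-marker ratelimit in the kernel caps each marker's output, but an attacker cycling through many markers still produces many lines, and a detector that treats "many different markers from one uid in one minute" as a single high-severity event turns that flood into one alert instead of a wall of noise.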



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds