
Re: [PATCH 1/9] Known exploit detection

From:  Ryan Mallon <rmallon-AT-gmail.com>
To:  Kees Cook <keescook-AT-chromium.org>, Theodore Ts'o <tytso-AT-mit.edu>, vegard.nossum-AT-oracle.com, LKML <linux-kernel-AT-vger.kernel.org>, Tommi Rantala <tt.rantala-AT-gmail.com>, Ingo Molnar <mingo-AT-kernel.org>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, Andy Lutomirski <luto-AT-amacapital.net>, Daniel Vetter <daniel.vetter-AT-ffwll.ch>, Alan Cox <alan-AT-linux.intel.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Jason Wang <jasowang-AT-redhat.com>, "David S. Miller" <davem-AT-davemloft.net>, Dan Carpenter <dan.carpenter-AT-oracle.com>, James Morris <james.l.morris-AT-oracle.com>
Subject:  Re: [PATCH 1/9] Known exploit detection
Date:  Fri, 13 Dec 2013 10:50:32 +1100
Message-ID:  <52AA4BC8.1080207@gmail.com>

On 13/12/13 08:13, Kees Cook wrote:
> On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <tytso@mit.edu> wrote:
>> On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@oracle.com wrote:
>>> From: Vegard Nossum <vegard.nossum@oracle.com>
>>>
>>> The idea is simple -- since different kernel versions are vulnerable to
>>> different root exploits, hackers most likely try multiple exploits before
>>> they actually succeed.
> 
> I like this idea. It serves a few purposes, not the least of which is
> very clearly marking in code where we've had problems, regardless of
> the fact that it reports badness to the system owner. And I think
> getting any additional notifications about bad behavior is a nice idea
> too.

Though, if an attacker is running through a series of exploits, and one
eventually succeeds then the first thing to do would be to clean traces
of the _exploit() notifications from the syslog. Since running through a
series of exploits is pretty quick, this can probably all be done before
the sysadmin ever notices.

The _exploit() notifications could also be used to spam the syslogs.
Although they are individually ratelimited, if there are enough
_exploit() markers in the kernel then an annoying person can cycle
through them all to generate large amounts of useless syslog.

~Ryan
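To make the rate-limit point concrete, here is an added Python model (not code from the patch or from the message above) comparing per-marker and global rate limiting of the notifications, plus a defender-side aggregate check in the spirit of the original "multiple exploits" idea. The interval and burst values are assumed to mirror the kernel's printk ratelimit defaults (5 s, 10 messages); the marker names and the workload are constructed.

```python
"""Model: per-marker vs. global rate limiting of kernel exploit notifications."""
from collections import defaultdict

# Assumed defaults, modelled on DEFAULT_RATELIMIT_INTERVAL (5 s) / DEFAULT_RATELIMIT_BURST (10).
INTERVAL = 5.0
BURST = 10


class RateLimit:
    """Fixed-window limiter: allow at most `burst` events per `interval` seconds."""

    def __init__(self, interval=INTERVAL, burst=BURST):
        self.interval, self.burst = interval, burst
        self.window_start = None
        self.count = 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start, self.count = now, 0
        if self.count < self.burst:
            self.count += 1
            return True
        return False


def simulate(events, per_marker=True, global_limit=None):
    """events: list of (timestamp, marker). Returns how many messages reach the log."""
    limiters = defaultdict(RateLimit)           # one limiter per marker, as in the patch
    glob = RateLimit(*global_limit) if global_limit else None  # optional shared budget
    logged = 0
    for ts, marker in events:
        if per_marker and not limiters[marker].allow(ts):
            continue
        if glob is not None and not glob.allow(ts):
            continue
        logged += 1
    return logged


def cycling_events(n_markers, rounds, step=0.001):
    """Constructed workload: cycle through every marker `rounds` times, one event per ms."""
    return [(i * step, f"MARKER-PLACEHOLDER-{i % n_markers}") for i in range(n_markers * rounds)]


def distinct_markers_alert(events, window=INTERVAL, threshold=3):
    """Defender-side check: flag when more than `threshold` distinct markers fire in one window."""
    last_seen = {}
    for ts, marker in events:
        last_seen[marker] = ts
        if sum(1 for t in last_seen.values() if ts - t < window) > threshold:
            return True
    return False
```

With 200 markers cycled 20 times inside one window, per-marker limiting still lets 2000 lines through, while a single shared budget caps it at 10; the aggregate check fires on the burst either way.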





Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds