|From:||Kees Cook <keescook-AT-chromium.org>|
|To:||"Theodore Ts'o" <tytso-AT-mit.edu>, Kees Cook <keescook-AT-chromium.org>, vegard.nossum-AT-oracle.com, LKML <linux-kernel-AT-vger.kernel.org>, Tommi Rantala <tt.rantala-AT-gmail.com>, Ingo Molnar <mingo-AT-kernel.org>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, Andy Lutomirski <luto-AT-amacapital.net>, Daniel Vetter <daniel.vetter-AT-ffwll.ch>, Alan Cox <alan-AT-linux.intel.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Jason Wang <jasowang-AT-redhat.com>, "David S. Miller" <davem-AT-davemloft.net>, Dan Carpenter <dan.carpenter-AT-oracle.com>, James Morris <james.l.morris-AT-oracle.com>|
|Subject:||Re: [PATCH 1/9] Known exploit detection|
|Date:||Fri, 13 Dec 2013 10:07:35 -0800|
On Thu, Dec 12, 2013 at 9:27 PM, Theodore Ts'o <email@example.com> wrote: > On Thu, Dec 12, 2013 at 01:13:41PM -0800, Kees Cook wrote: >> > Suppose we put put this into the mainstream kernel. Wouldn't writers >> > of root kit adapt by checking for the kernel version to avoid checking >> > for exploits that are known not work? So the question is whether the >> > additional complexity in the kernel is going to be worth it, since >> > once the attackers adapt, the benefits of trying to detect attacks for >> > mitigated exploits will be minimal. >> >> This is already somewhat the case, but I think this idea still has >> value. The reality of the situation is that the kernels running on an >> end-user's system is rarely a stock upstream kernel. As a result, they >> usually have organization-specific versioning, which makes >> version-only autodetection useless to an attacker. > > Most organizations can't afford to have an in-house kernel team > providing specialized kernels for their server farms or their > customized desktop distributions. :-) > > Some places have publically said that they do this; Google has > publically talked about Goobuntu and their data center production > kernels, and some financial firms on Wall Street have boasted about > how they run with a customized kernel --- although other financial > firms have said they don't want to do that because they don't want to > void their support contract with Red Hat or SuSE. I suspect that at > most shopes, though, the latter is going to be far more common than > the former. We can never really know, but given the evidence I've seen, there are a lot of custom kernels out in the world. That combined with the fact that sloppy attackers will still probe distro kernels, I think the argument that "attackers will fall back to other detection mechanisms" isn't strong enough to convince me that this series lacks value. > Practically speaking, testing for various distribution kernel > versions, as well as specific ChromeOS and Android kernel versions, > wouldn't be that difficult for an attacker, and would probably allow > them to avoid detection for 99% of the Linux systems found in the > wild. It would certainly be useful for detecting attempted attacks > for private kernels where the configuration and security patches > applied for some internal kernel are not public --- and if that caused > the botnet author to be paranoid enough to avoid attacking machines > which didn't have a known distribution kernel that definitely had that > vulnerability, it would certainly be good for people running their own > privately maintained kernel image. So if this increases the market > demand for kernel programmers, that's a good thing, right? :-) The careful attackers can successfully probe a system without needing uname at all. These patches won't help against them. -Kees -- Kees Cook Chrome OS Security
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds