Known-exploit detection for the kernel
Posted Dec 19, 2013 9:34 UTC (Thu) by Trou.fr (subscriber, #26289)
Parent article: Known-exploit detection for the kernel
I find it baffling that even security-minded people like Kees Cook support the idea.
Posted Dec 19, 2013 12:44 UTC (Thu)
by iq-0 (subscriber, #36655)
[Link] (4 responses)
The idea itself is also not bad. It's the equivalent of doing authentication attempt logging and detecting possible attacks. Does it increase security? No. Does it tell you there might be something going on? Yes. Can attackers circumvent those checks? Yes. Does that make them less valuable? No, the attackers have to take more precautions, take more actions which might be detected or risk tripping an alarm.
An analogy would be to install video cameras in your house. Any burglar could easily either circumvent them, disable them or ignore them and afterwards erase the tapes. But it makes life more difficult for them (even if slightly), might deter them into looking for easier targets or increase the chance of detection because of all the steps involved. And there is a good chance some are not that diligent and get caught in the act.
You can never assume you are secure, you can only try and hope that it's as uneconomical as possible for others to abuse the weaknesses.
Posted Dec 19, 2013 23:16 UTC (Thu)
by Trou.fr (subscriber, #26289)
[Link] (3 responses)
The single "recent" feature which led to actual security improvements in the kernel I can think of is seccomp-bpf, which is a brilliant and very efficient idea.
As you said, developers would probably turn their attention to something else entirely. If only some grsec features could be included in the kernel.
Posted Dec 25, 2013 23:02 UTC (Wed)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Dec 25, 2013 23:56 UTC (Wed)
by PaXTeam (guest, #24616)
[Link] (1 response)
Posted Dec 26, 2013 22:22 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Dec 20, 2013 15:10 UTC (Fri)
by roblucid (guest, #48964)
[Link]
Reading logs manually is way too slow, so good sysadmins generate alarms filtering for where action may be required.
It might not be only Internet-facing boxes where, for example, remote or local root exploit attempts might be of interest. Engineers & other employees get curious and try things, sometimes things they really are not supposed to. Just because the most clueful and careful attacker won't trip something doesn't mean a measure is useless.
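The alarm-generation step described above, as an added illustration that is not part of this thread or of the kernel patch the parent article discusses: the dmesg lines, the "possible exploit attempt" message format, the CVE-XXXX-* placeholder tags, the uids and the command names are all constructed for the example. It filters the exploit-attempt marker out of ordinary kernel noise and pages only when the same uid trips it repeatedly inside a short window, which is the distinction roblucid draws between reading logs and acting on them.

```python
import re
from collections import defaultdict, deque

# Constructed sample dmesg-style lines; the "possible exploit attempt" message
# format, the CVE-XXXX-* placeholders, uids and command names are all assumed
# for this illustration and are not taken from the kernel patch under discussion.
SAMPLE_DMESG = """\
[  118.400] usb 1-1: new high-speed USB device number 3 using ehci-pci
[  120.001] warning: possible exploit attempt (CVE-XXXX-0001) uid=1001 comm=probe
[  125.500] warning: possible exploit attempt (CVE-XXXX-0002) uid=1001 comm=probe
[  900.000] warning: possible exploit attempt (CVE-XXXX-0001) uid=1002 comm=updater
[ 3600.250] warning: possible exploit attempt (CVE-XXXX-0003) uid=1001 comm=probe
"""

# Matches the assumed marker line: kernel uptime, CVE tag, uid and command name.
EVENT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+warning: possible exploit attempt "
    r"\((?P<cve>[^)]+)\)\s+uid=(?P<uid>\d+)\s+comm=(?P<comm>\S+)"
)


def parse_events(text):
    """Return the exploit-attempt events found in dmesg-style text.

    Each event is a dict with the kernel timestamp (seconds since boot, as a
    float), the CVE tag, the uid and the command name. Lines without the
    marker are ignored, so ordinary kernel noise passes through untouched.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({
                "ts": float(m.group("ts")),
                "cve": m.group("cve"),
                "uid": int(m.group("uid")),
                "comm": m.group("comm"),
            })
    return events


def raise_alarms(events, threshold=2, window=60.0):
    """Emit one alarm per uid the first time `threshold` events from that uid
    fall inside a sliding `window` of seconds.

    A single hit is still in the log and worth a look later; the alarm is
    reserved for repeated attempts from the same user, which is the pattern
    a sysadmin would want paged on rather than read about afterwards.
    """
    recent = defaultdict(deque)   # uid -> timestamps inside the current window
    alarmed = set()
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["uid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["uid"] not in alarmed:
            alarmed.add(ev["uid"])
            alarms.append({
                "uid": ev["uid"],
                "comm": ev["comm"],
                "attempts": len(q),
                "last_cve": ev["cve"],
                "ts": ev["ts"],
            })
    return alarms


if __name__ == "__main__":
    for alarm in raise_alarms(parse_events(SAMPLE_DMESG)):
        print("ALARM uid=%(uid)d comm=%(comm)s attempts=%(attempts)d "
              "last=%(last_cve)s at t=%(ts).3f" % alarm)
```

With the constructed input only uid 1001 alarms: its first two hits are 5.5 seconds apart, while its third hit an hour later and uid 1002's single hit stay below the threshold and remain log entries rather than pages. Lowering `threshold` to 1 turns every hit into an alarm, which is the trade-off between noise and coverage the thread is arguing about.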
But often it's just as important to just know somebody might have (tried) to do that, so you can take appropriate measures to minimize possible (indirect) damage.
If only some grsec features could be included in the kernel.
That seems unlikely to happen while the grsec people remain incapable of working with other people or taking criticism of any kind without blowing up like two-year-olds. (Apologies to my two-year-old niece, who blows up very rarely and is usually quite charming and sweet.)