|
|
Subscribe / Log in / New account

Known-exploit detection for the kernel

Known-exploit detection for the kernel

Posted Dec 19, 2013 12:19 UTC (Thu) by spender (guest, #23067)
In reply to: Known-exploit detection for the kernel by josh
Parent article: Known-exploit detection for the kernel

Some trivial static analysis (the likes of which I already do in enlightenment for other purposes) will defeat that "workaround" easily. Obviously I'm not going to waste time writing code for every possible change that could be made to the "feature" but the fact remains that there's no asymmetry of information here. Whatever eventually gets merged will be known to all and defeated. I guarantee it.

It's clear to me many people want more than anything to believe that this feature will work, regardless of any facts.

-Brad

to post comments

Known-exploit detection for the kernel

Posted Dec 19, 2013 14:32 UTC (Thu) by josh (subscriber, #17465) [Link] (1 responses)

> Some trivial static analysis (the likes of which I already do in enlightenment for other purposes) will defeat that "workaround" easily.

I'd be curious what kind of static analysis you have in mind.

> It's clear to me many people want more than anything to believe that this feature will work

I don't think anyone believes this mechanism will stop or detect sophisticated attacks. The question remains: will it detect some subset of unsophisticated attacks, enough to make it worth including, or not?

Known-exploit detection for the kernel

Posted Dec 24, 2013 6:30 UTC (Tue) by drag (guest, #31333) [Link]

> The question remains: will it detect some subset of unsophisticated attacks, enough to make it worth including, or not?

The social aspect of it is the problem.

Sure the kernel implementing features like this may succeed at detecting ham-fisted attacks, but the problem you run into is that people will naturally assume that this security feature has merit and will unfortunately actually try to depend on it.

People will write blog posts on how critically important it is to make sure you use a kernel version with this detection enabled in it and so on and so forth. It'll end up in Google's cache when people search 'make sure Linux is secure' or such things and then it'll just get increasingly stupid and self-defeating from then on.

You can see the same thing happen all over the place with various 'linux security features'.

A perfect example of this is things like 'chkrootkit'. People may end up with a hacked website and then install chkrootkit and run it thinking that somehow it will actually be effective at detecting root kits, which it is not. Or schemes that involve checking file checksums using 'rpm' utility. Or things like 'fail2ban' being used to 'secure' ssh, or port knocking, or any other number of silly and hokum things that people try to do to 'improve' their security.

Like anti-virus in Windows there is a actual limited useful application for some of this stuff, but most people are not able to know what that is.

Software security is already hard enough without creating features that add to the confusion with no real benefit.

Known-exploit detection for the kernel

Posted Dec 19, 2013 14:39 UTC (Thu) by vegard (subscriber, #52330) [Link]

Hi Brad,

I'm really grateful that we have people like yourself who are both competent and view security with a critical eye. Your feedback is appreciated. Keep up the good work!

Vegard


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds