
Known-exploit detection for the kernel

Posted Dec 20, 2013 1:54 UTC (Fri) by PaXTeam (guest, #24616)
In reply to: Known-exploit detection for the kernel by tialaramex
Parent article: Known-exploit detection for the kernel

i'm not entirely sure whether you grasped the proposed feature and spender's criticism (the perfection strawman and silly real life non-examples indicate otherwise) but here it is in a nutshell:

detecting and reacting to incidents is a useful thing (grsec has been probably doing it for longer and more efficiently than most) but this feature will not achieve anything, not just because there're so many ways to know when a kernel is equipped with it or because of the potential for false positives, but also because in real life nobody reacts to logs on systems where script kiddies are considered an actual threat (these are the lowest value systems, cf. the kernel.org compromise whose dmesg with the sign of a backdoor lay in public for weeks before anyone figured out that something wasn't right with it). and where they're not a threat, the remaining attackers are sophisticated enough to use 0-day to begin with (many of which the mechanisms in grsec will handle unlike the proposed feature).


Known-exploit detection for the kernel

Posted Dec 20, 2013 10:52 UTC (Fri) by tialaramex (subscriber, #21167)

The issue of ignoring alarms is a far more widespread one than can be covered in this thread, or indeed LWN at all.

In the maritime industry almost every other accident report will involve alarms that were disabled, non-functional, or ignored. In other transport industries it's less bad, but e.g. a London Underground driver overrode or disabled all the safety alarms in his train and was only alerted to the fact that he'd driven out of a station with the doors still open by the screaming of passengers. They couldn't alert him using the provided passenger alarm because he'd switched that off too.

Teaching people to investigate alarms rather than ignore them, and to test and maintain alarm systems so that they have confidence that the alarms reported are real is a bunch of work, but it's not impossible.

Known-exploit detection for the kernel

Posted Dec 24, 2013 6:34 UTC (Tue) by drag (guest, #31333)

The most critical step in that is to have alarms that are actually meaningful and functional.

In most of those cases you mentioned you'd find that those alarms were disabled because they had so many false positives. An alarm that goes off once because a train left its doors open is useless when it also goes off a thousand times when the doors are actually closed.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds