From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754420Ab3LNX7F (ORCPT ); Sat, 14 Dec 2013 18:59:05 -0500 Received: from mail-pb0-f45.google.com ([209.85.160.45]:33173 "EHLO mail-pb0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753979Ab3LNX7D (ORCPT ); Sat, 14 Dec 2013 18:59:03 -0500 Message-ID: <52ACF0E7.1070106@gmail.com> Date: Sun, 15 Dec 2013 10:59:35 +1100 From: Ryan Mallon User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20 MIME-Version: 1.0 To: "Theodore Ts'o" , vegard.nossum@oracle.com, linux-kernel@vger.kernel.org, Tommi Rantala , Ingo Molnar , "Eric W. Biederman" , Andy Lutomirski , Kees Cook , Daniel Vetter , Alan Cox , Greg Kroah-Hartman , Jason Wang , "David S. Miller" , Dan Carpenter , James Morris Subject: Re: [PATCH 1/9] Known exploit detection References: <1386867152-24072-1-git-send-email-vegard.nossum@oracle.com> <20131212190659.GG13547@thunk.org> In-Reply-To: <20131212190659.GG13547@thunk.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/12/13 06:06, Theodore Ts'o wrote: > On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@oracle.com wrote: >> From: Vegard Nossum >> >> The idea is simple -- since different kernel versions are vulnerable to >> different root exploits, hackers most likely try multiple exploits before >> they actually succeed. > > Suppose we put put this into the mainstream kernel. Wouldn't writers > of root kit adapt by checking for the kernel version to avoid checking > for exploits that are known not work? So the question is whether the > additional complexity in the kernel is going to be worth it, since > once the attackers adapt, the benefits of trying to detect attacks for > mitigated exploits will be minimal. Doesn't the fact that the exploits are already mitigated make it of limited value anyway? In order for this detection to be effective, a system must be fully patched with all the latest CVE tags (and also, obviously all the associated security patches), otherwise the system will be vulnerable to the most recent security bugs, and will be unable to warn about them. If the system is fully patched, and an attacker is only using known attacks, then they aren't getting in anyway. The logging might be of some use in identifying users who are potentially malicious, but then those users are low threat anyway since all the attacks they are trying are fixed. Is it worth all the instrumentation of the kernel for this? So I think for the most serious cases of attack, where the attacker has some knowledge of the system version/patch level (for a system which is not fully patched), or has zero-day vulnerabilities, this protection will do nothing. This doesn't really work as a protection mechanism, the idea that "hackers most likely try multiple exploits before they actually succeed." seems a bit flawed. If they are eventually succeeding using a known vulnerability against an unpatched system, this this patchset is of limited protection. If the attacker is smart about the order of the attacks (e.g. try the new ones first) then they can probably still get in without triggering warnings. Sophisticated attackers who are have unpatched, unknown vulnerabilities, but still want to use known ones where possible are probably smart enough to evade any sort of protection mechanism like this. ~Ryan