From: John Wood <firstname.lastname@example.org> To: Andi Kleen <email@example.com> Cc: John Wood <firstname.lastname@example.org>, Kees Cook <email@example.com>, Jann Horn <firstname.lastname@example.org>, Randy Dunlap <email@example.com>, Jonathan Corbet <firstname.lastname@example.org>, James Morris <email@example.com>, Shuah Khan <firstname.lastname@example.org>, "Serge E. Hallyn" <email@example.com>, Greg Kroah-Hartman <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Re: [PATCH v5 7/8] Documentation: Add documentation for the Brute LSM Date: Sun, 7 Mar 2021 17:45:20 +0100 [thread overview] Message-ID: <20210307164520.GA16296@ubuntu> (raw) In-Reply-To: <20210307151920.GR472138@tassilo.jf.intel.com> On Sun, Mar 07, 2021 at 07:19:20AM -0800, Andi Kleen wrote: > Sorry for the late answer. I somehow missed your email earlier. > > > As a mitigation method, all the offending tasks involved in the attack are > > killed. Or in other words, all the tasks that share the same statistics > > (statistics showing a fast crash rate) are killed. > > So systemd will just restart the network daemon and then the attack works > again? Sorry, but I think my last explanation is not clear enough. If the network daemon crashes repeatedly in a short period of time it will trigger a brute force attack through the fork system call. Then this daemon and all the fork processes created from it will be killed. If the systemd restart the network daemon and it will crash again, then the systemd will be killed. I think this way the attack is fully mitigated. > Or if it's a interactive login you log in again. First the login will be killed (if it fails with a fatal signal) and if it is restarted, the process that exec() it again will be killed. In this case I think that the threat is also completely mitigated. > I think it might be useful even with these limitations, but it would > be good to spell out the limitations of the method more clearly. > > I suspect to be useful it'll likely need some user space configuration > changes too. In the v2 version there were some sysctl attributes to fine tuning the detection. The following two paragraph are extracted from the documentation patch of this version: To customize the detection's sensibility there are two new sysctl attributes that allow to set the last crashes timestamps list size and the application crash period threshold (in milliseconds). Both are accessible through the following files respectively. /proc/sys/kernel/brute/timestamps_list_size /proc/sys/kernel/brute/crash_period_threshold However, Kees Cook suggested that if we narrow the attack detection focusing in the crossing of privilege boundaries and signals delivered only by the kernel, it seems not necessary the customization of this feature by the user. I aggree with that. > > -Andi I have sent a v6 version with the documentation improved. Thanks for your comments, John Wood
next prev parent reply other threads:[~2021-03-07 16:46 UTC|newest] Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-02-27 15:30 [PATCH v5 0/8] Fork brute force attack mitigation John Wood 2021-02-27 15:30 ` [PATCH v5 1/8] security: Add LSM hook at the point where a task gets a fatal signal John Wood 2021-02-27 15:30 ` [PATCH v5 2/8] security/brute: Define a LSM and manage statistical data John Wood 2021-03-02 5:49 ` [security/brute] cfe92ab6a3: WARNING:inconsistent_lock_state kernel test robot 2021-03-02 18:39 ` John Wood 2021-02-27 15:30 ` [PATCH v5 3/8] securtiy/brute: Detect a brute force attack John Wood 2021-02-27 15:30 ` [PATCH v5 4/8] security/brute: Fine tuning the attack detection John Wood 2021-02-27 15:30 ` [PATCH v5 5/8] security/brute: Mitigate a brute force attack John Wood 2021-03-11 20:32 ` peter enderborg 2021-03-12 16:19 ` John Wood 2021-02-27 15:30 ` [PATCH v5 6/8] selftests/brute: Add tests for the Brute LSM John Wood 2021-02-27 15:30 ` [PATCH v5 7/8] Documentation: Add documentation " John Wood 2021-02-28 18:56 ` Andi Kleen 2021-03-02 18:31 ` John Wood 2021-03-07 15:19 ` Andi Kleen 2021-03-07 16:45 ` John Wood [this message] 2021-03-07 17:25 ` Andi Kleen 2021-03-07 18:05 ` John Wood 2021-03-07 22:49 ` Andi Kleen 2021-03-09 18:40 ` John Wood 2021-03-11 18:22 ` John Wood 2021-03-11 20:08 ` Andi Kleen 2021-03-12 17:47 ` John Wood 2021-03-11 20:05 ` Andi Kleen 2021-03-12 17:54 ` John Wood 2021-02-27 15:30 ` [PATCH v5 8/8] MAINTAINERS: Add a new entry " John Wood 2021-02-27 18:44 ` [PATCH v5 0/8] Fork brute force attack mitigation John Wood
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210307164520.GA16296@ubuntu \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='Re: [PATCH v5 7/8] Documentation: Add documentation for the Brute LSM' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).