From: Richard Weinberger <richard@nod.at>
To: Pavel Machek <pavel@ucw.cz>
Cc: Jiri Kosina <jkosina@suse.cz>, Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
David Rientjes <rientjes@google.com>,
Aaron Tomlin <atomlin@redhat.com>,
DaeSeok Youn <daeseok.youn@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
vdavydov@parallels.com, Rik van Riel <riel@redhat.com>,
Oleg Nesterov <oleg@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@amacapital.net>,
Brad Spengler <spender@grsecurity.net>
Subject: Re: [PATCH] [RFC] Deter exploit bruteforcing
Date: Sat, 03 Jan 2015 10:45:41 +0100 [thread overview]
Message-ID: <54A7BA45.1050005@nod.at> (raw)
In-Reply-To: <20150102230837.GA4482@amd>
Am 03.01.2015 um 00:08 schrieb Pavel Machek:
> On Sat 2015-01-03 00:00:22, Richard Weinberger wrote:
>> Am 02.01.2015 um 23:54 schrieb Pavel Machek:
>>> On Fri 2015-01-02 23:49:52, Jiri Kosina wrote:
>>>> On Fri, 2 Jan 2015, Pavel Machek wrote:
>>>>
>>>>>> You also want to protect against binaries that are evil on purpose,
>>>>>> right?
>>>>>
>>>>> Umm. No. Not by default. We don't want to break crashme or trinity by
>>>>> default.
>>>>
>>>> I thought trinity is issuing syscalls directly (would make more sense than
>>>> going through glibc, wouldn't it?) ... haven't checked the source though.
>>>
>>> Patch in this thread wanted to insert delays into kernel on SIGSEGV
>>> processing. That's bad idea by default.
>>
>> No. This is not what this patch does.
>>
>>> But changing glibc to do sleep(30); abort(); instead of abort(); to
>>> slow down bruteforcing of canaries makes some kind of sense... and
>>> should be ok by default.
>>
>> As I saidn only focusing one the specific stack canary case is not enough.
>
> Ok, so I am now saying "adding random delays to the kernel, hoping
> they slow attacker down" is bad idea. Feel free to add my NAK to the
> patch.
The patch does not add random delays nor is hope involved.
It has a very clear purpose, it makes brute force attacks to forking
services unattractive.
Exploits often use the fact that after fork() the child has the same memory
as the parent and therefore an attacker can start fruitful brute force attacks
to brute stack canaries, offsets, etc. as the new child will always have mostly
the same memory layout as before.
But I'll happily add your NAK to this series.
> If really neccessary, "kill_me_slowly()" syscall would be acceptable,
> but it seems just sleep(); abort(); combination is enough.
The goal of the patch is not to protect only against brute forcing the stack canary.
It should protect against all kind of brute forcing using forking services.
> glibc should cover 99% cases where this matters, please just fix glibc,
> others will follow.
There are a lot of systems out there without glibc.
And many applications make system calls without going though any libc wrapper.
Hey, we want also protect esoteric distros like http://sta.li. :-)
I'm all for implementing as much in user space as possible but in this case the kernel
is the only sane way to offer the protection to _all_ kind of applications.
Thanks,
//richard
next prev parent reply other threads:[~2015-01-03 9:45 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-24 21:39 [PATCH] [RFC] Deter exploit bruteforcing Richard Weinberger
2014-12-30 18:40 ` Kees Cook
2014-12-30 18:49 ` Andy Lutomirski
2014-12-30 18:50 ` Richard Weinberger
2015-01-02 5:11 ` Pavel Machek
2015-01-02 11:00 ` Richard Weinberger
2015-01-02 19:46 ` Pavel Machek
2015-01-02 21:40 ` Richard Weinberger
2015-01-02 22:29 ` Pavel Machek
2015-01-02 22:32 ` Jiri Kosina
2015-01-02 22:46 ` Pavel Machek
2015-01-02 22:49 ` Jiri Kosina
2015-01-02 22:53 ` Jiri Kosina
2015-01-02 22:54 ` Pavel Machek
2015-01-02 23:00 ` Richard Weinberger
2015-01-02 23:08 ` Pavel Machek
2015-01-03 9:45 ` Richard Weinberger [this message]
2015-01-03 22:36 ` Pavel Machek
2015-01-03 22:44 ` Richard Weinberger
2015-01-03 23:01 ` Pavel Machek
2015-01-03 23:07 ` Richard Weinberger
2015-01-03 23:06 ` Andy Lutomirski
2015-01-03 23:19 ` Richard Weinberger
2015-01-05 22:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54A7BA45.1050005@nod.at \
--to=richard@nod.at \
--cc=akpm@linux-foundation.org \
--cc=atomlin@redhat.com \
--cc=daeseok.youn@gmail.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=vdavydov@parallels.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).