Re: [PATCH 1/9] Known exploit detection

[Ryan Mallon]

On 13/12/13 08:13, Kees Cook wrote:
> On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <tytso@xxxxxxx> wrote:
>> On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@xxxxxxxxxx wrote:
>>> From: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
>>>
>>> The idea is simple -- since different kernel versions are vulnerable to
>>> different root exploits, hackers most likely try multiple exploits before
>>> they actually succeed.
> 
> I like this idea. It serves a few purposes, not the least of which is
> very clearly marking in code where we've had problems, regardless of
> the fact that it reports badness to the system owner. And I think
> getting any additional notifications about bad behavior is a nice idea
> too.

Though, if an attacker is running through a series of exploits, and one
eventually succeeds then the first thing to do would be to clean traces
of the _exploit() notifications from the syslog. Since running through a
series of exploits is pretty quick, this can probably all be done before
the sysadmin ever notices.

The _exploit() notifications could also be used to spam the syslogs.
Although they are individually ratelimited, if there are enough
_exploit() markers in the kernel then an annoying person can cycle
through them all to generate large amounts of useless syslog.

~Ryan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/