Re: [PATCH 1/9] Known exploit detection

From: Ryan Mallon
Date: Sat Dec 14 2013 - 18:59:10 EST


On 13/12/13 06:06, Theodore Ts'o wrote:

> On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@xxxxxxxxxx wrote:
>> From: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
>>
>> The idea is simple -- since different kernel versions are vulnerable to
>> different root exploits, hackers most likely try multiple exploits before
>> they actually succeed.
>
> Suppose we put put this into the mainstream kernel. Wouldn't writers
> of root kit adapt by checking for the kernel version to avoid checking
> for exploits that are known not work? So the question is whether the
> additional complexity in the kernel is going to be worth it, since
> once the attackers adapt, the benefits of trying to detect attacks for
> mitigated exploits will be minimal.


Doesn't the fact that the exploits are already mitigated make it of
limited value anyway? In order for this detection to be effective, a
system must be fully patched with all the latest CVE tags (and also,
obviously all the associated security patches), otherwise the system
will be vulnerable to the most recent security bugs, and will be
unable to warn about them.

If the system is fully patched, and an attacker is only using known
attacks, then they aren't getting in anyway. The logging might be of
some use in identifying users who are potentially malicious, but then
those users are low threat anyway since all the attacks they are
trying are fixed. Is it worth all the instrumentation of the kernel
for this?

So I think for the most serious cases of attack, where the attacker
has some knowledge of the system version/patch level (for a system
which is not fully patched), or has zero-day vulnerabilities, this
protection will do nothing.

This doesn't really work as a protection mechanism, the idea that
"hackers most likely try multiple exploits before they actually
succeed." seems a bit flawed. If they are eventually succeeding
using a known vulnerability against an unpatched system, this this
patchset is of limited protection. If the attacker is smart about
the order of the attacks (e.g. try the new ones first) then they
can probably still get in without triggering warnings. Sophisticated
attackers who are have unpatched, unknown vulnerabilities, but
still want to use known ones where possible are probably
smart enough to evade any sort of protection mechanism like this.

~Ryan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/