Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

From: Jann Horn
Date: Thu Sep 10 2020 - 16:40:46 EST

On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> [kees: re-sending this series on behalf of John Wood <john.wood@xxxxxxx>
> also visible at fbfam]
> The goal of this patch serie is to detect and mitigate a fork brute force
> attack.
> Attacks with the purpose to break ASLR or bypass canaries traditionaly use
> some level of brute force with the help of the fork system call. This is
> possible since when creating a new process using fork its memory contents
> are the same as those of the parent process (the process that called the
> fork system call). So, the attacker can test the memory infinite times to
> find the correct memory values or the correct memory addresses without
> worrying about crashing the application.

For the next version of this patchset, you may want to clarify that
this is intended to stop brute force attacks *against vulnerable
userspace processes* that fork off worker processes. I was halfway
through the patch series before I realized that.