From: Vasiliy Kulikov <segoon@openwall.com>
To: Joe Perches <joe@perches.com>
Cc: kernel-hardening@lists.openwall.com,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Arnd Bergmann <arnd@arndb.de>,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, Matt Mackall <mpm@selenic.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [kernel-hardening] Re: [RFC v1] implement SL*B and stack usercopy runtime checks
Date: Sun, 3 Jul 2011 23:53:06 +0400 [thread overview]
Message-ID: <20110703195306.GA9714@albatros> (raw)
In-Reply-To: <1309721875.18925.30.camel@Joe-Laptop>
On Sun, Jul 03, 2011 at 12:37 -0700, Joe Perches wrote:
> On Sun, 2011-07-03 at 23:24 +0400, Vasiliy Kulikov wrote:
> > Btw, if the perfomance will be acceptable, what do you think about
> > logging/reacting on the spotted overflows?
>
> If you do, it might be useful to track the found location(s)
Sure.
> and only emit the overflow log entry once as found.
Hmm, if consider it as a purely debugging feature, then yes. But if
consider it as a try to block some exploitation attempt, then no.
I'd appresiate the latter.
> Maybe use __builtin_return_address(depth) for tracking.
PaX/Grsecurity uses dump_stack() and do_group_exit(SIGKILL); If setup,
it kills all user's processes and locks the user for some time. I don't
really propose the latter, but some reaction (to at least slowdown a
blind bruteforce) might be useful.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: Joe Perches <joe@perches.com>
Cc: kernel-hardening@lists.openwall.com,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Arnd Bergmann <arnd@arndb.de>,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, Matt Mackall <mpm@selenic.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [kernel-hardening] Re: [RFC v1] implement SL*B and stack usercopy runtime checks
Date: Sun, 3 Jul 2011 23:53:06 +0400 [thread overview]
Message-ID: <20110703195306.GA9714@albatros> (raw)
In-Reply-To: <1309721875.18925.30.camel@Joe-Laptop>
On Sun, Jul 03, 2011 at 12:37 -0700, Joe Perches wrote:
> On Sun, 2011-07-03 at 23:24 +0400, Vasiliy Kulikov wrote:
> > Btw, if the perfomance will be acceptable, what do you think about
> > logging/reacting on the spotted overflows?
>
> If you do, it might be useful to track the found location(s)
Sure.
> and only emit the overflow log entry once as found.
Hmm, if consider it as a purely debugging feature, then yes. But if
consider it as a try to block some exploitation attempt, then no.
I'd appresiate the latter.
> Maybe use __builtin_return_address(depth) for tracking.
PaX/Grsecurity uses dump_stack() and do_group_exit(SIGKILL); If setup,
it kills all user's processes and locks the user for some time. I don't
really propose the latter, but some reaction (to at least slowdown a
blind bruteforce) might be useful.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-07-03 19:53 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-03 11:10 [kernel-hardening] [RFC v1] implement SL*B and stack usercopy runtime checks Vasiliy Kulikov
2011-07-03 11:10 ` Vasiliy Kulikov
2011-07-03 11:10 ` Vasiliy Kulikov
2011-07-03 18:27 ` [kernel-hardening] " Linus Torvalds
2011-07-03 18:27 ` Linus Torvalds
2011-07-03 18:27 ` Linus Torvalds
2011-07-03 18:57 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-03 18:57 ` Vasiliy Kulikov
2011-07-03 18:57 ` Vasiliy Kulikov
2011-07-03 19:10 ` [kernel-hardening] " Linus Torvalds
2011-07-03 19:10 ` Linus Torvalds
2011-07-03 19:10 ` Linus Torvalds
2011-07-03 19:24 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-03 19:24 ` Vasiliy Kulikov
2011-07-03 19:37 ` Joe Perches
2011-07-03 19:37 ` Joe Perches
2011-07-03 19:53 ` Vasiliy Kulikov [this message]
2011-07-03 19:53 ` Vasiliy Kulikov
2011-07-06 3:39 ` Jonathan Hawthorne
2011-07-06 3:39 ` Jonathan Hawthorne
2011-07-18 18:39 ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-07-18 18:39 ` Vasiliy Kulikov
2011-07-18 18:39 ` Vasiliy Kulikov
2011-07-18 18:52 ` [kernel-hardening] " Andrew Morton
2011-07-18 18:52 ` Andrew Morton
2011-07-18 18:52 ` Andrew Morton
2011-07-18 19:33 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-18 19:33 ` Vasiliy Kulikov
2011-07-19 7:40 ` Vasiliy Kulikov
2011-07-19 7:40 ` Vasiliy Kulikov
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:08 ` Matt Mackall
2011-07-18 19:24 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-18 19:24 ` Vasiliy Kulikov
2011-07-18 19:24 ` Vasiliy Kulikov
2011-07-18 21:18 ` [kernel-hardening] " Christoph Lameter
2011-07-18 21:18 ` Christoph Lameter
2011-07-18 21:18 ` Christoph Lameter
2011-07-19 6:53 ` [kernel-hardening] " Vasiliy Kulikov
2011-07-19 6:53 ` Vasiliy Kulikov
2011-07-19 6:53 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110703195306.GA9714@albatros \
--to=segoon@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=cl@linux-foundation.org \
--cc=hpa@zytor.com \
--cc=joe@perches.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=mpm@selenic.com \
--cc=penberg@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.