From: "Valdis Klētnieks"
To: John Wood
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Tue, 06 Apr 2021 19:55:36 -0400
Message-ID: <115437.1617753336@turing-police>
In-Reply-To: <20210405073147.GA3053@ubuntu>
References: <20210330173459.GA3163@ubuntu> <79804.1617129638@turing-police> <20210402124932.GA3012@ubuntu> <106842.1617421818@turing-police> <20210403070226.GA3002@ubuntu> <145687.1617485641@turing-police> <20210404094837.GA3263@ubuntu> <193167.1617570625@turing-police> <20210405073147.GA3053@ubuntu>
List-Id: Learn about the Linux kernel <kernelnewbies@kernelnewbies.org>

On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said:

> > And how does the kernel know that it's notifying a "real" supervisor process,
> > and not a process started by the bad guy, who can receive the notification
> > and decide to respawn?
>
> Well, I think this is not possible to know. Anyway, I believe that the "bad
> guy" does not rely on the wait* notification to decide to respawn or not. He
> will do the attack without waiting for any notification.

You believe wrong. After my 4 decades of interacting with the computer security
community, the only thing that remains a constant is that if you say "I believe
that...", there will be *somebody* who will say "Challenge accepted" and try to
do the opposite just for the lulz. Then there will be a second guy saying
"Hmm.. I wonder how much I could sell a 0-day for..."

If you provide a way for an attacker to "fly under the radar" (either by having
a hardcoded limit of SIGSEGV/minute that they can carefully limit themselves to,
or by letting them set up a "supervisor" process they can abuse, or any other
method), attackers *will* use it to prevent being detected.
That's the thing about computer security - you have to keep asking yourself
"how could the attacker abuse feature X to their benefit?"

It's probably *not* even safe to go and kill *all* processes running under the
same UID - because if you do that, and a code execution bug is found in the web
server software (or back-end stuff launched by it), you just provided an
attacker a free DoS of the webserver.

Remember - your attacker is somebody who can take a 1-byte buffer overflow, and
convert it into a complete root compromise of a system. If you think I'm
kidding, go look at this paper that analyzes how to exploit a bug in ntpd to
get yourself a root shell from a remote system (or whatever other code you want
to run):

https://www.giac.org/paper/gcih/352/linux-ntpd-buffer-overflow/102270

Of course, that bug was in 2002, and the author had to hand-craft a lot of the
support framework. These days, the attacker would probably just craft a module
for Metasploit from the team at Rapid7 or other attack tool. Yes, there are
open-source exploit tools out there... See https://metasploit.com/ - or at
least the YouTube demo https://www.youtube.com/watch?v=cYtDxfKdlqs

Make note of how many Windows versions they tested against in the video. And if
you don't watch, here's the backstory: A crew called Shadowbroker hacked the
NSA and stole a huge collection of exploit tools and dumped them into the
public. Somebody else took one of the exploit tools, figured out what it was
doing, and tossed a module over to the Metasploit crew - and now there's an
automated "type 3 lines to pwn the box" that's almost certainly easier to use
than the NSA version....

Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember
that the black hats are at least as good, and have toolkits at least as good...
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
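The two abuse paths the message above describes, a "supervisor" that simply respawns whatever it is told has died, and a crash rate paced to stay under a known per-minute limit, can be shown end to end in user space. The following is an added example written for this page; it is not code from the thread, from John Wood's patches, or from the kernel. It forks a worker that faults on purpose, receives the death the only way wait* offers (by being the parent that calls waitid()), classifies fault-type signals from the siginfo_t, and applies a hypothetical respawn policy of at most CRASH_LIMIT fault deaths per CRASH_WINDOW_SEC seconds. The constants, the struct crash_window policy, and every function name here are assumptions for illustration, not anything the kernel provides.

```c
/*
 * Added example (not from the original thread or any kernel patch): a
 * user-space "supervisor" that learns about a child's death by calling
 * waitid(), plus a hypothetical respawn policy of at most CRASH_LIMIT fault
 * deaths per CRASH_WINDOW_SEC seconds. Build: cc -Wall -o supervise supervise.c
 */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define CRASH_WINDOW_SEC 60   /* assumed policy constants, not kernel values */
#define CRASH_LIMIT      5

struct crash_window {
    time_t stamps[CRASH_LIMIT];
    int n;
};

/* Record a fault at time `now`. Returns 1 if a respawn is still within policy,
 * 0 once CRASH_LIMIT faults have landed inside the last CRASH_WINDOW_SEC. */
int crash_window_allow(struct crash_window *w, time_t now)
{
    int kept = 0;
    for (int i = 0; i < w->n; i++)          /* expire stamps older than the window */
        if (now - w->stamps[i] < CRASH_WINDOW_SEC)
            w->stamps[kept++] = w->stamps[i];
    w->n = kept;
    if (w->n >= CRASH_LIMIT)
        return 0;
    w->stamps[w->n++] = now;
    return 1;
}

/* 1 if waitid() reports the child was terminated by a fault-type signal. */
int died_by_fault(const siginfo_t *si)
{
    if (si->si_code != CLD_KILLED && si->si_code != CLD_DUMPED)
        return 0;                          /* normal exit, stop or continue */
    switch (si->si_status) {               /* signal number for CLD_KILLED/CLD_DUMPED */
    case SIGSEGV: case SIGBUS: case SIGILL: case SIGFPE:
        return 1;
    default:
        return 0;
    }
}

/* Build a siginfo_t the way waitid() fills it and classify it. */
int classify_exit(int code, int status)
{
    siginfo_t si;
    memset(&si, 0, sizeof si);
    si.si_code = code;
    si.si_status = status;
    return died_by_fault(&si);
}

/* Fork `rounds` workers that fault on purpose (constructed input) and return
 * how many deaths this supervisor classified as faults, or -1 on error.
 * Any parent, a real service manager or an attacker's own launcher, receives
 * exactly this siginfo; nothing in it says who is "supposed" to get it. */
int supervise_fault_count(int rounds)
{
    int faults = 0;
    for (int i = 0; i < rounds; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            struct rlimit rl = { 0, 0 };
            setrlimit(RLIMIT_CORE, &rl);   /* no core files from the demo */
            raise(SIGSEGV);                /* stand-in for a failed exploit attempt */
            _exit(0);
        }
        siginfo_t si;
        memset(&si, 0, sizeof si);
        if (waitid(P_PID, (id_t)pid, &si, WEXITED) < 0)
            return -1;
        if (died_by_fault(&si))
            faults++;
    }
    return faults;
}

/* Replay `count` faults spaced `interval` seconds apart through a fresh window
 * and return how many respawns the policy would have denied. */
int denied_with_spacing(int count, int interval)
{
    struct crash_window w = { .n = 0 };
    int denied = 0;
    for (int i = 0; i < count; i++)
        if (!crash_window_allow(&w, (time_t)i * interval))
            denied++;
    return denied;
}

int main(void)
{
    printf("fault deaths seen via waitid(): %d\n", supervise_fault_count(3));
    printf("100 faults 1s apart:  %d respawns denied\n", denied_with_spacing(100, 1));
    printf("100 faults 15s apart: %d respawns denied\n", denied_with_spacing(100, 15));
    return 0;
}
```

The last two lines of main() are the point: an attacker who knows the limit is 5 per 60 seconds and spaces attempts 15 seconds apart is never denied, because the window never holds more than four of their faults, while the naive 1-per-second loop trips it almost immediately. Nothing in the siginfo_t distinguishes a legitimate service manager from a launcher the attacker started to catch the same notification and restart the target.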