linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Richard Weinberger <richard@nod.at>
To: Pavel Machek <pavel@ucw.cz>, Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	David Rientjes <rientjes@google.com>,
	Aaron Tomlin <atomlin@redhat.com>,
	DaeSeok Youn <daeseok.youn@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	vdavydov@parallels.com, Rik van Riel <riel@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
	Andy Lutomirski <luto@amacapital.net>,
	Brad Spengler <spender@grsecurity.net>
Subject: Re: [PATCH] [RFC] Deter exploit bruteforcing
Date: Fri, 02 Jan 2015 12:00:08 +0100	[thread overview]
Message-ID: <54A67A38.3000207@nod.at> (raw)
In-Reply-To: <20150102051142.GF4873@amd>

Am 02.01.2015 um 06:11 schrieb Pavel Machek:
> On Tue 2014-12-30 10:40:15, Kees Cook wrote:
>> On Wed, Dec 24, 2014 at 1:39 PM, Richard Weinberger <richard@nod.at> wrote:
>>> While exploring the offset2lib attack I remembered that
>>> grsecurity has an interesting feature to make such attacks
>>> much harder. Exploits can brute stack canaries often very easily
>>> if the target is a forking server like sshd or Apache httpd.
>>> The problem is that after fork() the child has by definition
>>> exactly the same memory as the parent and therefore also the same
>>> stack canaries.
>>> The attacker can guess the stack canaries byte by byte.
>>> After 256 times 7 forks() a good exploit can find the correct
>>> canary value.
>>>
>>> The basic idea behind this patch is to delay fork() if a child died
>>> due to a fatal error.
>>> Currently it delays fork() by 30 seconds if the parent tries to fork()
>>> within 60 seconds after a child died due to a fatal error.
>>>
>>> I'm sure you'll hate this patch but I want to find out how much you hate it
>>> and whether there is a little chance to get it mainline in a modified form.
>>> Later I'd make it depend on a new Kconfig option and off by default
>>> and the timing constants changeable via sysctl.
> 
> Does this break trinity, crashme, and similar programs?

If they fork() without execve() and a child dies very fast the next fork()
will be throttled.
This is why I'd like to make this feature disabled by default.

> Can you detect it died due to the stack canary? Then, the patch might
> be actually acceptable.

I don't think so as this is glibc specific.

Thanks,
//richard

  reply	other threads:[~2015-01-02 11:00 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-24 21:39 [PATCH] [RFC] Deter exploit bruteforcing Richard Weinberger
2014-12-30 18:40 ` Kees Cook
2014-12-30 18:49   ` Andy Lutomirski
2014-12-30 18:50   ` Richard Weinberger
2015-01-02  5:11   ` Pavel Machek
2015-01-02 11:00     ` Richard Weinberger [this message]
2015-01-02 19:46       ` Pavel Machek
2015-01-02 21:40         ` Richard Weinberger
2015-01-02 22:29           ` Pavel Machek
2015-01-02 22:32             ` Jiri Kosina
2015-01-02 22:46               ` Pavel Machek
2015-01-02 22:49                 ` Jiri Kosina
2015-01-02 22:53                   ` Jiri Kosina
2015-01-02 22:54                   ` Pavel Machek
2015-01-02 23:00                     ` Richard Weinberger
2015-01-02 23:08                       ` Pavel Machek
2015-01-03  9:45                         ` Richard Weinberger
2015-01-03 22:36                           ` Pavel Machek
2015-01-03 22:44                             ` Richard Weinberger
2015-01-03 23:01                               ` Pavel Machek
2015-01-03 23:07                                 ` Richard Weinberger
2015-01-03 23:06                             ` Andy Lutomirski
2015-01-03 23:19                               ` Richard Weinberger
2015-01-05 22:56                                 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54A67A38.3000207@nod.at \
    --to=richard@nod.at \
    --cc=akpm@linux-foundation.org \
    --cc=atomlin@redhat.com \
    --cc=daeseok.youn@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=pavel@ucw.cz \
    --cc=peterz@infradead.org \
    --cc=riel@redhat.com \
    --cc=rientjes@google.com \
    --cc=spender@grsecurity.net \
    --cc=tglx@linutronix.de \
    --cc=vdavydov@parallels.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).