From: Matt Mackall <mpm@selenic.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: cl@linux-foundation.org, penberg@kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Make /proc/slabinfo 0400
Date: Thu, 03 Mar 2011 15:44:27 -0600 [thread overview]
Message-ID: <1299188667.3062.259.camel@calx> (raw)
In-Reply-To: <1299186986.2071.90.camel@dan>
On Thu, 2011-03-03 at 16:16 -0500, Dan Rosenberg wrote:
> >
> > Looking at a couple of these exploits, my suspicion is that looking at
> > slabinfo simply improves the odds of success by a small factor (ie 10x
> > or so) and doesn't present a real obstacle to attackers. All that
> > appears to be required is to arrange that an overrunnable object be
> > allocated next to one that is exploitable when overrun. And that can be
> > arranged with fairly high probability on SLUB's merged caches.
> >
>
> This is accurate, but the primary goal of exploit mitigation isn't
> necessarily to completely prevent the possibility of exploitation (time
> has shown that this is unlikely to be feasible), but rather to increase
> the cost of investment required to develop a reliable exploit. If
> removing read access to /proc/slabinfo means that heap exploits are even
> slightly more likely to fail, then that's a win as far as I'm concerned
> and may be the thing that prevents some helpless end user from getting
> compromised.
Well if it were a 1000x-1000000x difficulty improvement, I would say you
had a point. But at 10x, it's just not a real obstacle. For instance, in
this exploit:
http://www.exploit-db.com/exploits/14814/
..there's already detection of successful smashing, so working around
not having /proc/slabinfo is as simple as putting the initial smash in a
loop. I can probably improve my odds of success to nearly 100% by
pre-allocating a ton of objects all at once to get my own private slab
page and tidy adjoining allocations. I'll only fail if someone does a
simultaneous allocation between my target objects or I happen to
straddle slab pages.
And once an exploit writer has figured that out once, everyone else just
copies it (like they've copied the slabinfo technique). At which point,
we might as well make the file more permissive again..
> > On the other hand, I'm not convinced the contents of this file are of
> > much use to people without admin access.
> >
>
> Exactly. We might as well do everything we can to make attackers' lives
> more difficult, especially when the cost is so low.
There are thousands of attackers and millions of users. Most of those
millions are on single-user systems with no local attackers. For every
attacker's life we make trivially more difficult, we're also making a
few real user's lives more difficult. It's not obvious that this is a
good trade-off.
--
Mathematics is the supreme nostalgia of our time.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-03-03 21:44 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-03 17:50 [PATCH] Make /proc/slabinfo 0400 Dan Rosenberg
2011-03-03 18:17 ` Dave Hansen
2011-03-03 18:29 ` Dan Rosenberg
2011-03-03 20:58 ` Matt Mackall
2011-03-03 21:16 ` Dan Rosenberg
2011-03-03 21:44 ` Matt Mackall [this message]
2011-03-03 22:30 ` Dan Rosenberg
2011-03-03 23:08 ` Matt Mackall
2011-03-04 0:32 ` Dave Hansen
2011-03-04 0:50 ` Theodore Tso
2011-03-04 6:52 ` Pekka Enberg
2011-03-04 17:36 ` Dave Hansen
2011-03-04 17:48 ` Linus Torvalds
2011-03-04 18:14 ` Matt Mackall
2011-03-04 20:02 ` Pekka Enberg
2011-03-04 20:31 ` Matt Mackall
2011-03-04 20:42 ` Dan Rosenberg
2011-03-04 20:56 ` Pekka Enberg
2011-03-04 21:08 ` Dan Rosenberg
2011-03-04 21:30 ` Pekka Enberg
2011-03-04 21:44 ` Dan Rosenberg
2011-03-04 22:10 ` Pekka Enberg
2011-03-04 22:14 ` Pekka Enberg
2011-03-04 23:02 ` Matt Mackall
2011-03-05 16:25 ` Ted Ts'o
2011-03-06 13:19 ` Alan Cox
2011-03-07 14:56 ` Dan Rosenberg
2011-03-07 16:02 ` Matt Mackall
2011-03-04 20:37 ` Dan Rosenberg
2011-03-04 20:58 ` Pekka Enberg
2011-03-04 21:10 ` Dan Rosenberg
2011-03-06 0:42 ` Jesper Juhl
2011-03-06 0:57 ` Dan Rosenberg
2011-03-06 1:09 ` Matt Mackall
2011-03-06 1:15 ` Jesper Juhl
2011-03-07 16:40 ` Christoph Lameter
2011-03-04 21:12 ` Matt Mackall
2011-03-04 11:58 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2011-03-07 14:19 [PATCH] Make /proc/slabinfo 040 George Spelvin
2011-03-07 17:49 ` [PATCH] Make /proc/slabinfo 0400 George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1299188667.3062.259.camel@calx \
--to=mpm@selenic.com \
--cc=cl@linux-foundation.org \
--cc=drosenberg@vsecurity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).