From: Ingo Molnar <mingo@kernel.org>
To: Eric Northup <digitaleric@google.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "x86@kernel.org" <x86@kernel.org>,
Jarkko Sakkinen <jarkko.sakkinen@intel.com>,
Matthew Garrett <mjg@redhat.com>,
Matt Fleming <matt.fleming@intel.com>,
Dan Rosenberg <drosenberg@vsecurity.com>,
Julien Tinnes <jln@google.com>, Will Drewry <wad@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH 3/3] x86: kernel base offset ASLR
Date: Fri, 5 Apr 2013 09:55:32 +0200 [thread overview]
Message-ID: <20130405075532.GF26889@gmail.com> (raw)
In-Reply-To: <CAG7+5M0SDj0r+HfrZp99FvmDa+LJMJmyDv2Eju5LSfe2TsCXbg@mail.gmail.com>
* Eric Northup <digitaleric@google.com> wrote:
> On Thu, Apr 4, 2013 at 1:58 PM, H. Peter Anvin <hpa@zytor.com> wrote:
> > It seems to me that you are assuming that the attacker is targeting a specific system, but a bot might as well target 256 different systems and see what sticks...
>
> The alarm signal from the ones that don't stick is, in my opinion, the
> primary benefit from this work -- it makes certain classes of attack
> much less economical. A crash dump from a panic'd machine may include
> enough information to diagnose the exploited vulnerability - and once
> diagnosed and fixed, knowledge about the vulnerability is much less
> valuable.
Correct.
Beyond making worm propagation and zombie collection dynamics much less
favorable, there's another aspect to randomization: attacks against high
value Linux targets often use high value exploits, where considerable
effort is spent to make sure that the attack will succeed 100%, without
alerting anyone - or will fail safely without alerting anyone.
Probabilistically crashing the kernel does not fit that requirement.
In some cases adding even a _single bit_ of randomness will change the
economics dramatically, because as time progresses and the kernel gets
(hopefully) more secure, the value of an exploitable zero-day
vulnerability becomes inevitably much higher than the value of pretty much
any system attacked.
Injecting a significant risk of detection is a powerful concept. Think of
WWII: how much effort went into making sure that the Germans did not
detect that the encryption of Enigma was broken. Or how much effort went
into making sure that the soviets did not detect that the US got hold of
one of their nukes - etc.
So this feature really seems useful across the security spectrum, for low
and high value systems alike.
Thanks,
Ingo
next prev parent reply other threads:[~2013-04-05 7:55 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-04 20:07 [PATCH 0/3] kernel ASLR Kees Cook
2013-04-04 20:07 ` [PATCH 1/3] x86: routines to choose random kernel base offset Kees Cook
2013-04-05 7:24 ` Ingo Molnar
2013-04-05 7:36 ` Ingo Molnar
2013-04-05 18:15 ` H. Peter Anvin
2013-04-04 20:07 ` [PATCH 2/3] x86: build reloc tool for both 64 and 32 bit Kees Cook
2013-04-05 7:13 ` Ingo Molnar
2013-04-04 20:07 ` [PATCH 3/3] x86: kernel base offset ASLR Kees Cook
2013-04-04 20:12 ` H. Peter Anvin
2013-04-04 20:19 ` Julien Tinnes
2013-04-04 20:23 ` Julien Tinnes
2013-04-04 20:27 ` H. Peter Anvin
2013-04-04 20:48 ` Julien Tinnes
2013-04-05 7:05 ` Ingo Molnar
2013-04-04 20:54 ` Kees Cook
2013-04-04 20:58 ` H. Peter Anvin
2013-04-04 21:00 ` Kees Cook
2013-04-04 21:01 ` H. Peter Anvin
2013-04-04 21:04 ` Eric Northup
2013-04-04 21:06 ` Kees Cook
2013-04-04 21:00 ` Julien Tinnes
2013-04-04 21:01 ` Eric Northup
2013-04-05 7:55 ` Ingo Molnar [this message]
2013-04-04 20:21 ` H. Peter Anvin
2013-04-04 20:47 ` Eric Northup
2013-04-05 1:08 ` H. Peter Anvin
2013-04-05 8:04 ` Ingo Molnar
2013-04-05 15:30 ` H. Peter Anvin
2013-04-08 11:58 ` Ingo Molnar
2013-04-08 14:58 ` H. Peter Anvin
2013-04-05 18:17 ` H. Peter Anvin
2013-04-05 20:01 ` Yinghai Lu
2013-04-05 20:05 ` H. Peter Anvin
2013-04-05 20:19 ` Yinghai Lu
2013-04-05 20:29 ` H. Peter Anvin
2013-04-05 7:11 ` Ingo Molnar
2013-04-05 22:06 ` Julien Tinnes
2013-04-05 22:08 ` H. Peter Anvin
2013-04-05 22:13 ` Julien Tinnes
2013-04-05 7:34 ` Ingo Molnar
2013-04-05 12:12 ` Jiri Kosina
2013-04-05 14:49 ` Borislav Petkov
2013-04-05 20:19 ` Julien Tinnes
2013-04-05 20:43 ` Borislav Petkov
2013-04-05 23:18 ` Kees Cook
2013-04-06 10:10 ` Borislav Petkov
2013-04-08 12:13 ` Ingo Molnar
2013-04-11 20:52 ` [PATCH 0/3] kernel ASLR H. Peter Anvin
2013-04-11 21:28 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130405075532.GF26889@gmail.com \
--to=mingo@kernel.org \
--cc=digitaleric@google.com \
--cc=drosenberg@vsecurity.com \
--cc=hpa@zytor.com \
--cc=jarkko.sakkinen@intel.com \
--cc=jln@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=matt.fleming@intel.com \
--cc=mingo@redhat.com \
--cc=mjg@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).