Re: Secure 2.4.x kernel

To: "Gary MacDougall" <gary@freeportweb.com>
Cc: "Matthew Sackman" <matthew@sackman.co.uk>, <debian-security@lists.debian.org>
Subject: Re: Secure 2.4.x kernel
From: Anthony DeRobertis <asd@suespammers.org>
Date: Tue, 25 Dec 2001 00:09:37 -0500
Message-id: <[🔎] 97DCF23C-F8F5-11D5-8229-00039355CFA6@suespammers.org>
In-reply-to: <[🔎] 006e01c18cf7$968390e0$0400a8c0@gary>


On Monday, December 24, 2001, at 10:52 , Gary MacDougall wrote:

Someone said that St. Jude was what I was looking for, and I think
its pretty much *exactly* what I was pointing out.

Can't, in general, stop an attack. All the attacker has to do isnot do unusual calls which jude monitors, which would appearfrom the docs to be execve.

You don't need to call execve to have all sorts of evil fun.open and write (something most processes do quite legitimately)will suffice. So will open and read.

The problem you're trying to solve is to get the kernel to
refuse to execute exploit code. Exploit code looks just like any
other code to CPU. Good luck trying to get the kernel to tell
the difference.


The problem really isn't the code that an exploit executes, the problem

is that the exploit can allow for "root" access by allowing themalicious

code to spawn a new shell.

It doesn't need to spawn a new shell to allow root access. Itcan just load the a properly-linked shell into memory (notcalling execve), then jump to main.


Or it can not use a shell at all. Shells aren't special in any way.

In short: Would EPERM from exec stop a script kiddie? Probably.
Would it stop a dedicated attacker? No.


Ok, maybe i'm missing something, but a "script kiddie" basically needs

access to your box to trojan it right? An attacker, needsaccess to the

box to attack it, right? Whats the difference?

A script kiddie is someone who downloaded some exploit code offthe 'net, and goes and tries it against random boxes. Or againstpopular boxes. If his downloaded code does not work, he's stuck.Might not even know C. Probably doesn't understand how theexploit works. He'll give up or try another box.

A dedicated attacker, to me, is a person with a lot moreexperience, a lot more time to use to attack you, and a reasonto attack that box specifically. He does read the source ofprograms, looking for holes. He will manage to find the tricksyou've put into place, and, given enough time, get around them.

I confess that the danger to most people is the former. You haveto be protecting fairly important information to get the latter.Or be otherwise important.

Reply to:

Follow-Ups:
- Re: Secure 2.4.x kernel
  - From: "Gary MacDougall" <gary@freeportweb.com>

References:
- Re: Secure 2.4.x kernel
  - From: "Gary MacDougall" <gary@freeportweb.com>

Prev by Date: Re: iptables missing library (FIXED)
Next by Date: Re: Secure 2.4.x kernel
Previous by thread: Re: Secure 2.4.x kernel
Next by thread: Re: Secure 2.4.x kernel
Index(es):
- Date
- Thread