Full Disclosure mailing list archives
Re: "Advances in Security" in the Linux Kernel and RedHat idiocy
From: spender () grsecurity net (Brad Spengler)
Date: Thu, 27 Jan 2005 14:44:51 -0500
On Thu, Jan 27, 2005 at 08:37:19PM +0100, Michal Zalewski wrote:
On Thu, 27 Jan 2005, Brad Spengler wrote:I guess anyone who thinks that taking a hardcoded exploit and running it 256 times would always result in a successful exploit is stupid.It would not always result in a successful exploitation; just as flipping the coin twice is not a guarantee of getting tails once.
Of course, but you get the idea. Your chances of succeeding after 256 tries are such that it is highly probable you wouldn't fail (and in fact, if the process you're attacking is a forking daemon like apache, if you iterate through all the possibilities, you do indeed have a 100% chance of succeeding after 256 tries).
Other than that, the amount of randomization is indeed puny; but then, even 32-bit randomization is a good defense only in certain situations, and often, can be defeated with some time, aided by luck or a decent NOP-equivalent sled.
Indeed, and only PaX/grsecurity handles these things, which is why it is useful in our case. However, attempting to use weak randomization as RedHat is trying is nothing more than trivial obfuscation, which should have no place in the kernel. All it does is give people a false sense of security, and allow RedHat to make claims that they're preventing 75% of exploits with Exec-shield (of course ignoring that all such exploits that failed could be easily rewritten to succeed). Things have really taken a turn for the worse: Linus used to be against having only a non-executable stack because it's trivially evaded. Now he's all for something that is even more obfuscation than having only a non-executable stack: the exploits don't even have to be rewritten in this case. This all reeks of security ignorance and politics. -Brad
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- "Advances in Security" in the Linux Kernel and RedHat idiocy Brad Spengler (Jan 27)
- Re: "Advances in Security" in the Linux Kernel and RedHat idiocy Arjan van de Ven (Jan 27)
- Re: "Advances in Security" in the Linux Kernel and RedHat idiocy Brad Spengler (Jan 27)
- Re: "Advances in Security" in the Linux Kernel and RedHat idiocy Michal Zalewski (Jan 27)
- Re: "Advances in Security" in the Linux Kernel and RedHat idiocy Brad Spengler (Jan 28)
- Re: "Advances in Security" in the Linux Kernel and RedHat idiocy Arjan van de Ven (Jan 27)