Add brute forcing/rapid crash detection and mitigation #39
Labels
[Feature] ASLR
involves address space layout randomization
[PATCH] Exists
A patch exists to address the issue
[PATCH] Submitted
A patch has been submitted upstream
userspace defense
This defense is intended to improve the resilience of userspace programs
Comments
kees
added
[PATCH] Exists
|
It'd be nice to get a kernel-crash detection version of this as well, for systems that don't set |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Attacks against setuid applications traditionally end up using some level of bruce forcing to either break ASLR or otherwise wait for the right conditions on re-exec (e.g. StackClash explicitly called out this defense as foiling their attack). A setuid application or forking daemon rapidly crashing is a pretty clear signal to the kernel that something malicious (or at least resource-wasting) is happening in userspace, so it would be nice to have this detected and mitigated. This was already done in grsecurity with their CONFIG_GRKERNSEC_BRUTE.
An attempt was made to upstream this defense:
https://lore.kernel.org/linux-fsdevel/1419457167-15042-1-git-send-email-richard@nod.at/
But it did not continue to get developed. It needed both a CONFIG and a sysctl added. (And to have a more well described explanation for why this should not be part of the userspace libc, which is the wrong layer to detect the condition, nor to do anything about it.)
The text was updated successfully, but these errors were encountered: