Re: Future Linux devel. Kernels

From: Khimenko Victor (khim@dell.sch57.msk.ru)
Date: Sun May 07 2000 - 18:43:53 EST


On 8 May 2000 yoann@mandrakesoft.com wrote:

> Khimenko Victor <khim@dell.sch57.msk.ru> writes:
>
> > On Mon, 8 May 2000, Igmar Palsenberg wrote:
> >
> > >
> > > > > Well my thought was if you are running syslog on another box you would have
> > > > > somewhat of a tamper-proof
> > > > > system. For instance an intruder compromises root, loads a kernel module to
> > > > > hide his/her activities. If modules are logged there's one more piece of
> > > > > evidence that the system has been compromised. Right now (under 2.2 kernels)
> > > > > I do not see any logs when I load (or remove) modules.
> > > >
> > > > It was discussed a zillion times already. It was just called "non-executable
> > > > stack". "One more layer of toilet paper" (instead of reliable lock) is NOT
> > > > acceptable in mainstream kernel. It's security via obscurity. It WORKS.
> > > > Really. But ONLY as long as it's not in mainstream kernel. Once such feature
> > > > is in mainstream kernel it's in VERY short time added to "automagic cracker
> > > > toolset" and then we have only bloat in kernel and no additional security
> > > > at all. So implement it as local patch if you wish -- it'll help you more
> > > > this way.
> > >
> > > It doesn't work.
> >
> > It works beautifully. As long as the intruder does not know where exactly
> > the traps are placed he cannot avoid them. Will it work as a long-term defence
> > against a skilled cracker SPECIALLY directed against you ? Probably not.
> > Will it stop most crackers ? For sure. As long as traps are NOT common and
> > thus not known to majority of crackers!
> >
>
> It does not work.
> Please read the 'Proposal LUID' and 'Security in general (was Re: Proposal "LUID")'
> threads, where this was highly discussed.
>
This discussion does not apply here. Not at all. What was discussed there were
things to be done in PUBLIC (read: the intruder is aware of the changes). If you
are doing EXACTLY the same thing in secrecy it'll work for some time (maybe
even not such a short time).

Please, please, PLEASE try to understand that "does not work as a long-term
solution" and "does not work at all" are different things. Sometimes
DRASTICALLY (for example UUIDs are always used as unique things but still
in the REALLY long term they are not: there is only a finite number of
different UUIDs :-))
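The detection idea at the top of the thread (ship kernel module load/unload messages to a separate syslog box and treat any unexpected one as evidence of compromise) can be sketched as a small log check. This is an added example and not code from the thread or from any kernel; the 2.2 kernels discussed did not emit such messages, so the "kernel: module loaded:/unloaded:" line format, the host name, the module names and the allowlist below are all constructed for illustration.

```python
"""Flag kernel-module load/unload events in syslog lines received by a remote
log host.  Added example: the message format, host and module names are
constructed assumptions, not output of any real kernel."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class ModuleEvent(NamedTuple):
    timestamp: str   # classic syslog timestamp as received (no year)
    host: str
    action: str      # "loaded" or "unloaded"
    module: str


# Constructed line format (assumption): "<ts> <host> kernel: module loaded: <name>"
_EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"module (?P<action>loaded|unloaded): (?P<module>\S+)$"
)

# Constructed sample of what the remote syslog host might have received.
# "hidectl" is a made-up module name standing in for something the admin
# never installed; the cron line shows that unrelated lines are ignored.
SAMPLE_LOG = """\
May  7 18:40:01 webhost kernel: module loaded: ne2k-pci
May  7 18:40:02 webhost kernel: module loaded: nfs
May  7 18:41:10 webhost cron[412]: (root) CMD (run-parts /etc/cron.hourly)
May  7 18:41:15 webhost kernel: module loaded: hidectl
May  7 18:41:20 webhost kernel: module unloaded: nfs
May  7 18:42:00 webhost kernel: module loaded: ne2k-pci
"""

# Constructed allowlist: modules each host is expected to load at boot.
EXPECTED_MODULES: Dict[str, Set[str]] = {"webhost": {"ne2k-pci", "nfs"}}


def parse_module_events(lines: List[str]) -> List[ModuleEvent]:
    """Extract module load/unload events; every other line is skipped."""
    events = []
    for line in lines:
        m = _EVENT_RE.match(line.rstrip("\n"))
        if m:
            events.append(ModuleEvent(m["ts"], m["host"], m["action"], m["module"]))
    return events


def unexpected_events(events: List[ModuleEvent],
                      allowlist: Dict[str, Set[str]]) -> List[Tuple[ModuleEvent, str]]:
    """Report every unload, and every load of a module not on the host's
    allowlist.  An unknown host has an empty allowlist, so all its loads
    are reported."""
    findings = []
    for ev in events:
        allowed = allowlist.get(ev.host, set())
        if ev.action == "unloaded":
            findings.append((ev, "module removed"))
        elif ev.module not in allowed:
            findings.append((ev, "unexpected module loaded"))
    return findings


def audit_sample() -> List[Tuple[ModuleEvent, str]]:
    """Run the check over the constructed sample and return the findings."""
    return unexpected_events(parse_module_events(SAMPLE_LOG.splitlines()),
                             EXPECTED_MODULES)


if __name__ == "__main__":
    for ev, reason in audit_sample():
        print(f"{ev.timestamp} {ev.host}: {reason}: {ev.module}")
```

The value of running this on the remote box rather than on the monitored host is the tamper-evidence argument made in the thread: the lines have already left the machine by the time an intruder with root can edit local logs, so the record of the load survives even if the module later hides itself from /proc/modules.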




This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:21 EST