Re: Future Linux devel. Kernels

From: yoann@mandrakesoft.com
Date: Sun May 07 2000 - 18:55:05 EST


Khimenko Victor <khim@dell.sch57.msk.ru> writes:

> On 8 May 2000 yoann@mandrakesoft.com wrote:
>
> > Khimenko Victor <khim@dell.sch57.msk.ru> writes:
> >
> > > On Mon, 8 May 2000, Igmar Palsenberg wrote:
> > >
> > > >
> > > > > > Well my thought was if you are running syslog on another box you would have
> > > > > > somewhat of a tamperproof
> > > > > > system. For instance an intruder compromises root, loads a kernel module to
> > > > > > hide his/her activities. If modules are logged there's one more piece of
> > > > > > evidence that the system has been compromised. Right now (under 2.2 kernels)
> > > > > > I do not see any logs when I load (or remove) modules.
> > > > >
> > > > > It was discussed zillion times already. It was just called "non-executable
> > > > > stack". "One more layer of toilet paper" (instead of reliable lock) is NOT
> > > > > acceptable in mainstream kernel. It's security via obscurity. It WORKS.
> > > > > Really. But ONLY as long as it's not in mainstream kernel. Once such feature
> > > > > is in mainstream kernel it's in VERY short time added to "automagic cracker
> > > > > toolset" and then we have only bloat in kernel and no additional security
> > > > > at all. So implement it as local patch if you wish -- it'll help you more
> > > > > this way.
> > > >
> > > > It doesn't work.
> > >
> > > It works beautifully. As long as the intruder does not know where exactly
> > > traps are placed he can not avoid traps. Will it work as a long-time defence
> > > against a skilled cracker SPECIALLY directed against you ? Probably not.
> > > Will it stop most crackers ? For sure. As long as traps are NOT common and
> > > thus not known to the majority of crackers!
> > >
> >
> > It does not work.
> > Please read the 'Proposal LUID' and 'Security in general (was Re: Proposal "LUID")'
> > threads, where this was highly discussed.
> >
> This discussion does not apply here. Not at all. There was discussed some
> things to be done in PUBLIC (read: intruder aware about changes). If you
> are doing EXACTLY some thing in secrecy it'll work for some time (may be
> even not so short time).
>
> Please, please, PLEASE try to understand that "does not work as long term
> solution" and "does not work at all" are different things. Sometimes
> DRASTICALLY (for example UUIDs are always used as unique things but still
> in REALLY long term they are not: there is only a finite number of
> different UUIDs :-))
>

non executable stack gives, as it was said before, a false sense of security;

also, the majority of recent exploits work on non exec stack as it is, at least,
as easy to write an exploit for non executable as for executable stack.

So it will not even work on short term.

-- 
		-- Yoann http://www.mandrakesoft.com/~yoann/
 It is well known that M$ products don't make a free() after a malloc(),
the unix community wish them good luck for their future development.
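The logging idea raised at the top of this thread (record module loads and ship the record to another box so a later rootkit cannot erase it) can be approximated from user space without a kernel change. The following is an added example, not code from this thread or from any kernel release: it diffs two snapshots of /proc/modules, builds RFC 3164-style syslog lines, and has a helper that forwards them over UDP to a remote collector. Assumptions: the snapshots are constructed and use the /proc/modules layout of later (2.6+) kernels, not the 2.2 kernels discussed here; the "modwatch" tag, the host name and the time stamp are invented for the demo.

```python
import socket
from datetime import datetime

# Constructed sample snapshots (NOT real captures), in the layout of
# /proc/modules on 2.6+ kernels: "name size refcount deps state address".
# The 2.2 kernels discussed in the thread use a different layout.
BASELINE_SNAPSHOT = """\
ext3 123456 1 - Live 0xffffffffa0001000
e1000 98765 0 - Live 0xffffffffa0020000
"""
CURRENT_SNAPSHOT = """\
ext3 123456 1 - Live 0xffffffffa0001000
suspicious_mod 4096 0 - Live 0xffffffffa0030000
"""

# Fixed time stamp so the demo output is reproducible (invented value).
DEMO_TS = datetime(2000, 5, 7, 18, 55, 5)

# Facility kern (0) * 8 + severity warning (4), as in RFC 3164 PRI encoding.
KERN_WARNING_PRI = 0 * 8 + 4


def parse_modules(text):
    """Return {module_name: size} for each non-empty line of a /proc/modules dump."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            modules[fields[0]] = int(fields[1])
    return modules


def diff_modules(baseline_text, current_text):
    """Return (loaded, unloaded) dicts of name -> size between two snapshots."""
    baseline = parse_modules(baseline_text)
    current = parse_modules(current_text)
    loaded = {n: current[n] for n in sorted(set(current) - set(baseline))}
    unloaded = {n: baseline[n] for n in sorted(set(baseline) - set(current))}
    return loaded, unloaded


def format_syslog_line(hostname, event, name, size, ts):
    """Build '<PRI>MMM dd HH:MM:SS host tag: message' (RFC 3164 BSD syslog)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{KERN_WARNING_PRI}>{stamp} {hostname} modwatch: {event} module={name} size={size}"


def build_alerts(baseline_text, current_text, hostname, ts):
    """One syslog line per module that appeared or disappeared between snapshots."""
    loaded, unloaded = diff_modules(baseline_text, current_text)
    lines = [format_syslog_line(hostname, "LOADED", n, s, ts) for n, s in loaded.items()]
    lines += [format_syslog_line(hostname, "UNLOADED", n, s, ts) for n, s in unloaded.items()]
    return lines


def forward_to_loghost(lines, loghost, port=514):
    """Send each line by UDP to the remote syslog collector (not called in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode(), (loghost, port))


if __name__ == "__main__":
    # On a real host you would read /proc/modules on a timer and keep the
    # previous read as the baseline; here both snapshots are constructed.
    for line in build_alerts(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, "host1", DEMO_TS):
        print(line)
```

The caveat the thread itself implies: a module loaded precisely to hide activity can also hide itself from /proc/modules, so a polling watcher only catches what is visible between polls. The value of the remote collector is that whatever was emitted before the module took effect cannot be erased from the compromised box afterwards, which is the "one more piece of evidence" Igmar Palsenberg asked for.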




This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:21 EST