Re: Future Linux devel. Kernels

From: Khimenko Victor (khim@dell.sch57.msk.ru)
Date: Sun May 07 2000 - 19:03:01 EST


On 8 May 2000 yoann@mandrakesoft.com wrote:

> Khimenko Victor <khim@dell.sch57.msk.ru> writes:
>
> > On 8 May 2000 yoann@mandrakesoft.com wrote:
> >
> > > Khimenko Victor <khim@dell.sch57.msk.ru> writes:
> > >
> > > > On Mon, 8 May 2000, Igmar Palsenberg wrote:
> > > >
> > > > >
> > > > > > > Well my thought was if you are running syslog on another box you would have
> > > > > > > somewhat of a tamperproof system. For instance an intruder compromises root,
> > > > > > > loads a kernel module to hide his/her activities. If modules are logged there's
> > > > > > > one more piece of evidence that the system has been compromised. Right now
> > > > > > > (under 2.2 kernels) I do not see any logs when I load (or remove) modules.
> > > > > >
> > > > > > It was discussed a zillion times already. It was just called "non-executable
> > > > > > stack". "One more layer of toilet paper" (instead of a reliable lock) is NOT
> > > > > > acceptable in the mainstream kernel. It's security via obscurity. It WORKS.
> > > > > > Really. But ONLY as long as it's not in the mainstream kernel. Once such a feature
> > > > > > is in the mainstream kernel it's in a VERY short time added to the "automagic cracker
> > > > > > toolset" and then we have only bloat in the kernel and no additional security
> > > > > > at all. So implement it as a local patch if you wish -- it'll help you more
> > > > > > this way.
> > > > >
> > > > > It doesn't work.
> > > >
> > > > It works beautifully. As long as the intruder does not know where exactly
> > > > the traps are placed he can not avoid the traps. Will it work as a long-term defence
> > > > against a skilled cracker SPECIALLY directed against you? Probably not.
> > > > Will it stop most crackers? For sure. As long as the traps are NOT common and
> > > > thus not known to the majority of crackers!
> > > >
> > >
> > > It does not work.
> > > Please read the 'Proposal LUID' and 'Security in general (was Re: Proposal "LUID")'
> > > threads, where this was discussed at length.
> > >
> > This discussion does not apply here. Not at all. What was discussed there were
> > things to be done in PUBLIC (read: the intruder is aware of the changes). If you
> > are doing EXACTLY the same thing in secrecy it'll work for some time (maybe
> > even not so short a time).
> >
> > Please, please, PLEASE try to understand that "does not work as a long-term
> > solution" and "does not work at all" are different things. Sometimes
> > DRASTICALLY (for example UUIDs are always used as unique things but still
> > in the REALLY long term they are not: there is only a finite number of
> > different UUIDs :-))
> >
>
> a non-executable stack gives, as it was said before, a false sense of security;
>
And guess who said it?

> also, the majority of recent exploits work on a non-exec stack as it is; at least,
> it is as easy to write an exploit for a non-executable as for an executable stack.
>
Hah. HOW LONG did the non-executable stack prevent exploits for quite a few
people? Yes, it's a well-known thing now and does not work anymore.
That's why you do not want such things in the mainstream kernel.

> So it will not even work on short term.
>
It works fine in the short term. The non-executable stack prevented LOTS of
intrusion attempts. Yes, now this hack has timed out and is not so useful
anymore, but it worked. For a few YEARS. Not so "short" a term, I want to say.
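The "log module loads as one more piece of evidence" idea at the top of this thread can be demonstrated outside the kernel: take snapshots of `/proc/modules`, diff them, and emit syslog-style lines that can be shipped to another box. The script below is an added example for this archive page, not code from any participant or from the kernel; it assumes the modern `/proc/modules` line format (`name size refcount used_by state address`), and all module names, sizes and addresses in the two snapshots are constructed sample data.

```python
"""Detect kernel module load/unload events by diffing /proc/modules snapshots.

Added example for the thread above; not code from the thread or the kernel.
Assumes the modern /proc/modules line format:
    <name> <size> <refcount> <used_by,...|-> <state> <address>
Snapshot contents below are constructed, not real system output.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    size: int
    refcount: int
    used_by: tuple
    state: str
    address: str


def parse_proc_modules(text):
    """Parse /proc/modules-format text into a dict keyed by module name."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines rather than crash
        name, size, refcount, used_by, state, address = parts[:6]
        # used_by is "-" or a comma-separated list with a trailing comma
        deps = () if used_by == "-" else tuple(d for d in used_by.split(",") if d)
        modules[name] = Module(name, int(size), int(refcount), deps, state, address)
    return modules


def diff_modules(before, after):
    """Return (loaded, unloaded): sorted lists of module names that appeared/disappeared."""
    loaded = sorted(set(after) - set(before))
    unloaded = sorted(set(before) - set(after))
    return loaded, unloaded


def format_events(before, after, host="host", ts=None):
    """Render module changes as syslog-style lines for forwarding to a remote log host."""
    ts = ts or time.strftime("%b %d %H:%M:%S")
    loaded, unloaded = diff_modules(before, after)
    lines = []
    for name in loaded:
        m = after[name]
        lines.append(f"{ts} {host} modwatch: module loaded name={name} size={m.size} state={m.state}")
    for name in unloaded:
        lines.append(f"{ts} {host} modwatch: module unloaded name={name}")
    return lines


# Constructed snapshots (sample data, not captured from a real system).
SNAPSHOT_BEFORE = """\
ext3 89000 2 - Live 0xe0840000
jbd 52000 1 ext3, Live 0xe0820000
e100 35000 0 - Live 0xe0800000
"""

SNAPSHOT_AFTER = """\
ext3 89000 2 - Live 0xe0840000
jbd 52000 1 ext3, Live 0xe0820000
unknownmod 12000 0 - Live 0xe0900000
"""

if __name__ == "__main__":
    before = parse_proc_modules(SNAPSHOT_BEFORE)
    after = parse_proc_modules(SNAPSHOT_AFTER)
    for line in format_events(before, after, host="example", ts="May 08 00:00:00"):
        print(line)
```

On a live system the two snapshots would be successive reads of `/proc/modules`; the point of the thread is that the resulting lines are only tamper-evident if they leave the box before an intruder with root can edit the local log.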




This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:21 EST