Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 toreduce ease of attacking

[Ingo Molnar]

* Willy Tarreau <w@xxxxxx> wrote:

> [...] I was explaining that doing this will not prevent them from guessing the 
> precise kernel version, [...]

Well, which is exactly what i have said to Marcus early on in this discussion:

 |
 | What i suggested in later parts of my mail might provide more security: to sandbox 
 | kernel version information from unprivileged user-space - if we decide that we 
 | want to sandbox kernel version information ...
 |
 | That is a big if, because it takes a considerable amount of work. Would be worth 
 | trying it - but feel-good non-solutions that do not bring much improvement to the 
 | majority of users IMHO hinder such efforts.
 |

The 'considerable amount of work' refers not to the utsname version fuzzing patch 
(it's a 10-liner patch, literally), but to controlling the channels of version 
information you mentioned (uptime, the /boot timestamp), and some other channels you 
did not mention: dmesg, various /sys and /proc entries that leak version 
information, etc.

All must be closed down for unprivileged user-space, for this to be effective, 
obviously.

( Note that there will also be some channels of information that cannot
  realistically be closed down (such as the presence of sys_perf_event_open()
  indicates a v2.6.32+ kernel - or a backported, patched kernel) - but what matters
  mostly is to fuzz the _precise_ version information, to inject uncertainty into
  the equation of attackers. Combined with honeypot silent alarm functionality it
  turns the equation around and creates an outright risk of detection. )

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/