Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

[Jann Horn]

On Thu, Sep 10, 2020 at 10:21 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> [kees: re-sending this series on behalf of John Wood <john.wood@xxxxxxx>
> also visible at https://github.com/johwood/linux fbfam]
[...]
> The goal of this patch serie is to detect and mitigate a fork brute force
> attack.
>
> Attacks with the purpose to break ASLR or bypass canaries traditionaly use
> some level of brute force with the help of the fork system call. This is
> possible since when creating a new process using fork its memory contents
> are the same as those of the parent process (the process that called the
> fork system call). So, the attacker can test the memory infinite times to
> find the correct memory values or the correct memory addresses without
> worrying about crashing the application.

For the next version of this patchset, you may want to clarify that
this is intended to stop brute force attacks *against vulnerable
userspace processes* that fork off worker processes. I was halfway
through the patch series before I realized that.