Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3413940pxb; Mon, 9 Nov 2020 10:27:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJyjraBr8HJzYv7EwLJ/e2ogm1LFPA2/tD92pKdRBU9OLZBIiYQdPkuPNzUxSUEclNij+Sv9 X-Received: by 2002:a17:906:fcdb:: with SMTP id qx27mr16577510ejb.470.1604946475956; Mon, 09 Nov 2020 10:27:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604946475; cv=none; d=google.com; s=arc-20160816; b=COW6mSmkdzeJs7uIVt8PR3IPddbHbbghDnBuDA9MwGA+vfKgwWSHA7tmJGOkyZ81w4 +seEeXmI3cnpFBNTIDLSrePhmvlvdTctIFR2Ulvl68biMJ6wOX5LhT7eNA+rzgoGDKGa RaUohEJXpJlYUj+T6bhcP+drhKy7cgnXA4kBgJHGZ2hUMQ0PIw/Odqlrx2fmbmZ+BMW3 efmuBxS92gNl6TxNSo/m81FtsOhv+Y7HQBMGgt8q4O7FT6S7bVoco4d1/0E72claPBMo ht1NHVoODmCfbdfKIsTngKlnZ4TDwTFL9tJJrBVpQPvfQaj08KCYsjOk2Kn6yyL0zkEh e99A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=WqIeflJSIlbYefgQQeWSGrItmuRntyT1T0hegn+ItPU=; b=J4pdSUBT48nm1iJofNPLymE7kXIBK9/ao1YjpgaLD56VFHxUh2TBclwxZonEu6ICHV raMomitrAqZZNPONMPIyI9aDIgDhaVqOebjU8zcjusW3+8L5EwUgVTgaNopImSzLHy3G hXYl1Mdjn8LelhTvWOQNSI1LcTYTlTMnA58xWRDh4gQtcF4ci8quaoN3eoP1b1clX0A6 GWE/vfx9QGGwKCUsrJoptNQrEWcqK5MNK470e6VNJ4gNIfnYrFqVsP0BDncXLBF4F4xW zFdEz7o5h+7pqmcuJydo+ZxEuTYvaQwAhcvoPKiTXrHWsmyjsPs6ciSiPl5qIxrZ6ewO mOJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=XCdtV1bl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r12si7405209ejr.690.2020.11.09.10.27.32; Mon, 09 Nov 2020 10:27:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=XCdtV1bl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729897AbgKISYg (ORCPT + 99 others); Mon, 9 Nov 2020 13:24:36 -0500 Received: from mout.gmx.net ([212.227.17.21]:41837 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729119AbgKISYg (ORCPT ); Mon, 9 Nov 2020 13:24:36 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1604946242; bh=WqIeflJSIlbYefgQQeWSGrItmuRntyT1T0hegn+ItPU=; h=X-UI-Sender-Class:Date:From:To:Cc:Subject:References:In-Reply-To; b=XCdtV1blAQXrTCOSFtrBcv8Mh9UbKawLpFL3nZHFRYfna4OsIJ9yF6C6pAvhAAuDl /4h3bASY0Ivfwp82T9gQSHpralUDDjpWg0kSSlRBYhaMGc+f/wRhDdp/zqyI72fU1v WRudfFToHwR7fyK1w+SIrckkx4kjx/4ePBaPlcDk= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from ubuntu ([83.52.231.59]) by mail.gmx.com (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1MhU5b-1k7Y371Ht5-00ecTa; Mon, 09 Nov 2020 19:24:02 +0100 Date: Mon, 9 Nov 2020 19:23:48 +0100 From: John Wood To: Randy Dunlap , Kees Cook , Jann Horn Cc: John Wood , Jonathan Corbet , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v2 7/8] Documentation: Add documentation for the Brute LSM Message-ID: <20201109182348.GA3110@ubuntu> References: <20201025134540.3770-1-john.wood@gmx.com> <20201025134540.3770-8-john.wood@gmx.com> <2ab35578-832a-6b92-ca9b-2f7d42bc0792@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2ab35578-832a-6b92-ca9b-2f7d42bc0792@infradead.org> X-Provags-ID: V03:K1:WdI92dEESOw+IgoEK7rINKMLkOZRlvr4IU++VYFxIy5Ur0nV16w Sqk+PhsyjhswmvKyBUujNzib3b/wlEFMi39I/2/Bce6C0eAMeXnWS9YK6rlW9reHWAz9Szd ICX7ASR+WHwx4BL2+H8Aeq3GTAh49+HVm+XJdYJvJgA4+9gc3QJYZQFBI08chIEExKq2+yS nAguvprm3r390hvh6TrRQ== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:98HlGKz9byI=:y9WvS6BYmDogmfNlP3PqZd sWZq3sMViZO0xAzwsWRVGRHjkt5YyU+C1AqB2JSCjSM8i69/rcn4dBDna+E1t83MSnIjZpQvW NeaZmFproIgh57IAwipps3xUj8zq8vmjCGqZten0jYdleE7hRN3Nhn14vdrxjnB/0SS9obIgK hKFu5IIEC7sLEHovDjYww3kv6l9ZR89B229SvWx5jTYSCgkAfZ1xNL5C/Blv9gPDFlzMOAtUV EzrWNW/1W8gfPufebymUZYPomyz2Jf+5LBPugLT+m1ZTLzo1rA9O7lp+AO5GH+uF3/wnMMNkE pCsMl0RqRKJN4L1OoegURKyPmqH7zY/60BThS4RNQ29yB7LGF+usuXQoQneqHgcoWXXBZ4NWM XFNXjfRKoGwgo/VHiNcf+UcyBHpoTEoPTIA0D2LnpyuAZW8YTg5zrf5CSS+j2maMyxiIMLvlw qwdUB8yW7LmJJMdfU75NWEcxLnj4KOi6RhddjfM1q61f9QSPwNjdnbNtDT6wCW9Sb+lefroBS GxNkPOp+8dPaCGGKxJO7iOm5EZPjpusjupOGqBwQb0B7TrK9lJTJmu3YRVBNA4hWjzliTvFzx fkSGuTLCStJJi1Jc9aocu5R4O2TZlWWTYpx2M/w30puxorF4WzvWs5JpsEi3DByYIVRBikAVZ IkW1mGIFY+Nd2/tQDrSQxe+uLBejHR0k0nc2ihQsGOSXotUvJdkW1PtuMOZ4u+ydyoB2wnmAI wCUaD9Bn+3gNcjb7H8+lM9PGYm/jhSY/5rUE6qA3wpgMdNL3JeQmLe3Pdk0JFcVCTjfGxQDNu /I/dZ44v3f2rv4wu0X/LaNajwe5DtUSwdq5gUB6dVKSbaQt8qPUXpgKBabvA2gk9QWKHmwmz5 coBqJksRfE5u8uNHeX9Q== Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Thanks for the typos corrections. Will be corrected in the next patch version. On Sun, Nov 08, 2020 at 08:31:13PM -0800, Randy Dunlap wrote: > > So an app could read crash_period_threshold and just do a new fork every > threshold + 1 time units, right? and not be caught? Yes, you are right. But we must set a crash_period_threshold that does not make an attack feasible. For example, with the default value of 30000 ms, an attacker can break the app only once every 30 seconds. So, to guess canaries or break ASLR, the attack needs a big amount of time. But it is possible. So, I think that to avoid this scenario we can add a maximum number of faults per fork hierarchy. Then, the mitigation will be triggered if the application crash period falls under the period threshold or if the number of faults exceed the maximum commented. This way, if an attack is of long duration, it will also be detected and mitigated. What do you think? > > thanks for the documentation. > -- > ~Randy > Thanks, John Wood