Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3606439pxb; Mon, 9 Nov 2020 16:12:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjJuk+6rQIzLhiTaSNxVmnFXVRpGyZGgsf9CBiHagC1c+ZW4/m7bb9YsmbfJ2+DtAtIvEP X-Received: by 2002:a17:906:4712:: with SMTP id y18mr17312940ejq.51.1604967140095; Mon, 09 Nov 2020 16:12:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604967140; cv=none; d=google.com; s=arc-20160816; b=mc+SIACRzoRAgRIR9M4aaRuTjQXjPWgMa6u26C6wYmy3WxPgXS3gPeLFyLQL/eWb8p Nf7VXnXP2rv3nYk+P5OqY/YrNvKMYJyYbmOtF1EOv5bsB6Fb1Ms2mnBCNv7g7EMVchfH Ye62QiVkHAXZblyt4cRpl+AM9x6K5iQ8sJbQSsr3E5cVXvliiX+ypc2v6H7ChgHsrHdm HbPaN9RM1WBBkWm3KUHpzUO60gNbl5s1/M3yXWLHpGrv7/qAO4+cnhkvUVQftrDeMmOE 3vnvdRtS+J6PFHGiHR2fCPfwBEahCkgYMWyQOsCRjrMNve04oO1lLffUZwKp92xzMzFu b+Xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=rzp6w6LtmUWYCvcLAbZq+3lrgpo1QeVmRmbMbPfRlA4=; b=R5u9UwYqySolWXxNw5QejzmMDBW89aVoGhLUu1bLO85llD+ngG/HmjKY3Z4L9I291+ sbVRlaHOn/aW5MCbK75vObO2KVaQSEEmc/+58RXScEN4k5nVLPHkk2DTtDzGqGiQ059s kJvMyKSeKAE78bKWZEC7C/jv5/uTYjMARiCWMbe5FoUxVjVaPVCvVJpawwKcc7vf3QrP 13BT6Q+pUlH7oaRyhrwl2G/mAMoZ0iUsy9fGvyuRFrferdmFqT3cAPNf64bfOE29y4v/ M/+wxwKm81cYVuE3WNtqFz0RfitdgiK0bR8Pp4QRTQ8beOCmXL7CvocsDrOtwqXhov4Q JywA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=merlin.20170209 header.b=PeY6e3zO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b9si8034682ejk.456.2020.11.09.16.11.44; Mon, 09 Nov 2020 16:12:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=merlin.20170209 header.b=PeY6e3zO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729493AbgKJAJd (ORCPT + 99 others); Mon, 9 Nov 2020 19:09:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40570 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727311AbgKJAJc (ORCPT ); Mon, 9 Nov 2020 19:09:32 -0500 Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 63E77C0613CF; Mon, 9 Nov 2020 16:09:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description; bh=rzp6w6LtmUWYCvcLAbZq+3lrgpo1QeVmRmbMbPfRlA4=; b=PeY6e3zOfq5yS87w5dYJX/bGHU 0REP48EkwsDG5m7klT2SuoL4SXj5mtINLieWT2kOXu6cJloGAgN8NfBRdfXPfJqI5on3Z93hqhNLG XoP6pB92jSfHtSjTjpPb76VEkGhBctEK9wofFyjmKDJnCHfNagS3jkiK1fwvrZZ8wGNG6t0QsaTDA KqLwapDqkD41gHfNybnPHfi+o+7N+deUWW6Chv5AtCJWsLeNvmhYgiGwo85CsY+y70Gc8ZLGGpqjs MQhX9+BMCIWGJVFDn7WLAyysztTMmp4xiRl47fTxGBLkvqUJc+WwFvh5xHcgA05u0wQsR/RLk1xY0 vs2Wj6Qw==; Received: from [2601:1c0:6280:3f0::662d] by merlin.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1kcHDy-0000jO-Ae; Tue, 10 Nov 2020 00:09:26 +0000 Subject: Re: [PATCH v2 7/8] Documentation: Add documentation for the Brute LSM To: John Wood , Kees Cook , Jann Horn Cc: Jonathan Corbet , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com References: <20201025134540.3770-1-john.wood@gmx.com> <20201025134540.3770-8-john.wood@gmx.com> <2ab35578-832a-6b92-ca9b-2f7d42bc0792@infradead.org> <20201109182348.GA3110@ubuntu> From: Randy Dunlap Message-ID: Date: Mon, 9 Nov 2020 16:09:21 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20201109182348.GA3110@ubuntu> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/9/20 10:23 AM, John Wood wrote: > Hi, > Thanks for the typos corrections. Will be corrected in the next patch > version. > > On Sun, Nov 08, 2020 at 08:31:13PM -0800, Randy Dunlap wrote: >> >> So an app could read crash_period_threshold and just do a new fork every >> threshold + 1 time units, right? and not be caught? > > Yes, you are right. But we must set a crash_period_threshold that does not > make an attack feasible. For example, with the default value of 30000 ms, > an attacker can break the app only once every 30 seconds. So, to guess > canaries or break ASLR, the attack needs a big amount of time. But it is > possible. > > So, I think that to avoid this scenario we can add a maximum number of > faults per fork hierarchy. Then, the mitigation will be triggered if the > application crash period falls under the period threshold or if the number > of faults exceed the maximum commented. > > This way, if an attack is of long duration, it will also be detected and > mitigated. > > What do you think? Hi, That sounds reasonable to me. thanks. -- ~Randy