On Sun, Mar 07, 2021 at 07:19:20AM -0800, Andi Kleen wrote:
> Sorry for the late answer. I somehow missed your email earlier.
>
> > As a mitigation method, all the offending tasks involved in the attack are killed. Or in other words, all the tasks that share the same statistics (statistics showing a fast crash rate) are killed.
>
> So systemd will just restart the network daemon and then the attack works again?
Sorry, but I think my last explanation was not clear enough. If the network daemon crashes repeatedly in a short period of time, it will trigger a brute force attack through the fork system call. Then this daemon and all the fork processes created from it will be killed. If systemd restarts the network daemon and it crashes again, then systemd will be killed. I think this way the attack is fully mitigated.
> Or if it's an interactive login you log in again.
First the login will be killed (if it fails with a fatal signal) and, if it is restarted, the process that exec()s it again will be killed. In this case I think that the threat is also completely mitigated.
> I think it might be useful even with these limitations, but it would be good to spell out the limitations of the method more clearly.
>
> I suspect to be useful it'll likely need some user space configuration changes too.
In the v2 version there were some sysctl attributes for fine-tuning the detection. The following two paragraphs are extracted from the documentation patch of that version:

To customize the detection's sensitivity there are two new sysctl attributes that allow setting the last crashes timestamps list size and the application crash period threshold (in milliseconds). Both are accessible through the following files respectively.

/proc/sys/kernel/brute/timestamps_list_size
/proc/sys/kernel/brute/crash_period_threshold
However, Kees Cook suggested that if we narrow the attack detection, focusing on the crossing of privilege boundaries and on signals delivered only by the kernel, it seems not necessary for the user to customize this feature. I agree with that.
> -Andi
I have sent a v6 version with the documentation improved.

Thanks for your comments,
John Wood
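A user-space model of the detection and mitigation discussed in this thread, added here as an illustration; it is not code from the brute LSM patch series or from either participant. The struct and function names are assumptions, the two constants stand in for the v2 sysctls kernel.brute.timestamps_list_size and kernel.brute.crash_period_threshold named above, and the crash scenarios are constructed. The model follows Kees Cook's narrowing from the mail by counting only fatal signals raised by the kernel (si_code > 0, the kernel's SI_FROMUSER test), and it covers the fork case only: the exec/restart case (systemd or the login process being killed) is not modelled.

```c
/*
 * Added example, not code from the brute LSM patches: a user-space model
 * of "crash period" detection over a lineage's shared statistics and the
 * "kill every task sharing those statistics" mitigation. All names below
 * are assumptions; the constants mirror the v2 sysctls named in the mail.
 */
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TIMESTAMPS_LIST_SIZE      5      /* crashes remembered per lineage   */
#define CRASH_PERIOD_THRESHOLD_MS 30000  /* avg ms between crashes => attack */

/* Crash statistics shared by one fork lineage (parent and its children). */
struct brute_stats {
    uint64_t ts_ms[TIMESTAMPS_LIST_SIZE]; /* ring buffer of crash times (ms) */
    size_t count;                         /* valid entries, <= list size     */
    size_t next;                          /* next slot to overwrite          */
};

/* A task: the lineage it belongs to and whether the mitigation hit it. */
struct task {
    int pid;
    struct brute_stats *stats;
    bool killed;
};

/* A fatal-signal delivery as an LSM hook would see it (model, not the kernel type). */
struct fatal_signal {
    uint64_t ts_ms;
    int signo;
    int si_code; /* > 0: raised by the kernel (1 = SEGV_MAPERR); <= 0: kill()/tkill() from user space */
};

/* Mirrors the kernel's SI_FROMUSER(): user-sent signals carry si_code <= 0. */
static bool sent_by_user(const struct fatal_signal *sig)
{
    return sig->si_code <= 0;
}

/* Average time between remembered crashes, or UINT64_MAX while the list is not full. */
static uint64_t crash_period_ms(const struct brute_stats *st)
{
    if (st->count < TIMESTAMPS_LIST_SIZE)
        return UINT64_MAX;
    size_t oldest = st->next; /* the slot about to be overwritten holds the oldest entry */
    size_t newest = (st->next + TIMESTAMPS_LIST_SIZE - 1) % TIMESTAMPS_LIST_SIZE;
    return (st->ts_ms[newest] - st->ts_ms[oldest]) / (TIMESTAMPS_LIST_SIZE - 1);
}

/* Record one fatal signal; returns true when the lineage now looks like an attack. */
static bool brute_task_fatal_signal(struct brute_stats *st, const struct fatal_signal *sig)
{
    if (sent_by_user(sig)) /* an admin running kill(1) must not count as a crash */
        return false;
    st->ts_ms[st->next] = sig->ts_ms;
    st->next = (st->next + 1) % TIMESTAMPS_LIST_SIZE;
    if (st->count < TIMESTAMPS_LIST_SIZE)
        st->count++;
    return crash_period_ms(st) < CRASH_PERIOD_THRESHOLD_MS;
}

/* Mitigation: kill every task sharing the offending statistics. Returns how many were killed. */
static int brute_kill_offenders(struct task *tasks, size_t n, const struct brute_stats *st)
{
    int killed = 0;
    for (size_t i = 0; i < n; i++) {
        if (tasks[i].stats == st && !tasks[i].killed) {
            tasks[i].killed = true; /* a real LSM would deliver SIGKILL here */
            killed++;
        }
    }
    return killed;
}

/*
 * Constructed scenario: a daemon forks a worker per connection and each
 * worker dies with signo/si_code at the given spacing. Returns the number
 * of tasks killed once (if ever) the attack is detected within 8 crashes.
 */
static int simulate_crashes(int si_code, uint64_t spacing_ms)
{
    struct brute_stats daemon_stats = {0}, other_stats = {0};
    struct task tasks[] = {
        { .pid = 100, .stats = &daemon_stats }, /* the daemon itself */
        { .pid = 101, .stats = &daemon_stats }, /* forked workers    */
        { .pid = 102, .stats = &daemon_stats },
        { .pid = 200, .stats = &other_stats },  /* unrelated lineage */
    };
    int killed = 0;
    for (int i = 0; i < 8 && !killed; i++) {
        struct fatal_signal sig = { .ts_ms = 1000 + spacing_ms * i, .signo = SIGSEGV, .si_code = si_code };
        if (brute_task_fatal_signal(&daemon_stats, &sig))
            killed = brute_kill_offenders(tasks, sizeof tasks / sizeof tasks[0], &daemon_stats);
    }
    return killed;
}

int main(void)
{
    printf("killed after kernel-raised SIGSEGV every 2 s:  %d\n", simulate_crashes(1, 2000));
    printf("killed after kill(1) from user space every 2 s: %d\n", simulate_crashes(0, 2000));
    printf("killed after kernel-raised SIGSEGV every 60 s: %d\n", simulate_crashes(1, 60000));
    return 0;
}
```

With the constants above, five kernel-raised crashes two seconds apart give a crash period of 2000 ms, below the 30000 ms threshold, so the daemon and both workers are killed while the unrelated task is untouched; the same five deliveries with si_code 0 (SI_USER) are ignored, and crashes a minute apart never trip the threshold. The unrelated lineage is the point of keying the mitigation on shared statistics rather than on a signal number.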