Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-13 Thread John Wood
Hi,

On Sat, Sep 12, 2020 at 10:48:39PM +0200, Ondrej Mosnacek wrote:
> On Sat, Sep 12, 2020 at 4:51 PM Mel Gorman wrote:
> > On Sat, Sep 12, 2020 at 11:36:52AM +0200, John Wood wrote:
> > > On Sat, Sep 12, 2020 at 12:56:18AM -0700, Kees Cook wrote:
> > > > On Sat, Sep 12, 2020 at 10:03:23AM +1000, James Morris wrote:
> > > > > On Thu, 10 Sep 2020, Kees Cook wrote:
> > > > >
> > > > > > > [kees: re-sending this series on behalf of John Wood
> > > > > > >  also visible at https://github.com/johwood/linux fbfam]
> > > > > >
> > > > > > From: John Wood 
> > > > >
> > > > > Why are you resending this? The author of the code needs to be able to
> > > > > send and receive emails directly as part of development and maintenance.
> > >
> > > I tried to send the full patch series by myself but my email got blocked. After
> > > getting support from my email provider, it told me that my account is young,
> > > and due to its spam policy I am not allowed, for now, to send a big amount
> > > of mails in a short period. They also informed me that soon I will be able
> > > to send more mails. The quantity increases with the age of the account.
> > >
> >
> > If you're using "git send-email" then specify --confirm=always and
> > either manually send a mail every few seconds or use an expect script
> > like
> >
> > #!/bin/bash
> > EXPECT_SCRIPT=
> > function cleanup() {
> > if [ "$EXPECT_SCRIPT" != "" ]; then
> > rm $EXPECT_SCRIPT
> > fi
> > }
> > trap cleanup EXIT
> >
> > EXPECT_SCRIPT=`mktemp`
> > cat > $EXPECT_SCRIPT <<EOF
> > spawn sh ./SEND
> > expect {
> > "Send this email"   { sleep 10; exp_send y\\r; exp_continue }
> > }
> > EOF
> >
> > expect -f $EXPECT_SCRIPT
> > exit $?
> >
> > This will work if your provider limits the rate mails are sent rather
> > than the total amount.

Yes, it seems to be what is happening.

> ...or you could keep it simple and just pass "--batch-size 1
> --relogin-delay 10" to git send-email ;)

Mel and Ondrej thanks a lot for the proposed solutions. I'm sure some of
your solutions will be used soon.

> --
> Ondrej Mosnacek
> Software Engineer, Platform Security - SELinux kernel
> Red Hat, Inc.

Regards,
John Wood



Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread Ondrej Mosnacek
On Sat, Sep 12, 2020 at 4:51 PM Mel Gorman wrote:
> On Sat, Sep 12, 2020 at 11:36:52AM +0200, John Wood wrote:
> > On Sat, Sep 12, 2020 at 12:56:18AM -0700, Kees Cook wrote:
> > > On Sat, Sep 12, 2020 at 10:03:23AM +1000, James Morris wrote:
> > > > On Thu, 10 Sep 2020, Kees Cook wrote:
> > > >
> > > > > [kees: re-sending this series on behalf of John Wood
> > > > >  also visible at https://github.com/johwood/linux fbfam]
> > > > >
> > > > > From: John Wood 
> > > >
> > > > Why are you resending this? The author of the code needs to be able to
> > > > send and receive emails directly as part of development and maintenance.
> >
> > I tried to send the full patch series by myself but my email got blocked. After
> > getting support from my email provider, it told me that my account is young,
> > and due to its spam policy I am not allowed, for now, to send a big amount
> > of mails in a short period. They also informed me that soon I will be able
> > to send more mails. The quantity increases with the age of the account.
> >
>
> If you're using "git send-email" then specify --confirm=always and
> either manually send a mail every few seconds or use an expect script
> like
>
> #!/bin/bash
> EXPECT_SCRIPT=
> function cleanup() {
> if [ "$EXPECT_SCRIPT" != "" ]; then
> rm $EXPECT_SCRIPT
> fi
> }
> trap cleanup EXIT
>
> EXPECT_SCRIPT=`mktemp`
> cat > $EXPECT_SCRIPT <<EOF
> spawn sh ./SEND
> expect {
> "Send this email"   { sleep 10; exp_send y\\r; exp_continue }
> }
> EOF
>
> expect -f $EXPECT_SCRIPT
> exit $?
>
> This will work if your provider limits the rate mails are sent rather
> than the total amount.

...or you could keep it simple and just pass "--batch-size 1
--relogin-delay 10" to git send-email ;)

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.



Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread Mel Gorman
On Sat, Sep 12, 2020 at 11:36:52AM +0200, John Wood wrote:
> On Sat, Sep 12, 2020 at 12:56:18AM -0700, Kees Cook wrote:
> > On Sat, Sep 12, 2020 at 10:03:23AM +1000, James Morris wrote:
> > > On Thu, 10 Sep 2020, Kees Cook wrote:
> > >
> > > > [kees: re-sending this series on behalf of John Wood 
> > > >  also visible at https://github.com/johwood/linux fbfam]
> > > >
> > > > From: John Wood 
> > >
> > > Why are you resending this? The author of the code needs to be able to
> > > send and receive emails directly as part of development and maintenance.
> 
> I tried to send the full patch series by myself but my email got blocked. After
> getting support from my email provider, it told me that my account is young,
> and due to its spam policy I am not allowed, for now, to send a big amount
> of mails in a short period. They also informed me that soon I will be able
> to send more mails. The quantity increases with the age of the account.
> 

If you're using "git send-email" then specify --confirm=always and
either manually send a mail every few seconds or use an expect script
like

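#!/bin/bash
EXPECT_SCRIPT=
function cleanup() {
    if [ "$EXPECT_SCRIPT" != "" ]; then
        rm $EXPECT_SCRIPT
    fi
}
trap cleanup EXIT

EXPECT_SCRIPT=`mktemp`
cat > $EXPECT_SCRIPT <<EOF
spawn sh ./SEND
expect {
    "Send this email"   { sleep 10; exp_send y\\r; exp_continue }
}
EOF

expect -f $EXPECT_SCRIPT
exit $?

This will work if your provider limits the rate mails are sent rather
than the total amount.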

Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread John Wood
On Sat, Sep 12, 2020 at 12:55:03AM -0700, Kees Cook wrote:
> On Fri, Sep 11, 2020 at 04:48:06PM +0200, John Wood wrote:
> > My original patch series is composed of 9 patches, so the last 3 are lost.
> > Kees: Have you removed them for some reason? Can you send them for review?
> >
> > security/fbfam: Add two new prctls to enable and disable the fbfam feature
> > https://github.com/johwood/linux/commit/8a36399847213e7eb7b45b853568a53666bd0083
> >
> > Documentation/security: Add documentation for the fbfam feature
> > https://github.com/johwood/linux/commit/fb46804541f5c0915f3f48acefbe6dc998815609
> >
> > MAINTAINERS: Add a new entry for the fbfam feature
> > https://github.com/johwood/linux/commit/4303bc8935334136c6ef47b5e50b87cd2c472c1f
>
> Oh, hm, I'm not sure where they went. I think they were missing from my
> inbox when I saved your series from email. An oversight on my part;
> apologies!

I sent the full series to Matthew Wilcox only, as he
wanted to help re-sending the full series. Then I saw that only 6 patches
appeared in the linux-doc mailing list.

I can try to send the three pending patches in different stages (for example
one patch every 4 or 5 hours) to avoid blocking my email. I hope. Or I can
send the three pending patches only to the kernel-hardening mailing list
and you re-send to all the people involved. Or any other solution you
propose. It's up to you.

> > Is there a problem if I ask for some guidance (replying to this thread)
> > during the process to do my second patch series?
>
> Please feel free! I'm happy to help. :)

It's a pleasure working with you. Thanks a lot.

> --
> Kees Cook

Regards,
John Wood


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread John Wood
On Sat, Sep 12, 2020 at 12:56:18AM -0700, Kees Cook wrote:
> On Sat, Sep 12, 2020 at 10:03:23AM +1000, James Morris wrote:
> > On Thu, 10 Sep 2020, Kees Cook wrote:
> >
> > > [kees: re-sending this series on behalf of John Wood 
> > >  also visible at https://github.com/johwood/linux fbfam]
> > >
> > > From: John Wood 
> >
> > Why are you resending this? The author of the code needs to be able to
> > send and receive emails directly as part of development and maintenance.

I tried to send the full patch series by myself but my email got blocked. After
getting support from my email provider, it told me that my account is young,
and due to its spam policy I am not allowed, for now, to send a big amount
of mails in a short period. They also informed me that soon I will be able
to send more mails. The quantity increases with the age of the account.

I hope that for the next version all works as expected.
Apologies.

> I wanted to flush it from my "review" TODO list, mainly.

Thanks Kees for the re-send and review.

> --
> Kees Cook

Regards,
John Wood


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread Kees Cook
On Sat, Sep 12, 2020 at 10:03:23AM +1000, James Morris wrote:
> On Thu, 10 Sep 2020, Kees Cook wrote:
> 
> > [kees: re-sending this series on behalf of John Wood 
> >  also visible at https://github.com/johwood/linux fbfam]
> > 
> > From: John Wood 
> 
> Why are you resending this? The author of the code needs to be able to 
> send and receive emails directly as part of development and maintenance.

I wanted to flush it from my "review" TODO list, mainly.

-- 
Kees Cook


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-12 Thread Kees Cook
On Fri, Sep 11, 2020 at 04:48:06PM +0200, John Wood wrote:
> In other words, a late reply to this series comments is not a lack of
> interest. Moreover, I think it would be better that I try to understand and
> to implement your ideas before anything else.

Understood! :)

> My original patch series is composed of 9 patches, so the last 3 are lost.
> Kees: Have you removed them for some reason? Can you send them for review?
> 
> security/fbfam: Add two new prctls to enable and disable the fbfam feature
> https://github.com/johwood/linux/commit/8a36399847213e7eb7b45b853568a53666bd0083
> 
> Documentation/security: Add documentation for the fbfam feature
> https://github.com/johwood/linux/commit/fb46804541f5c0915f3f48acefbe6dc998815609
> 
> MAINTAINERS: Add a new entry for the fbfam feature
> https://github.com/johwood/linux/commit/4303bc8935334136c6ef47b5e50b87cd2c472c1f

Oh, hm, I'm not sure where they went. I think they were missing from my
inbox when I saved your series from email. An oversight on my part;
apologies!

> Is there a problem if I ask for some guidance (replying to this thread)
> during the process to do my second patch series?

Please feel free! I'm happy to help. :)

> My goal is to learn as much as possible doing something useful for the
> linux kernel.

Sounds good; thanks!

-- 
Kees Cook


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-11 Thread James Morris
On Thu, 10 Sep 2020, Kees Cook wrote:

> [kees: re-sending this series on behalf of John Wood 
>  also visible at https://github.com/johwood/linux fbfam]
> 
> From: John Wood 

Why are you resending this? The author of the code needs to be able to 
send and receive emails directly as part of development and maintenance.

-- 
James Morris




Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-11 Thread John Wood
Hi,

On Thu, Sep 10, 2020 at 04:58:29PM -0700, Kees Cook wrote:
> On Thu, Sep 10, 2020 at 01:21:01PM -0700, Kees Cook wrote:
> > From: John Wood 
> >
> > The goal of this patch series is to detect and mitigate a fork brute force
> > attack.
>
> Thanks for this RFC! I'm excited to get this problem finally handled in
> the kernel. Hopefully the feedback is useful. :)

Kees and Jann,

Thank you very much for your comments and advice. I'm a newbie in the
linux kernel development and this is my first attempt. So, I would prefer
to study all your comments before replying since a big amount of terms
you expose are unknown to me.

In other words, a late reply to this series comments is not a lack of
interest. Moreover, I think it would be better that I try to understand and
to implement your ideas before anything else.

My original patch series is composed of 9 patches, so the last 3 are lost.
Kees: Have you removed them for some reason? Can you send them for review?

security/fbfam: Add two new prctls to enable and disable the fbfam feature
https://github.com/johwood/linux/commit/8a36399847213e7eb7b45b853568a53666bd0083

Documentation/security: Add documentation for the fbfam feature
https://github.com/johwood/linux/commit/fb46804541f5c0915f3f48acefbe6dc998815609

MAINTAINERS: Add a new entry for the fbfam feature
https://github.com/johwood/linux/commit/4303bc8935334136c6ef47b5e50b87cd2c472c1f

Is there a problem if I ask for some guidance (replying to this thread)
during the process to do my second patch series?

My goal is to learn as much as possible doing something useful for the
linux kernel.

Thanks a lot,
John Wood

> --
> Kees Cook


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-10 Thread Kees Cook
On Thu, Sep 10, 2020 at 01:21:01PM -0700, Kees Cook wrote:
> From: John Wood 
> 
> The goal of this patch series is to detect and mitigate a fork brute force
> attack.

Thanks for this RFC! I'm excited to get this problem finally handled in
the kernel. Hopefully the feedback is useful. :)

-- 
Kees Cook


Re: [RESEND][RFC PATCH 0/6] Fork brute force attack mitigation (fbfam)

2020-09-10 Thread Jann Horn
On Thu, Sep 10, 2020 at 10:21 PM Kees Cook wrote:
> [kees: re-sending this series on behalf of John Wood 
> also visible at https://github.com/johwood/linux fbfam]
[...]
> The goal of this patch series is to detect and mitigate a fork brute force
> attack.
>
> Attacks with the purpose to break ASLR or bypass canaries traditionally use
> some level of brute force with the help of the fork system call. This is
> possible since when creating a new process using fork its memory contents
> are the same as those of the parent process (the process that called the
> fork system call). So, the attacker can test the memory infinite times to
> find the correct memory values or the correct memory addresses without
> worrying about crashing the application.

For the next version of this patchset, you may want to clarify that
this is intended to stop brute force attacks *against vulnerable
userspace processes* that fork off worker processes. I was halfway
through the patch series before I realized that.
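
The property the quoted cover letter relies on, shown as an added example (not code from the fbfam series or from anyone in this thread): every forked worker inherits the parent's address layout and the AT_RANDOM seed that glibc derives the stack canary from. The names snapshot, take_snapshot and count_identical_children are hypothetical, and Linux with glibc is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not fbfam code: what ASLR and the canary rely on. */
struct snapshot {
    uintptr_t stack;              /* address of an object on the stack */
    uintptr_t libc;               /* address of a libc function */
    unsigned char at_random[16];  /* kernel seed handed over at execve() */
};

static void take_snapshot(struct snapshot *s, const void *stack_obj)
{
    const void *seed = (const void *)getauxval(AT_RANDOM);
    memset(s, 0, sizeof(*s));
    s->stack = (uintptr_t)stack_obj;
    s->libc = (uintptr_t)&getpid;
    if (seed)
        memcpy(s->at_random, seed, sizeof(s->at_random));
}

/* Fork n workers; return how many report exactly the parent's snapshot. */
int count_identical_children(int n)
{
    struct snapshot parent, child;
    int same = 0;
    take_snapshot(&parent, &parent);
    for (int i = 0; i < n; i++) {
        int fds[2]; pid_t pid;
        if (pipe(fds) != 0 || (pid = fork()) < 0)
            return -1;
        if (pid == 0) {                  /* worker: copy of parent memory */
            take_snapshot(&child, &parent);
            _exit(write(fds[1], &child, sizeof(child)) != (ssize_t)sizeof(child));
        }
        close(fds[1]);
        if (read(fds[0], &child, sizeof(child)) == (ssize_t)sizeof(child) &&
            memcmp(&parent, &child, sizeof(child)) == 0)
            same++;
        close(fds[0]);
        waitpid(pid, NULL, 0);
    }
    return same;
}

int main(void) { printf("%d/8 workers match\n", count_identical_children(8)); return 0; }
```

A worker started through execve() instead receives a new layout and a new AT_RANDOM seed, so a crash there does not leave the same values in place for the next worker.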