Hello.
MAC can prevent execution of programs that are not
permitted by security policy.
Some exploits send shellcode containing execve("/bin/sh"), like
while (1) {
    update_condition();
    if (condition_is_met) execve("/bin/sh", (char *[]){ "sh", NULL }, NULL);
}
and the victim server process executes
while (1) {
    update_condition();
    if (condition_is_met) execve("/bin/sh", (char *[]){ "sh", NULL }, NULL);
}
while execve("/bin/sh") is denied by the security policy.
The result is that the victim server process eats
100% of the CPU and affects other normal processes.
Maybe there is a daemon that monitors CPU usage and
kills processes eating 100% CPU.
But just eating 100% CPU is not a good criterion for killing.
So, I wonder whether we can somehow avoid eating CPU resources
without an external monitoring process.
For example, parry the attacker's demand by replacing
the current process's image with a different program (e.g. /bin/true)
rather than just returning an error code.
Or, for example, sleep for a few seconds before returning an error code.
There are some LSM hooks that are related to do_execve().
I thought I could replace execve("/bin/sh") with execve("/bin/true"),
like what load_script() in fs/binfmt_script.c is doing.
/bin/true can be any program (e.g. dummy-shell or /usr/bin/logger
or /bin/mail to collect attacking information and share with other hosts).
Any opinions?
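Added example, not from the original post: a user-space model of the two responses proposed above (delay before returning EACCES, or hand the process image to a harmless decoy). The exec_policy / guarded_execve names, the denied-path table and the /bin/true decoy are constructed for illustration; a real implementation would live in the LSM hook, not in a wrapper.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical user-space model of the two responses discussed above. */
enum exec_action { EXEC_ALLOW, EXEC_DENY_DELAYED, EXEC_REPLACE };

/* Constructed policy: programs the server process may not exec, and the
 * harmless decoy that replaces them in "replace" mode. */
static const char *const denied[] = { "/bin/sh", "/bin/bash", "/bin/dash", NULL };
static const char *const decoy = "/bin/true";

enum exec_action exec_policy(const char *path, int replace)
{
    for (int i = 0; denied[i]; i++)
        if (strcmp(path, denied[i]) == 0)
            return replace ? EXEC_REPLACE : EXEC_DENY_DELAYED;
    return EXEC_ALLOW;
}

/* execve(2) wrapper applying the policy. A denial sleeps delay_sec before
 * returning -1/EACCES, so a retry loop cannot spin at 100% CPU; a replacement
 * gives the process image to the decoy, so the retry loop never runs again. */
int guarded_execve(const char *path, char *const argv[], char *const envp[],
                   int replace, unsigned delay_sec)
{
    switch (exec_policy(path, replace)) {
    case EXEC_ALLOW:
        break;
    case EXEC_REPLACE:
        path = decoy; /* parry: run the decoy instead of the shell */
        break;
    default: {
        struct timespec ts = { .tv_sec = delay_sec, .tv_nsec = 0 };
        nanosleep(&ts, NULL); /* throttle the caller's retry loop */
        errno = EACCES;
        return -1;
    }
    }
    return execve(path, argv, envp); /* returns only on failure */
}

int main(void)
{
    char *const argv[] = { "sh", NULL };
    if (guarded_execve("/bin/sh", argv, NULL, 0, 1) < 0 && errno == EACCES)
        write(1, "denied after delay\n", 19);
    return guarded_execve("/bin/sh", argv, NULL, 1, 0); /* becomes /bin/true */
}
```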
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html