GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

brute force protection #15

Open thestinger opened 7 years ago

kees commented 7 years ago

https://lkml.org/lkml/2014/12/24/306

andyrj commented 7 years ago

I have a branch with this pretty much done, need to add back in logging and find a good way to test the functionality though... https://github.com/andyrj/linux-hardened/tree/brute

kees commented 7 years ago
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
int main(void)
{
    int i;
    /* spawn 50 children that immediately crash themselves */
    for (i = 0; i < 50; i++) {
        if (fork() == 0) {
            kill(getpid(), SIGSEGV);
            exit(0);
        }
    }
    wait(NULL);
    return 0;
}

That should take much much longer with brute protection enabled. :)

Your tree has two features in one commit, those should probably get split. Awesome, regardless!
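
A fuller version of the check kees describes, added here as an example and not code from this thread or the linux-hardened tree: it reaps every child, counts the ones that really died from SIGSEGV, disables core dumps so the loop does not litter the directory, and times the loop. On a kernel without the fork brute-force delay the loop finishes in milliseconds; a run that stalls for seconds is the sign the protection is active.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fork `n` children that each kill themselves with SIGSEGV, reap each one,
 * and return how many actually died from that signal. If elapsed_s is not
 * NULL it receives the wall-clock seconds the whole loop took. */
static int crash_children(int n, double *elapsed_s)
{
    struct rlimit no_core = { 0, 0 };
    struct timespec t0, t1;
    int crashed = 0;

    /* children inherit this, so no core files are written for the crashes */
    setrlimit(RLIMIT_CORE, &no_core);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            break;              /* fork refused: count what we have so far */
        if (pid == 0) {
            kill(getpid(), SIGSEGV);
            _exit(0);           /* only reached if the signal was not delivered */
        }
        int status;
        if (waitpid(pid, &status, 0) == pid && WIFSIGNALED(status) &&
            WTERMSIG(status) == SIGSEGV)
            crashed++;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (elapsed_s)
        *elapsed_s = (double)(t1.tv_sec - t0.tv_sec) +
                     (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;
    return crashed;
}

int main(void)
{
    double secs;
    int n = crash_children(50, &secs);
    /* many seconds here means the kernel is delaying forks after the crashes */
    printf("%d/50 children died from SIGSEGV in %.3f s\n", n, secs);
    return 0;
}
```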

andyrj commented 7 years ago

Thank you kees, I'll test it out with that.

Yeah, most of what GRSEC_KERN_LOCKOUT does is for PaX and UDEREF, but the part I left in was for the locking out on oops. I could easily take that part out, not sure how much benefit it is anyway with panic on oops set...

kees commented 7 years ago

Yeah, an interesting setting might be "lockout_on_oops"

sempervictus commented 6 years ago

@andyrj: any chance of this being pushed into the official kernel-hardening mailing list or this project? Any chance you could update it for 4.14? Tried getting it to merge with 4.13 current and not having a fun time cherry-picking.

andyrj commented 6 years ago

@sempervictus: I'm not involved with any of the kernel mailing lists at this point and I doubt the choices I made in my kconfig setup would be appropriate in upstream's eyes. But I can definitely rebase my fork on the latest linux-hardened 4.13 branch. I have been using a patch locally just bumping offsets and haven't updated my repo, sorry about that... I have been planning to open a PR with just the brute-force portion to this project as mentioned above. I just keep getting busy on other things, ~I am updating my fork now~.

thestinger commented 6 years ago

You're better off developing for a tag and cherry-picking between them; the 4.13 branch is just a reference to the latest code and isn't a stable history, since it's maintained as a clean series of patches.

Lelmister101 commented 2 years ago

There seems to be a brute force defense being developed as an LSM: https://www.openwall.com/lists/kernel-hardening/2021/06/05/1. Maybe this could be ported to this kernel version (afaik it's for the latest, and linux-hardened is on 4.14, at least the GrapheneOS one).