Originally posted by marios
An attacker having to work harder to exploit a known exploit could get to the point that, if they tried for their complete lifetime, they might only have one chance of it working.
There are documented examples where the old PaX RANDKSTACK, the predecessor to this current work, made particular attacks history: totally impractical for an attacker to pull off, with odds of success so low that those attacks were not worth trying against a Linux kernel with PaX RANDKSTACK. Yes, it does not make the attack undoable, but it can at times reduce the odds to the point that the attack will be unlikely to work once in your lifetime with the randomisation, compared to 100 percent success without it.
The attacker might have to work harder. The thing you did not consider is how much harder that is going to be. The randomisation can, for all practical purposes, make the unknown exploit impossible, though still technically possible, just due to how hard the randomisation makes it.
Remember you have this mixed with other features like kfence in the Linux kernel that can make errors on the stack fatal as well.
This randomising of stack offsets does not make exploits depending on the stack a little harder; instead it makes performing those attacks massively harder, to the point that the failure rate (as in the number of attempts at the exploit you have to make to get a successful one) is so bad that the majority of this kind of attack becomes impractical on systems with this feature turned on.
There is a key feature of this protection to notice: it is randomizing stack offsets per syscall. This means your prior attempts don't provide any useful data to work around the randomisation. Yes, with kfence also enabled in the kernel, a screwed-up stack attack caused by the randomizing of the stack could have been system fatal, so kicking you all the way back out.
An attacker does not have unlimited resources or time to perform attacks on stack weaknesses and avoid detection. If they attempt brute forcing, what the alteration of randomizing stack offsets does is make their presence more noticeable.
marios, in an ideal world you want to fix security flaws. But stack randomisation does render a class of attacks totally impractical to use even if you never know the exact flaws. This is like the 99.9999999999999% uptime equivalent of a security fix; yes, the 15 nines are based on the probability of success from what PaX RANDKSTACK showed. There is no reason to believe this change will be any different: a 0.0000000000001% chance of the attacker having this class of exploit successfully work. This is not just a "work harder and you will get there" level of difficulty change. From 100% always works to 0.0000000000001% is a massive change. It's not a 100 percent fixed security fault, but at that low a chance of working the flaw is basically not usable by attackers.
The hard reality here is you could have a massively security-flawed OS on paper, but if the chance of success is low enough it becomes basically impossible for an attacker to exploit in their lifetime even if you never fix the flaws.
A lot of OS hardening theory is not about making an OS secure but about making the OS have so low a chance of exploits working that exploits are basically useless to attackers due to how low the odds of success are.
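To make the probability argument in the comment above concrete, here is an added example (it is not from the original post, nor from any kernel or PaX code) that models per-syscall stack-offset randomization as a series of independent trials. The entropy values and the "fatal on miss" probability are assumed illustration inputs, not measured properties of any kernel; the point is how re-rolling the offset on every syscall stops earlier failures from teaching anything, and how a checker that makes a corrupted stack fatal caps the attempts an attacker gets.

```python
"""Toy model of per-syscall stack-offset randomization (added example).

Assumptions (constructed, not measured):
  * the kernel adds a uniformly random offset with `entropy_bits` of entropy
    on every syscall entry, so each attempt is an independent trial;
  * the attacker needs to land on one exact offset value;
  * entropy_bits == 0 models the unhardened kernel (the offset never moves).
"""
import math
import random


def success_probability(entropy_bits: int) -> float:
    """Chance that a single attempt lands on the right offset."""
    return 1.0 / (1 << entropy_bits)


def prob_success_within(entropy_bits: int, attempts: int) -> float:
    """P(at least one success in `attempts` tries).

    The offset is re-rolled per syscall, so the tries are independent
    Bernoulli trials; failures carry no information about the next offset.
    """
    p = success_probability(entropy_bits)
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_confidence(entropy_bits: int, target: float) -> int:
    """Smallest number of attempts giving P(success) >= target."""
    p = success_probability(entropy_bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def prob_success_before_fatal(entropy_bits: int, fatal_on_miss: float) -> float:
    """P(attacker ever succeeds) when each miss is fatal with probability
    `fatal_on_miss` (a corrupted stack caught by a checker, a panic, a
    noisy crash that gets the attacker kicked out).

    Geometric series: succeed now, or survive a miss and be back where
    you started. fatal_on_miss == 1.0 means only the first attempt counts.
    """
    p = success_probability(entropy_bits)
    survive_miss = (1.0 - p) * (1.0 - fatal_on_miss)
    if survive_miss >= 1.0:  # never fatal and never succeeds: impossible here
        return 1.0
    return p / (1.0 - survive_miss)


def simulate_mean_attempts(entropy_bits: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: attacker keeps a fixed guess,
    kernel re-rolls the offset each attempt; average attempts to first hit.
    """
    if entropy_bits == 0:
        return 1.0
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        guess = rng.getrandbits(entropy_bits)  # attacker's fixed guess
        attempts = 1
        while rng.getrandbits(entropy_bits) != guess:  # fresh offset per syscall
            attempts += 1
        total += attempts
    return total / trials


if __name__ == "__main__":
    for bits in (0, 5, 10):
        print(f"{bits:2d} bits: p(one attempt)={success_probability(bits):.6f}, "
              f"attempts for 50% ={attempts_for_confidence(bits, 0.5)}, "
              f"p(ever) if 25% of misses are fatal="
              f"{prob_success_before_fatal(bits, 0.25):.4f}, "
              f"simulated mean attempts={simulate_mean_attempts(bits):.1f}")
```

Running it shows the two effects the comment describes separately: the per-attempt odds fall as 2^-bits and do not improve with practice, and once a miss has any chance of being fatal the attacker's lifetime success probability is bounded well below 1 even with unlimited patience.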