
A stupid 1am question: is it common among ops teams to replace these "common" binaries by a honeypot-like wrapper which notifies the security team immediately, just in case of a complete meltdown on the web developer side?

Sorry, I don't have an answer to your question, but in theory, how would it detect an intrusion for automatic notification? It seems to me that detecting a bad operation from a good operation is the same thing as securing the system. A vulnerability would likely sail past any such notification system.

A naive approach could be defining that the software stack to use is under /opt/twitter/ and everything under /usr/bin/ and /bin/ is just a honeypot, so any legitimate developer using those would also trigger a notification. But anyhow, it smells like overkill, the wrong place and not worth the extra mileage. The only case I can think of where this would be useful is when management or timing problems prevent proper and secure development -- which is not a problem ops should solve. Would still be interesting if someone actually does this.
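A sketch of the decoy wrapper the comments above describe, added here as an example rather than code from the thread. It assumes the real tools were relocated to /opt/twitter/bin (the directory the comment mentions) and that `deploy` and `build` are the only accounts expected to run them; both are placeholders, as is the hypothetical `decoybin` syslog tag.

```python
#!/usr/bin/env python3
"""Decoy wrapper installed in place of a common binary (hypothetical example,
not code from the thread): log who invoked it, alert via syslog, and only exec
the real tool from the relocated stack directory for allow-listed accounts."""
import json, os, pwd, sys, syslog, time

REAL_BIN_DIR = "/opt/twitter/bin"     # assumption: where the real tools live
ALLOWED_USERS = {"deploy", "build"}   # assumption: accounts allowed to use them

def parent_cmdline(ppid):
    """Parent's command line from /proc (Linux); empty string on failure."""
    try:
        with open(f"/proc/{ppid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""

def build_alert(argv, user, cwd, ppid, parent_cmd):
    """Assemble the context a responder needs: which decoy fired, who ran it,
    with what arguments, from where, and which parent process spawned it."""
    return {"event": "decoy_binary_invoked", "ts": time.time(),
            "decoy": os.path.basename(argv[0]), "args": list(argv[1:]),
            "user": user, "cwd": cwd, "ppid": ppid, "parent": parent_cmd}

def should_allow(alert):
    """Allow-listed accounts (e.g. the deploy pipeline) pass through; a
    web-server worker such as www-data reaching for a shell tool does not."""
    return alert["user"] in ALLOWED_USERS

def notify(alert):
    """Ship the alert to syslog (auth facility) for the SIEM; mirror to stderr."""
    line = json.dumps(alert, sort_keys=True)
    syslog.openlog("decoybin", syslog.LOG_PID, syslog.LOG_AUTH)
    syslog.syslog(syslog.LOG_WARNING, line)
    print(line, file=sys.stderr)

def main():
    ppid = os.getppid()
    alert = build_alert(sys.argv, pwd.getpwuid(os.getuid()).pw_name,
                        os.getcwd(), ppid, parent_cmdline(ppid))
    notify(alert)
    if not should_allow(alert):
        sys.exit(126)                     # refuse to run the real tool
    real = os.path.join(REAL_BIN_DIR, alert["decoy"])
    os.execv(real, [real] + alert["args"])  # replace ourselves with the real binary

if __name__ == "__main__":
    main()
```

Because the wrapper alerts before deciding, a legitimate developer using /usr/bin/curl still pages the security team, which is exactly the trade-off the comment above points out.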

Well, it would shield against simplistic attempts at exploiting setuid binaries, certainly, but beyond that its effectiveness would probably be limited, especially as it became more widely known.

Another interesting strategy, particularly in the age of widespread use of VMs and containers, might be to extend the basic idea of ASLR beyond address space. Randomize paths and filenames and system call numbers, for example. You'd need to build all your binaries yourself, of course, and run scripts through some sort of mangler (for maximum effectiveness, do this per-VM/container). You'd want to encrypt non-user-visible strings, too.

There'd be a lot of tooling work necessary to make this practical in the real world, of course.

(Edit: Just found this, which looks relevant: http://research.microsoft.com/en-us/um/people/helenw/papers/... )

The iron box approach?

I've never heard of anyone actually using it. It would be a huge pain and wreak havoc on sysadmins. Also, really nasty attacks are capable of bringing exploit code with them.
