From: Davide Libenzi <davidel@xmailserver.org>
To: Ingo Molnar <mingo@redhat.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [Announcement] "Exec Shield", new Linux security feature
Date: Fri, 2 May 2003 10:12:56 -0700 (PDT) [thread overview]
Message-ID: <Pine.LNX.4.50.0305020948550.1904-100000@blue1.dev.mcafeelabs.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0305021217090.17548-100000@devserv.devel.redhat.com>
On Fri, 2 May 2003, Ingo Molnar wrote:
>
> We are pleased to announce the first publically available source code
> release of a new kernel-based security feature called the "Exec Shield",
> for Linux/x86. The kernel patch (against 2.4.21-rc1, released under the
> GPL/OSL) can be downloaded from:
>
> http://redhat.com/~mingo/exec-shield/
>
> The exec-shield feature provides protection against stack, buffer or
> function pointer overflows, and against other types of exploits that rely
> on overwriting data structures and/or putting code into those structures.
> The patch also makes it harder to pass in and execute the so-called
> 'shell-code' of exploits. The patch works transparently, ie. no
> application recompilation is necessary.
[ very cool stuff ]
Ingo, do you want protection against shell code injection ? Have the
kernel to assign random stack addresses to processes and they won't be
able to guess the stack pointer to place the jump. I use a very simple
trick in my code :
#define MAX_STKSHIFT 1024
struct thrunner {
int (*proc)(void *);
void *data;
}
static int thread_runner(void *data) {
struct thrunner *thr = data;
alloca(myrand(MAX_STKSHIFT));
return thr->proc(thr->data);
}
int my_thread_create(int (*proc)(void *), void *data) {
struct thrunner *thr;
...
thr->proc = proc;
thr->data = data;
pthread_create(..., thread_runner, thr, ... );
...
}
int main(int argc, char *argv[]) {
mysrand();
...
}
Same thing can be done for non threaded programs :
int main(int argc, char *argv[]) {
mysrand();
alloca(myrand(MAX_STKSHIFT));
return real_main(argc, argv);
}
Yes, there's still the possibility that an attacker get lucky ( this get
lower increasing MAX_STKSHIFT ) and yes you waste some stack space. But,
oh well, it works w/out any kernel modification and it's portable on all
systems that have alloca().
- Davide
next prev parent reply other threads:[~2003-05-02 16:59 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-05-02 16:37 [Announcement] "Exec Shield", new Linux security feature Ingo Molnar
2003-05-02 17:05 ` Matthias Andree
2003-05-02 17:12 ` Marc-Christian Petersen
2003-05-02 17:12 ` Davide Libenzi [this message]
2003-05-02 17:18 ` Arjan van de Ven
2003-05-02 17:32 ` Ingo Molnar
2003-05-02 18:29 ` John Bradford
2003-05-02 18:32 ` H. Peter Anvin
2003-05-02 19:09 ` David Mosberger
2003-05-02 18:51 ` Davide Libenzi
[not found] ` <20030502172011$0947@gated-at.bofh.it>
2003-05-02 18:17 ` Florian Weimer
2003-05-02 18:29 ` Davide Libenzi
2003-05-02 18:32 ` Florian Weimer
2003-05-02 18:50 ` Davide Libenzi
2003-05-02 21:48 ` Carl-Daniel Hailfinger
2003-05-03 6:52 ` Ingo Molnar
2003-05-03 9:56 ` Carl-Daniel Hailfinger
2003-05-03 12:48 ` Arjan van de Ven
2003-05-04 6:52 ` Calin A. Culianu
2003-05-04 8:10 ` Ingo Molnar
2003-05-04 8:52 ` Ingo Molnar
2003-05-04 15:40 ` Calin A. Culianu
2003-05-04 15:48 ` Sean Neakums
2003-05-04 15:23 ` Calin A. Culianu
2003-05-04 20:07 ` H. Peter Anvin
2003-05-04 20:57 ` Kasper Dupont
2003-05-05 16:20 ` [patch] exec-shield-2.4.21-rc1-C5 Ingo Molnar
[not found] <Pine.LNX.4.44.0305021325130.6565-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
[not found] ` <200305021829.h42ITclA000178@81-2-122-30.bradfords.org.uk.suse.lists.linux.kernel>
[not found] ` <b8udjm$cgq$1@cesium.transmeta.com.suse.lists.linux.kernel>
2003-05-02 20:51 ` [Announcement] "Exec Shield", new Linux security feature Andi Kleen
2003-05-02 20:56 ` H. Peter Anvin
2003-05-02 21:07 ` Andi Kleen
2003-05-02 21:09 ` H. Peter Anvin
2003-05-02 21:25 ` Andi Kleen
2003-05-02 22:46 Chuck Ebbert
2003-05-03 13:19 linux
2003-05-03 23:00 ` Valdis.Kletnieks
2003-05-04 7:03 ` Calin A. Culianu
2003-05-04 8:49 ` Arjan van de Ven
2003-05-05 13:35 ` Jesse Pollard
2003-05-04 15:24 ` linux
2003-05-04 11:19 Yoav Weiss
2003-05-04 13:51 ` Ingo Molnar
2003-05-04 14:25 Chuck Ebbert
2003-05-04 22:22 ` Richard Henderson
2003-05-05 0:41 ` H. Peter Anvin
[not found] <Pine.LNX.4.44.0305040404300.12757-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
[not found] ` <Pine.LNX.4.44.0305040448250.24497-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
2003-05-04 15:48 ` Andi Kleen
2003-05-04 16:20 Yoav Weiss
2003-05-04 23:55 Chuck Ebbert
2003-05-05 3:14 ` H. Peter Anvin
2003-05-05 7:14 Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.50.0305020948550.1904-100000@blue1.dev.mcafeelabs.com \
--to=davidel@xmailserver.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).