From: linux@horizon.com
To: Valdis.Kletnieks@vt.edu
Cc: linux-kernel@vger.kernel.org
Subject: Re: [Announcement] "Exec Shield", new Linux security feature
Date: 4 May 2003 15:24:05 -0000 [thread overview]
Message-ID: <20030504152405.7501.qmail@science.horizon.com> (raw)
In-Reply-To: <200305032300.h43N0UX9006675@turing-police.cc.vt.edu>
On Sat, 03 May 2003 13:19:52 -0000, linux@horizon.com said:
> An interesting question arises: is the number of useful interpreter
> functions (system, popen, exec*) sufficiently low that they could be
> removed from libc.so entirely and only staticly linked, so processes
> that didn't use them wouldn't even have them in their address space,
> and ones that did would have them at less predictible addresses?
>
> Right now, I'm thinking only of functions that end up calling execve();
> are there any other sufficiently powerful interpreters hiding in common
> system libraries? regexec()?
To which Valdis.Kletnieks replied:
> This does absolutely nothing to stop an exploit from providing its own
> inline version of execve(). There's nothing in libc that a process can't
> do itself, inline.
Ah, but with a non-executable stack, how do you arrange the inline code?
if you include it in the buffer overflow on the stack, it's in the
non-executable range.
You could arrange a return to memcpy(), with a stack like this:
[Address of memcpy()]
[Exploit target address (return address from memcpy)]
[Exploit target address (destination of memcpy)]
[Address of code on stack (source of memcpy)]
[Length of code on stack]
[Exploit code]
This would work if you had an "exploit target address" that was
writeable and executable, which this could copy the code to, but that's
hard to come by.
Now, we could stick a call to mprotect on the stack before that, but
it's hard to get the protection flags past the kernel test:
mm/mprotect.c, like 237:
if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
return -EINVAL;
When your exploit can't include any null bytes.
Arjan's idea about a CAP_EXEC would be better, if it could be dropped
automagically by linker magic on existing code.
In fact, there are several other capabilities that would be nice to
have droppable:
- Ability to open an existing regular file or device (seekable,
persistent storage) for writing. An SMTP daemon could probably
drop this.
- Ability to create an externally accessible listening socket
(listen() on non-PF_UNIX)
- Ability to connect to an external address (connect() on non-PF_UNIX)
The PF_UNIX exception is for /dev/log.
next prev parent reply other threads:[~2003-05-04 15:11 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-05-03 13:19 [Announcement] "Exec Shield", new Linux security feature linux
2003-05-03 23:00 ` Valdis.Kletnieks
2003-05-04 7:03 ` Calin A. Culianu
2003-05-04 8:49 ` Arjan van de Ven
2003-05-05 13:35 ` Jesse Pollard
2003-05-04 15:24 ` linux [this message]
-- strict thread matches above, loose matches on Subject: below --
2003-05-05 7:14 Ingo Molnar
2003-05-04 23:55 Chuck Ebbert
2003-05-05 3:14 ` H. Peter Anvin
2003-05-04 16:20 Yoav Weiss
[not found] <Pine.LNX.4.44.0305040404300.12757-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
[not found] ` <Pine.LNX.4.44.0305040448250.24497-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
2003-05-04 15:48 ` Andi Kleen
2003-05-04 14:25 Chuck Ebbert
2003-05-04 22:22 ` Richard Henderson
2003-05-05 0:41 ` H. Peter Anvin
2003-05-04 11:19 Yoav Weiss
2003-05-04 13:51 ` Ingo Molnar
2003-05-02 22:46 Chuck Ebbert
[not found] <Pine.LNX.4.44.0305021325130.6565-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
[not found] ` <200305021829.h42ITclA000178@81-2-122-30.bradfords.org.uk.suse.lists.linux.kernel>
[not found] ` <b8udjm$cgq$1@cesium.transmeta.com.suse.lists.linux.kernel>
2003-05-02 20:51 ` Andi Kleen
2003-05-02 20:56 ` H. Peter Anvin
2003-05-02 21:07 ` Andi Kleen
2003-05-02 21:09 ` H. Peter Anvin
2003-05-02 21:25 ` Andi Kleen
2003-05-02 16:37 Ingo Molnar
2003-05-02 17:05 ` Matthias Andree
2003-05-02 17:12 ` Marc-Christian Petersen
2003-05-02 17:12 ` Davide Libenzi
2003-05-02 17:18 ` Arjan van de Ven
2003-05-02 17:32 ` Ingo Molnar
2003-05-02 18:29 ` John Bradford
2003-05-02 18:32 ` H. Peter Anvin
2003-05-02 19:09 ` David Mosberger
2003-05-02 18:51 ` Davide Libenzi
[not found] ` <20030502172011$0947@gated-at.bofh.it>
2003-05-02 18:17 ` Florian Weimer
2003-05-02 18:29 ` Davide Libenzi
2003-05-02 18:32 ` Florian Weimer
2003-05-02 18:50 ` Davide Libenzi
2003-05-02 21:48 ` Carl-Daniel Hailfinger
2003-05-03 6:52 ` Ingo Molnar
2003-05-03 9:56 ` Carl-Daniel Hailfinger
2003-05-03 12:48 ` Arjan van de Ven
2003-05-04 6:52 ` Calin A. Culianu
2003-05-04 8:10 ` Ingo Molnar
2003-05-04 8:52 ` Ingo Molnar
2003-05-04 15:40 ` Calin A. Culianu
2003-05-04 15:48 ` Sean Neakums
2003-05-04 15:23 ` Calin A. Culianu
2003-05-04 20:07 ` H. Peter Anvin
2003-05-04 20:57 ` Kasper Dupont
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030504152405.7501.qmail@science.horizon.com \
--to=linux@horizon.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).