From: Ingo Molnar <mingo@elte.hu>
To: pageexec@freemail.hu
Cc: linux-kernel@vger.kernel.org,
Arjan van de Ven <arjanv@redhat.com>,
"Theodore Ts'o" <tytso@mit.edu>
Subject: Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)
Date: Mon, 7 Feb 2005 22:08:09 +0100 [thread overview]
Message-ID: <20050207210809.GA9781@elte.hu> (raw)
In-Reply-To: <42080689.15768.1B0C5E5F@localhost>
* pageexec@freemail.hu <pageexec@freemail.hu> wrote:
> > still wrong. What you get this way is a nice, complicated NOP.
>
> not only a nop but also a likely crash given that i didn't adjust
> the declaration of some_function appropriately ;-). let's cater
> for less complexity too with the following payload (of the 'many
> other ways' kind):
>
> [field1 and other locals replaced with shellcode]
> [space to cover the locals of __libc_dlopen_mode()]
yes, i agree with you, __libc_dlopen_mode() is an easier target (but not
_that_ easy of a target, see further down), and your code looks right -
but what this discussion was about was the _dl_make_stack_executable()
function. Similar 'protection' techniques can be used for
__libc_dlopen_mode() too, and it's being fixed.
(you'd be correct to point out that what cannot be 'fixed' even this way
are libdl.so using applications and the dlopen() symbol - for them, if
randomization is not enough, PaX or SELinux is the fix.)
> one disadvantage of this approach is that now not only the randomness
> in libc.so has to be found but also that of the stack (repeating parts
> of the payload would help reduce it though), and if user_input itself
> is on the heap (and there're no copies on the stack), we'll need that
> randomness too.
such an attack needs to get 2 or 3 random values right - which,
considering 13-bits randomization per value is still 26-39 bits (minus
the constant number of bits you can get away via replication). If the
stack wasnt nonexec then the attack would need to get only 1 random
value right. In that sense it still makes quite a difference in
increasing the complexity of the attack, do you agree?
Yes, the drastic method is to disable the adding of code to a process
image altogether (PaX did this first, and does a nice job in that, and
SELinux is catching up as well), but that clearly was not a product
option when PT_GNU_STACK was written. As you can see on lkml, people are
resisting changes hard that affect 2-3 apps. What chances do changes
have that break dozens of common applications? PT_GNU_STACK is not
perfect, but it was the maximum we could get away on the non-selinux
side of the distribution, mapping many of the dependencies and
assumptions of apps.
So PT_GNU_STACK is certainly a beginning, and as the end result
(hopefully soon) we can do away with libraries having any RWE
PT_GNU_STACK markings (so that only binaries can carry RWE) and can move
make_stacks_executable() from libc.so. You seem to consider these steps
of how Fedora 'morphs' into a productized version of SELinux as 'fully
vulnerable' (and despise it), there's no way around walking that walk
and persuading users to actually follow - which is the hardest part.
Ingo
next prev parent reply other threads:[~2005-02-07 21:09 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-02 16:51 Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer) Ingo Molnar
2005-02-02 22:08 ` pageexec
2005-02-03 9:44 ` Ingo Molnar
2005-02-03 14:20 ` pageexec
2005-02-03 20:20 ` Ingo Molnar
2005-02-07 14:23 ` pageexec
2005-02-07 21:08 ` Ingo Molnar [this message]
2005-02-08 12:27 ` pageexec
2005-02-08 21:23 ` Ingo Molnar
2005-02-07 22:36 ` Ingo Molnar
2005-02-08 12:27 ` pageexec
2005-02-08 13:41 ` Ingo Molnar
2005-02-08 14:25 ` Julien TINNES
2005-02-08 16:56 ` Ingo Molnar
2005-02-08 16:48 ` the "Turing Attack" (was: Sabotaged PaXtest) Ingo Molnar
2005-02-08 22:08 ` Ingo Molnar
2005-02-10 13:43 ` Ingo Molnar
2005-02-10 13:58 ` Jakob Oestergaard
2005-02-10 15:21 ` Ingo Molnar
2005-02-10 20:03 ` David Weinehall
2005-02-11 8:51 ` Mika Bostrom
2005-02-08 22:41 ` H. Peter Anvin
2005-02-03 13:55 ` Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer) Peter Busser
2005-02-03 14:39 ` Roman Zippel
2005-02-07 12:23 ` pageexec
2005-02-07 18:31 ` John Richard Moser
[not found] <200501311015.20964.arjan@infradead.org>
2005-01-31 12:57 ` Peter Busser
2005-01-31 16:41 ` Arjan van de Ven
2005-02-01 9:44 ` Peter Busser
2005-02-01 11:46 ` Ingo Molnar
2005-02-01 14:48 ` Peter Busser
2005-02-01 21:39 ` Diego Calleja
2005-02-02 0:15 ` Theodore Ts'o
2005-02-02 8:26 ` Theodore Ts'o
2005-02-02 9:55 ` Peter Busser
2005-02-02 9:35 ` Peter Busser
2005-02-02 9:52 ` Arjan van de Ven
2005-02-02 12:18 ` pageexec
2005-02-02 13:13 ` Peter Busser
2005-02-02 14:12 ` Ingo Molnar
2005-02-02 18:02 ` Olivier Galibert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050207210809.GA9781@elte.hu \
--to=mingo@elte.hu \
--cc=arjanv@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.