From: John Richard Moser <nigelenki@comcast.net>
To: Arjan van de Ven <arjan@infradead.org>
Cc: Ingo Molnar <mingo@elte.hu>, Linus Torvalds <torvalds@osdl.org>,
Christoph Hellwig <hch@infradead.org>,
Dave Jones <davej@redhat.com>, Andrew Morton <akpm@osdl.org>,
marcelo.tosatti@cyclades.com, Greg KH <greg@kroah.com>,
chrisw@osdl.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: thoughts on kernel security issues
Date: Wed, 19 Jan 2005 13:50:23 -0500 [thread overview]
Message-ID: <41EEABEF.5000503@comcast.net> (raw)
In-Reply-To: <1106157152.6310.171.camel@laptopd505.fenrus.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Arjan van de Ven wrote:
>>ES has been actively developed since it was poorly implemented in 2003.
>> PaX has been actively developed since it was poorly implemented in
>>2000. PaX has had about 4 times longer to go from a poor
>>proof-of-concept NX emulation patch based on the plex86 announcement to
>>a full featured security system, and is written by a competant security
>>developer rather than a competant scheduler developer.
>
>
> I would call that an insult to Ingo.
>
You're reading too deeply then.
>
>
>>Split-out portions of PaX (and of ES) don't make sense.
>
>
> they do. Somewhat.
They do to "break all existing exploits" until someone takes 5 minutes
to make a slight alteration. Only the reciprocating combinations of
each protection can protect the others from being exploited and create a
truly secure environment.
Ingo said there's other stuff in ES that this doesn't apply to but
*shrug* again, beyond what I intended when I said that.
>
>>ASLR can be
>>evaded pretty easily: inject code, read %efp, find the GOT, read
>>addresses. The NX protections can be evaded by using ret2libc. on x86,
>>you need emulation to make an NX bit or the NX protections are useless.
>
>
> actually modern x86 cpus have hardware NX.
not my point. . .
>
>
>>PT_GNU_STACK annoys me :P I'm more interested in 1) PaX' full set of
>>markings (-ps for NX, -m for mprotect(), r for randmmap, x for
>>randexec), 2) getting rid of the need for anything but -m, and 3)
>>eliminating relocations. Sometimes they don't patch GLIBC here and
>>Firefox won't load flash or Java because they're PT_GNU_STACK and don't
>>really need it (the java executables are marked, but the java plug-in
>>doesn't need PT_GNU_STACK).
>
>
> so remark them.
Manually. Annoying because now I'm doing PaX AND Exec Shield markings,
but I do remark them anyway. This wasn't meant to sound like it was a
major problem, just to be a side comment.
>
>
>>I guess it works on Exec Shield, but it frightens me that I have to
>>audit every library an executable uses for a PT_GNU_STACK marking to see
>>if it has an executable stack.
>
>
> there is lsexec which does this automatic for you based on running
> propcesses
>
I don't want to run something potentially dangerous. Think secret
military installation with no name and blank checks made out to nobody.
The security has to scale up and down; it has to be useful for the home
user, for the business, and for those that don't officially exist.
>
>>Either or if it stops an exploit; there's no "stopping an exploit
>>better," just stopping more of them and having fewer loopholes. As I
>>understand, ES' NX approximation fails if you relieve protections on a
>>higher mapping
>
>
> which is REALLY rare for programs to do
>
True, but PaX has a failsafe in PAGEEXEC, and doesn't suffer this in
SEGMEXEC.
>
>>-- which confuses me, isn't vsyscall() a high-address
>>executable mapping, which would disable NX protection for the full
>>address space?
>
>
> just like PaX, execshield has to disable the vsyscall page.
> Exec-Shield actually has the code to 1) move the vsyscall page down in
> the address space and 2) randomize it per process, but that is inactive
> right now since it needs a bit of help from the VM that isn't provided
> anymore since 2.6.8 or so.
>
>
ah.
>
>>PaX though gives me powerful, flexible administrative control over
>>executable space protections as a privileged resource.
>>mprotect(PROT_EXEC|PROT_WRITE) isn't something normal programs need; so
>>it's not something I allow everyone to do.
>
>
> it's a balance between compatibility and security. PaX strikes a
> somewhat different balance from E-S. E-S goes a long way to avoid
> breaking things that posix requires, even if they are silly and rare.
> Apps don't DO PROT_EXEC|PROT_WRITE normally after all.. so this added
> "protect" is to a point artifical.
>
>
The actual threat this mitigates is that the app may be ret2libc'd to
mprotect() (possible with unrandomized ET_EXEC?), but in reality a more
complex attack can accomplish the same thing. I prefer it more as a
speed bump to expose broken code to me or at least give me an idea of
what to audit. If something HAS to mprotect() the stack, then I HAVE to
make sure that program is audited, or I'm just being a dumbass and
waiting to be infected with a cheap worm some scriptkiddie wrote using a
build-your-own-virus program.
>
>
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB7qvthDd4aOud5P8RAhbVAJ9Jdxp/mKByxWChjM1bQMVZaIN4JACfaJ1I
Rezv+g9BE7ezKwHB5UCvdnk=
=EEu/
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2005-01-19 18:50 UTC|newest]
Thread overview: 212+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-12 17:48 thoughts on kernel security issues Chris Wright
2005-01-12 15:06 ` Marcelo Tosatti
2005-01-12 18:49 ` Chris Wright
2005-01-12 18:05 ` Linus Torvalds
2005-01-12 18:44 ` Chris Wright
2005-01-12 18:57 ` Linus Torvalds
2005-01-12 19:21 ` Chris Wright
2005-01-12 20:59 ` Jesper Juhl
2005-01-12 21:27 ` Greg KH
2005-01-12 18:51 ` Greg KH
2005-01-12 19:01 ` Linus Torvalds
2005-01-12 16:12 ` Marcelo Tosatti
2005-01-12 20:00 ` Linus Torvalds
2005-01-12 17:42 ` Marcelo Tosatti
2005-01-13 15:36 ` Alan Cox
2005-01-13 17:22 ` Marcelo Tosatti
2005-01-13 21:20 ` Alan Cox
2005-01-13 17:52 ` Florian Weimer
2005-01-13 19:42 ` Marek Habersack
2005-01-13 19:19 ` Alan Cox
2005-01-13 20:44 ` Marek Habersack
2005-01-14 10:22 ` Wichert Akkerman
2005-01-14 12:10 ` Julian T. J. Midgley
2005-01-14 14:52 ` Florian Weimer
2005-01-14 15:12 ` Julian T. J. Midgley
2005-01-15 0:33 ` Alan Cox
2005-01-14 13:55 ` Marek Habersack
2005-01-13 19:50 ` Chris Wright
2005-01-13 20:29 ` Marek Habersack
2005-01-13 19:41 ` Alan Cox
2005-01-13 20:57 ` Arjan van de Ven
2005-01-13 21:22 ` Linus Torvalds
2005-01-13 21:15 ` Alan Cox
2005-01-13 22:41 ` Linus Torvalds
2005-01-13 21:41 ` Arjan van de Ven
2005-01-13 21:02 ` Marek Habersack
2005-01-13 21:30 ` Dave Jones
2005-01-13 21:48 ` Marek Habersack
2005-01-13 22:06 ` Dave Jones
2005-01-13 22:21 ` Marek Habersack
2005-01-13 23:30 ` Jesper Juhl
2005-01-15 0:34 ` Alan Cox
2005-01-15 2:56 ` Marcin Dalecki
2005-01-13 20:03 ` Dave Jones
2005-01-13 20:10 ` Linus Torvalds
2005-01-13 19:27 ` Alan Cox
2005-01-13 21:03 ` Linus Torvalds
2005-01-13 21:25 ` Alan Cox
2005-01-13 22:47 ` Linus Torvalds
2005-01-13 23:15 ` Chris Wright
2005-01-14 18:34 ` Theodore Ts'o
2005-01-14 19:15 ` Linus Torvalds
2005-01-14 22:13 ` Theodore Ts'o
2005-01-14 22:51 ` Linus Torvalds
2005-01-15 0:34 ` Alan Cox
2005-01-15 4:19 ` Linus Torvalds
2005-01-15 5:36 ` Rik van Riel
2005-01-18 22:27 ` Bill Davidsen
2005-01-19 2:34 ` Alban Browaeys
2005-01-19 19:13 ` Bill Davidsen
2005-01-13 20:32 ` Marek Habersack
2005-01-12 20:27 ` Chris Wright
2005-01-12 20:57 ` Greg KH
2005-01-13 15:36 ` Alan Cox
2005-01-12 21:20 ` Andrea Arcangeli
2005-01-12 20:28 ` Linus Torvalds
2005-01-12 18:03 ` Marcelo Tosatti
2005-01-13 3:18 ` Christian
2005-01-12 20:53 ` Dave Jones
2005-01-12 20:59 ` Greg KH
2005-01-13 2:09 ` Linus Torvalds
2005-01-13 2:28 ` Andrew Morton
2005-01-13 2:51 ` Linus Torvalds
2005-01-13 3:05 ` David Blomberg
2005-01-13 2:56 ` Greg KH
2005-01-13 3:01 ` Chris Wright
2005-01-13 3:35 ` Dave Jones
2005-01-13 3:42 ` Andrew Morton
2005-01-13 3:54 ` Chris Wright
2005-01-13 4:49 ` William Lee Irwin III
2005-01-13 6:54 ` Andrew Morton
2005-01-13 7:19 ` William Lee Irwin III
2005-01-13 7:25 ` Matt Mackall
2005-01-13 4:48 ` Linus Torvalds
2005-01-13 5:51 ` Barry K. Nathan
2005-01-13 7:28 ` Matt Mackall
2005-01-13 7:42 ` Willy Tarreau
2005-01-13 8:02 ` David Lang
2005-01-13 10:05 ` Willy Tarreau
2005-01-13 8:23 ` Christoph Hellwig
2005-01-13 16:38 ` Linus Torvalds
2005-01-13 16:12 ` Alan Cox
2005-01-13 17:33 ` Linus Torvalds
2005-01-13 17:49 ` Chris Wright
2005-01-13 18:53 ` Alan Cox
2005-01-13 18:59 ` John Richard Moser
2005-01-13 19:22 ` Norbert van Nobelen
2005-01-13 19:35 ` John Richard Moser
2005-01-13 19:46 ` Linus Torvalds
2005-01-13 19:57 ` John Richard Moser
2005-01-14 12:39 ` Horst von Brand
2005-01-14 15:45 ` Linus Torvalds
2005-01-14 15:52 ` Arjan van de Ven
2005-01-14 15:57 ` Stephen Smalley
2005-01-14 16:17 ` Stephen Smalley
2005-01-15 0:33 ` Alan Cox
2005-01-13 17:01 ` Arjan van de Ven
2005-01-13 17:19 ` Linus Torvalds
2005-01-13 17:45 ` Arjan van de Ven
2005-01-13 18:31 ` John Richard Moser
2005-01-19 10:30 ` Ingo Molnar
2005-01-19 17:20 ` John Richard Moser
2005-01-19 17:47 ` Ingo Molnar
2005-01-19 18:35 ` John Richard Moser
2005-01-19 18:55 ` Arjan van de Ven
2005-01-19 19:46 ` John Richard Moser
2005-01-19 19:53 ` Arjan van de Ven
2005-01-20 8:46 ` [Lists-linux-kernel-news] " Ingo Molnar
2005-01-20 8:35 ` Ingo Molnar
2005-01-20 10:44 ` Ingo Molnar
2005-01-20 18:16 ` John Richard Moser
2005-01-20 18:53 ` Valdis.Kletnieks
2005-01-20 18:55 ` Arjan van de Ven
2005-01-20 19:17 ` John Richard Moser
2005-01-20 19:22 ` Christoph Hellwig
2005-01-20 21:24 ` John Richard Moser
2005-01-19 17:52 ` Arjan van de Ven
2005-01-19 18:50 ` John Richard Moser [this message]
2005-01-19 19:47 ` Valdis.Kletnieks
2005-01-19 19:53 ` Arjan van de Ven
2005-01-19 20:44 ` Valdis.Kletnieks
2005-01-19 20:12 ` John Richard Moser
2005-01-19 20:42 ` Valdis.Kletnieks
2005-01-19 21:03 ` John Richard Moser
2005-01-19 22:02 ` Splitting up grsecurity and PAX (was " Valdis.Kletnieks
2005-01-19 20:47 ` Diego Calleja
2005-01-25 15:05 ` Bill Davidsen
2005-01-25 15:52 ` Linus Torvalds
2005-01-25 17:27 ` Bill Davidsen
2005-01-25 18:01 ` John Richard Moser
2005-01-25 18:30 ` Linus Torvalds
2005-01-25 18:37 ` John Richard Moser
2005-01-25 18:57 ` Dmitry Torokhov
2005-01-25 19:56 ` John Richard Moser
2005-01-25 20:25 ` J. Bruce Fields
2005-01-25 20:29 ` John Richard Moser
2005-01-25 20:46 ` J. Bruce Fields
2005-01-25 20:53 ` Valdis.Kletnieks
2005-01-25 20:59 ` John Richard Moser
2005-01-25 21:05 ` linux-os
2005-01-25 21:20 ` John Richard Moser
2005-01-26 15:15 ` Jesse Pollard
2005-01-26 16:09 ` Linus Torvalds
2005-01-26 19:15 ` Olaf Hering
2005-01-26 19:28 ` Linus Torvalds
2005-01-26 19:38 ` Olaf Hering
2005-01-26 19:53 ` Linus Torvalds
2005-01-30 15:39 ` Alan Cox
2005-01-26 19:24 ` John Richard Moser
2005-01-26 19:56 ` Bill Davidsen
2005-01-27 16:37 ` Jesse Pollard
2005-01-27 17:18 ` Zan Lynx
2005-01-27 22:18 ` Jesse Pollard
2005-01-27 23:20 ` Bill Davidsen
2005-01-27 23:36 ` John Richard Moser
2005-01-28 0:23 ` linux-os
2005-01-28 0:15 ` Krzysztof Halasa
2005-01-26 0:01 ` Bill Davidsen
2005-01-26 0:40 ` John Richard Moser
2005-01-25 19:05 ` Linus Torvalds
2005-01-25 20:03 ` John Richard Moser
2005-01-25 21:17 ` Al Viro
2005-01-26 16:06 ` Sytse Wielinga
2005-01-26 19:31 ` John Richard Moser
2005-01-26 19:50 ` Valdis.Kletnieks
2005-01-26 20:02 ` John Richard Moser
2005-01-26 20:26 ` Sytse Wielinga
2005-01-26 20:39 ` John Richard Moser
2005-01-26 20:49 ` Sytse Wielinga
2005-01-25 18:08 ` Linus Torvalds
2005-01-14 21:57 ` Russell King
2005-01-19 12:56 ` Pavel Machek
2005-01-19 20:02 ` Bill Davidsen
2005-01-13 4:49 ` William Lee Irwin III
2005-01-13 5:19 ` Dave Jones
2005-01-13 15:36 ` Alan Cox
2005-01-13 3:25 ` Dave Jones
2005-01-13 3:53 ` Marek Habersack
2005-01-13 5:38 ` Barry K. Nathan
2005-01-13 8:59 ` Florian Weimer
2005-01-13 15:31 ` Barry K. Nathan
2005-01-13 15:36 ` Alan Cox
2005-01-13 19:25 ` thoughts on kernel security issuesiig Marek Habersack
2005-01-13 15:36 ` thoughts on kernel security issues Alan Cox
2005-01-13 19:25 ` Christoph Hellwig
2005-01-13 19:33 ` Dave Jones
2005-01-13 19:35 ` Christoph Hellwig
2005-01-13 18:55 ` Alan Cox
2005-01-13 19:59 ` Dave Jones
2005-01-13 19:36 ` Marek Habersack
2005-01-13 8:23 ` Florian Weimer
2005-01-13 16:00 ` Kristofer T. Karas
2005-01-13 3:37 ` Rik van Riel
2005-01-12 19:18 ` Greg KH
2005-01-12 19:38 ` Chris Wright
2005-01-12 19:41 ` Florian Weimer
2005-01-12 23:10 ` Chris Wright
2005-01-12 19:43 ` Florian Weimer
2005-01-12 22:46 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2005-01-12 20:49 Hubert Tonneau
2005-01-13 17:29 ` Chris Wright
2005-02-27 12:38 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41EEABEF.5000503@comcast.net \
--to=nigelenki@comcast.net \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=chrisw@osdl.org \
--cc=davej@redhat.com \
--cc=greg@kroah.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.tosatti@cyclades.com \
--cc=mingo@elte.hu \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.