From: John Richard Moser <nigelenki@comcast.net>
To: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@osdl.org>,
Arjan van de Ven <arjan@infradead.org>,
Christoph Hellwig <hch@infradead.org>,
Dave Jones <davej@redhat.com>, Andrew Morton <akpm@osdl.org>,
marcelo.tosatti@cyclades.com, Greg KH <greg@kroah.com>,
chrisw@osdl.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: thoughts on kernel security issues
Date: Wed, 19 Jan 2005 12:20:39 -0500 [thread overview]
Message-ID: <41EE96E7.3000004@comcast.net> (raw)
In-Reply-To: <20050119103020.GA4417@elte.hu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ingo Molnar wrote:
> * John Richard Moser <nigelenki@comcast.net> wrote:
>
>
>>>There was a kernel-based randomization patch floating around at some
>>>point, though. I think it's part of PaX. That's the one I hated.
>>
>>PaX and Exec Shield both have them; personally I believe PaX is a more
>>mature technology, since it's 1) still actively developed, and 2) been
>>around since late 2000. The rest of the community dissagrees with me
>>of course, [...]
>
>
> might this disagreement be based on the fact that exec-shield _is_ being
> actively developed and is in active use in Fedora/RHEL, and that split
> out portions of exec-shield (e.g. flexmmap, PT_GNU_STACK, NX) are
> already in the upstream kernel?
>
ES has been actively developed since it was poorly implemented in 2003.
PaX has been actively developed since it was poorly implemented in
2000. PaX has had about 4 times longer to go from a poor
proof-of-concept NX emulation patch based on the plex86 announcement to
a full featured security system, and is written by a competant security
developer rather than a competant scheduler developer.
Split-out portions of PaX (and of ES) don't make sense. ASLR can be
evaded pretty easily: inject code, read %efp, find the GOT, read
addresses. The NX protections can be evaded by using ret2libc. on x86,
you need emulation to make an NX bit or the NX protections are useless.
So every part prevents every other part from being pushed gently aside.
PT_GNU_STACK annoys me :P I'm more interested in 1) PaX' full set of
markings (-ps for NX, -m for mprotect(), r for randmmap, x for
randexec), 2) getting rid of the need for anything but -m, and 3)
eliminating relocations. Sometimes they don't patch GLIBC here and
Firefox won't load flash or Java because they're PT_GNU_STACK and don't
really need it (the java executables are marked, but the java plug-in
doesn't need PT_GNU_STACK).
I guess it works on Exec Shield, but it frightens me that I have to
audit every library an executable uses for a PT_GNU_STACK marking to see
if it has an executable stack.
> (but no doubt PaX is fine and protects against exploits at least as
> effectively as (and in some cases more effectively than) exec-shield, so
> you've definitely not made a bad choice.)
>
Either or if it stops an exploit; there's no "stopping an exploit
better," just stopping more of them and having fewer loopholes. As I
understand, ES' NX approximation fails if you relieve protections on a
higher mapping-- which confuses me, isn't vsyscall() a high-address
executable mapping, which would disable NX protection for the full
address space?
PaX disables vsyscall when using PAGEEXEC on x86 because (since 2.6.6 or
so) pipacs uses the same method as ExecShield as a best-effort, falling
back to kernel-assisted MMU walking if that fails. Wasted effort with
vsyscall.
PaX though gives me powerful, flexible administrative control over
executable space protections as a privileged resource.
mprotect(PROT_EXEC|PROT_WRITE) isn't something normal programs need; so
it's not something I allow everyone to do.
Aside from that, I just trust the PaX developer more. He's already got
a more developed product; he's a security developer instead of a
scheduler developer; and he reads CPU manuals for breakfast. I think a
lot of PaX is developed without real hardware-- I know he at least
doesn't have an AMD64 (which is what I use PaX on-- and yes I use the
regression tests), and he does a fine job anyway. This indicates to me
that this is a serious project with someone who knows what he's doing,
so I trust it more.
> Ingo
>
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB7pbmhDd4aOud5P8RAuV2AJ44dE9gvqZ9xwfENaWA6Hm81ALcfQCaA7mk
QFZejeyBBLd1sdtSj3o4Avk=
=hNuJ
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2005-01-19 17:23 UTC|newest]
Thread overview: 212+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-12 17:48 thoughts on kernel security issues Chris Wright
2005-01-12 15:06 ` Marcelo Tosatti
2005-01-12 18:49 ` Chris Wright
2005-01-12 18:05 ` Linus Torvalds
2005-01-12 18:44 ` Chris Wright
2005-01-12 18:57 ` Linus Torvalds
2005-01-12 19:21 ` Chris Wright
2005-01-12 20:59 ` Jesper Juhl
2005-01-12 21:27 ` Greg KH
2005-01-12 18:51 ` Greg KH
2005-01-12 19:01 ` Linus Torvalds
2005-01-12 16:12 ` Marcelo Tosatti
2005-01-12 20:00 ` Linus Torvalds
2005-01-12 17:42 ` Marcelo Tosatti
2005-01-13 15:36 ` Alan Cox
2005-01-13 17:22 ` Marcelo Tosatti
2005-01-13 21:20 ` Alan Cox
2005-01-13 17:52 ` Florian Weimer
2005-01-13 19:42 ` Marek Habersack
2005-01-13 19:19 ` Alan Cox
2005-01-13 20:44 ` Marek Habersack
2005-01-14 10:22 ` Wichert Akkerman
2005-01-14 12:10 ` Julian T. J. Midgley
2005-01-14 14:52 ` Florian Weimer
2005-01-14 15:12 ` Julian T. J. Midgley
2005-01-15 0:33 ` Alan Cox
2005-01-14 13:55 ` Marek Habersack
2005-01-13 19:50 ` Chris Wright
2005-01-13 20:29 ` Marek Habersack
2005-01-13 19:41 ` Alan Cox
2005-01-13 20:57 ` Arjan van de Ven
2005-01-13 21:22 ` Linus Torvalds
2005-01-13 21:15 ` Alan Cox
2005-01-13 22:41 ` Linus Torvalds
2005-01-13 21:41 ` Arjan van de Ven
2005-01-13 21:02 ` Marek Habersack
2005-01-13 21:30 ` Dave Jones
2005-01-13 21:48 ` Marek Habersack
2005-01-13 22:06 ` Dave Jones
2005-01-13 22:21 ` Marek Habersack
2005-01-13 23:30 ` Jesper Juhl
2005-01-15 0:34 ` Alan Cox
2005-01-15 2:56 ` Marcin Dalecki
2005-01-13 20:03 ` Dave Jones
2005-01-13 20:10 ` Linus Torvalds
2005-01-13 19:27 ` Alan Cox
2005-01-13 21:03 ` Linus Torvalds
2005-01-13 21:25 ` Alan Cox
2005-01-13 22:47 ` Linus Torvalds
2005-01-13 23:15 ` Chris Wright
2005-01-14 18:34 ` Theodore Ts'o
2005-01-14 19:15 ` Linus Torvalds
2005-01-14 22:13 ` Theodore Ts'o
2005-01-14 22:51 ` Linus Torvalds
2005-01-15 0:34 ` Alan Cox
2005-01-15 4:19 ` Linus Torvalds
2005-01-15 5:36 ` Rik van Riel
2005-01-18 22:27 ` Bill Davidsen
2005-01-19 2:34 ` Alban Browaeys
2005-01-19 19:13 ` Bill Davidsen
2005-01-13 20:32 ` Marek Habersack
2005-01-12 20:27 ` Chris Wright
2005-01-12 20:57 ` Greg KH
2005-01-13 15:36 ` Alan Cox
2005-01-12 21:20 ` Andrea Arcangeli
2005-01-12 20:28 ` Linus Torvalds
2005-01-12 18:03 ` Marcelo Tosatti
2005-01-13 3:18 ` Christian
2005-01-12 20:53 ` Dave Jones
2005-01-12 20:59 ` Greg KH
2005-01-13 2:09 ` Linus Torvalds
2005-01-13 2:28 ` Andrew Morton
2005-01-13 2:51 ` Linus Torvalds
2005-01-13 3:05 ` David Blomberg
2005-01-13 2:56 ` Greg KH
2005-01-13 3:01 ` Chris Wright
2005-01-13 3:35 ` Dave Jones
2005-01-13 3:42 ` Andrew Morton
2005-01-13 3:54 ` Chris Wright
2005-01-13 4:49 ` William Lee Irwin III
2005-01-13 6:54 ` Andrew Morton
2005-01-13 7:19 ` William Lee Irwin III
2005-01-13 7:25 ` Matt Mackall
2005-01-13 4:48 ` Linus Torvalds
2005-01-13 5:51 ` Barry K. Nathan
2005-01-13 7:28 ` Matt Mackall
2005-01-13 7:42 ` Willy Tarreau
2005-01-13 8:02 ` David Lang
2005-01-13 10:05 ` Willy Tarreau
2005-01-13 8:23 ` Christoph Hellwig
2005-01-13 16:38 ` Linus Torvalds
2005-01-13 16:12 ` Alan Cox
2005-01-13 17:33 ` Linus Torvalds
2005-01-13 17:49 ` Chris Wright
2005-01-13 18:53 ` Alan Cox
2005-01-13 18:59 ` John Richard Moser
2005-01-13 19:22 ` Norbert van Nobelen
2005-01-13 19:35 ` John Richard Moser
2005-01-13 19:46 ` Linus Torvalds
2005-01-13 19:57 ` John Richard Moser
2005-01-14 12:39 ` Horst von Brand
2005-01-14 15:45 ` Linus Torvalds
2005-01-14 15:52 ` Arjan van de Ven
2005-01-14 15:57 ` Stephen Smalley
2005-01-14 16:17 ` Stephen Smalley
2005-01-15 0:33 ` Alan Cox
2005-01-13 17:01 ` Arjan van de Ven
2005-01-13 17:19 ` Linus Torvalds
2005-01-13 17:45 ` Arjan van de Ven
2005-01-13 18:31 ` John Richard Moser
2005-01-19 10:30 ` Ingo Molnar
2005-01-19 17:20 ` John Richard Moser [this message]
2005-01-19 17:47 ` Ingo Molnar
2005-01-19 18:35 ` John Richard Moser
2005-01-19 18:55 ` Arjan van de Ven
2005-01-19 19:46 ` John Richard Moser
2005-01-19 19:53 ` Arjan van de Ven
2005-01-20 8:46 ` [Lists-linux-kernel-news] " Ingo Molnar
2005-01-20 8:35 ` Ingo Molnar
2005-01-20 10:44 ` Ingo Molnar
2005-01-20 18:16 ` John Richard Moser
2005-01-20 18:53 ` Valdis.Kletnieks
2005-01-20 18:55 ` Arjan van de Ven
2005-01-20 19:17 ` John Richard Moser
2005-01-20 19:22 ` Christoph Hellwig
2005-01-20 21:24 ` John Richard Moser
2005-01-19 17:52 ` Arjan van de Ven
2005-01-19 18:50 ` John Richard Moser
2005-01-19 19:47 ` Valdis.Kletnieks
2005-01-19 19:53 ` Arjan van de Ven
2005-01-19 20:44 ` Valdis.Kletnieks
2005-01-19 20:12 ` John Richard Moser
2005-01-19 20:42 ` Valdis.Kletnieks
2005-01-19 21:03 ` John Richard Moser
2005-01-19 22:02 ` Splitting up grsecurity and PAX (was " Valdis.Kletnieks
2005-01-19 20:47 ` Diego Calleja
2005-01-25 15:05 ` Bill Davidsen
2005-01-25 15:52 ` Linus Torvalds
2005-01-25 17:27 ` Bill Davidsen
2005-01-25 18:01 ` John Richard Moser
2005-01-25 18:30 ` Linus Torvalds
2005-01-25 18:37 ` John Richard Moser
2005-01-25 18:57 ` Dmitry Torokhov
2005-01-25 19:56 ` John Richard Moser
2005-01-25 20:25 ` J. Bruce Fields
2005-01-25 20:29 ` John Richard Moser
2005-01-25 20:46 ` J. Bruce Fields
2005-01-25 20:53 ` Valdis.Kletnieks
2005-01-25 20:59 ` John Richard Moser
2005-01-25 21:05 ` linux-os
2005-01-25 21:20 ` John Richard Moser
2005-01-26 15:15 ` Jesse Pollard
2005-01-26 16:09 ` Linus Torvalds
2005-01-26 19:15 ` Olaf Hering
2005-01-26 19:28 ` Linus Torvalds
2005-01-26 19:38 ` Olaf Hering
2005-01-26 19:53 ` Linus Torvalds
2005-01-30 15:39 ` Alan Cox
2005-01-26 19:24 ` John Richard Moser
2005-01-26 19:56 ` Bill Davidsen
2005-01-27 16:37 ` Jesse Pollard
2005-01-27 17:18 ` Zan Lynx
2005-01-27 22:18 ` Jesse Pollard
2005-01-27 23:20 ` Bill Davidsen
2005-01-27 23:36 ` John Richard Moser
2005-01-28 0:23 ` linux-os
2005-01-28 0:15 ` Krzysztof Halasa
2005-01-26 0:01 ` Bill Davidsen
2005-01-26 0:40 ` John Richard Moser
2005-01-25 19:05 ` Linus Torvalds
2005-01-25 20:03 ` John Richard Moser
2005-01-25 21:17 ` Al Viro
2005-01-26 16:06 ` Sytse Wielinga
2005-01-26 19:31 ` John Richard Moser
2005-01-26 19:50 ` Valdis.Kletnieks
2005-01-26 20:02 ` John Richard Moser
2005-01-26 20:26 ` Sytse Wielinga
2005-01-26 20:39 ` John Richard Moser
2005-01-26 20:49 ` Sytse Wielinga
2005-01-25 18:08 ` Linus Torvalds
2005-01-14 21:57 ` Russell King
2005-01-19 12:56 ` Pavel Machek
2005-01-19 20:02 ` Bill Davidsen
2005-01-13 4:49 ` William Lee Irwin III
2005-01-13 5:19 ` Dave Jones
2005-01-13 15:36 ` Alan Cox
2005-01-13 3:25 ` Dave Jones
2005-01-13 3:53 ` Marek Habersack
2005-01-13 5:38 ` Barry K. Nathan
2005-01-13 8:59 ` Florian Weimer
2005-01-13 15:31 ` Barry K. Nathan
2005-01-13 15:36 ` Alan Cox
2005-01-13 19:25 ` thoughts on kernel security issuesiig Marek Habersack
2005-01-13 15:36 ` thoughts on kernel security issues Alan Cox
2005-01-13 19:25 ` Christoph Hellwig
2005-01-13 19:33 ` Dave Jones
2005-01-13 19:35 ` Christoph Hellwig
2005-01-13 18:55 ` Alan Cox
2005-01-13 19:59 ` Dave Jones
2005-01-13 19:36 ` Marek Habersack
2005-01-13 8:23 ` Florian Weimer
2005-01-13 16:00 ` Kristofer T. Karas
2005-01-13 3:37 ` Rik van Riel
2005-01-12 19:18 ` Greg KH
2005-01-12 19:38 ` Chris Wright
2005-01-12 19:41 ` Florian Weimer
2005-01-12 23:10 ` Chris Wright
2005-01-12 19:43 ` Florian Weimer
2005-01-12 22:46 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2005-01-12 20:49 Hubert Tonneau
2005-01-13 17:29 ` Chris Wright
2005-02-27 12:38 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41EE96E7.3000004@comcast.net \
--to=nigelenki@comcast.net \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=chrisw@osdl.org \
--cc=davej@redhat.com \
--cc=greg@kroah.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.tosatti@cyclades.com \
--cc=mingo@elte.hu \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox