From: Julien TINNES <julien.tinnes.NOSPAM@francetelecom.REMOVE.com>
To: Ingo Molnar <mingo@elte.hu>
Cc: linux-kernel@vger.kernel.org,
Arjan van de Ven <arjanv@redhat.com>,
"Theodore Ts'o" <tytso@mit.edu>
Subject: Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)
Date: Tue, 08 Feb 2005 15:25:30 +0100 [thread overview]
Message-ID: <4208CBDA.5010903@francetelecom.REMOVE.com> (raw)
In-Reply-To: <20050208134156.GA5017@elte.hu>
> i'm just curious, assuming that all those conditions are true, do you
> consider PaX a 100% sure solution against 'code injection' attacks?
> (assuming that the above PaX and access-control feature implementations
> are correct.) Do you think the upstream kernel could/should integrate it
> as a solution against code injection attacks?
>
> Ingo
It depends on what you call 'code injection'.
- If code injection is the introduction of a new piece of directly
executable-by-processor opcodes (I exclude interpreted code here) into a
running process:
1. If you trust the Linux kernel, your processor, etc..
2. If you have a non executable pages semantics implementation
3. If you have a restriction preventing PROT_EXEC|PROT_WRITE mappings
from existing and any new PROT_EXEC mapping (meaning giving an existing
mapping PROT_EXEC or creating a new PROT_EXEC mapping) from being created.
then the answer is yes.
PaX does 2 fully, and 3 partially:
- It does'nt prevent executable file mapping (access control system must)
- .text relocations are detected and permited if the option is enabled
(necessary if you don't have PIC code)
- there is an option that can be enable to emulate trampolines
But if you consider code injection as in your previous post:
>btw., do you consider PaX as a 100% sure solution against 'code
>injection' attacks (meaning that the attacker wants to execute an
>arbitrary piece of code, and assuming the attacked application has a
>stack overflow)? I.e. does PaX avoid all such attacks in a guaranteed
>way?
then the answer to your question is no because a stack overflow usually
allows two things: injection of new code, and execution flow redirection.
While the former is prevented, the later is not and the attacker could
use chaining techniques as in [1] to execute "arbitrary code" (but not
directly as an arbitrary, newly injected sequence of opcodes).
Address space obfuscation (address space layout randomization is one
way) is making it harder (but not impossible, esp. if you don't have
anything preventing the attacker from bruteforcing...) to use existing code.
[1]: Nergal, Advanced return into-lib(c)
http://www.phrack.org/show.php?p=58&a=4
--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
next prev parent reply other threads:[~2005-02-08 14:24 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-02 16:51 Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer) Ingo Molnar
2005-02-02 22:08 ` pageexec
2005-02-03 9:44 ` Ingo Molnar
2005-02-03 14:20 ` pageexec
2005-02-03 20:20 ` Ingo Molnar
2005-02-07 14:23 ` pageexec
2005-02-07 21:08 ` Ingo Molnar
2005-02-08 12:27 ` pageexec
2005-02-08 21:23 ` Ingo Molnar
2005-02-07 22:36 ` Ingo Molnar
2005-02-08 12:27 ` pageexec
2005-02-08 13:41 ` Ingo Molnar
2005-02-08 14:25 ` Julien TINNES [this message]
2005-02-08 16:56 ` Ingo Molnar
2005-02-08 16:48 ` the "Turing Attack" (was: Sabotaged PaXtest) Ingo Molnar
2005-02-08 22:08 ` Ingo Molnar
2005-02-10 13:43 ` Ingo Molnar
2005-02-10 13:58 ` Jakob Oestergaard
2005-02-10 15:21 ` Ingo Molnar
2005-02-10 20:03 ` David Weinehall
2005-02-11 8:51 ` Mika Bostrom
2005-02-08 22:41 ` H. Peter Anvin
2005-02-03 13:55 ` Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer) Peter Busser
2005-02-03 14:39 ` Roman Zippel
2005-02-07 12:23 ` pageexec
2005-02-07 18:31 ` John Richard Moser
[not found] <200501311015.20964.arjan@infradead.org>
2005-01-31 12:57 ` Peter Busser
2005-01-31 16:41 ` Arjan van de Ven
2005-02-01 9:44 ` Peter Busser
2005-02-01 11:46 ` Ingo Molnar
2005-02-01 14:48 ` Peter Busser
2005-02-01 21:39 ` Diego Calleja
2005-02-02 0:15 ` Theodore Ts'o
2005-02-02 8:26 ` Theodore Ts'o
2005-02-02 9:55 ` Peter Busser
2005-02-02 9:35 ` Peter Busser
2005-02-02 9:52 ` Arjan van de Ven
2005-02-02 12:18 ` pageexec
2005-02-02 13:13 ` Peter Busser
2005-02-02 14:12 ` Ingo Molnar
2005-02-02 18:02 ` Olivier Galibert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4208CBDA.5010903@francetelecom.REMOVE.com \
--to=julien.tinnes.nospam@francetelecom.remove.com \
--cc=arjanv@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox