Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261829AbVASSAR (ORCPT ); Wed, 19 Jan 2005 13:00:17 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261790AbVASR5e (ORCPT ); Wed, 19 Jan 2005 12:57:34 -0500 Received: from canuck.infradead.org ([205.233.218.70]:60938 "EHLO canuck.infradead.org") by vger.kernel.org with ESMTP id S261818AbVASRwu (ORCPT ); Wed, 19 Jan 2005 12:52:50 -0500 Subject: Re: thoughts on kernel security issues From: Arjan van de Ven To: John Richard Moser Cc: Ingo Molnar , Linus Torvalds , Christoph Hellwig , Dave Jones , Andrew Morton , marcelo.tosatti@cyclades.com, Greg KH , chrisw@osdl.org, Alan Cox , Kernel Mailing List In-Reply-To: <41EE96E7.3000004@comcast.net> References: <20050112205350.GM24518@redhat.com> <20050112182838.2aa7eec2.akpm@osdl.org> <20050113033542.GC1212@redhat.com> <20050113082320.GB18685@infradead.org> <1105635662.6031.35.camel@laptopd505.fenrus.org> <41E6BE6B.6050400@comcast.net> <20050119103020.GA4417@elte.hu> <41EE96E7.3000004@comcast.net> Content-Type: text/plain Date: Wed, 19 Jan 2005 18:52:31 +0100 Message-Id: <1106157152.6310.171.camel@laptopd505.fenrus.org> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 (2.0.2-3) Content-Transfer-Encoding: 7bit X-Spam-Score: 4.1 (++++) X-Spam-Report: SpamAssassin version 2.63 on canuck.infradead.org summary: Content analysis details: (4.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.3 RCVD_NUMERIC_HELO Received: contains a numeric HELO 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [] 2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address [80.57.133.107 listed in dnsbl.sorbs.net] 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS [80.57.133.107 listed in dnsbl.sorbs.net] X-SRS-Rewrite: SMTP reverse-path rewritten from by canuck.infradead.org See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3059 Lines: 75 > ES has been actively developed since it was poorly implemented in 2003. > PaX has been actively developed since it was poorly implemented in > 2000. PaX has had about 4 times longer to go from a poor > proof-of-concept NX emulation patch based on the plex86 announcement to > a full featured security system, and is written by a competant security > developer rather than a competant scheduler developer. I would call that an insult to Ingo. > Split-out portions of PaX (and of ES) don't make sense. they do. Somewhat. > ASLR can be > evaded pretty easily: inject code, read %efp, find the GOT, read > addresses. The NX protections can be evaded by using ret2libc. on x86, > you need emulation to make an NX bit or the NX protections are useless. actually modern x86 cpus have hardware NX. > PT_GNU_STACK annoys me :P I'm more interested in 1) PaX' full set of > markings (-ps for NX, -m for mprotect(), r for randmmap, x for > randexec), 2) getting rid of the need for anything but -m, and 3) > eliminating relocations. Sometimes they don't patch GLIBC here and > Firefox won't load flash or Java because they're PT_GNU_STACK and don't > really need it (the java executables are marked, but the java plug-in > doesn't need PT_GNU_STACK). so remark them. > > I guess it works on Exec Shield, but it frightens me that I have to > audit every library an executable uses for a PT_GNU_STACK marking to see > if it has an executable stack. there is lsexec which does this automatic for you based on running propcesses > > Either or if it stops an exploit; there's no "stopping an exploit > better," just stopping more of them and having fewer loopholes. As I > understand, ES' NX approximation fails if you relieve protections on a > higher mapping which is REALLY rare for programs to do > -- which confuses me, isn't vsyscall() a high-address > executable mapping, which would disable NX protection for the full > address space? just like PaX, execshield has to disable the vsyscall page. Exec-Shield actually has the code to 1) move the vsyscall page down in the address space and 2) randomize it per process, but that is inactive right now since it needs a bit of help from the VM that isn't provided anymore since 2.6.8 or so. > PaX though gives me powerful, flexible administrative control over > executable space protections as a privileged resource. > mprotect(PROT_EXEC|PROT_WRITE) isn't something normal programs need; so > it's not something I allow everyone to do. it's a balance between compatibility and security. PaX strikes a somewhat different balance from E-S. E-S goes a long way to avoid breaking things that posix requires, even if they are silly and rare. Apps don't DO PROT_EXEC|PROT_WRITE normally after all.. so this added "protect" is to a point artifical. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/