Re: [RFC] prevention of syscalls from writable segments, breaking bug exploits

From: Gerhard Mack (gmack@innerfire.net)
Date: Thu Jan 04 2001 - 02:09:49 EST


On Wed, 3 Jan 2001, Dan Hollis wrote:

> On Wed, 3 Jan 2001, Gerhard Mack wrote:
> > On Wed, 3 Jan 2001, Dan Hollis wrote:
> > > On Wed, 3 Jan 2001, Gerhard Mack wrote:
> > > > Your comparing actual security with stack guarding? Stack guarding mearly
> > > > makes the attack diffrent.. rootkits are already available to defeat it.
> > > url?
> > Ugh do you have any idea how hard it is to find 2 year old exploits?
> > Heres the best I could find on short notice:
> > http://www.insecure.org/sploits/non-executable.stack.problems.html
> > http://darwin.bio.uci.edu/~mcoogan/bugtraq/msg00335.html
>
> You said there were rootkits specifically targetting stackguard.
>
> These URLs simply describe attacks on stackguard, where are the
> stackguard rootkits?

I'll correct myself then: there were non exec stack patches. Keep in
mind part of the problem is that some compilors actually use that feature
look up "trampolines" for more info.

Also I was in error to refer to it as stack guarding.. Stack guard is a
compilor. I acually use libsafe it's preferable for 2 reasons.
  1 It's entirely userspace and it works fine.
  2 If someone manages to render it useless I'll simply uninstall it.

        Gerhard

PS Although personally I think linux reoutation is most harmed by distribs
who insists on installing software with bad security records. But that's
not relevent to linux-kernel.

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jan 07 2001 - 21:00:17 EST