Re: Stopping buffer-overflow security exploits using page protection

From: Oliver Xymoron (oxymoron@waste.org)
Date: Sat Jul 29 2000 - 12:49:54 EST


On Fri, 28 Jul 2000, Bruce Perens wrote:

> Please see http://technocrat.net/964824712/ . Is there any good
> reason that we can not run Linux executables with the execute permission
> turned off, by default, on all stack and data pages? Wouldn't this stop
> buffer-overflow security exploits that try to inject executable code onto
> the stack or into function tables? i386 won't support it, but other
> architectures do.

Writable+executable isn't the problem. Scan executable for pointers to
string "/bin/sh". Locate entry point of exec in libc. Smash the stack so
that function calls exec with "/bin/sh" as an argument. Solar Designer's
patch makes this a little trickier by making libraries have zero bytes in
their addresses, but a little knowledge of the dynamic linker got around
this. Read the exploit you linked carefully - it's exploiting things that
can't be bandaided over.

As for the number of exploits this would stop, including this in the
mainstream kernel would only be a stopgap measure. All it took to open the
floodgates for stack smashing exploits was a single well-written article -
Aleph One's "Smashing the Stack for Fun and Profit". Now writing an
exploit once you find an overflow is a cookbook exercise. A 2nd edition of
the cookbook would be all it would take to render the patch meaningless.

The problem isn't Intel's fault or any OS's, it's a problem in the C
language and compiler. There are 5 fixes:

a) write safe code (which has so far proved hard)
b) compile with bounds-checking (big performance hit)
c) compile with StackGuard, etc. (doesn't stop exploits that corrupt
   other locals)
d) separate the return address stack from the automatic variable stack
   (ditto)
e) use another language (performance)

--
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.." 

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:30 EST