Re: thoughts on kernel security issues

From: John Richard Moser
Date: Wed Jan 19 2005 - 15:14:52 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Valdis.Kletnieks@xxxxxx wrote:
> On Wed, 19 Jan 2005 13:50:23 EST, John Richard Moser said:
>
>>Arjan van de Ven wrote:
>>
>>>>Split-out portions of PaX (and of ES) don't make sense.
>>>
>>>they do. Somewhat.
>
>
>>They do to "break all existing exploits" until someone takes 5 minutes
>>to make a slight alteration. Only the reciprocating combinations of
>>each protection can protect the others from being exploited and create a
>>truly secure environment.
>
>
> OK, for those who tuned in late to the telecast of "Kernel Development Process
> for Newbies":
>
> It *DOES NOT MATTER* that PaX and ES "don't make sense" split out into 5 or
> 6 pieces. We merge in stuff *ALL THE TIME* in 20 or 30 chunks, where it
> doesn't make any real sense unless all 20 or 30 go in. Just today, there was
> a 29-patch monster replacing kexec, and another 12-patcher replacing something
> else. And I don't think anybody claims that many of those 29 patches stand
> totally by themselves. You install 25 of them, you probably don't have a working
> kexec, which is the goal of the patch series.
>
> The point is that *each* of those 29 patches is small and self-contained enough
> to review for breakage of current stuff, elegance of coding, and so on. Now
> let's look at grsecurity:
>
> % wc grsecurity-2.1.0-2.6.10-200501071049.patch
> 23539 89686 700414 grsecurity-2.1.0-2.6.10-200501071049.patch
>
> 700K. In one patch. If PAX is available for 2.6.10 by itself, it certainly
> hasn't been posted to http://pax.grsecurity.net - that's still showing a 2.6.7
> patch. But even there, that's a single monolithic 280K patch. That's never
> going to get merged, simply because *nobody* can review a single patch that big.
>

PaX is available for 2.6.10, but it's in the testing phase. I've had
good results.

> Now look at http://www.kernel.org/pub/linux/kernel/people/arjan/execshield/.
> 4 separate hunks, the biggest is under 7K. Other chunks of similar size
> for non-exec stack and NX support are already merged.
>
> And why were they merged? Because they showed up in 4-8K chunks.
>

so you want 90-200 split out patches for GrSecurity?

>
>>Split-out portions of PaX (and of ES) don't make sense. ASLR can be
>>evaded pretty easily: inject code, read %efp, find the GOT, read
>>addresses. The NX protections can be evaded by using ret2libc. on x86,
>>you need emulation to make an NX bit or the NX protections are useless.
>>So every part prevents every other part from being pushed gently aside.
>
>
> Right. But if you *submit* them as "a chunk to add x86 emulation of an NX
> bit", "a chunk to add ASLR", "a chunk to add NX", "a chunk to do FOO with the
> vsyscall page", and so on, they might actually have a snowball's chance of
> being included.
>
> If nothing else, the fact they're posted as different patches means each can be
> used as the anchor for a thread discussing the merits of *that* patch. Adrian
> Bunk has been submitting patches for the last several weeks which probably
> total *well* over the size of the PAX patch. And since they show up as
> separate patches, the non-controversial ones can sail by, the ALSA crew can
> comment when he hits an ALSA module, the filesystem people can comment when he
> hits one of their files, and so on.

ok ok ok. I get the point: I'm the only person in the world who can
swallow a twinkie whole, the rest of you need to chew.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB7r8UhDd4aOud5P8RAg6tAJ4uWXxFSVcLhfB/QwWcBR0rTS/WKgCcD5ga
S1xb603WKqgk2Bq5/zhpSXw=
=aHEb
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/