Re: [Announcement] "Exec Shield", new Linux security feature

From: Davide Libenzi (davidel@xmailserver.org)
Date: Fri May 02 2003 - 12:12:56 EST

Next message: Marc-Christian Petersen: "Re: [Announcement] "Exec Shield", new Linux security feature"
Previous message: Matthias Andree: "Re: [Announcement] "Exec Shield", new Linux security feature"
In reply to: Ingo Molnar: "[Announcement] "Exec Shield", new Linux security feature"
Next in thread: Arjan van de Ven: "Re: [Announcement] "Exec Shield", new Linux security feature"
Reply: Arjan van de Ven: "Re: [Announcement] "Exec Shield", new Linux security feature"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2 May 2003, Ingo Molnar wrote:

>
> We are pleased to announce the first publically available source code
> release of a new kernel-based security feature called the "Exec Shield",
> for Linux/x86. The kernel patch (against 2.4.21-rc1, released under the
> GPL/OSL) can be downloaded from:
>
> http://redhat.com/~mingo/exec-shield/
>
> The exec-shield feature provides protection against stack, buffer or
> function pointer overflows, and against other types of exploits that rely
> on overwriting data structures and/or putting code into those structures.
> The patch also makes it harder to pass in and execute the so-called
> 'shell-code' of exploits. The patch works transparently, ie. no
> application recompilation is necessary.

[ very cool stuff ]

Ingo, do you want protection against shell code injection ? Have the
kernel to assign random stack addresses to processes and they won't be
able to guess the stack pointer to place the jump. I use a very simple
trick in my code :

#define MAX_STKSHIFT 1024

struct thrunner {
int (*proc)(void *);
void *data;
}

static int thread_runner(void *data) {
struct thrunner *thr = data;

alloca(myrand(MAX_STKSHIFT));
return thr->proc(thr->data);
}

int my_thread_create(int (*proc)(void *), void *data) {
        struct thrunner *thr;
        ...
        thr->proc = proc;
        thr->data = data;
        pthread_create(..., thread_runner, thr, ... );
        ...
}

int main(int argc, char *argv[]) {

mysrand();
...
}

Same thing can be done for non threaded programs :

int main(int argc, char *argv[]) {

        mysrand();
        alloca(myrand(MAX_STKSHIFT));
        return real_main(argc, argv);
}

Yes, there's still the possibility that an attacker get lucky ( this get
lower increasing MAX_STKSHIFT ) and yes you waste some stack space. But,
oh well, it works w/out any kernel modification and it's portable on all
systems that have alloca().

- Davide

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Marc-Christian Petersen: "Re: [Announcement] "Exec Shield", new Linux security feature"
Previous message: Matthias Andree: "Re: [Announcement] "Exec Shield", new Linux security feature"
In reply to: Ingo Molnar: "[Announcement] "Exec Shield", new Linux security feature"
Next in thread: Arjan van de Ven: "Re: [Announcement] "Exec Shield", new Linux security feature"
Reply: Arjan van de Ven: "Re: [Announcement] "Exec Shield", new Linux security feature"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed May 07 2003 - 22:00:16 EST