Re: [Announcement] "Exec Shield", new Linux security feature

From: Valdis.Kletnieks@vt.edu
Date: Sat May 03 2003 - 18:00:30 EST


On Sat, 03 May 2003 13:19:52 -0000, linux@horizon.com said:

> An interesting question arises: is the number of useful interpreter
> functions (system, popen, exec*) sufficiently low that they could be
> removed from libc.so entirely and only statically linked, so processes
> that didn't use them wouldn't even have them in their address space,
> and ones that did would have them at less predictable addresses?
>
> Right now, I'm thinking only of functions that end up calling execve();
> are there any other sufficiently powerful interpreters hiding in common
> system libraries? regexec()?

This does absolutely nothing to stop an exploit from providing its own
inline version of execve(). There's nothing in libc that a process can't
do itself, inline.

A better bet is using an LSM module that prohibits exec() calls from any
unauthorized combinations of running program/user/etc.



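The point made in the reply, that enforcement has to sit in the kernel because libc is only a convenience wrapper, shown as an added example that is not part of the original message. It uses a seccomp filter as a stand-in for the LSM policy the reply suggests (a different kernel mechanism, chosen because it needs no kernel module); the function names and the `/bin/true` target are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Install a seccomp filter: execve -> EPERM, every other syscall allowed.
 * A production filter would also check seccomp_data.arch and cover execveat. */
static int deny_execve(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_execve, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, apply the filter there, try to exec, and return the errno the
 * child saw. use_raw = 0 goes through libc's execve(); 1 bypasses the wrapper. */
int exec_errno_under_filter(int use_raw)
{
    char *argv[] = { "true", NULL }, *envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_execve() != 0) _exit(255);      /* seccomp unavailable */
        if (use_raw) syscall(SYS_execve, "/bin/true", argv, envp);
        else execve("/bin/true", argv, envp);
        _exit(errno);                            /* reached only if exec was refused */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("libc execve():       errno %d\n", exec_errno_under_filter(0));
    printf("raw syscall execve:  errno %d\n", exec_errno_under_filter(1));
    return 0;
}
```

Both paths are refused with the same error because the check runs at the system-call boundary, which is the property a libc-only change cannot provide.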


