| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Apr 13 10:23:18 2005 From: pageexec at freemail.hu (pageexec@...email.hu) Subject: linux bugs (survival stories)? > Now this, unlike the /lib/ld-linux.so hack, is a still-existing issue. it's not just 'an issue', it makes the whole exercise pointless, that's The Issue. that is, if someone has the capability to write to a noexec mount (and only noexec mounts of course, else this whole scenario is irrelevant), then he can easily circumvent the current linux noexec handling - what's the point then? > However, this is getting rather far afield, because: > > 1) This is quite arguably a "design decision" rather than an outright bug. depends on what the original 'design' was. if it wanted to close the ld-linux.so method, then it's fine because it does that. if it wanted to actually enforce the noexec mount option then it's not fine because it doesn't do that. you and many other people have been selling this feature as the latter, not the former, whereas the current mount manpage clearly states that it's the former only (inasmuch 'direct execution' means 'mmap' there, the manpage could be more clear on this so that people don't mistake it for proper noexec enforcement). > 2) Whether it's a bug or not, it only impacts userspace security - and we not quite, because exploiting a kernel bug requires, well, an exploit and if you already have control over runtime code generation (PaX) then the only other intrusion vector will be through the filesystem, that's where the noexec mount option can play a role in prevention. obviously it's a very coarse grained control mechanism, but i can imagine that in some situations it's useful (else the whole noexec option wouldn't need to exist ;-), provided it actually does its advertized job. > started off discussing protecting the kernel itself from kernel bugs.... ok, let's talk about it a bit then as well. first, the exact topic was about the value of defense mechanisms against kernel bugs, the OP didn't specify whether he was interested in the userland or the kernel impact of them (the answers are a bit different). let's see the userland impact: since in the UNIX model the kernel itself is considered the trusted computing base (actually, it's more than that, but let's no diverge), any (memory corruption) bug in there can naturally compromise at least the userland privilege info, so escalating userland privileges is a given and it's very hard to directly protect against that, i'd say 'impossible' for practical purposes (note 'directly' here, by that i mean "allow the bug to manifest (say an overflow) but still prevent exploitation"). on the other hand we can try to prevent exploitation in indirect ways, but their actual value/feasibility depends on the circumstances, they're not generic. one such approach is to enforce W^X over the filesystem (in addition to doing it on process memory) for a given (otherwise unprivileged) user, then you can at least prevent the execution of machine code (it's another question if that's enough to prevent exploitation, it again depends on the circumstances). obviously if we have to allow untrusted users to generate (and run) executable code on the machine (which i guess is the more common real life scenario), then we lose, we can at most detect a successful intrusion after the fact. onto the kernel impact of kernel bugs: just like for the userland case, the kernel's (writable) data cannot be protected reliably (and efficiently), so if an intrusion can achieve its objectives by mere data modification, then we lose. on the other hand it's possible to protect the kernel's code, that is, we can prevent direct machine code execution in the kernel (an incomplete but already useful example would be PaX's KERNEXEC, which contrary to your statement does not address userspace bugs but those of the kernel). > (Not that I'm adverse to a thread on "what the kernel could do to harden > userspace" - but somebody needs to change the Subject: line if we go that way...) hey, it's not like i started to divert it ;-), it's just that you said that "The last really big "trivial" issue with bypassing noexec on mounted filesystems was closed" whereas it's simply not true, better not spread this.
Powered by blists - more mailing lists