From: chris+fulldisc at ruvolo.net (Chris Ruvolo)
Subject: Re: Linux Exec Shield (was: Linux (in)security)

On Thu, Oct 23, 2003 at 02:39:08PM +0200, Peter Busser wrote:
> > Speaking about kernel hardening, I was wondering if anyone on the list could
> > comment on Ingo Molnar's Exec Shield Linux kernel patches.
> 
> You can find out the facts for yourself by running paxtest. Paxtest can be
> obtained from the PaX homepage at: http://pageexec.virtualave.net/. The
> latest version is v0.9.4, which should be available from there soon. In
> the meantime, you can download it from
> http://mail.adamantix.org/paxtest-0.9.4.tar.gz.

Peter, thanks for letting me know about this test.  Googling for "exec
shield paxtest" gives some results for comparison.  Indeed, Adamantix's
kernel appears less vulnerable.

Do you know if any of these protections also apply to non-x86 kernels?

> What I don't like about exec-shield, is that it is based on a few
> assumptions.  One of the assumptions is that stack overflows are only
> possible with ASCII data (which is what the ASCII-shield refers to). As if
> memcpy() to a buffer will never cause any overflows. 

Yes.  But string buffer attacks are more common, no?  It's a good first step.

That said, if PaX/grsecurity uses the same methods, I'm not sure what the
benefit of Ingo's implementation is.

> The effectiveness remains to be seen. In the short term, using something like
> PaX is certainly effective, as can be seen here:
> http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
> 
> 37 break ins in a year on normal Linux, 0 on a PaX kernel.

This kind of report makes me nervous.  What known remote exploits are there
against a Debian Woody box that has all of Debian's security updates?

> On the long term, people will probably find ways around it. But it should
> raise the bar and make it more difficult for some (but not all) remote
> exploits.

I hope so.  But not local exploits?

Thanks,
-Chris