lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040120011334.J17455@dekadens.coredump.cx>
From: lcamtuf at coredump.cx (Michal Zalewski)
Subject: Re: January 15 is Personal Firewall Day, help
 the cause 

On Mon, 19 Jan 2004 Valdis.Kletnieks@...edu wrote:

> Well, if you consider noexec to be a feature, the /lib/ld-linux trick
> was a bug in it.

No, ld-linux functionality is not a bug in noexec. It simply is a
userspace feature of the linker. The feature is deliberate and extremely
useful in a couple of legitimate tasks.

Noexec is also a feature, but one that, with the way unix is designed, is
generally quite easy to bypass, with interpreters and various loaders,
memory corruption bugs in unprivileged applications, etc. There is simply
no way to guarantee a piece of memory that is read from a source that is
ought to be non-executable will never be executed, and since the
environment is not monolithic and consists of thousands of programs
written using different styles and skillsets, it is very difficult to
control all attack vectors at once - that is, unless you spend a
considerable amount of time creating an environment that is a very limited
subset of standard components - but then, if you just want your users to
run lynx and pine, you should reconsider the need to give shell access
with arbitrary execve() capabilities in the first place.

I said that noexec is badly broken because, with the way it is most
commonly used, it does not make the task of executing an arbitrary program
any more difficult. Quite the opposite, gives many sysadms a false sense
of security, and makes them implement more relaxed user accounting
mechanisms.

Trying to render noexec environment truly non-executable is just as
practical as spending your time to create an environment where the
attacker has no way to create an executable file to start with - you
either remove almost everything from the environment (see above: you might
be better off not providing real shell at all), or must check so many
possibilities you are almost guaranteed to overlook something - and the
efforts to audit and analyze capabilities of unprivileged userspace
applications on Linux are still not even nearing the end.

> + if ((prot & PROT_EXEC) && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC)) +
> return -EPERM; + }

I (personally, and quite subjectively) think it's a silly way to address
the issue. The glibc linker happens to be working this way at the moment
(mapping input file with PROT_EXEC), but not all linkers can be reasonably
expected to do it the same way all the time [1]. On the other hand, if
some silly program passes PROT_EXEC to mmap on the input file, even though
it does not really need it, it will suddenly break on noexec partition. I
recall seeing several (admittably, less popular) apps doing this.

So, I would imagine a patch that is supposed to be a kludge to solve a
very specific case in a single piece of software ought to be put in this
software, not in kernel, and not when things may break - especially
since, should a minor change in glibc or some replacement set of
libraries alter the linking procedure, people would be exposed with no
warning. I am not saying it has to be done in libc, but if we decide to
tweak kernel, it might be more reasonable to find a better way.

On the other hand, I am just whining for no good reason - I do not think
this change is going to make my life any more difficult, nor do I have the
inclination to suggest a better solution, implement it and have it merged
with the sources, so take all this with a grain of salt ;-)

[1] One might map the file with PROT_READ to validate the executable, and
remap it with PROT_EXEC later on (sounds a more secure, actually); or read
the file into an anonymous map instead, if some environment flag is set;
and so on. I would not be shocked if some linker decides to do it at some
point.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-01-20 01:13 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ