From owner-freebsd-hackers Tue Aug 25 11:13:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA07374 for freebsd-hackers-outgoing; Tue, 25 Aug 1998 11:13:15 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from mail.camalott.com ([208.203.140.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA07369 for ; Tue, 25 Aug 1998 11:13:12 -0700 (PDT) (envelope-from joelh@gnu.org)
Received: from detlev.UUCP (tex-111.camalott.com [208.229.74.111]) by mail.camalott.com (8.8.7/8.8.5) with ESMTP id NAA31189; Tue, 25 Aug 1998 13:13:54 -0500
Received: (from joelh@localhost) by detlev.UUCP (8.9.1/8.9.1) id NAA00561; Tue, 25 Aug 1998 13:11:44 -0500 (CDT) (envelope-from joelh)
Date: Tue, 25 Aug 1998 13:11:44 -0500 (CDT)
Message-Id: <199808251811.NAA00561@detlev.UUCP>
To: rotel@indigo.ie
CC: dyson@iquest.net, imp@village.org, dkelly@hiwaay.net, rabtter@aye.net, hackers@FreeBSD.ORG
In-reply-to: <199808242136.WAA00657@indigo.ie> (message from Niall Smart on Mon, 24 Aug 1998 22:36:24 +0000)
Subject: Re: I want to break binary compatibility.
From: Joel Ray Holveck
Reply-to: joelh@gnu.org
References: <199808242136.WAA00657@indigo.ie>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>> Try modifying your system so that one of the flags bits is required to
>> run a program. It would then require both the flags bit and the executable
>> bit. Make sure the system cannot allow anyone but root to set the chosen
>> flags bit. Maybe you could use the immutable flag for this, so that you
>> get theoretical immutability along with the ability to run code. You
>> might want to relax the restriction for root, but maybe not (depending
>> on how your admin scheme is set up.)

> None of these hacks achieve security. You, of all people, should
> know better. The original poster should figure out how they are
> breaking in and close the hole; obfuscation schemes like the above
> are a waste of time.
Actually, Dyson's idea is the only one I've seen so far that is actual security instead of obfuscation; that is, it is the only suggestion that makes it (theoretically) impossible for an intruder to generate (and run) an arbitrary executable. The others just make the file difficult to generate, and also require things like custom cross-compilers.

However, Dyson forgot another modification that must go along with this: ld.so must also be modified to ignore most environment variables. Otherwise, it would be trivial to execute arbitrary bits of code.

Something in the back of my mind says that there's still one more hole dealing with mmap, but I can't place it right now. Then again, I'm running on four hours of sleep I got in a truck stop parking lot.

Best,
joelh

--
Joel Ray Holveck - joelh@gnu.org - http://www.wp.com/piquan
Fourth law of programming: Anything that can go wrong wi
sendmail: segmentation violation - core dumped