Date:      Sun, 15 Dec 1996 09:01:41 +1100 (EST)
From:      proff@suburbia.net
To:        jdowdal@destiny.erols.com (John Dowdal)
Cc:        steve@edmweb.com, hackers@freebsd.org, security@freebsd.org
Subject:   Re: questions...
Message-ID:  <19961214220141.6371.qmail@suburbia.net>
In-Reply-To: <Pine.BSI.3.95.961214162415.20730A-100000@destiny.erols.com> from John Dowdal at "Dec 14, 96 04:28:36 pm"

> On Sun, 15 Dec 1996 proff@suburbia.net wrote:
> 
> > Unfortunately this isn't a total cure, because there are 1001 stack overflows
> > in NON-suid programs.
> 
> So what.  The programs will just core dump if they stack overflow, else
> just not work right.  Since they are not SUID and not run as root [inetd,
> ...], they won't be able to get root if they blow up.
> 
> John
> 
> 

You miss the point. There are kernel level bugs, and bugs in
suid programs often require executable trigger code.  The design
goal behind the file system layout I presented is to prevent
execution of any attacker-designed code. This is not possible due
to stack over-write conditions in NON-suid programs.

Decent MMUs, such as are found on Alpha CPUs, have real PROT_EXEC
memory protections, which are turned off for the stack segment. It
is still possible to exploit stack over-flows as the pc is usurpable.
Finding existing code to point it to that will achieve your ends,
however, is very difficult. Which reminds me. Several MMU changes
were introduced with the P6 including 2Mb pages and 36 bit addressing
modes. Has anyone verified that real exec protections didn't also
make their way in? I don't know much about P5/P6 hardware
break-point/watch support, but I can't help wondering if it will
take ranges, rather than just fixed locations, and for exec
instead of r/w. Can someone who knows more about the P5/6
enhancements than myself comment?

Note that SunOS 4.1.x is not vulnerable to noexec subversion by
LD_PRELOADing, as mmaps of PROT_EXEC fail on noexec file systems.
I haven't examined FreeBSD's vm system in this regard, but clearly
the Sun behaviour is correct, as is refusing mprotect() changes to
fds on noexec vnodes.

btw (dyson?) are union mounts working correctly yet? Seems like the
ideal solution for ro file systems with site modifications.

-Julian A. (proff@suburbia.net)
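A probe for the noexec semantics this message argues for (both an mmap with PROT_EXEC and a later mprotect() upgrade to PROT_EXEC should be refused for a file on a noexec mount), added here as an example and not code from the thread; it assumes a Linux-like mmap/mprotect interface and uses the constructed default path /tmp/noexec_probe.

```c
/* Added example, not from the original thread: probe whether this kernel enforces the
 * noexec semantics described above. The default path /tmp/noexec_probe is constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a small file so the probes have something to map; returns 0 on success. */
int write_probe_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, "noexec probe\n", 13) == 13;
    close(fd);
    return ok ? 0 : -1;
}

/* Map the file with initial_prot and, if upgrade is set, try to add PROT_EXEC via
 * mprotect(). Returns 0 if execute permission was granted, the errno reported if it
 * was refused (Linux: EPERM from mmap, EACCES from mprotect), or -1 if unmappable. */
static int probe(const char *path, int initial_prot, int upgrade)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size == 0) { close(fd); return -1; }
    size_t len = (size_t)st.st_size;
    void *p = mmap(NULL, len, initial_prot, MAP_PRIVATE, fd, 0);
    int rc = (p == MAP_FAILED) ? (upgrade ? -1 : errno) : 0; /* read errno before close() */
    close(fd);
    if (p == MAP_FAILED) return rc;
    if (upgrade && mprotect(p, len, PROT_READ | PROT_EXEC) != 0) rc = errno;
    munmap(p, len);
    return rc;
}

/* The direct question (may the file be mapped with PROT_EXEC at all?) and the
 * mprotect() route that the post says a correct VM system must also refuse. */
int probe_mmap_exec(const char *path) { return probe(path, PROT_READ | PROT_EXEC, 0); }
int probe_mprotect_exec(const char *path) { return probe(path, PROT_READ, 1); }
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/noexec_probe";
    if (argc <= 1 && write_probe_file(path) != 0) return 1;
    printf("mmap PROT_EXEC rc=%d, mprotect +PROT_EXEC rc=%d (0 = allowed, >0 = errno)\n",
           probe_mmap_exec(path), probe_mprotect_exec(path));
    return 0;
}
```

Run it with a path on the mount you want to audit; a mount that reports 0 for either probe is one on which noexec can be subverted in the way the message describes.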