Home page logo

bugtraq logo Bugtraq mailing list archives

Announcing RSX - non exec stack/heap module
From: Paul Starzetz <paul () starzetz de>
Date: Wed, 06 Jun 2001 13:23:08 +0200

Hi folks,

I´m announcing a novell Linux kernel security module implementing
non-exec stack and non-exec heap. I think this is the first Linux module
providing non-exec heap areas. The project can be found at




Here a short description from the included Readme file:


1. Introduction

RSX is a Runtime addressSpace eXtender providing on-the fly code
remapping of existing Linux binaries in order to implement
non-executable stack as well as non-exec short/long heap areas. RSX
targets common buffer-overflow problems preventing code execution in
mapped data-only areas. Currently a 2.4.x version of the kernel module
is available.


3. How it works?

The Linux kernel implements a flat-memory modell under the assumption
logical address == virtual address. This basically means that the
code/data/stack segment selectors have the BASE filed set to 0x00000000
and the LIMIT field set to cover the whole 32bit address range.
Unfortunatelly the i386 hardware doesn't provide page-level execution
controll over memory regions. So implementing non-executable memory
areas relly heavily on segmentation. On common i386 Linux systems the
memory mapping looks somewhat like that:

0x08000000      program binary, text, bss, data
                        short heap
                        dynamic libs
                        dynamic libs bss, data

0x40000000      ld.so and its logical parts
                        long heap

0xbfffffff      growing downwards stack area
0xc0000000      unaccessible kernel pages

However, common ELF programms have predefined static mapping and will
never touch the segment registers cs, ds, es, fs, gs, ss. We now use the
following trick:

virtual_address_1 == base1 + offset1
virtual_address_2 == base2 + offset1

where virtual_address_1 is the address the binary has been compiled for,
virtual_address_2 is the address the binary will access if we change the
base1 (for example pointed by the cs register) to be base2. This
technique implies that at the resulting virtual_address_2 there will be
the same physical memory as at the virtual_address_1. This is the point
where we come in. Even if this technique may not work for some weird
binaries, experiments prove that it harmonizes with nearly 100% of
todays ELF binaries. 

Tecnically RSX provides on the fly page remapping as well as segment
descriptor exchanging for particular processes. In the default
configuration the remapping base is set to 0x50000000. This cause
problems with kernels configured to support 2 GB of RAM because the
physical RAM is mapped to the region beginning at 0x80000000. Different
workarounds are imaginable but I don't have the time at the moment to
support this. 


There are few things on my TODO list and I´m working on some
optimisation of the code. However, the module has been tested in the
wild and is working without any problems on about half dozen machines. 

Please send comments to paul () starzetz de


ps. I´m looking for a security developer position now.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]