Re: Announcing RSX - non exec stack/heap module
From: Crispin Cowan <crispin () wirex com>
Date: Wed, 06 Jun 2001 12:16:54 -0700
Paul Starzetz wrote:
> I'm announcing a novel Linux kernel security module implementing
> non-exec stack and non-exec heap. I think this is the first Linux module
> providing non-exec heap areas.
It's not the first. This Oct. 28/2000 Bugtraq post
http://www.securityfocus.com/archive/1/141901 announces "PAX"
http://pageexec.virtualave.net/ which also provides a non-executable heap.
Then there is the ensuing discussion over the relative merits of this and
various other forms of buffer overflow defense in these threads:
Summary of my personal view only:
* non-executable segments do add some security value
* non-executable segments are arguably an obscurity defense, because
attacks exploiting overflow vulnerabilities that are stopped by
non-executable segments can always be re-worked to be "return into
libc" style attacks that bypass the non-executable segment by pointing
directly at code in the code segment
* this obscurity defense arguably has value, because writing
return-into-libc exploits is hard, and hard to make scriptable,
because the offsets are fussy
Folks unfamiliar with this area should probably read my survey paper that
compares various buffer overflow defenses
> Technically RSX provides on the fly page remapping as well as segment
> descriptor exchanging for particular processes. In the default
> configuration the remapping base is set to 0x50000000. This causes
> problems with kernels configured to support 2 GB of RAM because the
> physical RAM is mapped to the region beginning at 0x80000000. Different
> workarounds are imaginable but I don't have the time at the moment to
It would appear at first glance that RSX uses the same technique as PAX.
Naturally, the PAX and RSX teams should confer to make a definitive
statement on similarities and differences.
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com//Products/Immunix/purchase.html
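As an added example (my own code, not part of this thread nor of RSX or PAX): a small C program that reads its own /proc/self/maps and reports whether the [stack] and [heap] mappings carry the x bit, which is exactly the bit a non-exec stack/heap module is meant to clear. It assumes a Linux host whose maps file labels those regions "[stack]" and "[heap]"; the parsing helper is mine and the sample it is checked against is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the mapping named `region` (e.g. "[stack]" or "[heap]") is
 * executable, 0 if it is mapped without the x bit, -1 if it is not present.
 * `maps` holds the text of a /proc/<pid>/maps file. */
int region_is_exec(const char *maps, const char *region)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* Each line: start-end perms offset dev inode [pathname] */
        unsigned long start, end;
        char perms[5] = "";
        char path[256] = "";
        int n = sscanf(buf, "%lx-%lx %4s %*s %*s %*s %255s",
                       &start, &end, perms, path);
        if (n >= 4 && strcmp(path, region) == 0)
            return perms[2] == 'x';   /* perms is "rwxp"-style: index 2 is x */
        if (!nl)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Read this process's own map table and report stack/heap executability. */
int main(void)
{
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    size_t got = fread(maps, 1, sizeof maps - 1, f);
    fclose(f);
    maps[got] = '\0';
    const char *names[] = { "[stack]", "[heap]" };
    for (int i = 0; i < 2; i++) {
        int r = region_is_exec(maps, names[i]);
        printf("%-7s %s\n", names[i],
               r < 0 ? "not mapped" : r ? "EXECUTABLE" : "non-exec");
    }
    return 0;
}
```

On a kernel without a non-exec stack patch the [stack] line typically shows "rwxp"; with PAX/RSX-style protection in effect it shows "rw-p".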