Bugtraq mailing list archives

Re: Announcing RSX - non exec stack/heap module
From: Crispin Cowan <crispin () wirex com>
Date: Wed, 06 Jun 2001 12:16:54 -0700

Paul Starzetz wrote:

> Hi folks,
>
> I'm announcing a novel Linux kernel security module implementing
> non-exec stack and non-exec heap. I think this is the first Linux module
> providing non-exec heap areas.

It's not the first. This Oct. 28/2000 Bugtraq post
http://www.securityfocus.com/archive/1/141901 announces "PAX"
http://pageexec.virtualave.net/ which also provides a non-executable heap
segment.

Then there is the ensuing discussion over the relative merits of this and
various other forms of buffer overflow defense in these threads:

   * http://www.securityfocus.com/archive/1/142819
   * http://www.securityfocus.com/archive/1/141980
   * http://www.securityfocus.com/archive/1/142688

Summary of my personal view only:

   * non-executable segments do add some security value
   * non-executable segments are arguably an obscurity defense, because
     attacks exploiting overflow vulnerabilities that are stopped by
     non-executable segments can always be re-worked to be "return into
     libc" style attacks that bypass the non-executable segment by pointing
     directly at code in the code segment
   * this obscurity defense arguably has value, because writing
     return-into-libc exploits is hard, and hard to make scriptable,
     because the offsets are fussy

Folks unfamiliar with this area should probably read my survey paper that
compares various buffer overflow defenses
http://immunix.org/StackGuard/discex00.pdf


> Technically RSX provides on the fly page remapping as well as segment
> descriptor exchanging for particular processes. In the default
> configuration the remapping base is set to 0x50000000. This causes
> problems with kernels configured to support 2 GB of RAM because the
> physical RAM is mapped to the region beginning at 0x80000000. Different
> workarounds are imaginable but I don't have the time at the moment to
> support this.

It would appear at first glance that RSX uses the same technique as PAX.
Naturally, the PAX and RSX teams should confer to make a definitive
statement on similarities and differences.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com//Products/Immunix/purchase.html
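Added example, not part of Crispin's post and not code from RSX or PAX: a small C program that scans a /proc/<pid>/maps listing and reports whether the stack, the heap, or any anonymous mapping is both writable and executable, which is the property a non-exec stack/heap module is meant to remove. It assumes the modern Linux maps format with [stack] and [heap] labels (the 2.4 kernels of this thread's era did not label them), and the two sample listings are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning a maps listing.
 * stack_exec / heap_exec: 1 if that mapping carries 'x', 0 if not,
 * -1 if no such mapping was seen. anon_exec counts anonymous mappings
 * (no path) that are both writable and executable. */
struct nx_report {
    int stack_exec;
    int heap_exec;
    int anon_exec;
};

/* Classify one maps line such as
 *   "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]"
 * Fields: address range, permissions, offset, device, inode, optional path.
 * Returns 0 if the line parsed, -1 otherwise. */
static int classify_line(const char *line, struct nx_report *r)
{
    char perms[5];
    char path[256] = "";
    int n = sscanf(line, "%*lx-%*lx %4s %*s %*s %*s %255s", perms, path);
    if (n < 1 || strlen(perms) < 4)
        return -1;
    int writable = perms[1] == 'w';
    int executable = perms[2] == 'x';
    if (strcmp(path, "[stack]") == 0)
        r->stack_exec = executable;
    else if (strcmp(path, "[heap]") == 0)
        r->heap_exec = executable;
    else if (n == 1 && writable && executable)
        r->anon_exec++;              /* anonymous W+X mapping */
    return 0;
}

/* Scan a complete maps listing held in memory (one mapping per line). */
struct nx_report scan_maps_text(const char *text)
{
    struct nx_report r = { -1, -1, 0 };
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        classify_line(line, &r);
        p = nl ? nl + 1 : p + len;
    }
    return r;
}

/* Scan the running process's own mappings. Returns {-1,-1,0} when
 * /proc is unavailable (e.g. on a non-Linux system). */
struct nx_report scan_self_maps(void)
{
    struct nx_report r = { -1, -1, 0 };
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return r;
    char line[512];
    while (fgets(line, sizeof line, f))
        classify_line(line, &r);
    fclose(f);
    return r;
}

/* 1 if stack and heap were both seen and are non-executable and no
 * anonymous W+X mapping exists, else 0. */
int report_is_hardened(struct nx_report r)
{
    return r.stack_exec == 0 && r.heap_exec == 0 && r.anon_exec == 0;
}

/* Constructed sample: a process with executable heap and stack plus one
 * anonymous rwx mapping (the pre-NX layout this thread discusses). */
const char *SAMPLE_EXEC_STACK =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /usr/bin/example\n"
    "0804c000-0804d000 rw-p 00003000 03:01 12345      /usr/bin/example\n"
    "0804d000-08052000 rwxp 00000000 00:00 0          [heap]\n"
    "40000000-40015000 r-xp 00000000 03:01 67890      /lib/ld-2.2.so\n"
    "40015000-40016000 rwxp 00000000 00:00 0\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

/* Constructed sample: the same process with non-exec heap and stack. */
const char *SAMPLE_NX =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /usr/bin/example\n"
    "0804d000-08052000 rw-p 00000000 00:00 0          [heap]\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

int main(void)
{
    struct nx_report r = scan_self_maps();
    printf("this process: stack_exec=%d heap_exec=%d anon W+X=%d hardened=%d\n",
           r.stack_exec, r.heap_exec, r.anon_exec, report_is_hardened(r));
    return 0;
}
```

Run it on a machine with and without a non-exec stack/heap policy to see the difference; the parser also accepts a saved maps file, so listings from other hosts can be checked offline. Note that a clean report only says the data segments are non-executable, which, as the summary above explains, does not by itself rule out return-into-libc style attacks that use existing code pages.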

