Bugtraq mailing list archives

Re: announcing PaX


From: Marc Esipovich <marc () CORKY NET>
Date: Thu, 2 Nov 2000 05:18:07 +0200

 .------[ Dylan Griffiths wrote (Mon, Oct 30, 2000 at 12:19:30PM -0600) ]------
 |
 |  Voila. You didn't have to write any code, the _only_ thing you needed to
 |  know was where the library is loaded by default. And yes, it's
 |  library-specific, but hey, you just select one specific commonly used
 |  version to crash.
 |
 |  Suddenly you have a root shell on the system.
 |
 |  So it's not only doable, it's fairly trivial to do.
 |
 |  In short, anybody who thinks that the non-executable stack gives them any
 |  real security is very very much living in a dream world. It may catch a
 |  few attacks for old binaries that have security problems, but the basic
 |  problem is that the binaries allow you to overwrite their stacks. And if
 |  they allow that, then they allow the above exploit. "
 |
 |  And, let's not forget, this has been done before in Solar Designer's patch
 |  for Linux ( http://www.openwall.com/linux/ )
 |  " Non-executable user stack area
 `-------------------------------------------------

 This is very different from Solar Designer's non-exec *stack* patch;
this one gives you the power to set a *real* non-exec protection on any
region of memory, whether it is defined as stack, heap or data. Basically
anything that is not code can be non-executable too.

 Workarounds for GCC trampolines, signal handlers and related issues are of
course needed, since most of the areas are now made non-executable.

 Like others have noted, it is still possible to exploit buffer overruns;
however, it becomes more difficult.

 Again, this is *not* a non-exec stack patch; it does a lot more than that.
Read the document provided by the authors.

 bye,
        Marc.

--
marc @ corky.net

fingerprint = D1F0 5689 967F B87A 98EB  C64D 256A D6BF 80DE 6D3C

          /"\
          \ /     ASCII Ribbon Campaign
           X      Against HTML Mail
          / \
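The distinction Marc draws above is between an executable stack and data pages in general (heap, .data, mmap'd buffers) that are both writable and executable. A practical way to see whether a given process still carries such regions is to read its own memory map and flag every mapping whose permission field is W+X. The program below is an added example for this page, not code from the message or from the PaX project; it assumes a Linux system with `/proc/self/maps` available, and the sample map lines in the test are constructed.

```c
/* Added example (not part of the original message or of PaX): audit a
 * Linux process's own memory map for regions that are both writable and
 * executable, the combination that non-exec data-page protection such
 * as PaX is meant to eliminate.  Assumes Linux (/proc/self/maps). */
#include <stdio.h>
#include <string.h>

/* Parse the permission field of one /proc/self/maps line, e.g.
 *   "7ffd1c2e0000-7ffd1c301000 rwxp 00000000 00:00 0   [stack]"
 * Returns 1 if the mapping is both writable and executable (W+X),
 * 0 if it is not, and -1 if the line cannot be parsed.
 * The address range is matched as hex digit runs rather than parsed
 * into integers, so the check does not depend on sizeof(long). */
int maps_line_is_wx(const char *line)
{
    char perms[5];

    /* Line format: start-end perms offset dev inode [path] */
    if (sscanf(line, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %4s", perms) != 1)
        return -1;
    if (strlen(perms) != 4)
        return -1;
    /* perms is "rwxp"/"rwxs" style: [0]=read [1]=write [2]=exec [3]=shared */
    return (perms[1] == 'w' && perms[2] == 'x') ? 1 : 0;
}

/* Walk /proc/self/maps and count W+X mappings, reporting each one on
 * stderr.  Returns -1 if the file cannot be opened (non-Linux kernel or
 * a restricted /proc).  Very long path names are split across fgets()
 * calls; the continuation fragments fail to parse and are skipped. */
int count_wx_mappings(void)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    char line[512];
    int count = 0;

    if (fp == NULL)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (maps_line_is_wx(line) == 1) {
            count++;
            fprintf(stderr, "W+X mapping: %s", line);
        }
    }
    fclose(fp);
    return count;
}

int main(void)
{
    int n = count_wx_mappings();
    if (n < 0) {
        fprintf(stderr, "could not read /proc/self/maps\n");
        return 2;
    }
    printf("%d writable+executable mapping(s) in this process\n", n);
    /* A non-zero count means data can be written to a region and then
     * run from it, which is exactly what a non-exec data-page policy
     * removes; exit status 1 makes the audit usable from scripts. */
    return n != 0;
}
```

Running the binary on a kernel that enforces non-executable data pages should report zero W+X mappings; an executable stack (a `[stack]` line showing `rwxp`) or a `rwxp` anonymous region is what the audit is meant to surface.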
