Bugtraq mailing list archives
Re: Announcing RSX - non exec stack/heap module
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 07 Jun 2001 12:22:40 -0700
Paul Starzetz wrote:
> One doesn't even need code in the libc. There may also be code in regular code 'segments' mmapped from the binary valuable for jumping into them.
True. "libc" is just the common point of reference, because nearly all programs link to it, so it's assured to be there.
> However it is possible to develop a defense against jumping into libc code if the performance is not the most important thing. It is not very hard to mmap the libc code as a non-executable area into main memory. After the regular program code jumps into some libc function, we can check in the gp() handler if the gp fault resulted from jumping into the libc area by a ret (the target address should still be on the stack) or by a regular call/jmp instruction.
That's an interesting idea, but the performance penalty will be substantial. You will pay for (at least) two system calls per library call. In early StackGuard research, we experimented with hardware protection methods that imposed 2 syscalls per function call, and the overhead was between 500% and 10,000%, which just isn't realistic for production use.
> Of course this again doesn't protect against function-pointer overflows but on the other hand eliminates again 90% of the potential vulnerabilities. But can there be a 100% protection at all?
There can be 100% protection for limited threat models. Consumers of a technology need to evaluate whether the threat model matches their needs.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
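The "two system calls per library call" cost discussed in this message can be measured with a small user-space model. This is an added example, not code from the thread, RSX or StackGuard; `lib_func`, the scratch page and the use of `mprotect()` as the two per-call syscalls are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for a cheap library routine. */
static int lib_func(int x) { return x + 1; }
/* volatile pointer: forces a real indirect call on every iteration. */
static int (*volatile call_lib)(int) = lib_func;

static double now_sec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Time n calls. When guarded is set, every call is bracketed by two
 * mprotect() syscalls on a scratch page (assumed model of "open the
 * protected region, call, close it again"). Returns seconds, -1 on error. */
double time_calls(long n, int guarded, long *sum_out) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *region = mmap(NULL, page, PROT_NONE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1.0;
    long sum = 0;
    double start = now_sec();
    for (long i = 0; i < n; i++) {
        if (guarded && mprotect(region, page, PROT_READ) != 0) return -1.0;
        sum += call_lib((int)(i & 0xff));
        if (guarded && mprotect(region, page, PROT_NONE) != 0) return -1.0;
    }
    double elapsed = now_sec() - start;
    munmap(region, page);
    *sum_out = sum;
    return elapsed;
}

int main(void) {
    long s1 = 0, s2 = 0, n = 200000;
    double plain = time_calls(n, 0, &s1);
    double guarded = time_calls(n, 1, &s2);
    if (plain <= 0.0 || guarded <= 0.0) return 1;
    printf("plain %.6fs  guarded %.6fs  overhead %.0f%%\n",
           plain, guarded, (guarded - plain) / plain * 100.0);
    return 0;
}
```

The printed overhead depends on the kernel and hardware, and it shrinks as the work done inside each library call grows.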