Full Disclosure mailing list archives
Re: Buffer overflow prevention
From: Stephen Clowater <steve () stevesworld hopto org>
Date: Thu, 14 Aug 2003 16:24:07 -0300
On August 14, 2003 03:36 pm, you wrote:

> From: Stephen Clowater [mailto:steve () stevesworld hopto org]
> Sent: 14 August 2003 13:12
> Subject: Re: Buffer overflow prevention
>
> [SNIP]
>
> GRsecurity is a kernel patch which allows such things as random memalloc bases and random tcp stacks, as well as a non-executable stack if you can manage this (not to mention a utility to change the PaX flags for individual binaries that may need an executable stack). This would work much better because it doesn't need to be compiled into anything but the kernel. If you turn on GRsecurity's randomizations for memory addresses and tcp stacks (which I have tested, you can do this safely without breaking any software). If you do this, then an attacker trying to overflow a return address has a 1 in 2^32 chance of the exploit actually overflowing the address. You can do this and not have any impact on speed, and all of your software is protected with this level without having to recompile with a gcc flag.
>
> If I remember correctly, the GRsec patch is a single option in the kernel config. I heard about some problems induced by GRsec so I didn't compile it with the kernel. Is it possible to select different parts of the patch (like the random tcp stacks), independently of the rest of GRsec? Or, even
There are some problems with some applications with parts of the patch. For example, turning on the non-executable stack will break anything that uses an executable stack, i.e. X, Java, or Wine; now you can use chpax and give each of these a non-executable stack. There are also some problems with the way grsecurity gets a little too restrictive with things like restricting filesystems etc. All of these can be overcome; however, you need to do some magic to get some of these things to work, and frankly, some of it really isn't worth it.

There are several options inside the grsecurity patch that you can choose. What you can safely turn on in GRsecurity without breaking anything is:

- Address Space Protection
  - Address Space Layout Randomization
    - Randomize kernel stack base
    - Randomize user stack base
    - Randomize mmap() base
- Filesystem Protections
  Everything under this option is safe to include
- Kernel Auditing
  Everything under this option is safe to include
- Executable Protections
  Everything under this option is safe to include except:
  - Partially restrict non-root users
- Network Protections
  Everything under this option is safe to include
- Sysctl support
  This is useful to enable, but not necessary

Compile everything statically and you should be fine. I have tested this on production servers and desktop boxes en masse, and it's come out fine for x86 and SPARC. I haven't tried it on PPC, but for the most part it is safe, and it is also safe for production environments.
> it shouldn't cause a problem on a production server?
In Gentoo, gentoo-sources is a very nice package; it already has grsecurity patched properly for you, and you may want to include POSIX ACLs and the crypto-loop stuff. Mount your filesystems with -o acl,user_xattr and merge acl, and you can use setfacl and getfacl to set/view control lists on each individual file in your filesystems (after you include POSIX ACL lists).

Stephen Clowater
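A way to check whether the user stack and mmap() base randomization discussed above is actually in effect on a box, as an added example that is not part of Stephen's mail or of the grsecurity project: it execs a few fresh processes and counts how many distinct start addresses /proc/self/maps reports for a mapping. It assumes a Linux /proc and uses the libc mapping as a stand-in for the mmap() base; the sample count of 8 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the mail or grsecurity): sample the start address
# of a mapping from several freshly exec'd processes and count how many
# distinct values appear. With stack/mmap base randomization on, fresh
# images land at different addresses; with it off, every sample matches.
# Assumes a Linux /proc; awk reads its own /proc/self/maps, and each awk
# invocation is a new exec, so each call here is an independent sample.

# Print the start address of the first mapping whose line contains $1
# (fixed-string match, so "[stack]" is not treated as a regex class).
sample_base() {
    awk -v name="$1" 'index($0, name) > 0 { split($1, a, "-"); print a[1]; exit }' \
        /proc/self/maps
}

# Count distinct lines on stdin.
count_distinct() {
    sort -u | wc -l | tr -d ' '
}

# Take $2 samples of mapping $1 and print the number of distinct bases seen.
distinct_bases() {
    i=0
    while [ "$i" -lt "$2" ]; do
        sample_base "$1"
        i=$((i + 1))
    done | count_distinct
}

# Turn a distinct-count into a verdict: a single value over many fresh
# processes means the base is fixed and offers no randomization at all.
verdict() {
    if [ "$1" -eq 0 ]; then echo "mapping not found"
    elif [ "$1" -gt 1 ]; then echo randomized
    else echo fixed; fi
}

main() {
    if [ ! -r /proc/self/maps ]; then
        echo "no /proc/self/maps here; cannot sample" >&2
        return 1
    fi
    samples=8
    # "[stack]" is the user stack; the libc mapping stands in for the mmap()
    # base, since shared libraries are placed there by the loader.
    for m in "[stack]" libc; do
        n=$(distinct_bases "$m" "$samples")
        echo "$m: $n distinct base(s) in $samples runs -> $(verdict "$n")"
    done
}

main
```

A "fixed" verdict on a kernel that is supposed to have the randomization options enabled is worth investigating; a statically linked awk will report "mapping not found" for libc, in which case pick another shared library that the sampled process maps.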