Full Disclosure mailing list archives

Re: Linux Exec Shield (was: Linux (in)security)


From: Chris Ruvolo <chris+fulldisc () ruvolo net>
Date: Thu, 23 Oct 2003 13:23:33 -0700

On Thu, Oct 23, 2003 at 02:39:08PM +0200, Peter Busser wrote:
> > Speaking about kernel hardening, I was wondering if anyone on the list could
> > comment on Ingo Molnar's Exec Shield Linux kernel patches.

> You can find out the facts for yourself by running paxtest. Paxtest can be
> obtained from the PaX homepage at: http://pageexec.virtualave.net/. The
> latest version is v0.9.4, which should be available from there soon. In
> the meantime, you can download it from
> http://mail.adamantix.org/paxtest-0.9.4.tar.gz.

Peter, thanks for letting me know about this test.  Googling for "exec
shield paxtest" gives some results for comparison.  Indeed, Adamantix's
kernel appears less vulnerable.

Do you know if any of these protections also apply to non-x86 kernels?

> What I don't like about exec-shield, is that it is based on a few
> assumptions.  One of the assumptions is that stack overflows are only
> possible with ASCII data (which is what the ASCII-shield refers to). As if
> memcpy() to a buffer will never cause any overflows.

Yes.  But string buffer attacks are more common, no?  It's a good first step.

That said, if PaX/grsecurity uses the same methods, I'm not sure what the
benefit of Ingo's implementation is.

> The effectiveness remains to be seen. In the short term, using something like
> PaX is certainly effective, as can be seen here:
> http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
>
> 37 break ins in a year on normal Linux, 0 on a PaX kernel.

This kind of report makes me nervous.  What known remote exploits are there
against a Debian Woody box that has all of Debian's security updates?

> On the long term, people will probably find ways around it. But it should
> raise the bar and make it more difficult for some (but not all) remote
> exploits.

I hope so.  But not local exploits?

Thanks,
-Chris
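The point Peter raises about ASCII-shield above (that it assumes the overflow is written with string semantics) is easiest to see by running the same payload through a strcpy-style copy and a memcpy-style copy. The following is an added example, not code from the thread, from exec-shield or from paxtest. It assumes a hypothetical 32-bit little-endian frame layout (a 16-byte local buffer followed by the saved return address and one argument slot) and a hypothetical "armored" target address 0x00a1b2c3 whose high byte is zero, as addresses in the low 16 MB are; the frame is simulated in an ordinary array so nothing is actually corrupted.

```c
/* ascii_armor_demo.c - added example, not from the thread.
 * Simulates overwriting a stack frame through two copy primitives and
 * records how much of an attacker payload survives when the target
 * address contains a 0x00 byte, as low-memory ("ASCII-armor") addresses
 * do on 32-bit little-endian x86. Build: cc -Wall -o demo ascii_armor_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16                  /* hypothetical local buffer */
#define NSLOTS     2                   /* saved return address + one argument */
#define FRAME_SIZE (BUF_SIZE + NSLOTS * 4)

/* Hypothetical values chosen for the demo: a target address whose high
 * byte is 0x00 (armored region) and an all-printable argument value. */
#define ARMORED_ADDR 0x00a1b2c3u
#define ARG_VALUE    0x41414141u
#define FILL_BYTE    0xdd              /* marks frame bytes the copy never touched */

struct frame_result {
    uint32_t ret_slot;     /* what ended up where the return address lives */
    uint32_t arg_slot;     /* what ended up in the first argument slot */
    size_t   bytes_copied; /* how far into the frame the copy got */
};

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed payload: padding that fills the buffer, then the fake
 * return address, then the argument the hijacked call should receive. */
size_t build_payload(unsigned char *out) {
    memset(out, 'A', BUF_SIZE);
    put_le32(out + BUF_SIZE, ARMORED_ADDR);
    put_le32(out + BUF_SIZE + 4, ARG_VALUE);
    return FRAME_SIZE;
}

static struct frame_result read_back(const unsigned char *frame, size_t n) {
    struct frame_result r;
    r.ret_slot = get_le32(frame + BUF_SIZE);
    r.arg_slot = get_le32(frame + BUF_SIZE + 4);
    r.bytes_copied = n;
    return r;
}

/* Copy #1: string semantics (strcpy-style). The copy ends at the first
 * 0x00 in the source, so the zero byte inside ARMORED_ADDR terminates it. */
struct frame_result overflow_with_strcpy(const unsigned char *payload, size_t len) {
    unsigned char frame[FRAME_SIZE];
    size_t n = 0;
    memset(frame, FILL_BYTE, sizeof frame);
    while (n < len && n < sizeof frame && payload[n] != '\0') {
        frame[n] = payload[n];
        n++;
    }
    if (n < sizeof frame) frame[n++] = '\0';  /* strcpy also writes the terminator */
    return read_back(frame, n);
}

/* Copy #2: length-driven (memcpy-style). Zero bytes are just data here. */
struct frame_result overflow_with_memcpy(const unsigned char *payload, size_t len) {
    unsigned char frame[FRAME_SIZE];
    size_t n = len < sizeof frame ? len : sizeof frame;
    memset(frame, FILL_BYTE, sizeof frame);
    memcpy(frame, payload, n);
    return read_back(frame, n);
}

/* Convenience wrappers that run the constructed payload through each primitive. */
struct frame_result run_strcpy_case(void) {
    unsigned char p[FRAME_SIZE];
    size_t len = build_payload(p);
    return overflow_with_strcpy(p, len);
}
struct frame_result run_memcpy_case(void) {
    unsigned char p[FRAME_SIZE];
    size_t len = build_payload(p);
    return overflow_with_memcpy(p, len);
}

int main(void) {
    struct frame_result s = run_strcpy_case(), m = run_memcpy_case();
    printf("strcpy: ret=%08x arg=%08x copied=%zu\n", s.ret_slot, s.arg_slot, s.bytes_copied);
    printf("memcpy: ret=%08x arg=%08x copied=%zu\n", m.ret_slot, m.arg_slot, m.bytes_copied);
    return 0;
}
```

Two things fall out of this. With the string copy the armored address still lands in the return slot, because on little-endian the zero byte is the last byte of the address and strcpy writes it as the terminator; what the armoring prevents is anything after it, so the argument slot keeps its old contents and a chained return-into-libc call cannot be built. With the length-driven copy the whole payload, zero byte included, arrives intact, which is exactly the case the ASCII-shield assumption does not cover.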
