Re: Unexecutable Stack / Buffer Overflow Exploits...

Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Mon, 3 Jan 2000 09:45:40 -0600 (CST)

From: Horst von Brand <vonbrand@sleipnir.valparaiso.cl>
>
> "Jakma, Paul" <Paul.Jakma@compaq.com> said:
>
> [...]
>
> > Let's look at your argument:
> >
> > Given: we have a process with an exploitable buffer overflow.

Let me insert a slight modification -

Given: we have a process which may or may not have an exploitable buffer
overflow.
>
> And a fix for said bug. What is better: Paper over the bug, creating a DoS
> in the process, or fix the bug?

First, detect the potential bug. After detection you actually have a bug.

> > Case A, stack is executable: your process stays up despite buffer overflows,
> > and crackers silently get root on your machine.

ie. you don't detect the bug...

> > Case B, stack is non-executable: your process dies. Crackers don't get root.
> > Your log screams at you that your process has security problems.

And now you know that a bug exists. Doesn't matter wether or not the bug
is detected during testing or in production. At least it has been detected.

> Case C, stack nonexecutable deosn't matter: Process is cracked. Continue as
> (A), just sysadmin feeles secure
>
> > And you are saying you prefer Case A? Wow..
>
> C isn't any better than A...
>

C will occur much less often since B can be used to detect the/a buffer
overflow will be detected during testing/acceptance/production.

> > In an ideal world people would write good code, and we could allow the stack
> > to be executable. But it's not an ideal world, and admin's don't have the
> > time to audit every daemon they run.
>
> In the real world, daemons get written carefully and are audited. If they
> aren't, there are plenty of other attacks available (stack smashing is just
> _one_ way to take advantage of a poorly written program).

The do get tested.. but without the ability to deny stack execution, you
may not detect the failure.

>
> > IMO non-exe stack should be a compile option, so that those who need/like
> > paranoid setups can have that small extra bit of security. Granted, most
> > people don't need it, and most people shouldn't use it. And support for
> > various trampoline formats should be kept to a minimum. But it should be an
> > option.
>
> Get the patch and apply it. I prefer not to rely on papering over the
> holes.

I would prefer to have the option to detect A.

If I am not permitted to reject the program just because it has a stack
exploit, I need the ability to at least reduce the chance of case A and
case C.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/