kernel modules security + Re: Unexecutable Stack / Buffer Overflow Exploits...

Gabor Lenart (lgb@oxygene.terra.vein.hu)
Wed, 5 Jan 2000 10:35:37 +0100


On Tue, Jan 04, 2000 at 06:26:01PM +0000, Matija Nalis wrote:
> I do not. As soon as it is in Linus Linux kernel, it is mainstream. As soon
> as it is mainstream, most cracks will include this fact and target against
> non-exec stack feature. So soon, no exploits will be against executable
> stack but against non-exec stack (since they get bigger hit that way, and it
> is no more difficult to code), and you will have an ugly and completely
> useless kludge (one which makes problems with some perfectly valid userspace
> code, BTW) in kernel.
>
> Eg. it gives you (some) additional security ONLY as long as it is NOT in
> mainstream kernel. Same kind of security as moving from i386 to Sparc
> architecture, for example. I use 'better security' in sense 'smaller number
> of successful attacks by random script kiddies' here, BTW.

So don't make the system more secure (or don't release the source, let's
make closed source OSes) because if it becomes common it will be
exploitable ? :)

There is _NO_ secure system (a perfect system is impossible), there are only
MORE SECURE systems. And this patch makes it more secure. There is no solution
that makes your system perfectly secure, so according to your theory there is no
way to increase the security of the system ?

Of course if something new is released, exploits will be released against it.
It's something that can be called 'human law'. And because it is, there is no
way to fight against this fact; just try to make the system MORE secure.

Your logic is closer to a closed source project: "don't release the source of
something new (at least not widely) so people are not allowed to know
about it, and it will be more secure this way".

BTW: on a cracker list I heard that one of the weakest points of Linux is
the kernel module concept. If a cracker cracks your machine (and he doesn't want to
destroy it, "only" use it), he can happily install some kernel modules to
hide himself. I saw examples that modify the syscall address for execve and start
a root shell on executing eg /bin/psaux - it's not important whether this file
exists or not - and another module to hide this module and himself by altering
and hooking module related syscalls. IMHO, altering the syscall table should be
switchable (to enable or disable this feature), but I don't know how many
kernel modules alter the syscall table for legal purposes. (I move the syscall
table into the code segment in my kernel but I don't know if it surely helps).
The other thing is the ability to create something like digitally signed kernel
modules and only allow loading modules that have a signature.
Is there any project similar to what I described ?

thx, Gabor.

-- 
 ---[ LGB/DC ]------------[ University Of Veszprém ]------[ Lénárt Gábor ]---
     "Life : Never ending story"    "Goal : 42"   "Direction : Unknown"
 ---[ 30/2270823 ]--------[ http://lgb.hal.vein.hu ]---------[ 87/477074 ]---
 finger lgb@hal2000.hal.vein.hu for more  !LINUX!  SMS : lgblgb@westel900.net

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
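The mail above describes a module that hooks module-related syscalls to hide itself. One cheap consistency check a defender can run from userspace is to compare the kernel's own two views of loaded modules: a module unlinked from the module list disappears from /proc/modules, but its directory under /sys/module normally stays behind. The script below is an added example, not code from the mail or from any project mentioned in it; the module names and /proc/modules lines it embeds are constructed sample data, and the live scan at the end assumes a Linux host with sysfs mounted.

```python
"""Hidden-kernel-module consistency check (added example, not from the mail).

Loadable modules that are actually loaded expose an 'initstate' file under
/sys/module/<name>/; built-in code that only registers parameters does not.
A module removed from the kernel's module list vanishes from /proc/modules
but usually keeps its sysfs directory, so the set difference is a cheap
detector. A rootkit can also delete the sysfs object, so an empty result is
not proof of a clean system; a non-empty result is worth investigating.
"""
import os


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-style text.

    Each line looks like: name size refcount deps state address
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loaded_sysfs_modules(sysfs_entries):
    """Return names of modules that sysfs shows as loaded.

    sysfs_entries maps a /sys/module/<name> directory to the set of entry
    names inside it. Only loaded loadable modules carry 'initstate'.
    """
    return {name for name, entries in sysfs_entries.items()
            if "initstate" in entries}


def find_hidden_modules(proc_modules_text, sysfs_entries):
    """Names sysfs reports as loaded that are absent from /proc/modules."""
    return sorted(loaded_sysfs_modules(sysfs_entries)
                  - parse_proc_modules(proc_modules_text))


# Constructed sample input: two ordinary modules, one built-in parameter
# directory, and one module ("hiddenmod") that is missing from /proc/modules.
SAMPLE_PROC_MODULES = """\
ext4 765952 2 - Live 0xffffffffc0b00000
e1000 159744 0 - Live 0xffffffffc0a00000
"""
SAMPLE_SYSFS = {
    "ext4": {"initstate", "refcnt", "sections", "parameters"},
    "e1000": {"initstate", "refcnt", "sections"},
    "hiddenmod": {"initstate", "refcnt", "sections"},  # constructed anomaly
    "printk": {"parameters"},  # built-in: no initstate, so not "loaded"
}


def scan_live_system(proc_path="/proc/modules", sysfs_root="/sys/module"):
    """Run the same comparison against the running host (Linux only)."""
    with open(proc_path) as f:
        text = f.read()
    sysfs = {}
    for name in os.listdir(sysfs_root):
        sysfs[name] = set(os.listdir(os.path.join(sysfs_root, name)))
    return find_hidden_modules(text, sysfs)


if __name__ == "__main__":
    print("sample data:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        print("live system:", scan_live_system())
```

The check is deliberately narrow: it only catches a module that was dropped from the module list without also cleaning up sysfs. It says nothing about a hooked syscall table, which cannot be inspected from userspace at all; that is exactly why the mail's other suggestion, refusing to load anything without a valid signature, addresses the problem at the point where it can still be stopped.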