The key to these exploits is the ability to hijack the thread
of execution by overwriting the return address on the stack.
There are a couple of x86 mechanisms that could be used to
stop the hijack:
1) The limit portion of the process's CS segment descriptor
could be adjusted downwards, so the stack addresses would not
be executable and any attempt would trigger a #GP exception.
2) On syscall entry, the kernel could check the page tables
to be sure that the return address is from code pages (read-only),
and not from data pages (read-write). The kernel would log and
terminate any such process. Kill some nasty bugs this way too.
This assumes an exploit can do limited damage without syscalls.
I believe that even root processes really are running at
Intel Ring3 privilege level. This greatly limits what bare
code can do. AFAIK, only the kernel runs in Ring0.
Of course, either or both of these might break some poorly
behaved applications.
-- Robert
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
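To make the two checks Robert proposes concrete, here is an added example in C (not Robert's code and not anything from the kernel). It models a process address space from a constructed /proc/<pid>/maps-style snapshot (the addresses, paths and permissions are made up, not taken from a real process) and applies both checks to candidate return addresses: the page-table check of mechanism 2 (accept only mapped, executable, non-writable pages) and the lowered-CS-limit check of mechanism 1 (any instruction fetch above the limit faults). The struct, function names and the sample limit value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Robert's code: models the two checks from the post
 * against a constructed /proc/<pid>/maps snapshot. Nothing here touches
 * real page tables or segment descriptors. */

#define MAX_MAPS 16

struct mapping {
    unsigned long start, end;   /* [start, end) */
    int r, w, x;                /* page permissions */
};

/* Constructed sample of a 32-bit process's mappings (not a real process). */
static const char *sample_maps[] = {
    "08048000-0804c000 r-xp 00000000 03:01 12345 /bin/demo",
    "0804c000-0804d000 rw-p 00003000 03:01 12345 /bin/demo",
    "0804d000-0806f000 rw-p 00000000 00:00 0     [heap]",
    "40000000-40015000 r-xp 00000000 03:01 67890 /lib/ld-linux.so.2",
    "bffeb000-c0000000 rwxp 00000000 00:00 0     [stack]",
};

/* Assumed CS limit for mechanism 1: last byte of the highest code mapping.
 * Everything above it (here, the stack) cannot be fetched as code. */
#define SAMPLE_CS_LIMIT 0x40014fffUL

/* Parse one maps line; returns 1 on success, 0 if the line is malformed. */
int parse_mapping(const char *line, struct mapping *m)
{
    char perms[8];
    if (sscanf(line, "%lx-%lx %7s", &m->start, &m->end, perms) != 3)
        return 0;
    if (strlen(perms) < 3 || m->end <= m->start)
        return 0;
    m->r = perms[0] == 'r';
    m->w = perms[1] == 'w';
    m->x = perms[2] == 'x';
    return 1;
}

/* Load the constructed sample into `out`; returns the number of mappings. */
int load_sample_maps(struct mapping *out, int max)
{
    int n = 0;
    size_t i;
    for (i = 0; i < sizeof(sample_maps) / sizeof(sample_maps[0]) && n < max; i++)
        if (parse_mapping(sample_maps[i], &out[n]))
            n++;
    return n;
}

/* Find the mapping containing addr; -1 if the address is unmapped. */
int find_mapping(const struct mapping *maps, int n, unsigned long addr)
{
    int i;
    for (i = 0; i < n; i++)
        if (addr >= maps[i].start && addr < maps[i].end)
            return i;
    return -1;
}

/* Mechanism 2: a return address is acceptable only if it lies in a mapped,
 * executable, non-writable region. Writable pages (stack, heap, .data) are
 * rejected even when marked executable, and unmapped addresses are rejected. */
int return_address_ok(const struct mapping *maps, int n, unsigned long ret)
{
    int i = find_mapping(maps, n, ret);
    if (i < 0)
        return 0;
    return maps[i].x && !maps[i].w;
}

/* Mechanism 1: with the CS limit lowered to `cs_limit` (last valid offset),
 * fetching an instruction from any higher address raises #GP. */
int cs_limit_allows(unsigned long addr, unsigned long cs_limit)
{
    return addr <= cs_limit;
}

/* One-shot helpers against the sample, for quick queries. */
int sample_map_count(void)
{
    struct mapping maps[MAX_MAPS];
    return load_sample_maps(maps, MAX_MAPS);
}

int sample_return_ok(unsigned long ret)
{
    struct mapping maps[MAX_MAPS];
    int n = load_sample_maps(maps, MAX_MAPS);
    return return_address_ok(maps, n, ret);
}

int main(void)
{
    unsigned long candidates[] = { 0x08048123, 0x40000100, 0x0804d100,
                                   0xbffff000, 0x12345678 };
    size_t i;

    printf("loaded %d mappings\n", sample_map_count());
    for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++)
        printf("ret=%08lx  page-check=%s  cs-limit=%s\n", candidates[i],
               sample_return_ok(candidates[i]) ? "ok" : "REJECT",
               cs_limit_allows(candidates[i], SAMPLE_CS_LIMIT) ? "ok" : "#GP");
    return 0;
}
```

Running it shows the difference between the two checks: the text and shared-library addresses pass both; the stack address fails both; but the heap address (0x0804d100) sits below the CS limit and so passes mechanism 1 while the page-table check rejects it for being writable. It also shows the constraint on mechanism 1 that the limit must cover every code mapping, including libraries mapped well above the binary's own text.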