Re: OS stopping stack buffer overflow exploits

Gabor Lenart (lgb@veszprog.hu)
Mon, 5 Jun 2000 12:15:12 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Momchil Velikov: "Re: [PATCH] cleaned up slab allocator"
Previous message: John D. Rowell: "IDE DMA oops with PII 82440MX on > 2.3.99pre6"

On Sat, Jun 03, 2000 at 09:06:46PM -0500, Robert Redelmeier wrote:
> While thinking about stack buffer overflow exploits (like `bind`),
> it occured to me that our beloved OS [Linux] might be able to
> provide some security for the many poorly-written suid-root apps.
>
> The key to these exploits is the ability to hijack the thread
> of execution by overwriting the return address on the stack.
> There are a couple of x86 mechanisms that could be used to
> stop the hijack:
>
> 1) The limit portion of the processes' CS segment descriptor
> could be adjusted downwards, so the stack addresses would not
> be executable and attempting would trigger a #GP exception.

This would casue to fail some already used technique like trampolines.
There's such a patch, it's named "Secure Linux" patch from Solar Designer
(I think the URL is http://www.false.com/). It can autodetect trampoline
usage too to enable them. Of course the security is not maximum in this
case but most of the cook-book exploits should be stopped by this patch
I've been using it for ages, and it's a great piece of patch.
It also contains some other security fixings. All of them can be tuned
by Linux kernel config mechanisms before compiling after you appiled the
patch.

- Gabor

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Momchil Velikov: "Re: [PATCH] cleaned up slab allocator"
Previous message: John D. Rowell: "IDE DMA oops with PII 82440MX on > 2.3.99pre6"