| |||||||||||||
Security-improving technologies which could be deployed nowSecurity-improving technologies which could be deployed nowPosted Oct 21, 2004 21:23 UTC (Thu) by bluefoxicy (guest, #25366)In reply to: Security-improving technologies which could be deployed now by job Parent article: Security-improving technologies which could be deployed now
PaX is not obscurity. It is impossible to directly inject code in a full PaX environment; and it is not guaranteeable to attempt to execute pre-existing functions which are stored at an unknown address. You would be able to write executable code to a file, mmap() it, and execute it; but only if you could guess where mmap() is.
A system relying on security through obscurity may
-- http://en.wikipedia.org/wiki/Security_by_obscurity
If you examine a system for a month, all of it existing on read-only media (such as a Live CD), you can gather all useful information out of it. Then, the machine is rebooted, and the system comes back up, no alterations. Everything useful about address space layouts you have is lost, assuming you could gather that anyway (obscured /proc/<pid>/maps would prevent that). Using just the information you now have, you can't figure out where sshd, Mozilla, or apache have libc (and thus mmap()).
This isn't obscurity. You as the attacker know that you can still ret2libc, and you know all about the randomization. You can't from your end examine the address space and gather the data that you need to perform an attack. This is somewhat analogous to guessing a randomly generated password that changes every time the program is run.
So what you have here is that it's actually impossible to inject code directly; and that indirectly injecting code requires the execution of pre-existing code. The execution of pre-existing code can't be guaranteed any more than (on x86) guessing a 2.5 (3.75 on amd64) character aA1# password (92 possible values per character) in your very best case; except every failed attempt causes the "password" in this analogy to be recreated from random data independent of its previous values. Have fun, good luck, and learn to pray.
The point here isn't to hide things from the attacker; it's to make things unpredictable, AND hide them from the attacker. If the attacker can't predict the value of something he needs, then he's for all intents and purposes shooting at a silent, moving target while blindfolded; whereas with security by obscurity he's shooting at a fixed target that he can simply hammer repetedly once he's learned its location.
(Log in to post comments)
Security-improving technologies which could be deployed now Posted Oct 21, 2004 21:30 UTC (Thu) by bluefoxicy (guest, #25366) [Link] "Then, the machine is rebooted,""Using just the information you now have, you can't figure out where sshd, Mozilla, or apache have libc"
"changes every time the program is run"
I feel I need to clarify here that the reboot in the example was done to rerun *everything*, including init and all services. You could also init -U to reload init; telinit 1 to return to maintenance mode; restart all base system services; and then go back to normal mode and log back in. This route would accomplish the same thing--reloading all programs. It would, of course, be a long and annoying process that would be more quickly completed by a reboot (or kexec).
In short, the kernel does not need to be reloaded to rerandomize the address space of individual applications.
Also notable here is that I'm not contending bugs at kernel level, or information leaking bugs which you may have discovered during the month of examination; these are natural bugs which must be fixed, since they can't be protected against anyway and are thus out of scope.
|
|||||||||||||