Prelink and address space randomization
Posted Jul 7, 2006 18:58 UTC (Fri) by bluefoxicy
In reply to: Prelink and address space randomization
Parent article: Prelink and address space randomization
Unfortunately some of the most security sensitive binaries aren't typically PIE'd, even on RedHat systems (at least not last I looked; I was told explicitly "network-facing daemons"). These can inclcude:
- Konqueror plug-ins (they run as separate executable)
- Web browsers (Firefox)
- Music players (playing MP3s you just downloaded from creative commons? STREAMING radio?!)
- Video players (same problem as music players)
- Gaim (Ugly away message a la CAN-2005-2103?)
- IRC programs (Xchat is stupid to run as root? Ever do a local root exploit? No we don't all have SELinux...)
If you want to nit pick, you could even say something about less obvious binaries:
- Office suites (malicious Word documents that overflow the decoder)
- File browsers (rabidly displaying thumbnails of images-- remember one day when SIX PNG EXPLOITS showed up at the same time and what FOUR of them were RCE?)
- Image editors (Here open this .psd... no I don't know how or why you would trick the user into it but it could happen)
- compression programs (zip, tar, gzip, bzip2, and p7zip; anything using libz or libbz2; etc. IIRC libz <=1.1.3 had that lovely double-free())
- Games (globulation2, Nexuiz, or Armagetron... think about it, you'll figure it out. Look up Stronghold 2 in the CVE database for a non-hypothetical)
And if you really want to go all out:
- Shells (for those days when they just don't want to deal with certain escape sequences or invalid UTF8)
- Terminal emulators (these HAVE had exploits from bad escape sequence handling)
- Script interpreters (for those days when you break the parser or a built-in function implemented in a C library)
I can't think of anything more ridiculous to exploit than a shell, sorry. 'ls' and 'cat' would be cute but I can't think of any technically feasible screw-up that would leave those exploitable. Note most of these are theoretical; I don't have real shell/script interpreter exploits in mind.
Back to the original topic, let's not forget that prelink is also available on Debian/Ubuntu and Gentoo. On Debian/Ubuntu we don't yet have pie; on Gentoo we have pie everywhere*** or nowhere. Building such binaries as PIE is a good idea and fairly non-invasive (the overhead is about 1%* in about 5-8%** of the code ever executed, so 0.05%-0.08%), but it's not wide-spread and it defeats the purpose of prelink in those cases.
* There is a 5% performance increase gained by -fomit-frame-pointer on x86, but NOT in PIC. I didn't say 6% because Ubuntu doesn't seem to use -fomit-frame-pointer anyway. On x86-64 the overhead is like 0.02% max.
** About 4-7% of the code executed on the system is in Xorg's main executable; every other program seems to execute under 1% in the main executable, most under 0.2%. This information courteous of me mass-profiling my whole damn system with oprofile because Theo de Raadt insists that PIE is "very expensive."
*** Everywhere except where it breaks things, which is a lot of places. Turn off hand-optimized assembly in everything (during ./configure or with USE flags) if you want to attempt this. It AND ProPolice used to break Xorg; I don't know if Xorg can handle it yet, I haven't used Hardened Gentoo since Ubuntu hit the map.
to post comments)