LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Virtual Machines and Memory Protections

Virtual Machines and Memory Protections

Posted Nov 22, 2006 19:28 UTC (Wed) by bluefoxicy (guest, #25366)
In reply to: Virtual Machines and Memory Protections by davecb
Parent article: Virtual Machines and Memory Protections

Exactly what the article is about. Once the JIT compiler is allowed to do such things, it's a free-for-all. They call mmap() or mprotect(), which goes into glibc, which means the kernel doesn't know who's doing what. If you happen to have exploitable code from some native library that makes up the JIT or that's called from C# code, you're allowing that native library the same permissions.

(Log in to post comments)

Virtual Machines and Memory Protections

Posted Nov 22, 2006 22:59 UTC (Wed) by davecb (subscriber, #1574) [Link]

Hmmn, I think you're assuming something I'm not...

The JIT compiler has the permission to set a page "wx", which it
employs to set the pages it writes code into as executable. When
it's actually calling mmap or mprotect, the process context is
present, and the kernel can see if it actually has the permission
before it makes the change, so arbitrary callers of mmap, mprotect
and libc can't do privilege escalation attacks.

To prevent a called library or JIT'd code from doing privilege escalation,
the compiler needs to shed any special permissions before passing
control to the compiled code. This is normal practice, rather
like doing a setuid back to the ordinary user when you're not doing
anything priviliged in security-aware programs like Samba or NFS.

Does that address the points you were referring to, or did you mean something different?

--dave

Virtual Machines and Memory Protections

Posted Nov 23, 2006 19:20 UTC (Thu) by bluefoxicy (guest, #25366) [Link]

> When it's actually calling mmap or mprotect, the process context is present, and the kernel can see if it actually has the permission before it makes the change

Consider that the kernel doesn't know who called mmap() or mprotect() though. mmap() goes into mmap@@GLIBC, which goes into syscall@@GLIBC, which enters the kernel at the syscall entry point plus the offset for mmap(). Same with mprotect().

The kernel isn't tracking code call paths (this is difficult, would be very slow, and can be spoofed); it's the entire process that's allowed to do it. If you say the JIT is allowed to call mprotect(PROT_WRITE|PROT_EXECUTE), and the JIT links with libxml2, then a bug in libxml2 will allow an attacker to mprotect(PROT_WRITE|PROT_EXECUTE) ONLY in the JIT process and not in any other program using libxml2.

I'm trying to think of a way to contextually control calls, but right now there's no mechanism and nothing I can prove secure. I will think about it.

Virtual Machines and Memory Protections

Posted Nov 24, 2006 1:16 UTC (Fri) by davecb (subscriber, #1574) [Link]

Goodness gracious! That would make it extremely difficult to
do any decison dependant on who's making the system call, which
depends on having a process context.

Are you sure that's the case in Linux? Unix from v6 onwards
certainly knows
who's calling and what permissions they have. The whole
trusted computing base work (from which fine-grained permissions
come) is completely dependant on that, and SE Linux certainly
has the user's permissions, category and security level...

I can't imagine how normal Linux might avoid that.

--dave

Virtual Machines and Memory Protections

Posted Nov 24, 2006 2:05 UTC (Fri) by bluefoxicy (guest, #25366) [Link]

You have a PROCESS context; however, a process.. let's say /bin/cat.. has libraries it uses. Any code in those libraries is running in that process' context. So if mysql uses libc6, then libc6 code is run with mysql's privileges; while if eye of gnome uses libc6, libc6 code is being executed with the user's privileges.

Look at Exec Shield even. Libraries like libgcrypt11 are marked needing an executable stack; this causes half of GNOME as well as Gaim and Firefox to have an executable stack because they use libgcrypt11. Once this was fixed in Ubuntu, a large number of programs suddenly didn't have an executable stack anymore. It's not like the stack is only executable when libgcrypt11 tries to execute it; if libpng tries to execute code on the stack and normally fails, it'll succeed just because libgcrypt11 is linked to the application.

Short version: Unix/POSIX/Linux can only distinguish between PROCESSES, not CODE. (limitation of the CPU in many, many cases)

fine-grained permissions

Posted Nov 28, 2006 2:22 UTC (Tue) by xoddam (subscriber, #2322) [Link]

I think you've missed the point about fine-grained permissions.
Presumably the JIT compiler only needs to set write+execute on a VM area
once, at startup. Once it has done that, the entire process can drop the
privilege that allows it to do so.

This does not mean that it's impossible for an exploit of a system
library to write and call into that wx VM area once it exists, but
risk-mitigation techniques like address randomisation are just as valid
for JIT object code as they are for mapped .so files.

The point stands that any system that includes 'eval' is vulnerable to
this class of attack, no matter how it is implemented.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds