Exec-Shield and SELinux
Posted Apr 19, 2007 20:50 UTC (Thu) by PaXTeam (guest, #24616)
In reply to: Exec-Shield and SELinux by arjan
Parent article: A security analysis of two years of RHEL 4
first, the double-free protection was published by Stefan Esser (http://www.derkeiler.com/Mailing-Lists/securityfocus/bugt...) and used in at least Gentoo prior to its incorporation in glibc, it had nothing to do with Exec Shield.
second, as another commenter said, the double-free check doesn't prevent exploitation, it just makes it depend on a particular memory layout/content which may be hard or even impossible to achieve in a given situation, but without a thorough examination in every single case, you can't make a blanket statement like that - or if you do, better provide analysis of a few such bugs.
third, code execution is independent of double free exploitation - one is a bug class, the other is an exploit technique (i.e., one of many). what a double free gives you is a sort of 'mirrored write 4/8 bytes anywhere in writable memory' primitive. whether the exploit writer exploits it for code execution or something more subtle depends on what is better (and possible) for his goals. for non-control flow hijacking attacks i suggest that you read http://www.usenix.org/events/sec05/tech/chen.html .
Posted Apr 19, 2007 20:59 UTC (Thu) by arjan (subscriber, #36785)

yes double free checking as concept wasn't new. Getting a whole set of that into glibc was part of the Exec-Shield project. I find it curious that you claim it wasn't... I don't remember you being part of that project.

Second, I said that the glibc checks make most double free attacks effectively impossible, because what happens in the double free (as opposed to the general heap chain corruption case) is that the freed element no longer is part of the chain AT ALL anymore, so the chain checks will just catch this. (In the general heap chain corruption scenario you can argue you can plant those values; in the specific double free scenario you can't argue that.)

third, in the context of this article it's about the highest class of bugs, which do imply code execution or information leak as effect.

Posted Apr 19, 2007 22:22 UTC (Thu) by PaXTeam (guest, #24616)

to me Exec-Shield is this: http://people.redhat.com/mingo/exec-shield/ . if you have other projects under this umbrella, i must have missed their public announcements and the related discussions. can you point to some URLs where these glibc hardening and other discussions took place (i don't mean the cvs commit logs, but the actual design/implementation stuff)?

Posted Apr 20, 2007 1:16 UTC (Fri) by bojan (subscriber, #14302)

> must have missed their public announcements and the related discussions

Maybe there weren't any? Given that all this stuff has been done by Red Hat, maybe all involved just had a private exchange and decided to do it. Or something like that...
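The disagreement between arjan and PaXTeam above is about how much a cheap "is this chunk already in the free chain?" check buys you. The following is an added illustration, not code from the thread, from glibc or from Exec-Shield: a toy single-bin free list whose `toy_free` first applies a top-of-bin comparison in the spirit of glibc's fastbin double-free check, and optionally a full walk of the bin. All names (`toy_chunk`, `toy_bin`, `toy_free`, the scenario functions) are made up for this example. It shows the case arjan describes (the same chunk freed twice in a row is caught by the cheap check) next to the layout-dependent case PaXTeam raises (another free in between, where only a full, O(n) walk notices that the chunk is already in the bin).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the LWN thread or glibc: a toy single-bin
 * free list shaped like a fastbin, so the limits of a cheap double-free
 * check can be seen directly. All identifiers here are invented. */

#define TOY_CHUNKS 4

struct toy_chunk {
    struct toy_chunk *fd;   /* next free chunk in the bin, like a fastbin fd */
    char payload[16];
};

struct toy_bin {
    struct toy_chunk *top;  /* most recently freed chunk */
};

enum toy_free_result {
    TOY_OK = 0,
    TOY_DOUBLE_FREE_TOP = 1,   /* caught by the cheap top-of-bin compare */
    TOY_DOUBLE_FREE_DEEP = 2,  /* caught only by walking the whole bin */
};

/* Cheap check: compare only against the current top of the bin.
 * This is the shape of glibc's fastbin "double free or corruption (fasttop)" test. */
static bool toy_is_top(const struct toy_bin *bin, const struct toy_chunk *c)
{
    return bin->top == c;
}

/* Thorough check: walk the whole bin. O(n) per free, which is why
 * production allocators do not do this on the fast path. */
static bool toy_in_bin(const struct toy_bin *bin, const struct toy_chunk *c)
{
    for (const struct toy_chunk *p = bin->top; p != NULL; p = p->fd)
        if (p == c)
            return true;
    return false;
}

/* Free c into bin. Always runs the cheap check; runs the full walk only
 * when thorough is true. Returns which check (if any) fired. */
static enum toy_free_result toy_free(struct toy_bin *bin, struct toy_chunk *c, bool thorough)
{
    if (toy_is_top(bin, c))
        return TOY_DOUBLE_FREE_TOP;
    if (thorough && toy_in_bin(bin, c))
        return TOY_DOUBLE_FREE_DEEP;
    c->fd = bin->top;   /* push onto the bin */
    bin->top = c;
    return TOY_OK;
}

/* Scenario 1: free(p); free(p). Returns the result of the second free. */
enum toy_free_result scenario_immediate(bool thorough)
{
    struct toy_chunk chunks[TOY_CHUNKS] = {0};
    struct toy_bin bin = { .top = NULL };
    toy_free(&bin, &chunks[0], thorough);
    return toy_free(&bin, &chunks[0], thorough);
}

/* Scenario 2: free(p); free(q); free(p). Returns the result of the third free.
 * With only the cheap check, p is no longer the top, so the free is accepted
 * and the bin now contains p twice. */
enum toy_free_result scenario_interleaved(bool thorough)
{
    struct toy_chunk chunks[TOY_CHUNKS] = {0};
    struct toy_bin bin = { .top = NULL };
    toy_free(&bin, &chunks[0], thorough);
    toy_free(&bin, &chunks[1], thorough);
    return toy_free(&bin, &chunks[0], thorough);
}

int main(void)
{
    printf("immediate, top check only:   %d\n", scenario_immediate(false));   /* 1 */
    printf("interleaved, top check only: %d\n", scenario_interleaved(false)); /* 0: missed */
    printf("interleaved, full walk:      %d\n", scenario_interleaved(true));  /* 2 */
    return 0;
}
```

The point for a defender is the one both posters are circling: the cheap check is a real mitigation for the simplest pattern, but whether it fires depends on what else was freed into the same bin in between, so "the checks catch double frees" is a statement about a particular heap layout rather than about the bug class. A full-walk check closes that gap at a cost allocators are unwilling to pay on every free, which is why tools such as debug allocators or ASan are where that level of checking usually lives.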