Hi,

I came across this today -- sorry if it's old news to you, but I hadn't
heard about it and thought some of you might be interested as well:

I saw a news item on heise (German computer magazine publisher) [1] that
has a reference to an article by Sebastian Krahmer [2] that describes
possible exploits circumventing the NX protection of the stack.

Apparently, you can use repeated jumps to libc to slowly fill the
registers with values you need for your final call to libc, which would
then run a "/bin/bash", "rm -rf /" or whatever via system() -- at least
that's what I understood.

I'm no security expert -- I know the basics about how these exploits
work, but have never cared to get into all the hairy details, so here
are my questions:

Do we currently have address space layout randomization on amd64 (or
other archs), and will it actually help in these sorts of attacks?
I saw a mention of adding it to the kernel in [3]; has that gone through?

Do we have stack-smashing protection, and can this actually help against
return-to-libc attacks? Judging from the gcc USE flags, it seems to be
there at least -- is it also activated automatically?

I'm currently reading up on all this stuff, as well as looking at the
hardened profile and all the other Gentoo security stuff, but if anyone
has a quick answer to my questions I'd be very grateful!

Cheers,
Marco

[1] http://www.heise.de/newsticker/meldung/64624 (in German)
[2] http://www.suse.de/~krahmer/no-nx.pdf (English)
[3] http://lwn.net/Articles/121845/
--
gentoo-amd64@g.o mailing list
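The questions above ("is NX actually in effect for this binary?", "was stack-smashing protection activated?", "is the executable built so that ASLR can relocate it?") can be answered per binary by reading the ELF headers rather than guessing from USE flags. The following is an added example, not part of Marco's post or of any Gentoo tool: it parses the ELF64 header and program headers with Python's `struct` module (no `readelf` needed), reports whether `PT_GNU_STACK` marks the stack non-executable, whether the file is `ET_DYN` (the type a PIE executable has, which is what lets the kernel randomize its load address), and, as a heuristic, whether gcc's `-fstack-protector` canary check `__stack_chk_fail` is referenced. `build_sample_elf64` constructs a minimal, non-loadable ELF image purely so the checker can be exercised offline; it is a constructed sample, not a real binary. Only little-endian ELF64 is handled, which is what amd64 produces.

```python
#!/usr/bin/env python3
"""Report NX-stack, PIE and stack-protector indicators for an ELF64 binary.

Added example; reads the ELF header and program headers directly so it
runs without binutils. Only little-endian ELF64 (amd64) is handled.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address executable / position-independent


def inspect_elf64(data: bytes) -> dict:
    """Return mitigation indicators for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # ELF64 header field offsets: e_type@16, e_phoff@32, e_phentsize@54, e_phnum@56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)   # first two phdr fields
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
            break

    return {
        # Without a PT_GNU_STACK header the loader falls back to an executable
        # stack, so only an explicit header lacking PF_X counts as NX.
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        # ET_DYN is how a PIE executable (and a shared library) is typed; only
        # such images can be placed at a randomized base address by ASLR.
        "pie": e_type == ET_DYN,
        # Heuristic: -fstack-protector emits calls to __stack_chk_fail, so the
        # name appears in the dynamic string table of a protected binary.
        "stack_protector": b"__stack_chk_fail\0" in data,
    }


def kernel_aslr_setting(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Return the kernel's ASLR knob (0/1/2) or None if it is not exposed."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def build_sample_elf64(exec_stack: bool, pie: bool, ssp: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK phdr); not loadable."""
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,  # e_type
        0x3E,                        # e_machine = EM_X86_64
        1, 0,                        # e_version, e_entry
        ehdr_size, 0, 0,             # e_phoff (right after the header), e_shoff, e_flags
        ehdr_size, phdr_size, 1,     # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    flags = 0x6 | (PF_X if exec_stack else 0)            # PF_R | PF_W [| PF_X]
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"__stack_chk_fail\0" if ssp else b"")


if __name__ == "__main__":
    # Usage: elfcheck.py /path/to/binary ; with no argument, a constructed sample is shown.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_elf64(exec_stack=False, pie=True, ssp=True)
    for key, value in inspect_elf64(image).items():
        print(f"{key:>18}: {value}")
    print(f"{'kernel ASLR':>18}: {kernel_aslr_setting()}")
```

The per-binary result is only half the picture: NX needs hardware/kernel support and a non-executable `PT_GNU_STACK`, PIE is only useful when the kernel's `randomize_va_space` is enabled, and the `__stack_chk_fail` check says that at least one function was compiled with a canary, not that every one was.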