Gentoo Archives: gentoo-amd64

From: Marco Matthies <marco-ml@×××.net>
To: gentoo-amd64@l.g.o
Subject: [gentoo-amd64] Questions about No Execute and security
Date: Thu, 06 Oct 2005 13:07:53
Message-Id: 43452164.2080007@gmx.net
Hi,

I came across this today -- sorry if it's old news to you but I hadn't
heard about it and thought some of you might be interested as well:

I saw a news item on heise (German computer magazine publisher) [1] that
has a reference to an article by Sebastian Krahmer [2] that describes
possible exploits circumventing the NX protection of the stack.

Apparently, you can use repeated jumps to libc to slowly fill the
registers with values you need for your final call to libc, which would
then run a "/bin/bash", "rm -rf /" or whatever via system() -- at least
that's what I understood.

I'm no security expert -- I know the basics about how these exploits
work, but have never cared to get into all the hairy details, so here
are my questions:

Do we currently have address space layout randomization on amd64 (or
other archs), and will it actually help in this sort of attack?
I saw a mention of adding it to the kernel in [3], has that gone through?

Do we have stack-smashing protection, and can this actually help against
return-to-libc attacks? Judging from the gcc USE flags, it seems to be
there at least -- is it also activated automatically?

I'm currently reading up on all this stuff, as well as looking at the
hardened profile and all the other gentoo security stuff, but if anyone
has a quick answer to my questions I'd be very grateful!

Cheers,
Marco

[1] http://www.heise.de/newsticker/meldung/64624 (in German)
[2] http://www.suse.de/~krahmer/no-nx.pdf (English)
[3] http://lwn.net/Articles/121845/
--
gentoo-amd64@g.o mailing list
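The questions in the message above (is the stack of a given binary actually marked non-executable, can the executable be randomized at all, was stack-smashing protection compiled in, and is kernel ASLR switched on) can each be answered by inspecting the binary and the kernel sysctl directly. The following is an added example written for this archive page; it is not code from the original message, from Gentoo, or from the referenced paper. It parses the ELF program headers itself (no readelf needed), reads `/proc/sys/kernel/randomize_va_space` where present, and uses a labelled heuristic for the stack protector: a binary built with `-fstack-protector` references the `__stack_chk_fail` symbol, so its name appears in the file. The `build_sample_elf` fixture is constructed in-line purely so the checks can be exercised offline; it is not a real executable.

```python
"""Added example: audit an ELF binary for the mitigations discussed in the thread.

Checks (assumptions are noted in the comments):
  * NX stack: the PF_X bit of the PT_GNU_STACK program header.
  * PIE: e_type == ET_DYN, the precondition for ASLR of the main image.
  * Stack-smashing protector: heuristic scan for the __stack_chk_fail symbol name.
  * ASLR: the kernel sysctl /proc/sys/kernel/randomize_va_space (2 = full).
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # GNU extension: stack permissions
PF_X = 0x1                  # program-header flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent
ASLR_SYSCTL = "/proc/sys/kernel/randomize_va_space"


def parse_elf(data):
    """Return (e_type, [(p_type, p_flags), ...]) from raw ELF bytes (32- or 64-bit)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:  # Elf32_Phdr keeps p_flags after the address/size fields
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def stack_is_executable(data):
    """True if the loader would map this binary's stack executable.

    A missing PT_GNU_STACK header is reported as executable: that is the
    legacy kernel behaviour for x86 binaries that carry no such header."""
    _, phdrs = parse_elf(data)
    for p_type, p_flags in phdrs:
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def is_pie(data):
    """Only an ET_DYN main executable can have its load address randomized."""
    e_type, _ = parse_elf(data)
    return e_type == ET_DYN


def uses_stack_protector(data):
    """Heuristic: code built with -fstack-protector references __stack_chk_fail."""
    return b"__stack_chk_fail" in data


def aslr_level(path=ASLR_SYSCTL):
    """0 = off, 1 = stack/mmap/vdso randomized, 2 = brk too; None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def audit(data):
    """Summarize the per-binary checks as a dict of booleans."""
    return {
        "nx_stack": not stack_is_executable(data),
        "pie": is_pie(data),
        "stack_protector": uses_stack_protector(data),
    }


def build_sample_elf(exec_stack, pie, with_gnu_stack=True):
    """Constructed test fixture: a minimal x86-64 ELF header plus one program header.

    It is not a loadable binary; it exists only so the parser can be exercised."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, version 1
    phnum = 1 if with_gnu_stack else 0
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, optionally PF_X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return header + (phdr if with_gnu_stack else b"")


if __name__ == "__main__":
    print("kernel randomize_va_space:", aslr_level())
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, audit(f.read()))
```

Run it as `python audit_elf.py /path/to/binary ...` on a Linux host. An `nx_stack` of False on a binary that links no assembly, or a missing `stack_protector`, is exactly the kind of gap the hardened profile is meant to close; `aslr_level()` returning None simply means the sysctl does not exist on that kernel.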