Gentoo Archives: gentoo-amd64

From: "Hemmann
To: gentoo-amd64@l.g.o
Subject: Re: [gentoo-amd64] Questions about No Execute and security
Date: Thu, 06 Oct 2005 19:51:34
Message-Id: 200510062150.12435.volker.armin.hemmann@tu-clausthal.de
In Reply to: Re: [gentoo-amd64] Questions about No Execute and security by Marco Matthies
On Thursday 06 October 2005 21:31, Marco Matthies wrote:
> Hemmann, Volker Armin wrote:
> > to do this fancy jump-around stuff, you need to know exactly where which
> > snippet resides in ram - one error and all your work is lost.
> >
> > So, and because on gentoo everything is compiled by yourself with a
> > little bit different setting like the next gentoo user, it is a lot
> > harder to guess the correct addresses. Not like the binary distributions,
> > where one is laid out like the other.
>
> Well, let's find out. On my home system, I did this:
>
> strace gzip > /dev/null
> hit ctrl-c
> find the mmap that maps /lib/libc.so.6 by:
> - find the open call that opens libc, note that the open call returns
> the file descriptor
> - find the next mmap that acts on that fd (second to last argument
> to mmap)
> - mmap returns the address it mmapped to
>
> Short excerpt:
> $ strace gzip > /dev/null
> [...snip...]
> open("/lib/libc.so.6", O_RDONLY) = 3
> [... reads, lseeks and fstats snipped ...]
> mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
> [...snip...]
>
> I got 0x2aaaaabc1000 on my machine, I would be interested to know what
> your machine did. But judging from the fact that the people from
> hardened added address space layout randomization, I'd guess we're going
> to get the same address or something that varies but not very randomly
> (low entropy). Make sure that you test with gzip though, other apps will
> have slightly different addresses as they seem to load libs in a
> different order -- this won't help though, as an exploit will be
> targeted at a specific app.
>
> But I'm still interested if we all get the same addresses or slightly
> different.
>

and I get:

strace gzip > /dev/null
execve("/bin/gzip", ["gzip"], [/* 63 vars */]) = 0
<snip>
open("/lib/tls/libc.so.6", O_RDONLY) = 3
<snip>
mmap(NULL, 2261000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc3000
<snip>

--
Conclusions
In a straight-up fight, the Empire squashes the Federation like a bug. Even
with its numerical advantage removed, the Empire would still squash the
Federation like a bug. Accept it. -Michael Wong
--
gentoo-amd64@g.o mailing list
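The following shell script is an added example, not code from this thread or from Gentoo. It automates the by-hand strace procedure Marco describes (find the open() of libc, note the fd it returns, take the address returned by the first mmap() on that fd) and then repeats the measurement on one machine to count how many distinct libc addresses appear, which is the "same address or low entropy" question both mails are circling. It assumes glibc naming (libc.so.6 or libc-<version>.so), strace and a POSIX awk on the PATH, and strace's own unwrapped output (the mails wrap the long mmap line, strace itself does not). The function names are mine, and the sample trace is constructed to resemble the excerpt quoted above, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: glibc (libc.so.6 / libc-<ver>.so), strace, POSIX awk.

# Read strace output on stdin and print the address libc was mapped at.
# Accepts open() (as in the thread) and the openat() newer glibc issues.
libc_base_from_strace() {
    awk '
        # open/openat of libc: remember the file descriptor it returned.
        # A failed attempt ("= -1 ENOENT ...") is overwritten by the next
        # open of libc, so the usual search through several paths is fine.
        /^open(at)?\(.*libc(-[0-9.]+)?\.so/ {
            sub(/.*= */, "")
            fd = $0
            next
        }
        # First mmap whose fd argument (5th comma-separated field) is that
        # descriptor. Anonymous mmaps (fd -1) in between are skipped, which
        # is why "the next mmap after the open" is not good enough.
        fd != "" && /^mmap\(/ {
            n = split($0, a, ",")
            gsub(/ /, "", a[5])
            if (a[5] == fd) {
                sub(/.*= */, "", a[n])   # a[n] is "off) = 0x...": keep the address
                print a[n]
                exit
            }
        }
    '
}

# Count distinct non-empty lines on stdin; always exits 0, even on no input.
count_distinct() {
    sort -u | awk 'NF { c++ } END { print c + 0 }'
}

# Trace TARGET N times and report how many distinct libc addresses appear.
# 1 distinct address in N runs means libc is not randomized at all; N
# distinct addresses in N runs is only a lower bound on the entropy.
# No -e filter is passed to strace so old and new versions both work.
measure_libc_aslr() {
    target=${1:-gzip}
    n=${2:-10}
    addrs=$(
        i=0
        while [ "$i" -lt "$n" ]; do
            # strace writes to stderr: send that to the pipe and the
            # program's own stdout to /dev/null, as the thread does.
            strace "$target" </dev/null 2>&1 >/dev/null | libc_base_from_strace
            i=$((i + 1))
        done | sort -u
    )
    u=$(printf '%s\n' "$addrs" | count_distinct)
    printf '%s\n' "$addrs"
    awk -v u="$u" -v n="$n" 'BEGIN {
        printf "%d distinct libc addresses in %d runs (at least %.1f bits vary)\n",
               u, n, (u > 0 ? log(u) / log(2) : 0)
    }'
}

# Constructed strace excerpt (not a real capture) modelled on the one quoted
# above, with a failed open and an anonymous mmap added to exercise the
# fd matching.
sample_trace() {
    cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(NULL, 23130, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaabd000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1"..., 640) = 640
fstat(3, {st_mode=S_IFREG|0755, st_size=1254816, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac3000
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
close(3) = 0
EOF
}

# Offline demonstration on the constructed trace (prints 0x2aaaaabc1000).
sample_trace | libc_base_from_strace
# Live measurement, when strace is installed:  measure_libc_aslr gzip 20
```

Run `measure_libc_aslr gzip 20` on each machine and compare the output. A single distinct address means libc lands at the same place on every run, so comparing it with another install (as the thread does) only tells you whether that fixed place is the same everywhere; an attacker who can run the same binary on the same kind of install learns it either way. Several distinct addresses only give a lower bound on the randomization, so look at which hex digits actually change between runs rather than at the count alone.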

Replies

Subject Author
Re: [gentoo-amd64] Questions about No Execute and security Marco Matthies <marco-ml@×××.net>