| 1 |
> note the 'sans resurrection ability' above ;). coredumps are for post |
| 2 |
> mortem analysis only. |
| 3 |
|
| 4 |
Okay, then my original point stands - memory check-pointing or |
| 5 |
serialisation-to-disk on fault is useful, because they give a chance to |
| 6 |
revive a process which has been terminated because of a security violation - |
| 7 |
which is likely not have been the user-desired outcome. |
| 8 |
|
| 9 |
> trust me, you don't want to resurrect from an exploit attempt ;) |
| 10 |
|
| 11 |
With a memory check-pointing system, you could resurrect safely from a stage |
| 12 |
prior to the successful exploit - i.e. prior to the insertion or execution of |
| 13 |
the malicious code. With PaX guarding the system, you know when the exploit |
| 14 |
has occurred, because a stack smashing or similar exploit technique gets |
| 15 |
blocked by PaX. You can then resume the affected process from the check point |
| 16 |
immediately prior to the exploit attempt in a limited VM for safety (so that |
| 17 |
the exploit achieves nothing, if the vector is still present), allowing the |
| 18 |
user the chance to rescue any pertinent data, and exit 'normally'. |
| 19 |
|
| 20 |
> it's the exact opposite: you keep the basic non-exec page implementation |
| 21 |
> but omit the strict access control over it (MPROTECT) so that properly |
| 22 |
> written apps can generate code at runtime. |
| 23 |
|
| 24 |
How embarrassing. I'm still misunderstanding the workings of PaX. Thanks for |
| 25 |
the clarification. |
| 26 |
|
| 27 |
> it's obviously possible but it raises more problems than it solves. for |
| 28 |
> one, who would make the decision about forward progress? it obviously can't |
| 29 |
> be the process itself as it's jut got suspended, so it must be some |
| 30 |
> external monitor or a human. in either case, on what grounds would they |
| 31 |
> make this decision? either has various failure modes that would nicely |
| 32 |
> allow an exploit to succeed. |
| 33 |
|
| 34 |
I was talking about an external monitor with some human intervention, yes. The |
| 35 |
grounds by which the external monitor makes decisions - automated or |
| 36 |
otherwise - depends on pre-determined security policy extensible on-the-fly, |
| 37 |
with a hard-coded minimum set of rules to keep the core utilities running |
| 38 |
safely and securely. (How I gather SELinux works, barring the on-the-fly |
| 39 |
extensibility.) Rules for applications start out with values deemed safe by |
| 40 |
the community (or the enterprise security administrator), but a user with |
| 41 |
sufficient privileges may override them when such restrictions become |
| 42 |
bothersome - at their own risk, of course. |
| 43 |
|
| 44 |
Some things may not be allowed to be overridden at all, such as stack-smashing |
| 45 |
attacks - because there's no way ordinarily to safely restore from these. |
| 46 |
(Besides rolling back to a known-good memory check-point, if that capability |
| 47 |
exists.) Other less-critical conditions may be announced or just flagged |
| 48 |
silently on a per-application or user basis, depending on personal preference |
| 49 |
or other damage-limiting environmental factors. (i.e. no network or file |
| 50 |
access for the process because of MAC restrictions, etc.) |
| 51 |
|
| 52 |
Does this make more sense? |
| 53 |
|
| 54 |
I'm curious as to what failure modes you see, though. I see social engineering |
| 55 |
attacks, like those currently with the Windows Firewall/Vista UAC (malware |
| 56 |
that leads with 'when prompted, click allow access' before attempting a |
| 57 |
suspicious activity.) This works in Windows because nearly every user is |
| 58 |
running as an administrator, so no further action is required to allow a |
| 59 |
suspicious activity to proceed. In Unix-style systems, this isn't so |
| 60 |
effective, because a separate step of privilege escalation is needed. |
| 61 |
|
| 62 |
This extra step gives the user more time to think about what they're doing, |
| 63 |
and perhaps enough hesitation to force a consult with someone who knows what |
| 64 |
should be done before proceeding to override the default security settings. |
| 65 |
|
| 66 |
What other possible attacks have I missed? |
| 67 |
|
| 68 |
On Fri, 15 Feb 2008, pageexec@××××××××.hu wrote: |
| 69 |
> On 15 Feb 2008 at 14:14, Geoff Kassel wrote: |
| 70 |
> > > that would work except writing something like that is very hard, |
| 71 |
> > > definitely beyond my time just for the sake to handle something that a |
| 72 |
> > > coredump accomplishes well sans resurrection ability. |
| 73 |
> > > |
| 74 |
> > > on a sidenote, why would it be acceptable to store a process image on |
| 75 |
> > > disk whereas a coredump isn't? |
| 76 |
> > |
| 77 |
> > Hmm... I didn't know that you could restore a process fully from a core |
| 78 |
> > dump - hence the question. |
| 79 |
> |
| 80 |
> note the 'sans resurrection ability' above ;). coredumps are for post |
| 81 |
> mortem analysis only. |
| 82 |
> |
| 83 |
> > Memory check-pointing to disk for quick recovery from critical faults |
| 84 |
> > (such as power failure or exploit attempts) |
| 85 |
> |
| 86 |
> trust me, you don't want to resurrect from an exploit attempt ;) |
| 87 |
> |
| 88 |
> > > uhm, but you already have such a control over per-process PaX features. |
| 89 |
> > > either paxctl (which marks the executable's ELF header) or MAC system |
| 90 |
> > > (both grsec and RSBAC provide controls). or i must be not getting your |
| 91 |
> > > problem ;-). |
| 92 |
> > |
| 93 |
> > Having read a little more deeply into the inner workings of PAGEEXEC, |
| 94 |
> > SEGMEXEC, and MPROTECT now, I see now what I was asking is already |
| 95 |
> > achievable by just by removing PAGEEXEC or SEGMEXEC protections for Java |
| 96 |
> > or Mono, but not MPROTECT. |
| 97 |
> |
| 98 |
> it's the exact opposite: you keep the basic non-exec page implementation |
| 99 |
> but omit the strict access control over it (MPROTECT) so that properly |
| 100 |
> written apps can generate code at runtime. Java et al can these days work |
| 101 |
> with only MPROTECT disabled, that wasn't always true due to various bad |
| 102 |
> implementation issues (e.g., for a long time libjvm.so used to have some |
| 103 |
> FPU initialization code in its .data segment, that didn't get far under |
| 104 |
> PaX as you can imagine ;). in an ideal world the non-exec options would |
| 105 |
> just be permanently enabled and only MPROTECT would be a real choice. |
| 106 |
> |
| 107 |
> > However - while I temporarily have your ear :) I'm interested about being |
| 108 |
> > able to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a |
| 109 |
> > process in real-time - while a process is running, or in the hypothetical |
| 110 |
> > 'suspended awaiting administrative approval to continue' state I keep |
| 111 |
> > talking about. |
| 112 |
> > |
| 113 |
> > Is such a real-time removal of protections possible with the way PaX is |
| 114 |
> > currently implemented? If not, I think it'd be an interesting feature in |
| 115 |
> > the eventuality of such a process suspension feature being developed. |
| 116 |
> |
| 117 |
> it's obviously possible but it raises more problems than it solves. for |
| 118 |
> one, who would make the decision about forward progress? it obviously can't |
| 119 |
> be the process itself as it's jut got suspended, so it must be some |
| 120 |
> external monitor or a human. in either case, on what grounds would they |
| 121 |
> make this decision? either has various failure modes that would nicely |
| 122 |
> allow an exploit to succeed. |
| 123 |
|
| 124 |
-- |
| 125 |
gentoo-hardened@l.g.o mailing list |
Archives