1 |
> note the 'sans resurrection ability' above ;). coredumps are for post |
2 |
> mortem analysis only. |
3 |
|
4 |
Okay, then my original point stands - memory check-pointing or |
5 |
serialisation-to-disk on fault is useful, because they give a chance to |
6 |
revive a process which has been terminated because of a security violation - |
7 |
which is likely not have been the user-desired outcome. |
8 |
|
9 |
> trust me, you don't want to resurrect from an exploit attempt ;) |
10 |
|
11 |
With a memory check-pointing system, you could resurrect safely from a stage |
12 |
prior to the successful exploit - i.e. prior to the insertion or execution of |
13 |
the malicious code. With PaX guarding the system, you know when the exploit |
14 |
has occurred, because a stack smashing or similar exploit technique gets |
15 |
blocked by PaX. You can then resume the affected process from the check point |
16 |
immediately prior to the exploit attempt in a limited VM for safety (so that |
17 |
the exploit achieves nothing, if the vector is still present), allowing the |
18 |
user the chance to rescue any pertinent data, and exit 'normally'. |
19 |
|
20 |
> it's the exact opposite: you keep the basic non-exec page implementation |
21 |
> but omit the strict access control over it (MPROTECT) so that properly |
22 |
> written apps can generate code at runtime. |
23 |
|
24 |
How embarrassing. I'm still misunderstanding the workings of PaX. Thanks for |
25 |
the clarification. |
26 |
|
27 |
> it's obviously possible but it raises more problems than it solves. for |
28 |
> one, who would make the decision about forward progress? it obviously can't |
29 |
> be the process itself as it's jut got suspended, so it must be some |
30 |
> external monitor or a human. in either case, on what grounds would they |
31 |
> make this decision? either has various failure modes that would nicely |
32 |
> allow an exploit to succeed. |
33 |
|
34 |
I was talking about an external monitor with some human intervention, yes. The |
35 |
grounds by which the external monitor makes decisions - automated or |
36 |
otherwise - depends on pre-determined security policy extensible on-the-fly, |
37 |
with a hard-coded minimum set of rules to keep the core utilities running |
38 |
safely and securely. (How I gather SELinux works, barring the on-the-fly |
39 |
extensibility.) Rules for applications start out with values deemed safe by |
40 |
the community (or the enterprise security administrator), but a user with |
41 |
sufficient privileges may override them when such restrictions become |
42 |
bothersome - at their own risk, of course. |
43 |
|
44 |
Some things may not be allowed to be overridden at all, such as stack-smashing |
45 |
attacks - because there's no way ordinarily to safely restore from these. |
46 |
(Besides rolling back to a known-good memory check-point, if that capability |
47 |
exists.) Other less-critical conditions may be announced or just flagged |
48 |
silently on a per-application or user basis, depending on personal preference |
49 |
or other damage-limiting environmental factors. (i.e. no network or file |
50 |
access for the process because of MAC restrictions, etc.) |
51 |
|
52 |
Does this make more sense? |
53 |
|
54 |
I'm curious as to what failure modes you see, though. I see social engineering |
55 |
attacks, like those currently with the Windows Firewall/Vista UAC (malware |
56 |
that leads with 'when prompted, click allow access' before attempting a |
57 |
suspicious activity.) This works in Windows because nearly every user is |
58 |
running as an administrator, so no further action is required to allow a |
59 |
suspicious activity to proceed. In Unix-style systems, this isn't so |
60 |
effective, because a separate step of privilege escalation is needed. |
61 |
|
62 |
This extra step gives the user more time to think about what they're doing, |
63 |
and perhaps enough hesitation to force a consult with someone who knows what |
64 |
should be done before proceeding to override the default security settings. |
65 |
|
66 |
What other possible attacks have I missed? |
67 |
|
68 |
On Fri, 15 Feb 2008, pageexec@××××××××.hu wrote: |
69 |
> On 15 Feb 2008 at 14:14, Geoff Kassel wrote: |
70 |
> > > that would work except writing something like that is very hard, |
71 |
> > > definitely beyond my time just for the sake to handle something that a |
72 |
> > > coredump accomplishes well sans resurrection ability. |
73 |
> > > |
74 |
> > > on a sidenote, why would it be acceptable to store a process image on |
75 |
> > > disk whereas a coredump isn't? |
76 |
> > |
77 |
> > Hmm... I didn't know that you could restore a process fully from a core |
78 |
> > dump - hence the question. |
79 |
> |
80 |
> note the 'sans resurrection ability' above ;). coredumps are for post |
81 |
> mortem analysis only. |
82 |
> |
83 |
> > Memory check-pointing to disk for quick recovery from critical faults |
84 |
> > (such as power failure or exploit attempts) |
85 |
> |
86 |
> trust me, you don't want to resurrect from an exploit attempt ;) |
87 |
> |
88 |
> > > uhm, but you already have such a control over per-process PaX features. |
89 |
> > > either paxctl (which marks the executable's ELF header) or MAC system |
90 |
> > > (both grsec and RSBAC provide controls). or i must be not getting your |
91 |
> > > problem ;-). |
92 |
> > |
93 |
> > Having read a little more deeply into the inner workings of PAGEEXEC, |
94 |
> > SEGMEXEC, and MPROTECT now, I see now what I was asking is already |
95 |
> > achievable by just by removing PAGEEXEC or SEGMEXEC protections for Java |
96 |
> > or Mono, but not MPROTECT. |
97 |
> |
98 |
> it's the exact opposite: you keep the basic non-exec page implementation |
99 |
> but omit the strict access control over it (MPROTECT) so that properly |
100 |
> written apps can generate code at runtime. Java et al can these days work |
101 |
> with only MPROTECT disabled, that wasn't always true due to various bad |
102 |
> implementation issues (e.g., for a long time libjvm.so used to have some |
103 |
> FPU initialization code in its .data segment, that didn't get far under |
104 |
> PaX as you can imagine ;). in an ideal world the non-exec options would |
105 |
> just be permanently enabled and only MPROTECT would be a real choice. |
106 |
> |
107 |
> > However - while I temporarily have your ear :) I'm interested about being |
108 |
> > able to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a |
109 |
> > process in real-time - while a process is running, or in the hypothetical |
110 |
> > 'suspended awaiting administrative approval to continue' state I keep |
111 |
> > talking about. |
112 |
> > |
113 |
> > Is such a real-time removal of protections possible with the way PaX is |
114 |
> > currently implemented? If not, I think it'd be an interesting feature in |
115 |
> > the eventuality of such a process suspension feature being developed. |
116 |
> |
117 |
> it's obviously possible but it raises more problems than it solves. for |
118 |
> one, who would make the decision about forward progress? it obviously can't |
119 |
> be the process itself as it's jut got suspended, so it must be some |
120 |
> external monitor or a human. in either case, on what grounds would they |
121 |
> make this decision? either has various failure modes that would nicely |
122 |
> allow an exploit to succeed. |
123 |
|
124 |
-- |
125 |
gentoo-hardened@l.g.o mailing list |