On Sunday, January 28, 2007 02:44, pageexec@××××××××.hu wrote:
> On 28 Jan 2007 at 3:22, gentoo-hardened-ml-01@××××××.org wrote:
> > Ok, I think I have it. PaX detects and intercepts attempts to execute
> > code on a non-executable stack. SSP/ProPolice detects actual overflows
> > upon return to the caller, but will not necessarily stop a program from
> > "legitimately" executing a non-executable stack if that execution would
> > not result in a stack overflow. Is this correct?
>
> almost ;-). PaX catches execution attempts in any kind of non-exec
> memory, be that the stack or heap or something else.
>
> second, ssp does not concern itself with code execution on the stack
> per se, rather, it wants to ensure that the saved return address on
> the stack isn't modified by a buffer overflow (these two things are
> orthogonal, you can execute code on the stack without overflowing any
> buffer, and you can overflow a buffer without triggering code execution
> on the stack).
>
> on a non-executable stack (e.g., that PaX creates) nothing can be
> executed, regardless of ssp (that's why it's called non-executable).
> ssp also doesn't prevent legitimate stack execution attempts (e.g.,
> nested function trampolines) because they're not triggered by stack
> overflows.
>
> lastly, i think you meant "would not be the result of" instead of
> "would not result in" (in an attack, shellcode execution follows the
> overflow, not the other way around), and yes, ssp isn't triggered
> as long as its canary is left intact.

All the detail I could want and much, much more. Thank you kind sir. I think
I will use PIE/PIC gcc specs only until the SSP bugs get worked out, so that
I can at least enable CONFIG_PAX_NOELFRELOCS in the kernel. But it is good to
know that when they do, SSP should be just fine for my purposes.
--
gentoo-hardened@g.o mailing list
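As an added example (not from the thread or from the PaX/hardened projects), a small POSIX shell audit that checks a built binary for the properties discussed above: an executable-stack marking (what a PaX non-executable stack denies), the SSP canary check, PIE, and text relocations (what CONFIG_PAX_NOELFRELOCS rejects). It assumes binutils `readelf` is on PATH; the function names and output wording are my own.

```shell
#!/bin/sh
# Each check reads the text of one readelf invocation from stdin and exits
# 0 for "yes", 1 for "no", so the parsing can be exercised on captured output.
# audit_binary wires the four checks to a file.

# Executable stack: the GNU_STACK program header's flags column contains E.
# A binary with no GNU_STACK header at all is reported as executable, which
# is what Linux assumes for such binaries.
stack_is_exec() {
    awk '/^ *GNU_STACK/ { seen = 1; if ($7 ~ /E/) ex = 1 }
         END { if (seen && !ex) exit 1; exit 0 }'
}

# SSP canary: code built with -fstack-protector references __stack_chk_fail,
# the routine called on return when the canary next to the saved return
# address has been modified.
has_canary() {
    grep -q '__stack_chk_fail'
}

# PIE: the ELF type is DYN. readelf -h alone cannot tell a PIE from a
# shared library, so run this check on executables only.
is_pie() {
    grep -q '^ *Type: *DYN'
}

# Text relocations: a TEXTREL dynamic entry (or FLAGS bit) means the loader
# must write into the code segment, which CONFIG_PAX_NOELFRELOCS refuses.
has_textrel() {
    grep -q 'TEXTREL'
}

# Run all four checks on one file and print a one-line summary.
audit_binary() {
    f=$1
    readelf -lW "$f" | stack_is_exec && s=exec || s=non-exec
    readelf -sW "$f" | has_canary   && c=yes  || c=no
    readelf -hW "$f" | is_pie       && p=yes  || p=no
    readelf -dW "$f" | has_textrel  && t=yes  || t=no
    printf '%s: stack=%s ssp=%s pie=%s textrel=%s\n' "$f" "$s" "$c" "$p" "$t"
}

# Usage: ./audit.sh /path/to/binary [more binaries...]
for f in "$@"; do
    audit_binary "$f"
done
```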