| 1 |
On Sunday, January 28, 2007 02:44, pageexec@××××××××.hu wrote: |
| 2 |
> On 28 Jan 2007 at 3:22, gentoo-hardened-ml-01@××××××.org wrote: |
| 3 |
> > Ok, I think I have it. PaX detects and intercepts attempts to execute |
| 4 |
> > code on a non-executable stack. SSP/ProPolice detects actual overflows |
| 5 |
> > upon return to the caller, but will not necessarily stop a program from |
| 6 |
> > "legitimately" executing a non-executable stack if that execution would |
| 7 |
> > not result in a stack overflow. Is this correct? |
| 8 |
> |
| 9 |
> almost ;-). PaX catches execution attempts in any kind of non-exec |
| 10 |
> memory, be that the stack or heap or something else. |
| 11 |
> |
| 12 |
> second, ssp does not concern itself with code execution on the stack |
| 13 |
> per se, rather, it wants to ensure that the saved return address on |
| 14 |
> the stack isn't modified by a buffer overflow (these two things are |
| 15 |
> orthogonal, you can execute code on the stack without overflowing any |
| 16 |
> buffer, and you can overflow a buffer without triggering code execution |
| 17 |
> on the stack). |
| 18 |
> |
| 19 |
> on a non-executable stack (e.g., that PaX creates) nothing can be |
| 20 |
> executed, regardless of ssp (that's why it's called non-executable). |
| 21 |
> ssp also doesn't prevent legitimate stack execution attempts (e.g., |
| 22 |
> nested function trampolines) because they're not triggered by stack |
| 23 |
> overflows. |
| 24 |
> |
| 25 |
> lastly, i think you meant "would not be the result of" instead of |
| 26 |
> "would not result in" (in an attack, shellcode execution follows the |
| 27 |
> overflow, not the other way around), and yes, ssp isn't triggered |
| 28 |
> as long as its canary is left intact. |
| 29 |
|
| 30 |
All the detail I could want and much, much more. Thank you kind sir. I think |
| 31 |
I will use PIE/PIC gcc specs only until the SSP bugs get worked out, so that |
| 32 |
I can atleast enable CONFIG_PAX_NOELFRELOCS in the kernel. But it is good to |
| 33 |
know that when they do, SSP should be just fine for my purposes. |
| 34 |
-- |
| 35 |
gentoo-hardened@g.o mailing list |
Archives