1 |
On 15 Feb 2008 at 14:14, Geoff Kassel wrote: |
2 |
|
3 |
> > that would work except writing something like that is very hard, definitely |
4 |
> > beyond my time just for the sake to handle something that a coredump |
5 |
> > accomplishes well sans resurrection ability. |
6 |
> |
7 |
> > on a sidenote, why would it be acceptable to store a process image on disk |
8 |
> > whereas a coredump isn't? |
9 |
> |
10 |
> Hmm... I didn't know that you could restore a process fully from a core dump - |
11 |
> hence the question. |
12 |
|
13 |
note the 'sans resurrection ability' above ;). coredumps are for post mortem |
14 |
analysis only. |
15 |
|
16 |
> Memory check-pointing to disk for quick recovery from critical faults (such as |
17 |
> power failure or exploit attempts) |
18 |
|
19 |
trust me, you don't want to resurrect from an exploit attempt ;) |
20 |
|
21 |
> > uhm, but you already have such a control over per-process PaX features. |
22 |
> > either paxctl (which marks the executable's ELF header) or MAC system |
23 |
> > (both grsec and RSBAC provide controls). or i must be not getting your |
24 |
> > problem ;-). |
25 |
> |
26 |
> Having read a little more deeply into the inner workings of PAGEEXEC, |
27 |
> SEGMEXEC, and MPROTECT now, I see now what I was asking is already achievable |
28 |
> by just by removing PAGEEXEC or SEGMEXEC protections for Java or Mono, but |
29 |
> not MPROTECT. |
30 |
|
31 |
it's the exact opposite: you keep the basic non-exec page implementation |
32 |
but omit the strict access control over it (MPROTECT) so that properly |
33 |
written apps can generate code at runtime. Java et al can these days work |
34 |
with only MPROTECT disabled, that wasn't always true due to various bad |
35 |
implementation issues (e.g., for a long time libjvm.so used to have some |
36 |
FPU initialization code in its .data segment, that didn't get far under |
37 |
PaX as you can imagine ;). in an ideal world the non-exec options would |
38 |
just be permanently enabled and only MPROTECT would be a real choice. |
39 |
|
40 |
> However - while I temporarily have your ear :) I'm interested about being able |
41 |
> to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a process in |
42 |
> real-time - while a process is running, or in the hypothetical 'suspended |
43 |
> awaiting administrative approval to continue' state I keep talking about. |
44 |
> |
45 |
> Is such a real-time removal of protections possible with the way PaX is |
46 |
> currently implemented? If not, I think it'd be an interesting feature in the |
47 |
> eventuality of such a process suspension feature being developed. |
48 |
|
49 |
it's obviously possible but it raises more problems than it solves. for |
50 |
one, who would make the decision about forward progress? it obviously can't |
51 |
be the process itself as it's jut got suspended, so it must be some external |
52 |
monitor or a human. in either case, on what grounds would they make this |
53 |
decision? either has various failure modes that would nicely allow an exploit |
54 |
to succeed. |
55 |
|
56 |
-- |
57 |
gentoo-hardened@l.g.o mailing list |