| 1 |
On 15 Feb 2008 at 14:14, Geoff Kassel wrote: |
| 2 |
|
| 3 |
> > that would work except writing something like that is very hard, definitely |
| 4 |
> > beyond my time just for the sake to handle something that a coredump |
| 5 |
> > accomplishes well sans resurrection ability. |
| 6 |
> |
| 7 |
> > on a sidenote, why would it be acceptable to store a process image on disk |
| 8 |
> > whereas a coredump isn't? |
| 9 |
> |
| 10 |
> Hmm... I didn't know that you could restore a process fully from a core dump - |
| 11 |
> hence the question. |
| 12 |
|
| 13 |
note the 'sans resurrection ability' above ;). coredumps are for post mortem |
| 14 |
analysis only. |
| 15 |
|
| 16 |
> Memory check-pointing to disk for quick recovery from critical faults (such as |
| 17 |
> power failure or exploit attempts) |
| 18 |
|
| 19 |
trust me, you don't want to resurrect from an exploit attempt ;) |
| 20 |
|
| 21 |
> > uhm, but you already have such a control over per-process PaX features. |
| 22 |
> > either paxctl (which marks the executable's ELF header) or MAC system |
| 23 |
> > (both grsec and RSBAC provide controls). or i must be not getting your |
| 24 |
> > problem ;-). |
| 25 |
> |
| 26 |
> Having read a little more deeply into the inner workings of PAGEEXEC, |
| 27 |
> SEGMEXEC, and MPROTECT now, I see now what I was asking is already achievable |
| 28 |
> by just by removing PAGEEXEC or SEGMEXEC protections for Java or Mono, but |
| 29 |
> not MPROTECT. |
| 30 |
|
| 31 |
it's the exact opposite: you keep the basic non-exec page implementation |
| 32 |
but omit the strict access control over it (MPROTECT) so that properly |
| 33 |
written apps can generate code at runtime. Java et al can these days work |
| 34 |
with only MPROTECT disabled, that wasn't always true due to various bad |
| 35 |
implementation issues (e.g., for a long time libjvm.so used to have some |
| 36 |
FPU initialization code in its .data segment, that didn't get far under |
| 37 |
PaX as you can imagine ;). in an ideal world the non-exec options would |
| 38 |
just be permanently enabled and only MPROTECT would be a real choice. |
| 39 |
|
| 40 |
> However - while I temporarily have your ear :) I'm interested about being able |
| 41 |
> to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a process in |
| 42 |
> real-time - while a process is running, or in the hypothetical 'suspended |
| 43 |
> awaiting administrative approval to continue' state I keep talking about. |
| 44 |
> |
| 45 |
> Is such a real-time removal of protections possible with the way PaX is |
| 46 |
> currently implemented? If not, I think it'd be an interesting feature in the |
| 47 |
> eventuality of such a process suspension feature being developed. |
| 48 |
|
| 49 |
it's obviously possible but it raises more problems than it solves. for |
| 50 |
one, who would make the decision about forward progress? it obviously can't |
| 51 |
be the process itself as it's jut got suspended, so it must be some external |
| 52 |
monitor or a human. in either case, on what grounds would they make this |
| 53 |
decision? either has various failure modes that would nicely allow an exploit |
| 54 |
to succeed. |
| 55 |
|
| 56 |
-- |
| 57 |
gentoo-hardened@l.g.o mailing list |
Archives