Date:      Tue, 25 Aug 1998 13:27:23 -0500 (CDT)
From:      Joel Ray Holveck <joelh@gnu.org>
To:        joelh@gnu.org
Cc:        rotel@indigo.ie, dyson@iquest.net, imp@village.org, dkelly@hiwaay.net, rabtter@aye.net, hackers@FreeBSD.ORG
Subject:   Re: I want to break binary compatibility.
Message-ID:  <199808251827.NAA00645@detlev.UUCP>
In-Reply-To: <199808251811.NAA00561@detlev.UUCP> (message from Joel Ray Holveck on Tue, 25 Aug 1998 13:11:44 -0500 (CDT))
References:  <199808242136.WAA00657@indigo.ie> <199808251811.NAA00561@detlev.UUCP>

>>> Try modifying your system so that one of the flags bits is required to
>>> run a program.  It would then require both the flags bit and the executable
>>> bit.  Make sure the system cannot allow anyone but root to set the chosen
>>> flags bit.  Maybe you could use the immutable flag for this, so that you
>>> get theoretical immutability along with the ability to run code.  You
>>> might want to relax the restriction for root, but maybe not (depending
>>> on how your admin scheme is set up.)
>> None of these hacks achieves security.  You, of all people, should
>> know better.  The original poster should figure out how they are
>> breaking in and close the hole; obfuscation schemes like the above
>> are a waste of time.
> Actually, Dyson's idea is the only one I've seen so far that is actual
> security instead of obfuscation; that is, it is the only suggestion
> that makes it (theoretically) impossible for an intruder to generate
> (and run) an arbitrary executable.  The others just make the file
> difficult to generate, and also require things like custom
> cross-compilers.
> However, Dyson forgot another modification that must go along with
> this: ld.so must also be modified to ignore most environment
> variables.  Otherwise, it would be trivial to execute arbitrary bits
> of code.
> Something in the back of my mind says that there's still one more hole
> dealing with mmap, but I can't place it right now.  Then again, I'm
> running on four hours of sleep I got in a truck stop parking lot.

Actually, having said this, I'll have to say that something else is
mulling around involving a race condition similar to suid sh
scripts, rtld's loading of libraries, chroot, and my three pet
ferrets.  I'm not sure how much of that is relevant.  But just to be
on the safe side, if there are no objections, I would recommend
requiring the dyson bit (TM) to be set in order to mmap with PROT_EXEC
in any case.

Best,
joelh

-- 
Joel Ray Holveck - joelh@gnu.org - http://www.wp.com/piquan
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped
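The point raised above about ld.so needing to ignore its environment variables, shown as an added example that is not code from the thread or from FreeBSD's rtld: a helper that scrubs every LD_* variable from an environment vector before the loader would consult it, the same treatment rtld gives set-uid binaries. The blocked-prefix list and the sample environment are constructed for illustration.

```c
/* Added example, not from the thread or from rtld.  An execute-flag scheme
 * is only as strong as the run-time linker's handling of LD_LIBRARY_PATH,
 * LD_PRELOAD and friends, so the loader must discard them before resolving
 * any library.  scrub_env() compacts envp in place, dropping every variable
 * whose name starts with a blocked prefix, and returns how many it removed. */
#include <stdio.h>
#include <string.h>

/* Prefixes the dynamic linker interprets (illustrative list, assumption). */
static const char *const blocked_prefixes[] = { "LD_", NULL };

static int is_blocked(const char *var)
{
    for (const char *const *p = blocked_prefixes; *p != NULL; p++)
        if (strncmp(var, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Remove blocked variables from a NULL-terminated envp; returns the count. */
size_t scrub_env(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++) {
        if (is_blocked(envp[in]))
            continue;            /* drop: do not copy to output slot */
        envp[out++] = envp[in];  /* keep: compact toward the front */
    }
    envp[out] = NULL;
    return in - out;
}

/* Constructed sample environment so the example runs stand-alone. */
int main(void)
{
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/some/lib.so", "HOME=/root",
                    "LD_LIBRARY_PATH=/some/dir", "TERM=vt100", NULL };
    size_t removed = scrub_env(env);
    printf("removed %zu variable(s)\n", removed);
    for (char **e = env; *e != NULL; e++)
        printf("  %s\n", *e);
    return 0;
}
```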
