From: Amon Ott <ao@rsbac.org>
Subject: Re: 1.0.9c-pre4 / 1.1.0-pre1
Date: Fri, 10 Nov 2000 09:38:49 +0100
Next Article (by Subject): Re: 1.0.9c-pre4 Jörgen Sigvardsson
Previous Article (by Subject): 1.0.9c-pre4 Amon Ott
Articles sorted by: [Date]
[Author]
[Subject]
On Thu, 09 Nov 2000 Amon Ott wrote:
> - New EXECUTE requests in sys_mmap and sys_mprotect. Jörgen correctly pointed
> out that mmap can be used to bypass EXECUTE via READ_OPEN and provided a demo
> patch.
> Note: We now have EXECUTE requests for target NONE (SCD other in RC and
> ACL), if no file can be determined for the code to be turned executable. You
> might have to adjust your configuration. The default settings are of course
> working.

I forgot to explain the reason behind it: When a process wants to execute additional code from a file, e.g. from a library, it has to READ_OPEN the file, mmap it with PROT_EXEC and execute the code. The new interception takes place whenever a process requests a data segment to be turned executable. Thanks to Jörgen for pointing all this out!

The new behaviour lets you distinguish between libraries and non-libraries in administration.

But be warned: This is no protection against a malicious program, because on the i386 platform the hardware cannot distinguish between read and execute segments. Unfortunately, i386 being misdesigned, the Linux kernel seems to treat other archs the same way. This leads to the problem that a process can mmap a file as PROT_READ (without EXEC!) and then happily execute the code.

Even with real memory protection, a process could still copy a file to memory by hand, close it and set PROT_EXEC on the memory segment. In this case, you will see an EXECUTE request on target NONE (SCD 'other' in RC and ACL).

However, a malicious program has to be run in the first place, and then it can already contain the code instead of loading it as a library. And you are of course all preventing execution of unchecked programs, are you not?-)

> This version is my release candidate, so please all beat on it and report. I
> need your reports!

Last night I remembered some unfinished logging work in RC syscalls. This will be added, but is very straightforward and not bug prone.

Being so satisfied with this release, I also decided to give it release number 1.1.0. :)

Amon.

-
To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
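Added example (editor's illustration, not code from the mail or from RSBAC): a C program that walks through both code-loading paths Amon describes. It builds a constructed stand-in for a library, a temp file holding only the machine code of a function that returns 42 (bytes for x86/x86-64 and aarch64 are assumed; other architectures are not covered). Path 1 READ_OPENs the file and maps it PROT_READ only, so no PROT_EXEC mmap request is ever made, then jumps into the mapping: where the hardware cannot tell read from execute (pre-NX i386) the code runs, and where it can (NX on x86-64) the jump faults, which the program catches with a SIGSEGV handler instead of dying. Path 2 copies the file into anonymous memory with a plain read(), closes the file, and only then mprotect()s the buffer to PROT_EXEC; that mprotect has no file behind it, which is the situation in which the new EXECUTE request lands on target NONE. Linux is assumed; the /tmp path and the return value 42 are choices of the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed "library": raw machine code for a function returning 42. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char CODE[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };           /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char CODE[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "no constructed code bytes for this architecture"
#endif

enum { EXEC_FAULTED = -1, EXEC_ERROR = -2 };
typedef int (*fn_t)(void);

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Jump to addr; an NX fault (SIGSEGV/SIGBUS) is reported as EXEC_FAULTED. */
static int call_guarded(const void *addr) {
    struct sigaction sa, old_segv, old_bus;
    int rc;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        fn_t f;
        memcpy(&f, &addr, sizeof f);   /* object -> function pointer without a cast warning */
        rc = f();
    } else {
        rc = EXEC_FAULTED;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

/* Write CODE to a temp file and hand back a read-only fd (the READ_OPEN step). */
static int write_code_file(void) {
    char path[] = "/tmp/rsbac-demo-XXXXXX";   /* assumed location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, CODE, sizeof CODE) != (ssize_t)sizeof CODE) { close(fd); unlink(path); return -1; }
    close(fd);
    fd = open(path, O_RDONLY);
    unlink(path);                              /* the fd keeps the inode alive */
    return fd;
}

/* Path 1: mmap the file PROT_READ only, so sys_mmap never sees PROT_EXEC, then run it.
   Without a hardware read/execute distinction this returns 42; with NX it faults. */
static int exec_from_readonly_mapping(void) {
    int fd = write_code_file();
    if (fd < 0) return EXEC_ERROR;
    void *m = mmap(NULL, sizeof CODE, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return EXEC_ERROR;
    int rc = call_guarded(m);
    munmap(m, sizeof CODE);
    return rc;
}

/* Path 2: copy the file by hand into anonymous memory, close it, then flip the
   buffer to PROT_EXEC. The mprotect has no file object behind it, which is the
   case the mail describes as an EXECUTE request on target NONE. */
static int exec_from_anon_copy(void) {
    int fd = write_code_file();
    if (fd < 0) return EXEC_ERROR;
    long page = sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { close(fd); return EXEC_ERROR; }
    ssize_t n = read(fd, buf, sizeof CODE);    /* plain read(), the file is never mmap'ed */
    close(fd);                                 /* file gone before anything is executable */
    if (n != (ssize_t)sizeof CODE) { munmap(buf, page); return EXEC_ERROR; }
    if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) { munmap(buf, page); return EXEC_ERROR; }
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof CODE); /* needed on aarch64 */
    int rc = call_guarded(buf);
    munmap(buf, page);
    return rc;
}

int main(void) {
    int ro = exec_from_readonly_mapping();
    int cp = exec_from_anon_copy();
    printf("PROT_READ file mapping : %s\n",
           ro == 42 ? "ran (hardware does not separate read from execute)"
         : ro == EXEC_FAULTED ? "faulted (execute protection is real here)" : "error");
    printf("anonymous copy + PROT_EXEC: %s\n",
           cp == 42 ? "ran (this is the EXECUTE on target NONE case)" : "error");
    return 0;
}
```

Build with `gcc -o rsbac-exec-demo rsbac-exec-demo.c` and run it. On an NX-capable x86-64 box the first line reports a fault and the second line reports that the copied code ran; the second path is the one that survives real memory protection, and it is exactly where a policy that only grants EXECUTE on files would still let arbitrary code run unless the target-NONE request is denied too.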