Re: 1.0.9c-pre4 / 1.1.0-pre1


From: Amon Ott <ao@rsbac.org>
Subject: Re: 1.0.9c-pre4 / 1.1.0-pre1
Date: Fri, 10 Nov 2000 09:38:49 +0100

Next Article (by Date): Re: 1.0.9c-pre4 Jörgen Sigvardsson
Previous Article (by Date): 1.0.9c-pre4 Amon Ott
Articles sorted by: [Date] [Author] [Subject]


On Thu, 09 Nov 2000 Amon Ott wrote:
> - New EXECUTE requests in sys_mmap and sys_mprotect. Jörgen correctly pointed
> out that mmap can be used to bypass EXECUTE via READ_OPEN and provided a demo
> patch.
> Note: We now have EXECUTE requests for target NONE (SCD other in RC and
> ACL), if no file can be determined for the code to be turned executable. You
> might have to adjust your configuration. The default settings are of course
> working.

I forgot to explain the reason behind it:
When a process wants to execute additional code from a file, e.g. from a
library, it has to READ_OPEN the file, mmap it with PROT_EXEC and execute the
code. The new interception takes place whenever a process requests a data
segment to be turned executable. Thanks to Jörgen for pointing all this out!

The new behaviour lets you distinguish between libraries and non-libraries in
administration.

But be warned: This is no protection against a malicious program,
because on the i386 platform the hardware cannot distinguish between read and
execute segments. Unfortunately, i386 being misdesigned, the Linux kernel seems
to treat other archs the same way. This leads to the problem that a process can
mmap a file as PROT_READ (without EXEC!) and then happily execute the code.

Even with real memory protection, a process could still copy a file to memory
by hand, close it and set PROT_EXEC on the memory segment. In this case, you
will see an EXECUTE request on target NONE (SCD 'other' in RC and ACL).

However, a malicious program has to be run in the first place, and then it
can already contain the code instead of loading it as a library. And you are of
course all preventing execution of unchecked programs, are you not?-)

> This version is my release candidate, so please all beat on it and report. I
> need your reports!

Last night I remembered some unfinished logging work in RC syscalls. This will
be added, but is very straightforward and not bug-prone.

Being so satisfied with this release, I also decided to give it release number
1.1.0. :)

Amon.
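Whether the hardware really separates read from execute, which the mail above says the i386 does not, is something an administrator can check on their own machine before relying on the new mmap/mprotect EXECUTE interception. The probe below is an added example and is not RSBAC code or anything from Amon Ott's mail; it assumes Linux with glibc on x86, x86-64 or AArch64, and the function and file names are my own. It maps an anonymous page, writes a single return instruction into it, drops the mapping to PROT_READ without PROT_EXEC, and calls into it under a SIGSEGV/SIGBUS handler. If the call returns, the CPU executed code from a read-only mapping and a process that mmaps a file PROT_READ can run it without ever triggering an EXECUTE request; if it faults, the read/execute distinction holds and the interception on PROT_EXEC is meaningful.

```c
/* nx_probe.c: does this platform refuse to run code from a PROT_READ-only page?
 * Added example, not RSBAC code. Assumes Linux/glibc on x86, x86-64 or AArch64. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict feature macros hid it */
#endif

static sigjmp_buf probe_env;

/* A fault while calling into the read-only page lands here; jump back out. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the CPU ran code from a page mapped PROT_READ (no EXEC),
 * 0 if the attempt faulted (read and execute are distinguished),
 * -1 if the probe could not be set up on this platform. */
int read_only_page_is_executable(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return -1;

    /* Encoding of a bare "return" instruction for the build architecture. */
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = { 0xC3 };
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
    return -1;   /* unknown instruction set */
#endif

    unsigned char *page = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)page, (char *)page + pg);

    /* Drop WRITE and deliberately do NOT request EXEC: this is the mapping the
     * mail says classic i386 hardware cannot tell apart from an executable one. */
    if (mprotect(page, (size_t)pg, PROT_READ) != 0) {
        munmap(page, (size_t)pg);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int executable;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* avoids the object-to-function pointer cast warning */
        fn();                            /* returns at once if the CPU executed the page */
        executable = 1;
    } else {
        executable = 0;                  /* SIGSEGV/SIGBUS: execute permission enforced */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pg);
    return executable;
}

int main(void)
{
    int r = read_only_page_is_executable();
    if (r < 0) {
        puts("probe could not run on this platform");
        return 2;
    }
    printf("PROT_READ-only page %s executable: %s\n",
           r ? "IS" : "is NOT",
           r ? "a process can run mapped code without a PROT_EXEC request"
             : "the mmap/mprotect EXECUTE interception can be enforced here");
    return 0;
}
```

Build with `gcc nx_probe.c -o nx_probe` and run it. On any processor with no-execute page support (x86-64, AArch64, i386 with PAE and NX) the probe should report that the page is not executable; a result of 1 reproduces exactly the situation the mail describes for classic i386, where the EXECUTE request on mmap is a convenience for administration rather than a barrier.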
