Hi folks,

I'm announcing a novel Linux kernel security module implementing non-exec stack and non-exec heap. I think this is the first Linux module providing non-exec heap areas.

The project can be found at http://freshmeat.net/projects/rsx or http://www.ihaquer.com/software/rsx/

Here is a short description from the included Readme file:

---------------------------------------------------------

1. Introduction
---------------

RSX is a Runtime addressSpace eXtender providing on-the-fly code remapping of existing Linux binaries in order to implement a non-executable stack as well as non-exec short/long heap areas. RSX targets common buffer-overflow problems, preventing code execution in mapped data-only areas. Currently a 2.4.x version of the kernel module is available.

...

3. How it works?
----------------

The Linux kernel implements a flat-memory model under the assumption logical address == virtual address. This basically means that the code/data/stack segment selectors have the BASE field set to 0x00000000 and the LIMIT field set to cover the whole 32-bit address range. Unfortunately the i386 hardware doesn't provide page-level execution control over memory regions, so implementing non-executable memory areas relies heavily on segmentation.

On common i386 Linux systems the memory mapping looks somewhat like this:

  0x08000000  program binary: text, bss, data
              short heap
              dynamic libs
              dynamic libs bss, data
  0x40000000  ld.so and its logical parts
              long heap
  0xbfffffff  stack area, growing downwards
  0xc0000000  inaccessible kernel pages

However, common ELF programs have a predefined static mapping and will never touch the segment registers cs, ds, es, fs, gs, ss. We now use the following trick:

  virtual_address_1 == base1 + offset1
  virtual_address_2 == base2 + offset1

where virtual_address_1 is the address the binary has been compiled for, and virtual_address_2 is the address the binary will access if we change base1 (for example the base pointed to by the cs register) to base2.

This technique implies that at the resulting virtual_address_2 there will be the same physical memory as at virtual_address_1. This is the point where we come in. Even if this technique may not work for some weird binaries, experiments prove that it harmonizes with nearly 100% of today's ELF binaries.

Technically, RSX provides on-the-fly page remapping as well as segment descriptor exchanging for particular processes. In the default configuration the remapping base is set to 0x50000000. This causes problems with kernels configured to support 2 GB of RAM, because the physical RAM is mapped to the region beginning at 0x80000000. Different workarounds are imaginable, but I don't have the time at the moment to support this.

---------------------------------------------------------

There are a few things on my TODO list and I'm working on some optimisation of the code. However, the module has been tested in the wild and is working without any problems on about half a dozen machines.

Please send comments to paulat_private IhaQueR.

--
ps. I'm looking for a security developer position now.
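The following is an added illustration, not code from the post or from RSX, of the segmentation mechanism the Readme excerpt describes: a toy model of i386 base+limit translation that shows why an instruction fetch at a stack address can be made to fault while ordinary data access through the untouched ds keeps working. The base 0x50000000 is the default remapping base the post gives; the code-segment limit and the sample addresses are assumptions of this model (RSX's real descriptor layout is not stated in the post), and only the stack case is shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an i386 segment descriptor: only the two fields the
 * technique depends on. Values below are constructed for this illustration
 * and are not RSX's actual descriptors. */
typedef struct {
    uint32_t base;   /* added to every offset used through this segment */
    uint32_t limit;  /* highest valid offset, inclusive */
} segdesc;

/* Stock Linux flat model: base 0, limit spanning all 4 GB, so the linear
 * address equals the logical one for code and data alike. */
static const segdesc flat_cs = { 0x00000000u, 0xffffffffu };
static const segdesc flat_ds = { 0x00000000u, 0xffffffffu };

/* Hypothetical remapped code segment. Base 0x50000000 is the default
 * remapping base mentioned in the post; the limit is an assumption of this
 * model, chosen so that base + limit ends just below the stack region
 * (0x50000000 + 0x6fffffff == 0xbfffffff). */
static const segdesc rsx_cs = { 0x50000000u, 0x6fffffffu };

/* Segment-relative translation as the CPU performs it: the offset is checked
 * against the limit, then added to the base with 32-bit wraparound.
 * Returns false where hardware would raise a general-protection fault. */
bool seg_translate(const segdesc *seg, uint32_t offset, uint32_t *linear)
{
    if (offset > seg->limit)
        return false;
    *linear = seg->base + offset;
    return true;
}

/* True where an instruction fetch at logical address `ip` through `cs`
 * would fault. This is how a return into bytes placed on the stack dies. */
bool fetch_faults(const segdesc *cs, uint32_t ip)
{
    uint32_t linear;
    return !seg_translate(cs, ip, &linear);
}

/* Linear address an instruction fetch at `ip` resolves to, or 0 on fault.
 * Under the remapped cs the text is fetched from base + ip, which the
 * kernel must back with the same physical pages as the original address. */
uint32_t fetch_linear(const segdesc *cs, uint32_t ip)
{
    uint32_t linear;
    return seg_translate(cs, ip, &linear) ? linear : 0;
}

/* Ordinary loads and stores go through ds, which stays flat, so the program
 * still reads and writes its stack and heap exactly as before. */
bool data_access_ok(const segdesc *ds, uint32_t addr)
{
    uint32_t linear;
    return seg_translate(ds, addr, &linear);
}

/* Sample logical addresses, constructed from the memory map in the post. */
#define TEXT_ADDR  0x08048000u   /* program binary */
#define LDSO_ADDR  0x40001000u   /* ld.so region */
#define STACK_ADDR 0xbffff000u   /* stack, where an overflowed payload lands */

int main(void)
{
    const uint32_t samples[] = { TEXT_ADDR, LDSO_ADDR, STACK_ADDR };
    const char *names[] = { "text", "ld.so", "stack" };

    printf("%-6s %-10s %-12s %-12s %s\n",
           "region", "logical", "flat cs", "rsx cs", "ds access");
    for (int i = 0; i < 3; i++) {
        printf("%-6s 0x%08x ", names[i], samples[i]);
        if (fetch_faults(&flat_cs, samples[i])) printf("%-12s ", "FAULT");
        else printf("0x%08x   ", fetch_linear(&flat_cs, samples[i]));
        if (fetch_faults(&rsx_cs, samples[i])) printf("%-12s ", "FAULT");
        else printf("0x%08x   ", fetch_linear(&rsx_cs, samples[i]));
        printf("%s\n", data_access_ok(&flat_ds, samples[i]) ? "ok" : "FAULT");
    }
    return 0;
}
```

The table the program prints makes the post's point concrete: under the flat cs every address is fetchable, under the remapped cs the text still resolves (to 0x50000000 + its original address, which is why the kernel has to remap those pages), and the stack offset exceeds the segment limit and faults, while data access to the very same stack address through ds is unaffected.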
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 09:39:12 PDT