[Gllug] just preaching to the converted !

Daniel P. Berrange dan at berrange.com
Wed Oct 26 09:58:19 UTC 2005


On Wed, Oct 26, 2005 at 10:48:39AM +0100, Huw Lynes wrote:
> On Tue, 2005-10-25 at 22:43 +0100, Nix wrote:
> 
> > (This is just one of the reasons why I prefer *not* to use precompiled
> > binaries. I'm wondering about the feasibility of adding random
> > perturbations to stack frames as well, done with zero overhead by a
> > suitable rand() call in GCC... hm, I shall have to hack that up.)
> > 
> Isn't that essentially what PIE and PIC do? Which I think Fedora and
> others turn on by default these days.

ExecShield randomization works on PIE (Position Independent Executable)
programs and PIC shared libraries to randomize the location of
the start of the stack, the program heap, and the address at which
shared libraries are mmap()d into a process. An ever increasing number
of programs in Fedora & RHEL are built as PIE/PIC binaries enabling
randomization. You can run this script

  http://people.redhat.com/drepper/lsexec

against a system to see which programs are protected by this feature.
For more info there's quite a few docs around.

  http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
  http://www.redhat.com/magazine/006apr05/features/security/
  http://www.redhat.com/magazine/009jul05/features/execshield/
  http://people.redhat.com/drepper/nonselsec.pdf

The main problem with stack randomization is that the 4 GB process
address space on 32-bit architecture limits the level to which one
can randomize things. While it's good at protecting against remote
users, there's not enough scope for randomization to prevent a
brute force attack from a local user. Switching to 64-bit gives one
a huge address space to play with, making brute force attack pretty
much impractical.

Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
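As an added illustration of the PIE/PIC point above (example code, not from the list post or from Ulrich Drepper's lsexec script), the ELF header of a binary shows whether it was built position independent: a PIE executable is marked `ET_DYN`, like a shared library, while a fixed-address executable is `ET_EXEC`; the same header also records whether it is a 32-bit or 64-bit object, which is what bounds the randomization range the post discusses. The sample headers are constructed inline so the check runs offline; note that an `ET_DYN` executable only benefits from randomization if the kernel actually has it enabled (`/proc/sys/kernel/randomize_va_space` on Linux).

```python
import struct

# Constants from the ELF specification (e_ident fields and e_type values)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
E_TYPE_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def classify_elf(header: bytes) -> dict:
    """Inspect the first 20 bytes of an ELF file.

    Returns the word size (32 or 64), the e_type name, and whether the
    object is position independent (ET_DYN), which is how both a PIE
    executable and a PIC shared library appear to the loader.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError("unknown ELF class %d" % ei_class)
    # e_type is a 16-bit field at offset 16; its byte order follows EI_DATA
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {
        "bits": 64 if ei_class == ELFCLASS64 else 32,
        "e_type": E_TYPE_NAMES.get(e_type, "unknown(%d)" % e_type),
        "position_independent": e_type == ET_DYN,
    }


def classify_file(path: str) -> dict:
    """Read just the header of an on-disk binary and classify it."""
    with open(path, "rb") as f:
        return classify_elf(f.read(20))


# Constructed sample headers (not real binaries): magic, class, data,
# version, OS ABI, 8 bytes of padding, then e_type and e_machine.
SAMPLE_PIE_64 = (ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0])
                 + b"\0" * 8 + struct.pack("<HH", ET_DYN, 62))
SAMPLE_EXEC_32 = (ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0])
                  + b"\0" * 8 + struct.pack("<HH", ET_EXEC, 3))

if __name__ == "__main__":
    import sys
    # Usage: python pie_check.py /path/to/binary ...
    for p in sys.argv[1:]:
        print(p, classify_file(p))
```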