Hi folks,
I´m announcing a novell Linux kernel security module implementing
non-exec stack and non-exec heap. I think this is the first Linux module
providing non-exec heap areas. The project can be found at
http://freshmeat.net/projects/rsx
or
http://www.ihaquer.com/software/rsx/
Here a short description from the included Readme file:
---------------------------------------------------------
1. Introduction
---------------
RSX is a Runtime addressSpace eXtender providing on-the fly code
remapping of existing Linux binaries in order to implement
non-executable stack as well as non-exec short/long heap areas. RSX
targets common buffer-overflow problems preventing code execution in
mapped data-only areas. Currently a 2.4.x version of the kernel module
is available.
...
3. How it works?
----------------
The Linux kernel implements a flat-memory modell under the assumption
logical address == virtual address. This basically means that the
code/data/stack segment selectors have the BASE filed set to 0x00000000
and the LIMIT field set to cover the whole 32bit address range.
Unfortunatelly the i386 hardware doesn't provide page-level execution
controll over memory regions. So implementing non-executable memory
areas relly heavily on segmentation. On common i386 Linux systems the
memory mapping looks somewhat like that:
0x08000000 program binary, text, bss, data
short heap
dynamic libs
dynamic libs bss, data
0x40000000 ld.so and its logical parts
long heap
0xbfffffff growing downwards stack area
0xc0000000 unaccessible kernel pages
However, common ELF programms have predefined static mapping and will
never touch the segment registers cs, ds, es, fs, gs, ss. We now use the
following trick:
virtual_address_1 == base1 + offset1
virtual_address_2 == base2 + offset1
where virtual_address_1 is the address the binary has been compiled for,
virtual_address_2 is the address the binary will access if we change the
base1 (for example pointed by the cs register) to be base2. This
technique implies that at the resulting virtual_address_2 there will be
the same physical memory as at the virtual_address_1. This is the point
where we come in. Even if this technique may not work for some weird
binaries, experiments prove that it harmonizes with nearly 100% of
todays ELF binaries.
Tecnically RSX provides on the fly page remapping as well as segment
descriptor exchanging for particular processes. In the default
configuration the remapping base is set to 0x50000000. This cause
problems with kernels configured to support 2 GB of RAM because the
physical RAM is mapped to the region beginning at 0x80000000. Different
workarounds are imaginable but I don't have the time at the moment to
support this.
---------------------------------------------------------
There are few things on my TODO list and I´m working on some
optimisation of the code. However, the module has been tested in the
wild and is working without any problems on about half dozen machines.
Please send comments to [EMAIL PROTECTED]
IhaQueR.
--
ps. I´m looking for a security developer position now.
