On 03/31/2016 04:44 PM, Theo de Raadt wrote: > Therefore, W^X has always been a policy for software to follow. Meaning, > the libraries won't ask for WX, ld.so won't ask for WX, nothing will. > If something wants to shoot itself in the foot, we could not stop it, > because well.. firefox was asking for it until a few months ago...
Yes, we actually have fairly strict W^X enforcement as an option (which can still be tricked by aliasing), and there's an exception for Firefox in it. >From a security perspective, the main question is whether it makes sense to deny processes the ability to request W|X mappings. I see the value in making sure they don't do this during regular operation, but is it necessary to take away this ability by blocking the syscall with those parameters? So that the process cannot make memory W|X even some code is injected into it, and use that to inject parasitic code? My expectation is that once an attacker can force a process to do that, they can also perform the mprotect after the copy of the injected code, or use some other mechanism to install the parasite (dlopen, for example). Lack of a W|X mapping would not be a substantial hurdle at this point. And parasites probably aren't that relevant as a threat until you have an ecosystem of various forms of host-based intrusion detection. >> Is there a knob to enable W^X enforcement? > > No, we don't have such a knob, because the greater ecosystem isn't > clean enough yet to mandate it. I'd like for us to get there. Thanks for the explanation. It would still be useful for testing purposes, I think, to find any transient W|X mappings which don't show up in /proc. > Well, alias mappings are generally an unsafe practice; in a ROP attack > environment it is likely that variables -- pointing towards the > aliased space -- will be found in registers... or at least registers > pointing at some object ... which points at some object ... which > knows where the alias space is.. Oh. But once one uses PC-relative addressing to reach data (both read-only and read-write), then data pointers leak code address information, too. And if you don't use PC-relative addressing, the address has to come from somewhere else. Florian
