Linked by Eugenia Loli on Sat 3rd May 2003 15:48 UTC, submitted by Jeremy Andrews
Linux

Ingo Molnar has announced a new kernel-based security feature for Linux/x86 called "Exec Shield". He describes the patch, which is against the 2.4.20-rc1 kernel, as: "The exec-shield feature provides protection against stack, buffer or function pointer overflows, and against other types of exploits that rely on overwriting data structures and/or putting code into those structures. The patch also makes it harder to pass in and execute the so-called 'shell-code' of exploits. The patch works transparently, i.e. no application recompilation is necessary."
Linux gets it now too?
by Matthew Baulch on Sat 3rd May 2003 15:50 UTC

Watch out OpenBSD! Well, a bit anyway...

Can't wait until 2.6
by Larry Nguyen on Sat 3rd May 2003 15:54 UTC

One will be able to load a new kernel without restarting the system (2.5.68mm has it, IIRC) plus this patch... priceless.

RE: Can't wait until 2.6
by Karl on Sat 3rd May 2003 16:23 UTC

Larry, can you point to any information about loading a kernel without restarting? I haven't heard of this feature. Sounds real nice ;).

Load a kernel?
by Anonymous on Sat 3rd May 2003 16:37 UTC

WTF are you talking about?

2.5 adds nothing like this.

Does OpenBSD have this too?
by Kevin on Sat 3rd May 2003 16:39 UTC

Given the first comment, does OpenBSD have a similar feature for x86? How is it different/better? Why don't all x86 OS's do this?

RE:DOES OPENBSD HAVE THIS
by Yousef Ourabi on Sat 3rd May 2003 17:08 UTC

No it does not, not now anyway. 3.3 only has it on certain architectures, and I am pretty sure x86 is *NOT* one of them; I do believe that SPARC is one, just as an example.

The patch is against 2.4.21-rc1...
by Kevin Rasmussen on Sat 3rd May 2003 17:26 UTC

not 2.4.20-rc1 as (hoping it gets corrected) noted above.

Why don't all x86 OS's do this? Well, actually some languages/compilers do bounds-checking, and so they are safe in that sense.

In a way one can say that this patch/hack tries to overcome a limitation in C/gcc itself. Use at your own risk!

Correct please!
by acobar on Sat 3rd May 2003 17:28 UTC

This patch is against 2.4.21-rc1, not 2.4.20.

Anyway, sounds very good to me. I'll give it a try.

Thanks for the hard work.

RE:DOES OPENBSD HAVE THIS
by CoronaLVR on Sat 3rd May 2003 17:30 UTC

OpenBSD is using a GCC patch named ProPolice to do the same thing; the patch will be part of GCC 3.4.
The patch also comes with Gentoo by default.

Performance penalty?
by Anonymous on Sat 3rd May 2003 17:47 UTC

What impact does this patch have on performance (I expect it will be quite noticeable)? Have any benchmarks been done?

Gentoo
by wakkabing on Sat 3rd May 2003 18:27 UTC

Gentoo does _NOT_ come with the ProPolice patch by default, but it comes with the ability to use it. See http://cvs.gentoo.org/~method/propolice.html for more info.

RE:Performance penalty?
by Anonymous on Sat 3rd May 2003 19:15 UTC

"What impact has this patch on performance?"

As always: reading helps! I just found the answer myself. For the interested, here is an evaluation of the performance overhead:
http://www.trl.ibm.com/projects/security/ssp/node5.html#SECTION0005...

It seems the upper bound is around 8% performance overhead.

?
by Anonymous on Sat 3rd May 2003 20:22 UTC

Loading your kernel IS restarting.

Windows 2003 server has this already
by Lolala on Sat 3rd May 2003 20:54 UTC

Once again Linux is stealing Microsoft IP and contributing to the downfall of the US economy... I think RMS and all those hippies just want all decent programmers to starve. Come to think of it, open source supports terrorism... as for me, I want programmers to live happy. In fact I bought two copies of Microsoft Windows XP, just to show my support for America in these uncertain times (open source, terrorism, rogue states, WMDs). I think we need to stick together and leave all this communist open source, file sharing behind. If all software and music can be pirated for free, who will want to write software and compose music?

Re: Sorry Karl
by Larry Nguyen on Sat 3rd May 2003 21:01 UTC

I've heard from a friend about it and haven't checked into the details. AW, kexec lets one boot a new kernel instantly.

http://marc.theaimsgroup.com/?l=linux-kernel&m=105186710014254&w=2

Popups!!
by ReallyAngry User on Sat 3rd May 2003 21:17 UTC

WHY??? Ugh...I hate this site.

You wasted man
by Anonymous on Sat 3rd May 2003 21:22 UTC

LoLAaLa. u're truly, deeply wasted ;) . Enjoy your existence.

Instant kernel reboot w/ shutdown
by Nick Slaughter on Sat 3rd May 2003 21:42 UTC

Info on load-linux-in-linux patch (in mm4+) :
http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.5/2.5....

That's all the info I know; surely there are other places, but that's kind of the source of it. Just because it's in akpm's patch tree doesn't mean it'll make it into 2.6 though.

Re: Windows 2003 server has this already
by cowboy_ein on Sat 3rd May 2003 22:06 UTC

"open source supports terrorism..."

you can't be serious...

All of the masked gcc's in portage have ProPolice patched in. One only needs to unmask them, build them and enable ProPolice by adding -fstack-protector. This technically isn't by default since the gcc is masked, but it will hopefully be unmasked before 1.4 final (or the next rc release).

Lolala you rock! :-)
by A reader on Sat 3rd May 2003 22:37 UTC

Nicely said...

kexec info
by Zachary on Sun 4th May 2003 00:14 UTC

I noticed the kernel change w/o reboot patch yesterday when I did an emerge -u world and upgraded my mm-sources on Gentoo. For those curious, in "make xconfig" it states:

kexec system call (EXPERIMENTAL) (KEXEC)
kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And like a reboot you can start any kernel with it not just Linux.

The name comes from the similarity to the exec system call.

It is an ongoing process to be certain the hardware in a machine is properly shut down, so do not be surprised if this code does not initially work for you. It may help to enable device hotplugging support. As of this writing the exact hardware interface is strongly in flux, so no good recommendation can be made.

Lolala
by Anonymous on Sun 4th May 2003 01:15 UTC

I hope you justify what you said about the open source community.

Re: kexec info - Windows has it for years
by mmu_man on Sun 4th May 2003 01:42 UTC

it's called LOADLIN.EXE ;)
Seriously, it's not by cutting down the 20 seconds the BIOS takes at boot that Linux will get from 3 minutes to 10 seconds ;)
No wonder why the Linux syscall table is getting crowded.

another option would be to run UML.

RE: Lolala
by Jonas on Sun 4th May 2003 02:00 UTC

God! I hate these rednecks...

RE: Windows 2003 server has this already
by Jonas on Sun 4th May 2003 02:32 UTC

So what?

...
by Anonymous on Sun 4th May 2003 02:37 UTC

looks like I'll have to go troll-hunting in my city, these idiots are giving my ISP a bad name

Re: Windows 2003 server has this already
by Anonymous on Sun 4th May 2003 03:04 UTC

rofl... nice rogers.com IP. For all of you in the dark, Rogers is one of Canada's largest ISPs.

Damn canucks. Too bad 99% of them have an inferiority complex with the US -- to the point where the majority of their population lives within 50 miles of the border. rofl.

gentoo's gcc w/ propolice
by tv-casualty on Sun 4th May 2003 03:46 UTC

works fine :-)

gcc -v
[snip]
gcc version 3.2.2 20030322 (Gentoo Linux 1.4 3.2.2-r3, propolice)

nothing broken, i hope it gets unmasked soon :-D

RE: Open Source supports terrorists
by Bannor99 on Sun 4th May 2003 05:35 UTC

<sarcasm>Yeah, if there were no OpenSource, terrorism would cease to be.</sarcasm>

Hey, if they can go to the trouble of stealing 4 fully fueled planes to crash into tall buildings, you'd think they'd be capable of pirating software.

It looks like this patch is implementing only a part of the functionality found in the PaX Linux kernel patch (pageexec.virtualave.net). PaX is also part of grsecurity.

In other words, PaX provides several more ways to make buffer overflows harder than the Exec Shield patch does. PaX is also transparent. It *recommends* recompilation and relinking, because it makes buffer overflows harder.

The OpenBSD kernel is somewhere in between these two. It provides somewhat more than the Exec Shield patch. But not as much as PaX. However, it is not available for i386 in the official 3.3 release. It is available in 3.3 current and will be available in 3.4.

For those who want the best protection available for their systems, using PaX plus recompilation and relinking is still the best option (especially in combination with the stack smashing protector, aka ProPolice). This is what the Trusted Debian project is doing (www.trusteddebian.org).
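The non-executable stack that Exec Shield, PaX and the OpenBSD kernel all provide (the headline feature in the summary at the top of the thread, and the point of the comparison in the post above) leaves a defender with one practical question per binary: does it ask the kernel for an executable stack? On Linux that request is carried in an ELF program header of type PT_GNU_STACK, a toolchain convention that arrived alongside Exec Shield and is not mentioned anywhere in this thread, so treat it as background added here: the PF_X bit in that header's p_flags means "executable stack", and a binary with no such header gets whatever the running kernel's default policy is. The script below is an added example written for this page, not code from Ingo Molnar's patch or from any project named here. It parses 32-bit and 64-bit ELF program headers directly so it runs offline, and the sample images it classifies are constructed in-line (valid headers, empty segments) rather than taken from real binaries.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551         # program header type Linux uses to carry the stack permission request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # p_flags bits: execute, write, read


def parse_program_headers(data):
    """Return [(p_type, p_flags), ...] for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"           # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32, the x86 case this thread is about
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, flags_idx = end + "IIIIIIII", 6  # p_flags is the 7th field of a 32-bit phdr
    elif ei_class == 2:                          # ELFCLASS64
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1  # p_type, p_flags come first in a 64-bit phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    if e_phentsize < struct.calcsize(ph_fmt):
        raise ValueError("program header entries too small")
    headers = []
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        headers.append((ph[0], ph[flags_idx]))
    return headers


def stack_policy(data):
    """Classify the stack permissions an ELF image requests from the kernel."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    # No PT_GNU_STACK at all: the kernel's default applies. Mainline Linux has
    # historically granted an executable stack in this case, which is exactly
    # the gap a non-executable-stack kernel patch is meant to close.
    return "unspecified"


def build_elf(ei_class, stack_flags):
    """Constructed minimal ELF image for demonstration only: the headers are well
    formed, the segments are empty, and nothing here comes from a real binary."""
    if ei_class == 1:
        ehsize, phentsize = 52, 32
        def pack_ph(p_type, p_flags):
            return struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 0)
    else:
        ehsize, phentsize = 64, 56
        def pack_ph(p_type, p_flags):
            return struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
    phdrs = [pack_ph(PT_LOAD, PF_R | PF_X)]      # a text segment
    if stack_flags is not None:
        phdrs.append(pack_ph(PT_GNU_STACK, stack_flags))
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\x00" * 9
    if ei_class == 1:   # e_type=ET_EXEC, e_machine=EM_386
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, ehsize, 0, 0,
                           ehsize, phentsize, len(phdrs), 40, 0, 0)
    else:               # e_type=ET_EXEC, e_machine=EM_X86_64
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, ehsize, 0, 0,
                           ehsize, phentsize, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def demo():
    """Classify three constructed images; returns a dict so the verdicts can be checked."""
    return {
        "i386, RW stack": stack_policy(build_elf(1, PF_R | PF_W)),
        "x86-64, RWE stack": stack_policy(build_elf(2, PF_R | PF_W | PF_X)),
        "i386, no GNU_STACK": stack_policy(build_elf(1, None)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
    for path in sys.argv[1:]:                    # real files, if any were given
        with open(path, "rb") as f:
            print("%-22s %s" % (path, stack_policy(f.read())))
```

Run with no arguments to see the three constructed verdicts, or pass paths to real executables and libraries to audit them; `readelf -l` prints the same GNU_STACK entry with RW or RWE flags if you want to cross-check. A library that requests an executable stack is worth noting even on a hardened kernel, because the loader may relax the stack for the whole process when such an object is mapped in.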

gcc?
by Anonymous on Sun 4th May 2003 15:17 UTC

estel:~# gcc --version
gcc.real (GCC) 3.2.3
Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

estel:~#

yeah, sid is nice.

(btw, nicely and easily optimized for -mcpu=pentium3 and some other optimizations -- it's faster, yes; nice that I can do it with only one command)

re: Windows 2003 server has this already
by rasche on Sun 4th May 2003 18:29 UTC

>who will want to write software and compose music?
-Actually, I do...

Lolala
by Roger on Mon 5th May 2003 03:58 UTC

Lolala is obviously being humorous in a trollish way.

Re: Re: Windows 2003 server has this already
by Anonymous on Mon 5th May 2003 06:44 UTC

We Canadians have an inferiority complex? Hah. It amazes me that some of you Americans feel so threatened by us that you need to make fun of us. We don't agree with you guys on many fronts. Deal with it.

Re: Popups!!
by Anonymous on Mon 5th May 2003 11:43 UTC


ReallyAngry User wrote:

> WHY??? Ugh...I hate this site.

Still using 'Internet Explorer', are we?