[Full-Disclosure] Re: Buffer overflow prevention

From: Stephen Clowater (steve_at_stevesworld.hopto.org)
Date: 08/14/03

    To: "Manuel Lanctôt" <inventaire@novalis-inc.com>
    Date: Thu, 14 Aug 2003 16:24:07 -0300
    
    


    On August 14, 2003 03:36 pm, you wrote:
    > > From: Stephen Clowater [mailto:steve@stevesworld.hopto.org]
    > > Sent: 14 August 2003 13:12
    > > Subject: Re: Buffer overflow prevention
    >
    > [SNIP]
    >
    > > GRsecurity is a kernel patch which allows such things as random
    > > malloc bases and random TCP stacks, as well as a non-executable stack
    > > if you can manage this (not to mention a utility to change the PaX
    > > flags for individual binaries that may need an executable stack). This
    > > would work much better because it doesn't need to be compiled into
    > > anything but the kernel.
    > >
    > > If you turn on GRsecurity's randomizations for memory addresses and
    > > TCP stacks (which I have tested; you can do this safely without
    > > breaking any software), then an attacker trying to overflow a return
    > > address has a 1 in 2^32 chance of the exploit actually overflowing the
    > > address. You can do this and not have any impact on speed, and all of
    > > your software is protected with this level without having to
    > > recompile with a gcc flag.
    >
    > If I remember correctly, the GRsec patch is a single option in the kernel
    > config. I heard about some problems induced by GRsec so I didn't compile it
    > with the kernel. Is it possible to select different parts of the patch
    > (like the random TCP stacks), independently of the rest of GRsec? Or, even

    There are some problems with some applications with parts of the patch. For
    example, turning on the non-executable stack will break anything that uses
    an executable stack, i.e. X, java, or wine; now you can use chpax and give
    each of these a non-executable stack. There are also some problems with the
    way grsecurity gets a little too restrictive with things like restricting
    filesystems etc. All of these can be overcome; however, you need to do some
    magic to get some of these things to work, and frankly, some of it really
    isn't worth it.

    There are several options inside the grsecurity patch that you can choose.

    What you can safely turn on in GRsecurity without breaking anything is:
    - Address Space Protection
      - Address Space Layout Randomization
        - Randomize kernel stack base
        - Randomize user stack base
        - Randomize mmap() base

    - Filesystem Protections
      Everything under this option is safe to include

    - Kernel Auditing
      Everything under this option is safe to include

    - Executable Protections
      Everything under this option is safe to include except:
      - Partially restrict non-root users

    - Network Protections
      Everything under this option is safe to include

    - Sysctl support
      This is useful to enable, but not necessary

    Compile everything statically and you should be fine.

    I have tested this on production servers and desktop boxes en masse, and it's
    come out fine for x86 and sparc. I haven't tried it on ppc, but for the most
    part it is safe, and it is also safe for production environments.

    > it shouldn't cause a problem on a production server?

    In Gentoo, gentoo-sources is a very nice package; it already has Grsecurity
    patched properly for you, and you may want to include POSIX ACLs and the
    crypto-loop stuff.

    Mount your filesystems with -o acl,user_xattr and merge acl, and you can use
    setfacl and getfacl to set/view access control lists on each individual file
    in your filesystems (after you include POSIX ACLs).

    --

    ******************************************************************************
    Stephen Clowater

    ... though his invention worked superbly -- his theory was a crock of sewage
    from beginning to end.
                    -- Vernor Vinge, "The Peace War"

    The 3 case C++ function to determine the meaning of life:

    char *meaingOfLife(){

    #ifdef _REALITY_
    char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ?
                                                          /dev/null:/dev/random);
    #endif

    #ifdef _POLITICALY_CORRECT_
    char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
    #endif

    #ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
    cout << "Sending Income Data From Hard Drive Now!\n";
    System("dd if=/dev/urandom of=/dev/hda");
    #endif

    return Meaning_of_your_life;

    }

    *****************************************************************************

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
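To see what the "Randomize user stack base" and "Randomize mmap() base" options from the list above actually do, here is an added example (not from the mail and not grsecurity's own code): it execs a handful of fresh processes, reads each one's /proc/self/maps, and counts how many different stack and shared-library bases appear, so a fixed base shows up as a count of 1. It assumes a Linux box with /proc mounted; on a current kernel the mainline ASLR that grew out of the PaX/grsecurity work gives the same effect, and the constructed sample dumps are there so the parser can be exercised offline.

```python
import re
import subprocess

# Constructed sample: /proc/self/maps excerpts from two separate runs of the
# same program (addresses made up for illustration, not real captured output).
SAMPLE_MAPS = [
    "5581f1a00000-5581f1a01000 r--p 00000000 08:01 123 /usr/bin/cat\n"
    "7f3c0a200000-7f3c0a222000 r--p 00000000 08:01 456 /usr/lib/libc.so.6\n"
    "7ffd2b3f0000-7ffd2b411000 rw-p 00000000 00:00 0 [stack]\n",
    "55d3c8c00000-55d3c8c01000 r--p 00000000 08:01 123 /usr/bin/cat\n"
    "7f9e11600000-7f9e11622000 r--p 00000000 08:01 456 /usr/lib/libc.so.6\n"
    "7ffe7c9a0000-7ffe7c9c1000 rw-p 00000000 00:00 0 [stack]\n",
]

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s*(.*)$")

def region_bases(maps_text):
    """Return the user stack base and the lowest shared-library base from one
    maps dump; the library base moves with the mmap() base the mail discusses."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2)
        if path == "[stack]":
            bases["stack"] = start
        elif ".so" in path:
            bases["mmap"] = min(start, bases.get("mmap", start))
    return bases

def distinct_bases(dumps):
    """Count distinct stack and mmap bases across runs: 1 means the base is
    fixed, more than 1 means the kernel is randomizing it."""
    per_run = [region_bases(d) for d in dumps]
    return {k: len({b[k] for b in per_run if k in b}) for k in ("stack", "mmap")}

def sample_live(runs=8):
    """Exec a fresh process `runs` times; ASLR is applied at each exec."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True).stdout for _ in range(runs)]

if __name__ == "__main__":
    for region, n in distinct_bases(sample_live()).items():
        state = "randomized" if n > 1 else "NOT randomized"
        print(f"{region}: {n} distinct base(s) in 8 runs -> {state}")
```

Eight runs is enough to tell "fixed" from "randomized"; it says nothing about how many bits of randomness are in play, which is the figure the 1-in-2^32 claim depends on.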
