tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: FWIW: sysrestrict



Le 28/07/2016 à 20:42, Joerg Sonnenberger a écrit :
On Wed, Jul 27, 2016 at 02:48:44PM +0200, Maxime Villard wrote:
It is not trying to "prevent" an attack, it is supposed to restrict what
the attacker can do. Veriexec too is useful only if there is already an
intruder. And mapping .rodata as R reduces the possibility of ROP attacks
only if there is already a vulnerability that could allow an attacker to
jump to a chosen address.

The difference is that correctly configured veriexec is a system-wide
property. It doesn't matter if you can exec something, you don't get to
execute binaries that weren't signed. Separate PT_LOAD for .rodata only
has some memory use and legacy compatibility issues, IMO it doesn't even
qualify as a "security" mechanism but just as actually enforcing the
constraints that exist.

If a vulnerability exists in a software (root or not) that allows control
of the execution flow, the attacker will often have a small payload of
shellcode, and this shellcode will try to load a bigger shellcode. Doing
this involves using special syscalls. If these syscalls are not available
the attack fails. Of course, there are many other things the attacker can
do with the small shellcode, but at least it restricts the attack surface.

The shell-payload model is only that popular because it is trivial to
adopt. Consider it a small portable VM for exploits. As I said earlier,
if your capability system allows more capabilities after an exec than
before without very specific introductions to do so, it is plainly
broken. Arguably, suid is exactly that, but it is a well understood
issue.

So let's look at a RCE exploit in an FTP server. I must be able to do
pretty much arbitrary network IO as FTP server, so the exploited FTP
server process must be able to do the same. I can access all files the
FTP user has access to and possible alo write to given locactions. In
short, I can pretty much do whatever I want with the box and the
operational constraints are likely to be irrelevant. Yes, it is harder
to exploit if you can't actually exec something. For a typical
environment, it won't stop writing a DSO and dlopen'ing it for example.
Or just creating it in memory with all the system call stubs needed.

So let's try again, except protection from script kiddies, what's the
real point?


Let's try again: I have already said it is not the perfect feature, I have
already said that it does not offer the exhaustive isolation people like
you may expect, I have already said that it just restricts syscalls without
totally preventing attacks, I have already said that I don't intend to
commit it anyway, and finally, I have already said that it is just a wild
idea with some code that I have never tested.

You (and Thor) believe the thin layer of security it offers is not that
interesting after all - and at some point, I agree with you. If people
believe that with a few adaptations it could be made better, they are
obviously free to take the code and do whatever they want with it.

But your point more or less comes down to arguing that if a house does not
have a bullet-proof door, then we should just let that door wide open since
someone will still be able to break it with a bazooka anyway. The truth of
the matter is, only few people have bazookas - and only few exploits (as
far as I know) play with dlopen to exploit simple bugs. Most intruders only
have knives and hammers, and it does not mean they are amateurs - most
exploits rely on syscalls, and it does not mean they are written by script
kiddies.

I am not going to insist more on this, I'm not trying to sell anything.


Home | Main Index | Thread Index | Old Index