
Re: spender@grsecurity.net: Re: PowerPC W^X



spender@grsecurity.net writes:

> 2) Demote the executable bit in the data segment, thus breaking POSIX as
> you are not able to honor the protections on the mapping.

No, it doesn't break POSIX. You read the sentence "If an implementation
cannot support the combination of access types specified by prot, the
call to mmap() shall fail.", but you conveniently forget to read the
next sentence that says: "An implementation may permit accesses other
than those specified by prot; however, if the Memory Protection option
is supported, the implementation shall not permit a write to succeed
where PROT_WRITE has not been set or permit any access where PROT_NONE
alone has been set. The implementation will support at least the
following values of prot: PROT_NONE, PROT_READ, PROT_WRITE, and the
inclusive OR of PROT_READ and PROT_WRITE."

Now, tell me. Where does it break POSIX? Or do you work in marketing?

> Also, I'm curious why you tout random stack gap (and your other recent
> features for that matter) without discussing the other end of the issue?
> Your random stack gap provides only 8 bits of randomness, not the 10 you
> think.  Regardless, 8-10 bits is merely an obscurity defense, of which I
> am sure you are aware.  The exploit does not even need to be reworked,
> only executed a few more times (and with 8 bits of randomness, this can
> be done in a second).  Could you point me to a discussion of this
> feature where you discuss it as what it is, an obscurity feature?

It's an obscurity feature. Something that I hacked up on the train from
HAL 2001 to Paris because I had a hang-over. It makes it more probable that a
daemon crashes and leaves a mess in logs instead of being exploited on
every attempt.

> Also, the following email to misc@ is still requiring an answer:
> 
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=105076448801556&w=2
> 
> I would personally be interested in your timeline, since as it stands
> we've heard several reports of OpenBSD being introduced to PaX during
> HAL2001, and I gave a presentation in the early summer of 2002 on PaX
> and full ASLR, for which several OpenBSD developers were in attendance
> (and an OpenBSD developer who is no longer one).

At HAL2001 we were drinking beer, partying and we were besieged by
hundreds of people who thought that just because they'd come into our
tent and started spewing ideas at us they'd get credit for our
work. It's very possible that the stack gap randomization and other
ideas we implemented were presented to us at HAL. It's even very possible
that the idea of random stack gap popped up in my head (or was it
Theo's? I don't even remember) because someone told me about something like
that when I was drunk. But we've never tracked all the thousand ideas
that people were throwing at us, since most of them were stupid.

It would be different if you gave us a paper with an idea, outlining
the possible implementations, measurement of advantages and
disadvantages, with proper research and references. But don't expect us
to remember to credit someone who gives us an idea at 2am in the
morning when we're in the middle of a party and completely drunk.
HAL2001 wasn't a serious event, it was a party.

//art
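The two POSIX sentences argued over above can be checked empirically. The following C program is an added example and is not code from either poster or from OpenBSD; it assumes a POSIX system with anonymous mappings (MAP_ANONYMOUS) and an x86-style fault delivered as SIGSEGV or SIGBUS. It first asks for a PROT_READ|PROT_WRITE|PROT_EXEC mapping, which the standard says must either be granted or fail outright (the first sentence). It then follows the W^X-compatible sequence a JIT or loader would use: map RW, fill the buffer, flip it to RX with mprotect, and verify that a write now faults (the second sentence: no write may succeed where PROT_WRITE is absent). No code in the buffer is ever executed; the buffer is zero-filled.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target used to recover from the deliberately provoked fault. */
static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* also restores the signal mask saved by sigsetjmp */
}

/* Try one byte store to p with SIGSEGV/SIGBUS trapped.
 * Returns 1 if the kernel refused the write (fault delivered), 0 if it went through. */
static int write_is_refused(volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int refused = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_jmp, 1) == 0)
        *p = 0;                 /* the probe write; faults if PROT_WRITE is not set */
    else
        refused = 1;            /* we arrived here via siglongjmp from the handler */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return refused;
}

/* Request a W+X anonymous mapping directly.
 * Returns 1 if granted, 0 if mmap failed (POSIX-conforming refusal of the prot combination). */
int rwx_mapping_granted(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* W^X-friendly sequence: RW mapping, fill it, then drop PROT_WRITE in favour of PROT_EXEC.
 * Returns 1 if a write after the flip is refused (correct behaviour),
 *         0 if the write silently succeeds (the mapping was left writable),
 *        -1 if mmap or mprotect itself failed. */
int wx_write_refused_after_rx(size_t len)
{
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    memset(buf, 0, len);        /* "code" would be written here; zeros are used instead */
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, len);
        return -1;
    }
    int refused = write_is_refused(buf);
    munmap(buf, len);
    return refused;
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int rwx = rwx_mapping_granted(page);
    printf("direct RWX mapping: %s\n", rwx ? "granted" : "refused by mmap (POSIX-conforming)");
    int r = wx_write_refused_after_rx(page);
    if (r < 0)
        printf("RW->RX sequence: mmap/mprotect failed: %s\n", strerror(errno));
    else
        printf("write after RW->RX flip: %s\n", r ? "refused (correct)" : "SUCCEEDED (protection not honoured)");
    return 0;
}
```

Whether the first probe reports "granted" or "refused" depends on the kernel's policy (a W^X system may legitimately reject the combination); either answer is within the standard. What the standard does not allow, and what the second probe detects, is a write succeeding on a mapping from which PROT_WRITE has been removed.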