From: Crispin Cowan [crispin@wirex.com]
Sent: Wednesday, June 06, 2001 3:17 PM
To: Paul Starzetz
Cc: bugtraq@securityfocus.com; sectools@securityfocus.com
Subject: Re: Announcing RSX - non exec stack/heap module

Paul Starzetz wrote:
> Hi folks,
>
> I'm announcing a novel Linux kernel security module implementing
> non-exec stack and non-exec heap. I think this is the first Linux module
> providing non-exec heap areas.

It's not the first. This Oct. 28/2000 Bugtraq post
http://www.securityfocus.com/archive/1/141901
announces "PAX"
http://pageexec.virtualave.net/
which also provides a non-executable heap segment. Then there is the
ensuing discussion over the relative merits of this and various other
forms of buffer overflow defense in these threads:

* http://www.securityfocus.com/archive/1/142819
* http://www.securityfocus.com/archive/1/141980
* http://www.securityfocus.com/archive/1/142688

Summary of my personal view only:

* non-executable segments do add some security value
* non-executable segments are arguably an obscurity defense, because
  attacks exploiting overflow vulnerabilities that are stopped by
  non-executable segments can always be re-worked to be "return into
  libc" style attacks that bypass the non-executable segment by pointing
  directly at code in the code segment
* this obscurity defense arguably has value, because writing
  return-into-libc exploits is hard, and hard to make scriptable,
  because the offsets are fussy

Folks unfamiliar with this area should probably read my survey paper
that compares various buffer overflow defenses
http://immunix.org/StackGuard/discex00.pdf

> Technically RSX provides on the fly page remapping as well as segment
> descriptor exchanging for particular processes. In the default
> configuration the remapping base is set to 0x50000000. This causes
> problems with kernels configured to support 2 GB of RAM because the
> physical RAM is mapped to the region beginning at 0x80000000. Different
> workarounds are imaginable but I don't have the time at the moment to
> support this.

It would appear at first glance that RSX uses the same technique as PAX.
Naturally, the PAX and RSX teams should confer to make a definitive
statement on similarities and differences.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.   http://wirex.com
Security Hardened Linux Distribution:         http://immunix.org
Available for purchase: http://wirex.com//Products/Immunix/purchase.html
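Added example, not part of Crispin's or Paul's post and not RSX or PaX code: a small C check a practitioner can compile on Linux to see whether a process's stack and heap are actually mapped executable, by parsing the permissions column of /proc/self/maps. The [stack] and [heap] labels are what current kernels print; 2.4-era kernels left anonymous mappings unnamed, so there you would have to match on address range instead. The two maps dumps embedded in the block are constructed by hand (one rwx, one with the stack and heap made non-executable), and the paths and function names are this example's own.

```c
/*
 * Added example (not from the RSX or PaX posts): decide, from the text
 * of /proc/<pid>/maps, whether a process's stack and heap are mapped
 * executable. The two maps dumps below are constructed by hand for
 * illustration; the paths and function names are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned long start, end;
    int executable;          /* 'x' bit set in the perms column */
    char name[128];          /* pathname or [stack]/[heap], "" if anonymous */
} map_region;

/* Parse one line such as "bffe0000-c0000000 rwxp 00000000 00:00 0 [stack]".
 * Returns 1 on success, 0 if the line does not look like a maps entry. */
int parse_maps_line(const char *line, map_region *r)
{
    char perms[8], dev[16];
    unsigned long offset, inode;

    r->name[0] = '\0';
    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %127s",
                   &r->start, &r->end, perms, &offset, dev, &inode, r->name);
    if (n < 6)
        return 0;
    r->executable = (perms[2] == 'x');
    return 1;
}

/* Look up a named region in a maps dump.
 * Returns 1 if executable, 0 if not, -1 if no region by that name. */
int region_is_executable(const char *maps_text, const char *region_name)
{
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        map_region r;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (parse_maps_line(line, &r) && strcmp(r.name, region_name) == 0)
            return r.executable;
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Constructed: a 2001-style i386 process where stack and heap are rwx. */
const char MAPS_LEGACY[] =
    "08048000-08049000 r-xp 00000000 03:01 12345 /tmp/victim\n"
    "08049000-0804a000 rw-p 00001000 03:01 12345 /tmp/victim\n"
    "0804a000-0806b000 rwxp 00000000 00:00 0 [heap]\n"
    "40000000-40015000 r-xp 00000000 03:01 6789 /lib/ld-2.2.so\n"
    "bffe0000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

/* Constructed: the same process under a non-exec stack/heap kernel. */
const char MAPS_HARDENED[] =
    "08048000-08049000 r-xp 00000000 03:01 12345 /tmp/victim\n"
    "08049000-0804a000 rw-p 00001000 03:01 12345 /tmp/victim\n"
    "0804a000-0806b000 rw-p 00000000 00:00 0 [heap]\n"
    "40000000-40015000 r-xp 00000000 03:01 6789 /lib/ld-2.2.so\n"
    "bffe0000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Read this process's own map and report. Linux-only: elsewhere there
 * is no /proc/self/maps and the function just returns -1. */
int report_self(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("this process: stack executable=%d heap executable=%d\n",
           region_is_executable(buf, "[stack]"),
           region_is_executable(buf, "[heap]"));
    return 0;
}

int main(void)
{
    printf("legacy   stack=%d heap=%d\n",
           region_is_executable(MAPS_LEGACY, "[stack]"),
           region_is_executable(MAPS_LEGACY, "[heap]"));
    printf("hardened stack=%d heap=%d\n",
           region_is_executable(MAPS_HARDENED, "[stack]"),
           region_is_executable(MAPS_HARDENED, "[heap]"));
    report_self();
    return 0;
}
```

A result of 1 for [stack] or [heap] means the kernel hands out those pages with the execute bit, which is exactly what a module like RSX or PaX is meant to remove; a 0 there is only half the story, since, as the post notes, return-into-libc still has the r-x mappings of the binary and its libraries to aim at.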