Aleph, please kill my article if someone else says it better/first. I've been
waiting in silence for Solar Designer to speak up and end the debate about how
to do this, but I guess he's away from his e-mail.
Glynn Clements wrote:
> Christopher Rhodes wrote:
> > I think one of the major problems with the Linux implementation, and
> > apparently windows too, is that noone pays attention to the added security
> > provided by segmentation (at least to the point of putting the stack on a
> > different segment?)
>
> Having separate non-overlapping stack and data segments causes a great
> many problems if you want to be able to write programs in C, given
> that a data pointer has to be able to record the address of any
> variable, regardless of whether it is static (data segment) or
> automatic (stack segment).
This work has already been done: there is a kernel patch for Linux that makes
the stack segment non-executable. For details, go read Solar's source:
http://www.openwall.com/linux/
> There are workarounds (i.e. foregoing the simplicity of a flat memory
> model), but these are invariably either inefficient (e.g. the "huge"
> memory model found on 16-bit x86 C compilers), or not actually C (e.g.
> the "near" and "far" keywords in the language-which-looks-like-C-but-isn't
> that was commonly used for 16-bit x86 development).
The kernel patch makes no such compromise. As near as I can tell, it is
completely performance neutral, and largely transparent. The only compromise
is that special handling for signal delivery is required, which the kernel
patch provides.
> Also, using segmentation pretty much guarantees that your OS cannot be
> made to run on anything other than the x86 architecture (which is
> about the worst of the bunch; no sane person would use x86 if wasn't
> for the compatibility issues).
Other, more sane, processors provide for read & no-execute pages, so you use a
different kernel MMU mechanism to make the stack non-executable. Thus, Casper
Dik has a similar kernel enhancement for Solaris that makes the stack
non-executable.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
