Re: [uml-user] SKAS and the location of userland stack

[Martin Maney <uml-list-sub@tw...>]

On Sun, Mar 23, 2003 at 03:50:28PM +0100, Jan Hudec wrote:
> On Sun, Mar 23, 2003 at 08:22:03AM -0600, Martin Maney wrote:
> > So, the question is: does using SKAS automagically return the userland
> > stack to its traditional location, or does that still depend upon the
> > 'honeypot' option?
> 
> It does so, because it has no reason to do otherwise. SKAS mode has

I thought that might be the case.  The next question, then, is how
useful is the non-standard stack location in breaking typical exploits? 
Or perhaps that should be how easy is it to work around the relocated
stack - if it's pretty simple to modify exploits, or only a few are
affected by it, then it may not be worth bothering with.

In the long run (but not too long, I hope!), I'm headed towards a
firewall/gateway appliance: the host OS would be little more than a
router and the hardware base for services running in (mostly?) separate
UML instances.  The objective is to get as much of the security
advantage of running separate servers as possible without needing N
separate boxes or the expense of a multi-blade box, etc.  It's coming
along pretty well considering how little free time I've had recently!

-- 
Now people have pondered this time and again (Who dies? Everyone dies)
We suspect that we're more than mere mortal remains (Oh, everyone dies)
Wise men and prophets they've all had their say
  on the nature of our afterlives
But in case there's no beer there we'll have one more round (Oh everyone dies)
 -- James Keelaghan in "Who Dies?", an upbeat song about mortality

[uml-user] SKAS and the location of userland stack

[Martin Maney <uml-list-sub@tw...>]

I know that one thing SKAS does that's good for making UML look more
like a regular Linux system is allowing the UML userland's stack to be
at the customary location.  For my purposes, the normalization of the
userland stack's location would be a (slight) anti-feature.  I don't
care if it's "obvious" that it's a virtual system, and whatever extent
to which it breaks attack scripts is a nice bonus.

So, the question is: does using SKAS automagically return the userland
stack to its traditional location, or does that still depend upon the
'honeypot' option?

Thanks!

-- 
Microsoft, which used to say all the time that the software business
was ruthlessly competitive, is now matched against a competitor whose
model of production and distribution is so much better that Microsoft
stands no chance of prevailing in the long run. They're simply trying
to scare people out of dealing with a competitor they can't buy,
can't intimidate and can't stop. -- Eben Moglen

Re: [uml-user] SKAS and the location of userland stack

[Jan Hudec <bulb@uc...>]

On Sun, Mar 23, 2003 at 08:22:03AM -0600, Martin Maney wrote:
> 
> I know that one thing SKAS does that's good for making UML look more
> like a regular Linux system is allowing the UML userland's stack to be
> at the customary location.  For my purposes, the normalization of the
> userland stack's location would be a (slight) anti-feature.  I don't
> care if it's "obvious" that it's a virtual system, and whatever extent
> to which it breaks attack scripts is a nice bonus.
> 
> So, the question is: does using SKAS automagically return the userland
> stack to its traditional location, or does that still depend upon the
> 'honeypot' option?

It does so, because it has no reason to do otherwise. SKAS mode has
memory maps of kernel and user threads completely separated and
independent. There is nothing from the kernel part left in the user
thread and thus it has customary layout.

-------------------------------------------------------------------------------
						 Jan 'Bulb' Hudec <bulb@...>

Re: [uml-user] SKAS and the location of userland stack

[Martin Maney <uml-list-sub@tw...>]

On Sun, Mar 23, 2003 at 03:50:28PM +0100, Jan Hudec wrote:
> On Sun, Mar 23, 2003 at 08:22:03AM -0600, Martin Maney wrote:
> > So, the question is: does using SKAS automagically return the userland
> > stack to its traditional location, or does that still depend upon the
> > 'honeypot' option?
> 
> It does so, because it has no reason to do otherwise. SKAS mode has

I thought that might be the case.  The next question, then, is how
useful is the non-standard stack location in breaking typical exploits? 
Or perhaps that should be how easy is it to work around the relocated
stack - if it's pretty simple to modify exploits, or only a few are
affected by it, then it may not be worth bothering with.

In the long run (but not too long, I hope!), I'm headed towards a
firewall/gateway appliance: the host OS would be little more than a
router and the hardware base for services running in (mostly?) separate
UML instances.  The objective is to get as much of the security
advantage of running separate servers as possible without needing N
separate boxes or the expense of a multi-blade box, etc.  It's coming
along pretty well considering how little free time I've had recently!

-- 
Now people have pondered this time and again (Who dies? Everyone dies)
We suspect that we're more than mere mortal remains (Oh, everyone dies)
Wise men and prophets they've all had their say
  on the nature of our afterlives
But in case there's no beer there we'll have one more round (Oh everyone dies)
 -- James Keelaghan in "Who Dies?", an upbeat song about mortality

Re: [uml-user] SKAS and the location of userland stack

[Jan Hudec <bulb@uc...>]

On Sun, Mar 23, 2003 at 09:28:32AM -0600, Martin Maney wrote:
> On Sun, Mar 23, 2003 at 03:50:28PM +0100, Jan Hudec wrote:
> > On Sun, Mar 23, 2003 at 08:22:03AM -0600, Martin Maney wrote:
> > > So, the question is: does using SKAS automagically return the userland
> > > stack to its traditional location, or does that still depend upon the
> > > 'honeypot' option?
> > 
> > It does so, because it has no reason to do otherwise. SKAS mode has
> 
> I thought that might be the case.  The next question, then, is how
> useful is the non-standard stack location in breaking typical exploits? 
> Or perhaps that should be how easy is it to work around the relocated
> stack - if it's pretty simple to modify exploits, or only a few are
> affected by it, then it may not be worth bothering with.

The stack is not always _exactly_ the same poisition (IIRC it's affected
by shared libraries loaded) and the stack pointer definitely varies
quite a lot. So I would guess most exploits would work even with
relocated stack.

> In the long run (but not too long, I hope!), I'm headed towards a
> firewall/gateway appliance: the host OS would be little more than a
> router and the hardware base for services running in (mostly?) separate
> UML instances.  The objective is to get as much of the security
> advantage of running separate servers as possible without needing N
> separate boxes or the expense of a multi-blade box, etc.  It's coming
> along pretty well considering how little free time I've had recently!

It should be pretty hard to break out from a SKAS mode umlinux. It's not
that hard to break from TT mode umlinux (which is really slow if it
should be hard at all). You could use the LIDS patch (to both umlinux
and host) to make it even harder. I have seen working umlinux with LIDS
patches somewhere (usermodelinux.org IIRC). And since you will be doing
only very limited set of operations in each kernel, you can cut down
permissions quite lot.

-------------------------------------------------------------------------------
						 Jan 'Bulb' Hudec <bulb@...>

Re: [uml-user] SKAS and the location of userland stack

[Jeff Dike <jdike@ka...>]

uml-list-sub@... said:
> So, the question is: does using SKAS automagically return the userland
> stack to its traditional location, or does that still depend upon the
> 'honeypot' option? 

It's automagic.  Stack smashes will work on a skas UML if they work on the
host.  This isn't necessarily a bad thing, but I sympathize with those who
saw the old semi-immunity as a feature.

However, I believe there are generic kernel patches which will randomize the
location of user stacks.  This is a far better thing to do than to rely on
the tt UML behaviour.  It's far more robust, since to run a stack smash against
a UML only requires fiddling an address or two in the exploit.

				Jeff

Re: [uml-user] SKAS and the location of userland stack

[Martin Maney <uml-list-sub@tw...>]

On Mon, Mar 24, 2003 at 04:45:28PM -0500, Jeff Dike wrote:
> However, I believe there are generic kernel patches which will randomize the
> location of user stacks.  This is a far better thing to do than to rely on
> the tt UML behaviour.  It's far more robust, since to run a stack smash against
> a UML only requires fiddling an address or two in the exploit.

I'll have to see if I can find that patch, which sounds like it's just
what's wanted.  As for the weakness of the tt mode's relocation, I
wasn't expecting more than a roadbump - hopefully if the exploit didn't
work as expected he'd move along to the next candidate, leaving me more
time to get the fix (or workaround, or take the service down if that's
the best available option) installed.  Security is a process, not a
product, but an onion is still useful.  :-)

-- 
He that questioneth much shall learn much, and content much; but
especially if he apply his questions to the skill of the persons whom
he asketh; for he shall give them the occasion to please themselves
in speaking, and himself shall continually gather knowledge.  But let
his questions not be troublesome, for that is fit for a poser; and
let him be sure to leave other men their turns to speak.  - Francis Bacon