Should mprotect(..., PROT_EXEC) be checked by IMA?
Igor Zhbanov
i.zhbanov at omprussia.ru
Wed Apr 3 18:47:15 UTC 2019
On 03.04.2019 21:19, Matthew Garrett wrote:
> On Wed, Apr 3, 2019 at 10:31 AM Igor Zhbanov <i.zhbanov at omprussia.ru> wrote:
>> I'm trying to reduce an attacker's possibilities to inject any new unauthorized
>> code. Currently it could be:
>
> (snip)
>
>> 4) Anonymous executable pages (either new or existing changing to writable).
>> ^ This is what I'm talking about. Because it's relatively easy to create
>> an anonymous executable page to stay below the radar. Because even if you
>> enable signature checking for all opened files it would be possible to
>> simply download the code and execute it directly from the anonymous pages.
>
> There are two possible cases here:
>
> 1) The application is legitimate but can be convinced to open and
> execute malicious code. There should be no such applications that
> download code from the internet and execute it directly, so this can
> be prevented by requiring that files be signed (which has to be done
> to protect against attackers just using an interpreted language
> instead)
> 2) The application is actively malicious. In this case this approach
> is insufficient - an actively malicious application can interpret code
> rather than executing it directly. This can only be prevented by not
> signing malicious applications.
>
> When you talk about "staying below the radar" it implies that you're
> talking about case 2, but the proposed solution is only a speed bump
> rather than a blocker.

But what about a buffer/stack overflow? The application doesn't need to be
malicious. It could be just a web browser or e-mail client processing
some evil file.
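
As an added illustration (not part of this message or of any IMA code), the C program below classifies lines in /proc/<pid>/maps format and flags the anonymous executable mappings from item 4 of the quoted list, which file signature checks never see. The sample lines are constructed, and treating "inode 0, excluding [vdso] and [vsyscall]" as anonymous is this example's assumption; JIT engines will also show up in the result.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format, not taken from a real process. */
static const char *SAMPLE[] = {
    "55d0c8a00000-55d0c8a02000 r-xp 00000000 08:01 131 /usr/bin/cat",
    "7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0",
    "7f1c2a400000-7f1c2a401000 r-xp 00000000 00:00 0",
    "7ffd1b1e0000-7ffd1b201000 rwxp 00000000 00:00 0 [stack]",
    "7ffd1b3f0000-7ffd1b3f2000 r-xp 00000000 00:00 0 [vdso]",
};

/* Returns 2 for an anonymous W+X mapping, 1 for anonymous executable,
 * 0 for anything else, -1 if the line does not parse. */
int classify_maps_line(const char *line)
{
    unsigned long long start, end, offset, inode;
    unsigned int major, minor;
    char perms[5] = "", path[256] = "";
    int n = sscanf(line, "%llx-%llx %4s %llx %x:%x %llu %255[^\n]",
                   &start, &end, perms, &offset, &major, &minor, &inode, path);
    if (n < 7 || strlen(perms) != 4)
        return -1;
    if (perms[2] != 'x' || inode != 0)
        return 0;   /* not executable, or file-backed (covered by file signature checks) */
    if (!strcmp(path, "[vdso]") || !strcmp(path, "[vsyscall]"))
        return 0;   /* kernel-provided pages, executable without a backing file */
    return perms[1] == 'w' ? 2 : 1;
}

int main(int argc, char **argv)
{
    char buf[512];
    int flagged = 0;
    FILE *f = argc > 1 ? fopen(argv[1], "r") : NULL;   /* e.g. /proc/self/maps */
    if (argc > 1 && !f) { perror(argv[1]); return 2; }
    /* With a file argument read it line by line, otherwise walk the sample. */
    for (size_t i = 0; f ? fgets(buf, sizeof buf, f) != NULL
                         : i < sizeof SAMPLE / sizeof *SAMPLE; i++) {
        const char *line = f ? buf : SAMPLE[i];
        int c = classify_maps_line(line);
        if (c > 0) {
            flagged++;
            printf("%s %.*s\n", c == 2 ? "ANON W+X " : "ANON EXEC",
                   (int)strcspn(line, "\n"), line);
        }
    }
    if (f) fclose(f);
    return flagged ? 1 : 0;   /* non-zero exit when anything was flagged */
}
```

A maps snapshot only shows mappings that exist at the moment it is read, so a page made executable briefly and then unmapped is missed; a check at mprotect() time, as the thread subject asks about, does not have that gap.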