Should mprotect(..., PROT_EXEC) be checked by IMA?

Igor Zhbanov i.zhbanov at omprussia.ru
Wed Apr 3 18:47:15 UTC 2019


On 03.04.2019 21:19, Matthew Garrett wrote:
> On Wed, Apr 3, 2019 at 10:31 AM Igor Zhbanov <i.zhbanov at omprussia.ru> wrote:
>> I'm trying to reduce an attacker's possibilities to inject any new unauthorized
>> code. Currently it could be:
> 
> (snip)
> 
>> 4) Anonymous executable pages (either new or existing changing to writable).
>>    ^ This is what I'm talking about. Because it's relatively easy to create
>>    an anonymous executable page to stay below the radar. Because even if you
>>    enable signature checking for all opened files it would be possible to
>>    simply download the code and execute it directly from the anonymous pages.
> 
> There are two possible cases here:
> 
> 1) The application is legitimate but can be convinced to open and
> execute malicious code. There should be no such applications that
> download code from the internet and execute it directly, so this can
> be prevented by requiring that files be signed (which has to be done
> to protect against attackers just using an interpreted language
> instead)
> 2) The application is actively malicious. In this case this approach
> is insufficient - an actively malicious application can interpret code
> rather than executing it directly. This can only be prevented by not
> signing malicious applications.
> 
> When you talk about "staying below the radar" it implies that you're
> talking about case 2, but the proposed solution is only a speed bump
> rather than a blocker.

But what about buffer/stack overflow? The application doesn't need to be
malicious. It could be just a web-browser or e-mail client processing
some evil file.
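
The anonymous executable pages from point 4 can be listed from userspace. The following is an added example, not part of the original message or of IMA: it parses `/proc/<pid>/maps` text and reports executable mappings that have no backing file. The sample maps text is constructed, and the names `Finding` and `anonymous_exec_mappings` are illustrative.

```python
"""List executable mappings with no backing file from /proc/<pid>/maps text."""
import os
from typing import List, NamedTuple

# Constructed sample in /proc/<pid>/maps format (not taken from a real process).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a02000 r-xp 00000000 08:01 131090 /usr/bin/cat
7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0
7f1c2b000000-7f1c2b001000 r-xp 00000000 00:00 0
7f1c2c000000-7f1c2c1c0000 rw-p 001e0000 08:01 131200 /usr/lib/libc.so.6
7ffd1c5f0000-7ffd1c611000 rw-p 00000000 00:00 0 [stack]
7ffd1c7d2000-7ffd1c7d4000 r-xp 00000000 00:00 0 [vdso]
"""

KERNEL_PROVIDED = {"[vdso]", "[vsyscall]"}  # executable by design, mapped by the kernel


class Finding(NamedTuple):
    start: int
    end: int
    perms: str
    label: str       # "" for plain anonymous memory, else e.g. "[heap]" or "[stack]"
    writable: bool   # True when the mapping is writable and executable at once


def anonymous_exec_mappings(maps_text: str) -> List[Finding]:
    findings = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a maps line
        addr, perms, _offset, _dev, inode = fields[:5]
        path = fields[5].strip() if len(fields) == 6 else ""
        if "x" not in perms:
            continue
        # A non-zero inode means a file backs the mapping, which is the case
        # file signature checks can see; kernel-provided pages are expected.
        if inode != "0" or path in KERNEL_PROVIDED:
            continue
        start, end = (int(part, 16) for part in addr.split("-"))
        findings.append(Finding(start, end, perms, path, "w" in perms))
    return findings


if __name__ == "__main__":
    maps_path = "/proc/self/maps"
    text = open(maps_path).read() if os.path.exists(maps_path) else SAMPLE_MAPS
    for f in anonymous_exec_mappings(text):
        flag = "W+X" if f.writable else "X"
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {flag} {f.label or '(anonymous)'}")
```

JIT runtimes create such mappings legitimately, so the output is a triage list rather than a verdict.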


