home linux email

Sick Security Ideas

This is a collection of obstacles designed to impede system crackers, often at the expense of some legitimate use. Nothing here is a cure (sorry, cures exist only in theory) but anything that adds an obstacle is good. My collection is limited to the kernel itself.

Term: An "undumpable process" is a process that is not allowed to dump core. Usually that means a suid file was executed.

These must be evaluated for:
a. Effectiveness against attacks. (complete, huge hurdle, weak...)
b. Annoyance factor. (standards compliant, tolerable, major PITA...),

These are adjustable too: they can apply to everyting, only root, only non-root, only undumpable processes (suid/sgid)... Suggestions? Email comments to user acahalan at cs.uml.edu.

mmap shared libraries so that the address contains a 0 byte: Make buffer overflow exploits hard for C/C++ ASCIIZ strings. (done)
can't hard link to files you don't own: Abuse of quota. Keeping buggy suid programs after root removes them (old sendmail version). Race condition exploit to change or remove a file. (done?)
undumpable process can only follow symlinks owned by self and root: Race condition exploit to change or remove a file. (done?)
can't make any link to a file you don't own if in sticky bit dir: Race condition exploit to change or remove a file. (done?)
stack segment must not be executable: Stops most stack-smashing exploits. (done)
root should obey write permission on own files: Trouble for backups, but eliminates need for immutable.
mmap shared libraries at random (crypto random) location: Makes it hard to guess location of system() in libc.
start stack at random (crypto random) location: Stack exploits must use relocatable code to work. This limits the choice of opcodes. (repeated guessing might work eventually, but the crashes can be logged)
can only view own processes and parents thereof in /proc: Privacy, could make some /tmp race conditions hard to exploit. Must hide maps of unreadable executables!
make stack grow up on architectures that support it well: Can't overwrite much on the stack because strcpy() would go away from the arguments and return address.
exec fails if euid, uid, suid, and fsuid don't all match: Stops stupid insecure system() and popen() calls. Stops many stack-smashing exploits.
if undumpable process crashes, log it and maybe kill user: Catches someone probing for holes, locates bug.
can only exec files owned by self or root: For symlink games and '.' in path.
only root can choose unusual argv[0]: prevents hiding (add special case for login shells?) would need to follow non-root symlink to get name
can't exec world writeable files: Executable might be altered.
only 3 files (stdin, stdout, stdio) open on exec: I know this is rough, so maybe only for undumpable processes. You can make a process undumpable by removing read permission. Xdm was passing some kind of TCP/IP control socket to every X program. Might apply to web servers, sendmail...
limit length and chars of filenames, args, and environment: Makes it hard to insert enough legal machine code into buggy suid programs for a stack-smashing exploit. Prevents filenames with dangerous metachars. Prevents filenames with vt100 codes. Prevents leading '-' from causing trouble.
system call to prevent a process from following symlinks: Nonportable way to stop symlink races.