June 09, 2007

Pro C is Pro

There was a discussion of how to lock down the compsoc gaming account so that programs such as Firefox couldn't simply execute arbitrary files they had downloaded. A suggestion brought to the table by Bucko & Fred was to use LD_PRELOAD to stop the exec from ever being made: the preloaded library replaces libc's execve() wrapper, which is what any dynamically linked program goes through to launch a file. So after failing at tower defense and hero defense until gone 4am, I felt like trying something which both suited my skillset better and achieved something more productive. The whole thing worked within about 20 minutes, which I attribute to Google and C being quite good for this kind of thing. Here's some code:

#include <errno.h>
#include <stdio.h>

/* Replaces libc's execve() in every dynamically linked program that loads
 * this library through LD_PRELOAD. Nothing is forwarded, so every exec fails. */
int execve(const char *filename, char *const argv[], char *const envp[]) {
    printf("in your syscalls, stopping your execs\n");
    errno = EACCES;   /* callers check errno when execve() returns -1 */
    return -1;
}

If you want to compile this, try pasting into 'noexec.c' and then running ...

gcc -fPIC -shared -o noexec.so noexec.c

... now, compare the output between …

bash -c 'exec ls -l'

... and …

LD_PRELOAD=./noexec.so bash -c 'exec ls -l'

Realising how easy that was brings many possibilities to the table, and I'm sure someone else has done them before, but it's opened my eyes somewhat.

a. dtrace implemented in userspace
b. implementing a security manager, similar to the one java has, but for arbitrary executables
c. hilarious comedy
d. FUSE in userspace (Bucko suggested this and he’s bloody right – does FUSE need to be a kernel module?)
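As a worked version of the idea above (added here as an example; it is not the code from the post, nor Bucko's or Fred's), here is a shim that refuses only execs outside a compiled-in allowlist and forwards the rest. The allowed directories, the exec_allowed and env_keeps_preload helpers and the "noexec:" message are all assumed names for the example. Allowed calls go to the kernel with syscall(SYS_execve) rather than dlsym(RTLD_NEXT, "execve"); both work, but the dlsym route needs -ldl on older glibc. The shim also refuses an exec whose environment has lost LD_PRELOAD, because scrubbing the environment before exec is the easiest way for a program to launch a child that the shim never sees. The same limits apply as to the original: only dynamically linked programs calling libc's wrapper are covered, the loader ignores LD_PRELOAD for set-uid binaries, and anything issuing the system call directly walks straight past it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Directories a program may exec from (assumed policy for this example).
 * The trailing slash stops "/binx/evil" from matching "/bin". */
static const char *const allowed_dirs[] = { "/bin/", "/usr/bin/", NULL };

/* Returns 1 if `path` names a file sitting directly inside one of
 * allowed_dirs once symlinks and ".." are resolved, else 0.  Relative
 * paths are refused: execve() resolves them against the current directory,
 * which is where a downloaded file tends to be. */
int exec_allowed(const char *path)
{
    char resolved[PATH_MAX];

    if (path == NULL || path[0] != '/')
        return 0;
    /* realpath() fails for a missing file; refuse, the kernel would have
     * failed the exec anyway.  (It may allocate, which matters if we are
     * running in the child of a multithreaded fork.) */
    if (realpath(path, resolved) == NULL)
        return 0;
    for (const char *const *d = allowed_dirs; *d != NULL; d++) {
        size_t n = strlen(*d);
        if (strncmp(resolved, *d, n) == 0           /* under the directory ... */
            && resolved[n] != '\0'                  /* ... not the directory itself */
            && strchr(resolved + n, '/') == NULL)   /* ... and not in a subdirectory */
            return 1;
    }
    return 0;
}

/* Returns 1 if `envp` still carries a non-empty LD_PRELOAD, so the child
 * will load this shim as well; 0 if the caller scrubbed it. */
int env_keeps_preload(char *const envp[])
{
    if (envp == NULL)
        return 0;
    for (char *const *e = envp; *e != NULL; e++)
        if (strncmp(*e, "LD_PRELOAD=", 11) == 0 && (*e)[11] != '\0')
            return 1;
    return 0;
}

/* The interposed execve().  Every dynamically linked program started with
 * LD_PRELOAD=./noexec.so resolves execve() to this instead of libc's copy.
 * Allowed calls are handed straight to the kernel via syscall(2). */
int execve(const char *filename, char *const argv[], char *const envp[])
{
    if (!exec_allowed(filename) || !env_keeps_preload(envp)) {
        fprintf(stderr, "noexec: refusing to exec %s\n", filename);
        errno = EACCES;   /* callers look at errno when we return -1 */
        return -1;
    }
    return (int)syscall(SYS_execve, filename, argv, envp);
}
```

Build it the same way as the original (gcc -fPIC -shared -o noexec.so noexec.c); then LD_PRELOAD=./noexec.so bash -c 'exec ls -l' still works, because bash resolves ls to /bin/ls or /usr/bin/ls before calling execve(), while LD_PRELOAD=./noexec.so bash -c 'exec /tmp/downloaded' or 'exec ./downloaded' is refused with EACCES. The env check means env -u LD_PRELOAD can no longer be used from inside the shimmed shell to start a clean child either.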


- 4 comments

  1. Fred

    b) Implementing a security manager: this must be implemented in kernel space. It really must. Otherwise the program can just use asm and do the syscall directly to the kernel, without using libc. Even if the program doesn’t use asm, this is still a problem:

    1) If there’s a security hole allowing arbitrary code execution
    2) If the above isn't an issue, i.e. you trust the program, why do you want a security manager in the first place.

    Of course, these comments only apply to a generic security manager, not one just designed to stop a few specific bits of functionality in a given program.

    09 Jun 2007, 12:16

  2. LD_PRELOAD doesn’t work with statically linked binaries.
    Also, see my post to the exec list on using LD_PRELOAD to lock down outgoing connections: it's roughly the same idea, write your own connect function that checks the arguments and sets errno and returns -1 if you want to reject it (a more elaborate version would allow the netmask to block to be set in an environment variable).
    Forwarding to the real connect requires using dlsym(RTLD_NEXT, "connect") to pull the function from libc.

    10 Jun 2007, 19:42

  3. Re: FUSE in userspace

    I seriously doubt that FUSE would have been included in mainline kernel if this was possible, especially since it had to be approved by several core kernel maintainers.
    Not only is there the statically linked binary problem, but you’re setting yourself up for serious headaches for locking and keeping a coherent state between every single process (which is a solved problem for the kernel’s VFS layer).

    10 Jun 2007, 19:53

  4. Anton Oussik

    FUSE does not have to be a kernel module, but then you do need a microkernel or similar under it.

    11 Jun 2007, 09:49
