UNIX Socket FAQ

A forum for questions and answers about network programming on Linux and all other Unix-like systems


#1 2008-01-30 08:02 PM

caruccio
Member
From: Porto Alegre, Brasil
Registered: 2005-02-08
Posts: 47

Re: mprotect() all process but a buffer

Hello,

I need to protect my process from an external module's execution. What I have is a module loading and executing system where functions from the module must not kill the whole process. This function must have write access to a buffer, pre-allocated at process startup.

I'm thinking of mprotect()ing all my valid pages, then mprotect(PROT_READ|PROT_WRITE) only the "shared" buffer.

The questions are:

- how to protect my process from {strcpy(0, 0)} or {ptr=0; *ptr=0;} without killing me?

- if I mprotect(PROT_READ) all pages, then mprotect(PROT_READ|PROT_WRITE) the buffer, how do I go back to the right permissions on the right pages after executing the external function?

- how to permit the dlopen()ed lib to run after protecting?

I hope I'm being clear.

Caruccio


#2 2008-01-30 08:37 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: mprotect() all process but a buffer

The cleanest and safest way would be to run the library code in a separate
process with a fork. The buffer can be shared with shared memory (either
sysv or posix style).

As for your question: Catching a bunch of signals like SIGSEGV, SIGBUS,
SIGABRT, etc. with a special signal handler is a start, but restoring state
after one happened can be tricky, and won't stop libraries from installing
their own handler. Same for your mmap thing: They can undo that if they
want.

So for both robustness and security I'd go for forking a new process. I don't
think it's that much slower than calling those mprotect calls in practice.

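The in-process approach the original poster sketches, and that i3839 above calls "a start", looks like this in practice. This is an added example, not code from the thread: a shared buffer page next to a page made read-only with mprotect(), a module call wrapped in a SIGSEGV/SIGBUS handler that siglongjmp()s back out, and three constructed stand-in "modules" (module_ok, module_writes_forbidden, module_null_deref, the last being the OP's ptr=0; *ptr=0; case). The names call_guarded and region_create are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target and record of the last fault, used by the handler below. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signal;

/* Signal handler: note which signal fired and abandon the module call.
 * Jumping out of a SIGSEGV handler is the part the thread calls "tricky":
 * any lock the module held, any half-written structure, stays as it was. */
static void on_fault(int sig) {
    fault_signal = sig;
    siglongjmp(fault_env, 1);
}

/* Call fn(arg) with SIGSEGV/SIGBUS trapped.
 * Returns 0 if fn returned normally, otherwise the signal that stopped it. */
int call_guarded(void (*fn)(void *), void *arg) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;          /* handler must be enterable again after we jump out */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    fault_signal = 0;
    int rc;
    if (sigsetjmp(fault_env, 1) == 0) { /* 1: save and later restore the signal mask */
        fn(arg);
        rc = 0;
    } else {
        rc = (int)fault_signal;
    }
    /* Put back whatever handlers were installed before. A module that installs
     * its own handler during the call (i3839's objection) is not detected here. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

/* Two adjacent pages: the first is the module's writable buffer, the second
 * stands in for "the rest of the process" and is made read-only. */
struct region {
    char *buf;         /* writable page */
    size_t len;
    char *forbidden;   /* read-only page */
};

/* Returns 0 on success, -1 on failure (errno set by sysconf/mmap/mprotect). */
int region_create(struct region *r) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    char *mem = mmap(NULL, 2 * (size_t)ps, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    if (mprotect(mem + ps, (size_t)ps, PROT_READ) != 0) return -1;
    r->buf = mem;
    r->len = (size_t)ps;
    r->forbidden = mem + ps;
    return 0;
}

/* Constructed stand-ins for loaded modules (not from the thread). */
static void module_ok(void *a) {               /* well-behaved: writes only its buffer */
    struct region *r = a;
    snprintf(r->buf, r->len, "result");
}
static void module_writes_forbidden(void *a) { /* writes outside its buffer */
    struct region *r = a;
    r->forbidden[0] = 'x';
}
static void module_null_deref(void *a) {       /* the OP's ptr = 0; *ptr = 0; */
    (void)a;
    char *volatile p = NULL;   /* volatile keeps the compiler from folding this into a trap */
    *p = 0;
}

int main(void) {
    struct region r;
    if (region_create(&r) != 0) { perror("region_create"); return 1; }
    printf("module_ok: %d (buf=\"%s\")\n", call_guarded(module_ok, &r), r.buf);
    printf("module_writes_forbidden: signal %d\n", call_guarded(module_writes_forbidden, &r));
    printf("module_null_deref: signal %d\n", call_guarded(module_null_deref, &r));
    return 0;
}
```

The process survives both faults and the read-only page is never modified, but note what the guard does not do: it cannot return the module's stack frames, heap allocations or held locks to a sane state, a module can call mprotect() or sigaction() itself and undo the arrangement, and longjmp()ing out of a fault handler is only conventionally safe on Linux/glibc rather than guaranteed by POSIX. Those are the reasons the two replies above prefer a forked child.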

#3 2008-01-30 08:43 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: mprotect() all process but a buffer

If you want to run untrusted code without it being able to affect your process, then
I think you really just want to fork() a new child and run the untrusted code in there...
Let the OS do all the hard work of separating your address spaces and protecting
you from each other...  That's its job, after all...  No point trying to reinvent a square
wheel in user-space...

For the shared buffer, just use some standard shared memory method (mmap(),
shm_open(), shmget(), whatever)...

Edit: ARGH!  That's twice in a row you've beaten me to the punch, i3839! ;-)

So, yeah, what he said... ;-)

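The fork()-plus-shared-memory design both replies recommend, as an added example that is not code from either poster. It uses an anonymous MAP_SHARED mapping for the buffer (standing in for shm_open()/shmget(); an fd from shm_open() could be passed to mmap() in place of -1), runs each module call in a child, and reads the child's exit status so the parent can tell a clean return from a crash. The module functions and the names shared_buffer_create and run_isolated are this example's own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

typedef void (*module_fn)(char *buf, size_t len);

enum run_status { RUN_OK = 0, RUN_CRASHED = 1, RUN_ERROR = 2 };

/* A buffer visible to the parent and to every child it forks afterwards. */
char *shared_buffer_create(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (char *)p;
}

/* Run one module call in a forked child. Whatever the child does to its own
 * (copy-on-write) address space, the parent is untouched; only the shared
 * buffer carries results back. On a crash *sig receives the killing signal. */
enum run_status run_isolated(module_fn fn, char *buf, size_t len, int *sig) {
    pid_t pid = fork();
    if (pid < 0) return RUN_ERROR;
    if (pid == 0) {
        fn(buf, len);
        _exit(0);   /* _exit, not exit: the parent's atexit handlers must not run here */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return RUN_ERROR;
    if (WIFSIGNALED(status)) {
        if (sig) *sig = WTERMSIG(status);
        return RUN_CRASHED;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return RUN_OK;
    return RUN_ERROR;
}

/* Constructed stand-ins for loaded modules (not from the thread). */
static void module_ok(char *buf, size_t len) {
    snprintf(buf, len, "hello from module");
}
static void module_crashes(char *buf, size_t len) {
    snprintf(buf, len, "partial result");   /* lands in shared memory... */
    char *volatile p = NULL;                /* ...then the OP's NULL write */
    *p = 0;
}

int main(void) {
    char *buf = shared_buffer_create(4096);
    if (!buf) { perror("mmap"); return 1; }
    int sig = 0;
    printf("module_ok: status %d, buffer \"%s\"\n",
           run_isolated(module_ok, buf, 4096, &sig), buf);
    printf("module_crashes: status %d, signal %d, buffer \"%s\"\n",
           run_isolated(module_crashes, buf, 4096, &sig), sig, buf);
    return 0;
}
```

The parent never sees SIGSEGV; it sees WIFSIGNALED() in the child's status and still finds the bytes the child managed to write before dying. Two caveats a practitioner should keep in mind: the child starts with a copy of the parent's address space, file descriptors and credentials, so this is crash isolation rather than confinement of a hostile module, and with threads in the parent only the forking thread exists in the child, so a module that needs other threads' services must not be run this way.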

#4 2008-01-30 08:55 PM

caruccio
Member
From: Porto Alegre, Brasil
Registered: 2005-02-08
Posts: 47

Re: mprotect() all process but a buffer

In fact, I'm trying to build a sandbox where (more or less trusted) external modules can run. They are trusted up to the point where one accidentally dereferences a NULL pointer (I can't trust other programmers' skills).

I'm running Linux, and it has a /proc/self/maps, mapping all my libs. An example:

$ cat /proc/self/maps 
08048000-0804c000 r-xp 00000000 03:02 475220     /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 475220     /bin/cat
0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]
b7dcf000-b7dd0000 rw-p b7dcf000 00:00 0 
b7dd0000-b7f0c000 r-xp 00000000 03:02 3129416    /lib/libc-2.5.so
b7f0c000-b7f0d000 r--p 0013c000 03:02 3129416    /lib/libc-2.5.so
b7f0d000-b7f0f000 rw-p 0013d000 03:02 3129416    /lib/libc-2.5.so
b7f0f000-b7f12000 rw-p b7f0f000 00:00 0 
b7f2f000-b7f30000 rw-p b7f2f000 00:00 0 
b7f30000-b7f4b000 r-xp 00000000 03:02 3129600    /lib/ld-2.5.so
b7f4b000-b7f4d000 rw-p 0001b000 03:02 3129600    /lib/ld-2.5.so
bf8d4000-bf8e9000 rw-p bffeb000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]

Do you think it's reliable to base my mprotect() solution on this? I mean, may I use this info to protect only certain portions of my process' pages?

Maybe a fork() approach adds too much overhead. There will be thousands of function executions per second, from different modules. It's a good idea to keep all modules in memory all the time, during the execution of the process.

thanks,

Caruccio

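Whether the /proc/self/maps listing above is usable as the basis for an mprotect() scheme is easiest to judge by actually parsing it. The following is an added example, not code from the thread: it reads the Linux maps format (start-end perms offset dev inode [path]), classifies regions by their current permissions, finds the region holding a given address, and then repeats the lookup against the live /proc/self/maps of the running process. The sample input is the listing caruccio posted, embedded here verbatim as constructed test data; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One region as printed by /proc/self/maps. */
struct mapping {
    unsigned long start, end;
    char perms[5];      /* e.g. "rw-p" */
    char path[256];     /* "" for anonymous regions */
};

/* Parse one maps line. Returns 1 on success, 0 if it does not fit the format. */
int parse_maps_line(const char *line, struct mapping *m) {
    unsigned long offset, inode;
    unsigned int dev_major, dev_minor;
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %255s",
                   &m->start, &m->end, m->perms, &offset,
                   &dev_major, &dev_minor, &inode, m->path);
    return n >= 7;   /* the path column is optional (anonymous regions, [heap], ...) */
}

/* Parse a whole maps text into out[]; returns the number of regions stored. */
size_t parse_maps(const char *text, struct mapping *out, size_t max) {
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && parse_maps_line(line, &out[n])) n++;
        p = nl ? nl + 1 : p + full;
    }
    return n;
}

int mapping_is_writable(const struct mapping *m) { return m->perms[1] == 'w'; }

/* The region containing addr, or NULL if it is unmapped (e.g. the NULL page). */
const struct mapping *mapping_for_addr(const struct mapping *maps, size_t n,
                                       unsigned long addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= maps[i].start && addr < maps[i].end) return &maps[i];
    return NULL;
}

/* Regions writable right now: the ones an mprotect() sandbox would have to
 * flip to PROT_READ around every module call and back afterwards. */
size_t count_writable(const struct mapping *maps, size_t n) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) w += mapping_is_writable(&maps[i]) ? 1 : 0;
    return w;
}

/* The listing posted in the thread, embedded as constructed sample input. */
static const char sample_maps[] =
    "08048000-0804c000 r-xp 00000000 03:02 475220     /bin/cat\n"
    "0804c000-0804d000 rw-p 00003000 03:02 475220     /bin/cat\n"
    "0804d000-0806e000 rw-p 0804d000 00:00 0          [heap]\n"
    "b7dcf000-b7dd0000 rw-p b7dcf000 00:00 0 \n"
    "b7dd0000-b7f0c000 r-xp 00000000 03:02 3129416    /lib/libc-2.5.so\n"
    "b7f0c000-b7f0d000 r--p 0013c000 03:02 3129416    /lib/libc-2.5.so\n"
    "b7f0d000-b7f0f000 rw-p 0013d000 03:02 3129416    /lib/libc-2.5.so\n"
    "b7f0f000-b7f12000 rw-p b7f0f000 00:00 0 \n"
    "b7f2f000-b7f30000 rw-p b7f2f000 00:00 0 \n"
    "b7f30000-b7f4b000 r-xp 00000000 03:02 3129600    /lib/ld-2.5.so\n"
    "b7f4b000-b7f4d000 rw-p 0001b000 03:02 3129600    /lib/ld-2.5.so\n"
    "bf8d4000-bf8e9000 rw-p bffeb000 00:00 0          [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]\n";

int main(void) {
    struct mapping maps[64];
    size_t n = parse_maps(sample_maps, maps, 64);
    printf("%zu regions in the sample, %zu of them writable:\n", n, count_writable(maps, n));
    for (size_t i = 0; i < n; i++)
        if (mapping_is_writable(&maps[i]))
            printf("  %08lx-%08lx %s %s\n", maps[i].start, maps[i].end, maps[i].perms, maps[i].path);

    /* Live check (Linux only): which region holds a stack variable of this process? */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char text[65536];
        size_t got = fread(text, 1, sizeof text - 1, f);
        text[got] = '\0';
        fclose(f);
        static struct mapping live[512];
        size_t ln = parse_maps(text, live, 512);
        int marker;
        const struct mapping *m = mapping_for_addr(live, ln, (unsigned long)(uintptr_t)&marker);
        if (m) printf("&marker lives in %08lx-%08lx %s %s\n", m->start, m->end, m->perms, m->path);
    }
    return 0;
}
```

On the sample, 8 of the 13 regions are already writable and every one of them is data, heap, stack or an anonymous mapping; the code and read-only data of /bin/cat, libc and ld.so are already non-writable, which is i3839's later point that there is little left to protect. Two things to check before relying on this listing: it is a snapshot, so every dlopen() and every heap growth adds or resizes regions and the sandbox has to re-read it, and the writable set includes libc's own data pages, so flipping them to PROT_READ breaks any libc call that touches them, malloc included.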

#5 2008-01-30 09:00 PM

jfriesne
Administrator
From: California
Registered: 2005-07-06
Posts: 348

Re: mprotect() all process but a buffer


#6 2008-01-30 10:28 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,839

Re: mprotect() all process but a buffer


#7 2008-01-30 10:40 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: mprotect() all process but a buffer

What pages would you mmap anyway? More or less all pages that can be made
read/execute-only are already done so, what's left are global variables, stack and
heap, so protecting more is rather difficult.


#8 2008-01-31 12:33 AM

caruccio
Member
From: Porto Alegre, Brasil
Registered: 2005-02-08
Posts: 47

Re: mprotect() all process but a buffer


#9 2008-01-31 12:39 AM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: mprotect() all process but a buffer

If you protect the heap the library function can't call malloc, or any function which
does that indirectly. That's a rather big constraint.

