[grsec] [andrewg@felinemenace.org: XEN + PAX]

Brad Spengler spender at grsecurity.net
Tue Oct 11 19:25:29 EDT 2005


----- Forwarded message from Andrew Griffiths <andrewg at felinemenace.org> -----

Envelope-to: fm at felinemenace.org
To: michi+grsecurity at jackal-net.at
Cc: grsecurity at grsecurity.net
Subject: XEN + PAX
From: Andrew Griffiths <andrewg at felinemenace.org>

Hello,

Pipacs pointed me towards your post to the grsecurity mailing list
(which I am not subscribed to). I'll include this cc'd to the
grsecurity list in case they wish to allow it through.

I'm not sure what you're looking to do, but perhaps I can help:

With:

include/linux/mman.h:63: error: `MAP_MIRROR' undeclared (first use in
this function)

Seems to suggest you're trying to get segmexec working, which is easier
to do in 2.6 because it sets up its own GDT[1] tables with xen. These
GDT tables are in arch/xen/i386/kernel/head.S. To get the segmentation
mapping working, you will need to duplicate the tables, making the
appropriate changes to the user code section. (Please refer to the PAX
patch for more information, specifically the GDT table setup.)

You'll also need to flick over the pax patch to see what else they do
(such as changing the GDT tables on scheduling, or so). This probably
will require using the xen hypervisor API or so.

So some of you are probably thinking: since I have a game plan for
getting it working and have researched it a little bit, why haven't I
done it yet? It's on my todo list for when I have a bit more free time,
plus I need to set up more of a development environment for it.

But if someone else wants to get it working, be my guest :) It'll be
muchly appreciated :)

Thanks,
Andrew Griffiths

[1] as opposed to 2.4, which uses the xen default GDT tables, which
would require some basic editing to make the segmentation logic work.
If you want it to correctly support non-segmentation logic as well,
you'll need to make the 2.4 xen linux kernel use the xen hypervisor to
create some extra GDTs.

Well, that's not entirely true: you could add an extra descriptor in the
GDT; however, that most likely opens up a vulnerability if you can
change the CS register. (Haven't fully explored that, feel free to
correct me.)

----- End forwarded message -----
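As an added illustration (not part of Andrew's mail, the PaX patch, or the Xen tree), the C below packs x86 GDT descriptors in the 8-byte layout head.S expects and contrasts Linux's flat user code segment with a SEGMEXEC-style one whose base and limit carve the user address space into a data half and a code half. The 1.5 GiB split follows PaX's published SEGMEXEC design, but the exact descriptor constants here are my assumption, not values taken from this page; the names gdt_encode, gdt_size and code_fetch are also mine.

```c
#include <stdint.h>
#include <stdio.h>
/* Pack base/limit/access/flags into the 8-byte x86 GDT entry layout used in head.S. */
static uint64_t gdt_encode(uint32_t base, uint32_t limit, uint8_t access, uint8_t flags)
{
    return (uint64_t)(limit & 0xffffu)
         | (uint64_t)(base & 0xffffu) << 16
         | (uint64_t)((base >> 16) & 0xffu) << 32
         | (uint64_t)access << 40
         | (uint64_t)((limit >> 16) & 0xfu) << 48
         | (uint64_t)(flags & 0xfu) << 52
         | (uint64_t)((base >> 24) & 0xffu) << 56;
}

/* Recover the 32-bit base from the three scattered base fields. */
static uint32_t gdt_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xffffu) | (uint32_t)((d >> 32) & 0xffu) << 16
         | (uint32_t)((d >> 56) & 0xffu) << 24;
}

/* Segment size in bytes; the G flag (bit 55) means the limit counts 4 KiB pages. */
static uint64_t gdt_size(uint64_t d)
{
    uint64_t limit = (d & 0xffffu) | ((d >> 48) & 0xfu) << 16;
    return ((d >> 55) & 1u) ? (limit + 1) << 12 : limit + 1;
}

/* Run an EIP through a code descriptor: the linear address fetched, or -1 for #GP. */
static int64_t code_fetch(uint64_t cs, uint32_t eip)
{
    if ((uint64_t)eip >= gdt_size(cs))
        return -1;
    return (int64_t)gdt_base(cs) + eip;
}

/* Stock Linux flat user code segment: base 0, 4 GiB, DPL 3, G and D/B set. */
#define USER_CS_FLAT     gdt_encode(0x00000000u, 0xfffffu, 0xfa, 0xc)
/* SEGMEXEC-style user code segment (assumed constants): 1.5 GiB at base 1.5 GiB. */
#define USER_CS_SEGMEXEC gdt_encode(0x60000000u, 0x5ffffu, 0xfa, 0xc)

int main(void)
{
    printf("flat     %016llx\n", (unsigned long long)USER_CS_FLAT);
    printf("segmexec %016llx\n", (unsigned long long)USER_CS_SEGMEXEC);
    /* Fetches land 1.5 GiB above the data view, where only MAP_MIRROR'd executable
     * mappings exist; an EIP pointing into the data half is outside the limit. */
    printf("EIP 08048000 -> %llx\n", (unsigned long long)code_fetch(USER_CS_SEGMEXEC, 0x08048000u));
    printf("EIP 60000000 -> %lld (#GP)\n", (long long)code_fetch(USER_CS_SEGMEXEC, 0x60000000u));
    return 0;
}
```

This is why a page that is only data-mapped cannot be executed under SEGMEXEC: the instruction fetch resolves to the code half, which holds nothing unless the mapping was mirrored there with PROT_EXEC.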